From 50f37523f53f1cc783b011e9d39f76697868ed2a Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Mon, 27 Nov 2023 17:58:23 +0100
Subject: [PATCH 1/2] pentesting-smb: add From Windows / no third-party tools

---
 network-services-pentesting/pentesting-smb.md | 41 ++++++++++++++++++-
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/network-services-pentesting/pentesting-smb.md b/network-services-pentesting/pentesting-smb.md
index fa1b2137..074594fc 100644
--- a/network-services-pentesting/pentesting-smb.md
+++ b/network-services-pentesting/pentesting-smb.md
@@ -136,8 +136,8 @@ rpcclient -U "username%passwd" <IP> #With creds
 
 ### Enumerate Users, Groups & Logged On Users
 
+This info should already being gathered from enum4linux and enum4linux-ng
 
-# This info should already being gathered from enum4linux and enum4linux-ng
 ```bash
 crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
 crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
@@ -151,16 +151,19 @@ enumdomgroups
 ```
 
 ### Enumerate local users
+
 [Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)
+
 ```bash
 lookupsid.py -no-pass hostname.local
 ```
+
 Oneliner
+
 ```bash
 for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
 ```
 
-
 ### Metasploit - Enumerate local users
  ```bash
 use auxiliary/scanner/smb/smb_lookupsid
@@ -268,6 +271,40 @@ smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BA
 smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
 ```
 
+### **From Windows / no third-party tools**
+
+PowerShell
+
+```powershell
+# Retrieves the SMB shares on the locale computer.
+Get-SmbShare
+Get-WmiObject -Class Win32_Share
+# Retrieves the SMB shares on a remote computer.
+get-smbshare -CimSession "<computer name or session object>"
+# Retrieves the connections established from the local SMB client to the SMB servers.
+Get-SmbConnection
+```
+
+CMD console
+
+```shell
+# List shares on the local computer
+net share
+# List shares on a remote computer (including hidden ones)
+net view \\<ip> /all
+```
+
+MMC Snap-in (graphical)
+
+```shell
+# Shared Folders: Shared Folders > Shares
+fsmgmt.msc
+# Computer Management: Computer Management > System Tools > Shared Folders > Shares
+compmgmt.msc
+```
+
+explorer.exe (graphical), enter `\\<ip>\` to see the available non-hidden shares.
+
 ### Mount a shared folder
 
 ```bash

From b7996be56bf6d65523012fc0ed29c57d121d22db Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Mon, 27 Nov 2023 18:01:07 +0100
Subject: [PATCH 2/2] pentesting-smb: change title

---
 network-services-pentesting/pentesting-smb.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/network-services-pentesting/pentesting-smb.md b/network-services-pentesting/pentesting-smb.md
index 074594fc..09752a84 100644
--- a/network-services-pentesting/pentesting-smb.md
+++ b/network-services-pentesting/pentesting-smb.md
@@ -271,7 +271,7 @@ smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BA
 smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
 ```
 
-### **From Windows / no third-party tools**
+### **Enumerate shares from Windows / without third-party tools**
 
 PowerShell