shareenum.py – Enumerating Share Permissions in Windows Networks
During an audit I needed a tool to enumerate the permissions for all shared file resources within a large client network. Although there are several tools to enumerate client shares (e.g. nmap), I found none for enumerating the permissions in detail.
The Python script is basically a wrapper for rpcclient from the Samba client package. This is not an attack tool – you will need proper administrative rights to read the share permissions (see line RPCCommand = ... in the source). In addition to enumerating share permissions, the script also enumerates local groups (e.g. local administrators).
Example log file content
10.0.0.1 netshareenum
    netname: SecretShare
    remark: (null)
    path: C:\
    password: (null)
10.0.0.1 netsharegetinfo
    netname: SecretShare
    ...
    Permissions: 0x1f01ff
    ...
    SID: S-1-1-0:\Everybody
10.0.0.1 querydominfo
    Domain: PC01
    Server: ...
10.0.0.1 enumalsgroups_builtin
    group:[Administrators] rid:[0x220]
    group:[Backup Operators] rid:[0x227]
10.0.0.1 queryaliasmem 0x220
    S-...-500:PC01\Administrator
    S-...-...:DOM\SecretAdmin
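For reviewing such a log, the following added example (not part of shareenum.py) lists share ACEs granted to broad well-known SIDs such as Everyone, together with the permission level encoded in the access mask. It assumes a "host command" header line followed by one field per line; the function names and the sample log are constructed for illustration.

```python
import re

# Share-level access masks behind Full Control / Change / Read in Windows.
FULL_CONTROL, CHANGE, READ = 0x1F01FF, 0x1301BF, 0x1200A9
# Well-known SIDs that cover broad, non-specific sets of principals.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
              "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users"}
HEADER = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\w+)")

# Constructed sample, not real audit data. Assumed layout: "<host> <command>"
# header, then one field per line as rpcclient prints them.
SAMPLE_LOG = """\
10.0.0.1 netsharegetinfo
netname: SecretShare
Permissions: 0x1f01ff
SID: S-1-1-0:\\Everybody
10.0.0.2 netsharegetinfo
netname: Projects
Permissions: 0x1200a9
SID: S-1-5-11
Permissions: 0x1f01ff
SID: S-1-5-21-1111-2222-3333-512
"""

def level(mask):
    """Map an access mask to the highest share permission level it contains."""
    for name, bits in (("FULL", FULL_CONTROL), ("CHANGE", CHANGE), ("READ", READ)):
        if mask & bits == bits:
            return name
    return "OTHER"

def broad_aces(log_text):
    """Return (host, share, principal, level) for ACEs granted to broad SIDs."""
    # Assumption: every ACE is an allow ACE; the ACE type line is not parsed.
    findings, host, share, mask = [], None, None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            # Only netsharegetinfo sections carry share ACLs; skip the others.
            host = m.group(1) if m.group(2) == "netsharegetinfo" else None
            share = mask = None
        elif host and line.startswith("netname:"):
            share = line.split(":", 1)[1].strip()
        elif host and (m := re.match(r"Permissions:\s*(0x[0-9a-fA-F]+)", line)):
            mask = int(m.group(1), 16)
        elif host and line.startswith("SID:") and mask is not None:
            sid = line[4:].strip().split(":", 1)[0]  # drop trailing ":name"
            if sid in BROAD_SIDS:
                findings.append((host, share, BROAD_SIDS[sid], level(mask)))
            mask = None
    return findings
```

Each finding is a candidate for tightening the share ACL; the NTFS permissions on the underlying path still apply and need a separate check.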