File Shares & Credentials

File shares and credentials play a major role in pivoting and lateral movement. Internal networks often rely on shared folders, mapped drives, centralized authentication, and domain accounts. Misconfigurations in these areas allow attackers to harvest credentials, identify sensitive files, and move laterally with minimal effort. Understanding how to enumerate, access, and exploit file shares is essential for internal network penetration testing.

Why File Shares Matter

File shares reveal:

  • Sensitive documents

  • Password files

  • Configuration files

  • Scripts with hardcoded credentials

  • Backup archives

  • Deployment keys

  • Internal documentation

These resources often expose login details or trust relationships that accelerate an attacker’s privilege escalation.

Step 1: Enumerate SMB Shares

SMB (Server Message Block) is the primary file-sharing protocol on Windows networks. Begin by identifying which hosts expose SMB.

Discover SMB Servers

sudo nmap -p445 10.10.10.0/24

Enumerate Shares (Anonymous)

smbclient -L //10.10.10.5 -N

If a share list appears, anonymous access is possible.

Enumerate with Credentials

smbclient -L //10.10.10.5 -U username

SMB enumeration reveals public shares, admin shares, and misconfigured directories.

Step 2: Access and Browse Shares

Once shares are identified, access them to view contents.

Connect to a Share

smbclient //10.10.10.5/share -U username

List Files

Inside smbclient:

ls

Download Files

get filename

Search for Interesting Content

Look for:

  • .txt files

  • .ini files

  • .xml configs

  • .ps1 scripts

  • KeePass databases (.kdbx)

  • Backup archives (.zip, .bak)

These often store hardcoded passwords.

Step 3: Enumerate Shares Using Impacket

Impacket provides powerful enumeration options.

smbclient.py

python3 smbclient.py DOMAIN/username@10.10.10.5

Inside the smbclient.py shell, shares lists the available shares, use <share> connects to one, and ls/get browse and download files, as in smbclient.

findstr over SMB (searching for passwords)

Impacket's smbclient.py is a file-transfer client and does not execute commands on the server, so findstr has to run from a Windows foothold (or any Windows host that can reach the share), pointed at the UNC path:

findstr /S /I password \\10.10.10.5\share\*.txt \\10.10.10.5\share\*.ini \\10.10.10.5\share\*.config

This quickly exposes credential leaks.

Step 4: Enumerate File Permissions

Detect writable shares, which attackers can abuse for persistence or privilege escalation.

Identify Writable Directories

In smbclient:

put test.txt

If upload succeeds, the share is writable.

Writable shares allow:

  • Dropping malicious scripts

  • Planting payloads

  • Overwriting service files

  • DLL hijacking opportunities

Step 5: Mapped Drives Discovery

Mapped drives reveal hidden file paths and privileged shares.

Check Mapped Drives (Windows foothold)

net use

This shows drives mapped to internal servers, often only visible to the logged-in user.

Mapped drives can lead to:

  • Hidden shares

  • Backup directories

  • Internal scripts

  • Administrative tools

Step 6: Extract Credentials from Shared Files

Many internal networks unintentionally store credentials in shared folders. Common sources include:

1. Configuration Files

  • database.ini

  • web.config

  • settings.xml

  • appsettings.json

2. PowerShell Scripts

  • Deployment scripts with plaintext creds

  • Backup scripts

  • Automated tasks

3. Group Policy Preferences (GPP)

Old GPP passwords stored in SYSVOL were encrypted with a known key.

Extract GPP Passwords

findstr /S cpassword \\<domain>\SYSVOL\*.xml

Decrypt GPP password using gpp-decrypt.

4. KeePass Databases

If a .kdbx file is found, the master password may be obtained through:

  • Other sources

  • Memory dump attacks

  • Cracking a weak master password

5. SSH/Private Keys

Look for:

  • id_rsa

  • id_ecdsa

  • .pem files

These provide direct access to servers.

Step 7: Extract Credentials via Responder Capture

If the share requires authentication and NTLM relay is possible, use the captured hashes:

  • For pass-the-hash

  • For SMB relay

  • For cracking

NTLM Hash Cracking

hashcat -m 5600 hash.txt wordlist.txt

Cracked weak internal passwords open access to more shares.

Step 8: Searching File Shares Efficiently

Use command-line searches to extract credential patterns.

Searching for Password Strings (Windows)

findstr /spin /c:"password" *

Searching on Linux-hosted Shares

grep -Ri "password" .

Keyword searches reveal:

  • Passwords

  • API keys

  • Connection strings

  • Hardcoded tokens
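The one-line findstr and grep searches above catch only the literal word "password"; the file classes listed in Step 6 (config files, scripts, GPP XML, KeePass databases, private keys, backups) each need their own rule, and a SYSVOL cpassword attribute will not even contain a standalone "password" token. The following is an added example (not code from the page) of the kind of share audit a defender or tester would run over a mounted or copied share, serving both Step 6 and Step 8: it walks a directory tree, applies a small rule set per line, flags sensitive filenames regardless of content, and parses GPP XML for a surviving cpassword. All file names and contents are constructed for the demo, and the share root is assumed to be a local path.

```python
"""Audit a mounted or copied share for the credential material listed in Steps 6 and 8.

Added example, not from the page. Assumes the share is reachable as a local directory.
Sample files are constructed in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Line-level rules, checked in order; the first match labels the line.
RULES = [
    ("connection string", re.compile(r"(?i)(Server|Data Source)=[^;]+;.*?(Password|Pwd)=[^;]+")),
    ("password assignment", re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[=:]\s*\S+")),
    ("api key / token", re.compile(r"(?i)\b(api[_-]?key|token|secret)\b\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}")),
    ("private key", re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Filenames worth reporting even when the content is binary (keys, KeePass, backups).
SENSITIVE_NAME = re.compile(r"(?i)^(id_rsa|id_ecdsa|id_ed25519)$|\.(kdbx|pem|bak|zip)$")
TEXT_SUFFIXES = {"", ".txt", ".ini", ".xml", ".config", ".json", ".ps1", ".bat", ".cmd", ".pem", ".yml", ".yaml"}
MAX_BYTES = 2 * 1024 * 1024  # skip large files; archives and databases need a different tool


def scan_gpp_xml(path: Path) -> list:
    """Report GPP XML whose Properties element still carries a cpassword attribute."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings
    for props in root.iter("Properties"):
        if props.get("cpassword"):
            findings.append((str(path), 0, "gpp cpassword", f"userName={props.get('userName')}"))
    return findings


def scan_file(path: Path) -> list:
    """Return (path, line, label, excerpt) tuples for one file; line 0 means a file-level finding."""
    findings = []
    if SENSITIVE_NAME.search(path.name):
        findings.append((str(path), 0, "sensitive filename", path.name))
    if path.suffix.lower() == ".xml":
        findings.extend(scan_gpp_xml(path))
    if path.suffix.lower() not in TEXT_SUFFIXES or path.stat().st_size > MAX_BYTES:
        return findings
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for label, rx in RULES:
                if rx.search(line):
                    findings.append((str(path), lineno, label, line.strip()[:80]))
                    break  # one label per line is enough for triage
    return findings


def scan_tree(root: str) -> list:
    """Walk the share and collect findings from every file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.extend(scan_file(Path(dirpath) / name))
    return findings


SAMPLE_FILES = {  # constructed content, not from any real environment
    "deploy/database.ini": "[db]\nhost=db01\nuser=app\npassword=Winter2024!\n",
    "deploy/web.config": '<add connectionString="Server=sql01;Database=hr;User Id=sa;Password=P@ss;" />\n',
    "scripts/backup.ps1": "$user = 'svc_backup'\n$password = 'Backup123'\nStart-Backup -User $user\n",
    "SYSVOL/Policies/Groups.xml": '<Groups><User name="LocalAdmin"><Properties action="U" '
                                  'cpassword="CONSTRUCTED-CPASSWORD" userName="LocalAdmin"/></User></Groups>\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END OPENSSH PRIVATE KEY-----\n",
    "backups/hr.bak": "not-really-binary\n",
    "docs/readme.txt": "Welcome to the share. Ask IT for access.\n",
}


def build_sample_share() -> str:
    """Write the constructed files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for path, lineno, label, excerpt in scan_tree(build_sample_share()):
        print(f"{label:20} {path}:{lineno}  {excerpt}")
```

Point scan_tree at a mount point instead of build_sample_share() to audit a real share; the readme produces no finding, the .bak and KeePass-style files are reported by name only, and the GPP entry is found through the XML attribute rather than a keyword, which a plain grep for "password" would miss.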

Step 9: Using CrackMapExec for Share Enumeration

CrackMapExec (CME) automates share discovery.

List Shares

cme smb 10.10.10.5 -u user -p pass --shares

Check Write Access

cme smb 10.10.10.5 -u user -p pass --shares | grep READ,WRITE

Writable shares are ideal targets for persistence or escalation.
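Piping the share list through grep READ,WRITE has a blind spot: with administrative credentials ADMIN$ and C$ are always writable, so they dominate the output, while a writable NETLOGON or SYSVOL, which is a real misconfiguration, sits in the same list with nothing to distinguish it. The following is an added example, not code from the page or from the CrackMapExec project: a parser for the share table that sorts writable shares into the ones worth review and the expected admin noise. The sample output is constructed to approximate CME's column layout, and in real use the captured stdout of the --shares command would be passed to triage_shares().

```python
"""Triage a CrackMapExec --shares listing instead of grepping for READ,WRITE.

Added example, not from the page or the CrackMapExec project. SAMPLE_OUTPUT is a
constructed approximation of CME's share table, not output from a real host.
"""
import re

PERMS = {"READ", "WRITE", "READ,WRITE"}
# Writable by design for administrative accounts; grep READ,WRITE always hits these.
ADMIN_SHARES = re.compile(r"^(ADMIN\$|IPC\$|PRINT\$|[A-Z]\$)$")
# Domain shares that should never be writable for ordinary accounts.
DOMAIN_SHARES = {"NETLOGON", "SYSVOL"}


def parse_cme_shares(text: str) -> list:
    """Return [(share, permissions, remark)] from CME share output; status lines are skipped."""
    shares = []
    for raw in text.splitlines():
        fields = re.split(r"\s{2,}", raw.strip())   # CME separates columns with runs of spaces
        if len(fields) < 5 or fields[0] != "SMB":
            continue
        name = fields[4]
        if name.startswith("[") or name in ("Share", "-----"):
            continue                                 # banner, auth result, table header
        rest = fields[5:]
        perms = rest[0] if rest and rest[0] in PERMS else ""
        remark = " ".join(rest[1:] if perms else rest)
        shares.append((name, perms, remark))
    return shares


def grep_equivalent(text: str) -> list:
    """What `| grep READ,WRITE` would return: every writable share, admin noise included."""
    return [name for name, perms, _ in parse_cme_shares(text) if perms == "READ,WRITE"]


def triage_shares(text: str) -> dict:
    """Separate writable shares that need review from the admin shares that are writable by design."""
    result = {"writable_custom": [], "writable_domain": [], "ignored_admin": [], "readable_only": []}
    for name, perms, _remark in parse_cme_shares(text):
        writable = "WRITE" in perms
        if ADMIN_SHARES.match(name):
            result["ignored_admin"].append(name)
        elif name.upper() in DOMAIN_SHARES and writable:
            result["writable_domain"].append(name)   # misconfiguration: fix first
        elif writable:
            result["writable_custom"].append(name)
        elif perms:
            result["readable_only"].append(name)
    return result


SAMPLE_OUTPUT = r"""
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:example.test) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] example.test\user:pass
SMB         10.10.10.5      445    DC01             [+] Enumerated shares
SMB         10.10.10.5      445    DC01             Share           Permissions     Remark
SMB         10.10.10.5      445    DC01             -----           -----------     ------
SMB         10.10.10.5      445    DC01             ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.5      445    DC01             C$              READ,WRITE      Default share
SMB         10.10.10.5      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.5      445    DC01             NETLOGON        READ,WRITE      Logon server share
SMB         10.10.10.5      445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.10.5      445    DC01             Public          READ,WRITE
SMB         10.10.10.5      445    DC01             Backups                         Nightly copies
SMB         10.10.10.5      445    DC01             Deploy          READ,WRITE      Deployment scripts
"""

if __name__ == "__main__":
    print("grep READ,WRITE would list:", grep_equivalent(SAMPLE_OUTPUT))
    for bucket, names in triage_shares(SAMPLE_OUTPUT).items():
        print(f"{bucket:16} {names}")
```

On the constructed listing the grep returns five shares, three of which are noise or a misconfiguration; the triage reduces review to Public and Deploy and raises NETLOGON separately as something to fix rather than use.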

Step 10: Using File Shares for Lateral Movement

Once credentials or scripts are obtained, lateral movement begins.

Common paths:

  • RDP (3389)

  • WinRM (5985/5986)

  • SMB admin access

  • PSExec

  • SSH (Linux servers)

Example using PSExec:

python3 psexec.py DOMAIN/user:pass@10.10.10.5

This provides interactive command execution.

Why File Shares & Credentials Matter

File shares are often the weakest link in internal networks. They reveal:

  • Misconfigurations

  • Poor password hygiene

  • Hardcoded secrets

  • Unsecured backups

  • Forgotten scripts

  • Hidden trust relationships

Credentials gained from shares fuel:

  • Privilege escalation

  • Lateral movement

  • Domain compromise

  • Persistent footholds

A single weakly secured share can collapse an entire network.

Intel Dump

  • SMB shares reveal sensitive files and weak configurations

  • Tools include smbclient, Impacket, CrackMapExec

  • Search for passwords, keys, configs, scripts, and backups

  • Writable shares enable persistence and exploitation

  • Credentials from shares support lateral movement and escalation
