Server Message Block (SMB)

Windows CMD - Net Use

C:\xyz> net use n: \\\Finance

The command completed successfully.
C:\xyz> net use n: \\\Finance /user:plaintext Password123

The command completed successfully.

With the shared folder mapped as the n drive, we can execute Windows commands as if this shared folder is on our local computer.

C:\xyz> dir n: /a-d /s /b | find /c ":\"

Syntax Description
dir Application
n: Directory or drive to search
/a-d /a is the attribute and -d means not directories
/s Displays files in a specified directory and all subdirectories
/b Uses bare format (no heading information or summary)

The following command | find /c ":\\" process the output of dir n: /a-d /s /b to count how many files exits in the directory and subdirectories. You can use dir /? to see the full help. Searching througth 29,302 files is time comsuming, scripting and command line utilities can help us speed up the search.

C:\xyz>dir n:\*cred* /s /b


C:\xyz>dir n:\*secret* /s /b


Windows CMD - Findstr

c:\xyz>findstr /s /i cred n:\*.*

n:\Contracts\private\secret.txt:file with all credentials

Windows PowerShell

PS C:\xyz> Get-ChildItem \\\Finance\

    Directory: \\\Finance

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2/23/2022   3:27 PM                Contracts

Instead of net use, we can use New-PSDrive in PowerShell.

To provide a username and password with Powershell, we need to create a PSCredential object.

PS C:\xyz> $username = 'plaintext'
PS C:\xyz> $password = 'Password123'
PS C:\xyz> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\xyz> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\xyz> New-PSDrive -Name "N" -Root "\\\Finance" -PSProvider "FileSystem" -Credential $cred

Name           Used (GB)     Free (GB) Provider      Root                                                              CurrentLocation
----           ---------     --------- --------      ----                                                              ---------------
N                                      FileSystem    \\\Finance

In PowerShell, we can use the command Get-ChildItem or the short variant gci instead of the command dir.

PS C:\xyz> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count


We can use the property -Include to find specific items from the directory specified by the Path parameter.

PS C:\xyz> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt

The Select-String cmdlet uses regular expression matching to search for text patterns in input strings and files. We can use Select-String similar to grep in UNIX or findstr.exe in Windows.

PS C:\xyz> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

N:\Contracts\private\secret.txt:1:file with all credentials

Linux - Mount

neutron@kali[/kali]$ sudo mkdir /mnt/Finance
neutron@kali[/kali]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. // /mnt/Finance

As an alternative, we can use a credential file.

neutron@kali[/kali]$ mount -t cifs // /mnt/Finance -o credentials=/path/credentialfile

The file credentialfile has to be structured like this:


Once a shared folder is mounted, you can use common Linux tools such as find or grep to interact with the file structure.

neutron@kali[/kali]$ find /mnt/Finance/ -name *cred*


Find files that contain the string cred:

neutron@kali[/kali]$ grep -rn /mnt/Finance/ -ie cred

/mnt/Finance/Contracts/private/secret.txt:1:file with all credentials

Command Line Utilities


Linux - SQSH

neutron@kali[/kali]$ sqsh -S -U username -P Password123

Windows - SQLCMD

C:\xyz> sqlcmd -S -U username -P Password123


Linux - MySQL

neutron@kali[/kali]$ mysql -u username -pPassword123 -h

Windows - MySQL

C:\xyz> mysql.exe -u username -pPassword123 -h