Shared Drive
BLUF:
If you have an AD file share address and authorization, your job is to (1) identify the protocol and exposure, (2) enumerate access and permissions safely, (3) map it to users/groups and GPOs, and (4) assess risk (sensitive data, misconfigs, abuse paths) without touching content you shouldn’t. Below is a clean, ops-ready flow with commands.
```mermaid
flowchart TD
A[Share Address] --> B{Protocol?}
B -->|SMB/CIFS| C[SMB Enumeration]
B -->|DFS| D[DFS Enumeration]
C --> E[Auth vs Guest]
E --> F[Permissions & ACLs]
F --> G[Content Sensitivity]
G --> H[AD Mapping & Abuse Paths]
```

1) Identify the share type
Most AD “share drives” are SMB (CIFS), sometimes fronted by DFS.
- UNC: \\server\share
- URL-ish: smb://server/share
- DFS hint: \\domain.local\dfsroot\share

Resolve basics:

```sh
nslookup <server>
nmap -p 445 <server>
```
2) Anonymous vs authenticated access
Start read-only, least privilege.
```sh
# List shares (null session)
smbclient -L //<server> -N
# With creds (domain user)
smbclient -L //<server> -U <domain\\user>
```
If guest/anonymous lists shares → flag immediately.
3) Enumerate the target share (safely)
Do not download everything. List metadata first.
```sh
smbclient //<server>/<share> -U <domain\\user>
```

Inside smbclient, list the top level only. Directory recursion is off by default, and the `recurse` command toggles it (it takes no ON/OFF argument), so do not issue it:

```text
ls
```

Or via mount (read-only if possible):

```sh
sudo mount -t cifs //<server>/<share> /mnt/share \
  -o ro,username=<user>,domain=<domain>
```
4) Permissions & ACLs (this is where findings live)
Check NTFS ACLs: look for Everyone, Authenticated Users, or Domain Users with Write/Modify.

```sh
# Linux. Note: on a CIFS mount, getfacl reflects the mount's uid/gid/file_mode
# options unless the share was mounted with the cifsacl option, so treat this
# as a rough view only.
getfacl /mnt/share
```

Windows (preferred for fidelity):

```bat
icacls \\server\share
```

Red flags:
- Write/Modify for broad groups
- Inheritance broken incorrectly (explicit entries that widen what the parent grants)
- Owners set to non-admin users
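To turn icacls output into findings without eyeballing every line, here is an added Python example (not part of the original note) that parses the text `icacls <path>` prints for one path and flags allow entries granting write-class rights to broad principals. Deny entries are skipped because they never grant anything, and each finding records whether the entry was inherited or explicit, which is the first thing to check when inheritance looks broken. The sample output, the server name fs01, the share name shared and the CORP group names are constructed.

```python
import re
from dataclasses import dataclass

# Principals that amount to "everyone on the domain"; matched on the part after
# the last backslash, case-insensitively. Extend with your own catch-all groups.
BROAD_PRINCIPALS = {
    "everyone", "authenticated users", "domain users", "users", "domain computers",
}

# icacls right codes that let the holder change data, delete, or rewrite the ACL.
WRITE_RIGHTS = {
    "F", "M", "W", "D", "GA", "GW",               # simple: full, modify, write, delete, generic all/write
    "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO",  # granular: write/append data, attributes, delete child, DAC, owner
}

# Tokens that describe inheritance or deny rather than rights.
FLAG_TOKENS = {"OI", "CI", "IO", "NP", "I", "DENY"}

# One ACE per line: "<principal>:(flag)(flag)(rights)"
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")


@dataclass
class Ace:
    principal: str
    flags: set
    rights: set
    deny: bool
    inherited: bool


def parse_icacls(output: str, path: str) -> list:
    """Parse what `icacls <path>` prints into Ace objects (one per line)."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):   # first line starts with the path itself
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        flags, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens = {t.strip().upper() for t in group.split(",")}
            if tokens & FLAG_TOKENS:
                flags |= tokens
            else:
                rights |= tokens                 # e.g. {"M"} or {"RX", "W"}
        aces.append(Ace(m.group("principal").strip(), flags, rights,
                        deny="DENY" in flags, inherited="I" in flags))
    return aces


def find_broad_write(aces) -> list:
    """Allow ACEs giving write-class rights to broad principals: (principal, rights, inherited)."""
    findings = []
    for ace in aces:
        if ace.deny:
            continue                             # deny entries never grant anything
        short = ace.principal.rsplit("\\", 1)[-1].lower()
        if short in BROAD_PRINCIPALS and ace.rights & WRITE_RIGHTS:
            findings.append((ace.principal, sorted(ace.rights), ace.inherited))
    return findings


# Constructed icacls output for a fictional share; not captured from any real host.
SAMPLE_PATH = r"\\fs01\shared"
SAMPLE_ICACLS = r"""\\fs01\shared BUILTIN\Administrators:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              Everyone:(OI)(CI)(M)
              NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
              CORP\Domain Users:(OI)(CI)(I)(RX,W)
              CORP\Domain Users:(DENY)(OI)(CI)(WDAC)
              CORP\FileServer-Admins:(OI)(CI)(F)
              CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights, inherited in find_broad_write(parse_icacls(SAMPLE_ICACLS, SAMPLE_PATH)):
        origin = "inherited" if inherited else "explicit"
        print(f"RED FLAG: {principal} has {','.join(rights)} ({origin})")
```

Run it against saved `icacls` output from the share root and from a few subdirectories; an explicit entry on a subfolder that widens what the root grants is the "inheritance broken" case, and the `inherited` flag in each finding tells you which one you are looking at.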
5) Map to AD objects (who *should* have access)
Identify groups tied to the share and expand membership.

```bat
REM Enumerate group membership
net group "<GroupName>" /domain
```

BloodHound angle:
- Who can write to the share?
- Any service accounts or IT groups with overbroad access?
6) DFS-specific checks (if applicable)
```bat
dfsutil diag viewdfs \\domain.local\dfsroot
```

Look for:
- Mispointed targets
- Old servers still reachable
- Permissions that differ per target
7) Sensitive data discovery (light touch)
You’re looking for presence, not exfil.
Patterns to spot-check filenames:
- password, creds, backup, key, vault
- .kdbx, .pfx, .pem, .config, .xml, .ps1
- Old IT docs, onboarding, GPO exports
If allowed, hash filenames only or sample directory trees.
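The light-touch spot-check and the "hash filenames only" evidence rule above, as an added Python example (not part of the original note): it classifies a directory listing by the keyword and extension patterns listed, with a word-start boundary so that a name like "monkey" does not trip the "key" pattern, and emits one evidence record per hit that carries a truncated SHA-256 of the path rather than the path itself. The listing, the server name fs01 and the share layout are constructed; the keyword and extension sets are assumptions that extend the bullets above with a few obvious neighbours (passwd, .bak, .p12).

```python
import hashlib
import re
from collections import Counter
from pathlib import PureWindowsPath

# Name fragments and extensions worth a look; assumed set built from the bullets above.
KEYWORDS = ("password", "passwd", "creds", "credential", "backup",
            "key", "vault", "onboarding", "gpo")
EXTENSIONS = {".kdbx", ".pfx", ".pem", ".config", ".xml", ".ps1", ".bak", ".p12"}

# A keyword must start right after a non-letter so "monkey" does not hit "key".
KEYWORD_RES = {kw: re.compile(rf"(?<![a-z]){re.escape(kw)}") for kw in KEYWORDS}


def classify_path(path: str) -> list:
    """Reasons a UNC path deserves a closer look (empty list if none)."""
    lowered = path.lower()
    reasons = [f"keyword:{kw}" for kw, rx in KEYWORD_RES.items() if rx.search(lowered)]
    ext = PureWindowsPath(path).suffix.lower()
    if ext in EXTENSIONS:
        reasons.append(f"extension:{ext}")
    return reasons


def triage_listing(paths) -> list:
    """One evidence record per hit; the record holds a hash of the path, never the path."""
    hits = []
    for path in paths:
        reasons = classify_path(path)
        if reasons:
            hits.append({
                "evidence": hashlib.sha256(path.encode("utf-8")).hexdigest()[:16],
                "depth": len(PureWindowsPath(path).parts) - 1,   # how deep below the share root
                "reasons": reasons,
            })
    return hits


def summarize(hits) -> dict:
    """Count how often each reason fired, which is what goes in the report."""
    return dict(Counter(r for h in hits for r in h["reasons"]))


# Constructed directory listing for a fictional share; not taken from any real host.
SAMPLE_LISTING = [
    r"\\fs01\shared\IT\old\passwords.xlsx",
    r"\\fs01\shared\IT\backup\domain-gpo-export.xml",
    r"\\fs01\shared\IT\keepass\team.kdbx",
    r"\\fs01\shared\HR\onboarding\checklist.docx",
    r"\\fs01\shared\Finance\Q3-report.pdf",
    r"\\fs01\shared\Marketing\monkey-logo.png",
    r"\\fs01\shared\IT\scripts\deploy.ps1",
]

if __name__ == "__main__":
    hits = triage_listing(SAMPLE_LISTING)
    for h in hits:
        print(h["evidence"], "depth", h["depth"], ",".join(h["reasons"]))
    print(summarize(hits))
```

Feed it the output of a metadata-only listing (for example `ls` per directory in smbclient, or `find /mnt/share -type f` on a read-only mount) and keep the full path-to-hash mapping in your own engagement notes, so the deliverable shows counts and hashes while the client can still verify any individual hit on request.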
8) Abuse paths to test (only if in scope)
- Write access → drop file for DLL search order hijack?
- Logon scripts in shares referenced by GPOs?
- Service accounts reading from writable paths?
- Ransomware blast radius (write access breadth)
9) Reporting: what clients care about
Structure findings like this:
- Finding: Overbroad write access on \\server\share
- Impact: Credential exposure / lateral movement / ransomware
- Evidence: ACL output + group mapping
- Recommendation: Least privilege, remove broad groups, enable auditing