Search and explore local network shares
From ArchWiki
[edit] Discovering and accessing windows shares on your home network
This is how I connected to my girlfriend's Win98 machine over a cross-cable connection - I had to disable her firewall first of course (and mine strangely) to keep it simple. We are currently without an internet connection so we are not at any risk.
This doc is based on Access windows share for a user.
It is worth pointing that all the information gathered using the following tools is easily accessible by checking the settings of the machine you are connecting to - however, if you do it this way all the problems with having the wrong case or path should be more easily avoided - plus if the other machine is quite a distance away you don't want to have to keep going and checking, do you?
Of course you can also use this information to gain access to unprotected windows shares anywhere - this is illegal in most, if not all, places and not too mention rude. We do not condone this type of activity.
To protect yourself always use a firewall and if you must share folders password protect them, and don't put your credit card details in a file within a shared folder.
Here we go, run all this as root.
1) nmap lets us check which ports are open (I am using the 192.168.1.* IP address range as I know what the IPs are, you only need to know the IP to get started here)
nmap -sT 192.168.1.*
This gives the following results, the first result is her box, the second is mine.
Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT Interesting ports on 192.168.1.1: (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 139/tcp open netbios-ssn 5000/tcp open UPnP Interesting ports on 192.168.1.5: (The 1662 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 6000/tcp open X11 Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds
For connecting to windows shares we only need port 139 tho, so we do:
nmap -sT 192.168.1.* -p 139
Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:46 PHT Interesting ports on 192.168.1.1: PORT STATE SERVICE 139/tcp open netbios-ssn Interesting ports on 192.168.1.5: PORT STATE SERVICE 139/tcp closed netbios-ssn Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 5.696 seconds
2) Now we know the port we need is open we can use the nmblookup app to check which services are running - we know there are interesting ports on 192.168.1.1 so we just check those
nmblookup -A 192.168.1.1 Looking up status of 192.168.1.1 PUTER <00> - B <ACTIVE> HOMENET <00> - <GROUP> B <ACTIVE> PUTER <03> - B <ACTIVE> PUTER <20> - B <ACTIVE> HOMENET <1e> - <GROUP> B <ACTIVE> USER NAME <03> - B <ACTIVE> HOMENET <1d> - B <ACTIVE> ..''''MSBROWSE''''. <01> - <GROUP> B <ACTIVE>
so this tells us the status of the NetBios services - PUTER will be the computer name defined in Network Neighbourhood, HOMENET will be the workgroup name, USER NAME is just the name of the logged in user (I think)
Anyway, you need to look for the <20> which shows the name of the computer that has open services - in this case PUTER
3) Now we use smbclient to list which services are shared on PUTER. As you are all security concious people you will have passworded your shared folders in MS as it is notoriously insecure - you may be asked for a password at this point but just press enter and you should still get the list.
smbclient -L \\PUTER Sharename Type Comment --------- ---- ------- MY_MUSIC Disk SHAREDDOCS Disk PRINTER$ Disk PRINTER Printer IPC$ IPC Remote Inter Process Communication Server Comment --------- ------- PUTER Workgroup Master --------- ------- HOMENET PUTER
4) Now we know which folders are shared we can mount them locally :) The best way to do this is to create a folder called shares in /mnt, then add a dir for the machine name you are connecting to and a dir for the folder you are mounting:
mkdir -p /mnt/shares mkdir /mnt/shares/PUTER mkdir /mnt/shares/PUTER/MY_MUSIC
Then we use samba mount to mount the share, you can do this two ways:
smbmount //PUTER/MYMUSIC /mnt/shares/PUTER/MYMUSIC mount -t smbfs //PUTER/MYMUSIC /mnt/shares/PUTER/MYMUSIC
NOW it will ask you for the folder sharing password which you SHOULD set for all windows shares - enter the password and it should mount the folder on the specified point. If you don't want to have to give the password separately you can just use the option switch -o
smbmount //PUTER/MYMUSIC /mnt/shares/PUTER/MYMUSIC -o password=folder_password mount -t smbfs -o password=folderpassword //PUTER/MYMUSIC /mnt/shares/PUTER/MY_MUSIC
If you don't use passwords for your shared folders, you are: a) exposing yourself to hackers, and you can see how easy it is for them b) able to use the guest option
smbmount //PUTER/MYMUSIC /mnt/shares/PUTER/MYMUSIC -o guest
this will fail if the folder IS passworded.
You can also add these commands to fstab to simplify the process and have shares mounted at startup for example:
//PUTER/MYMUSIC /mnt/shares/PUTER/MYMUSIC smbfs user,noatime,usernameusername,passwordfolder_password 0 0