4.1 NetShareEnum
The following diagram demonstrates the steps taken to enumerate the shares on a remote server by using the Remote Administration Protocol. Assume that this sequence is executed over an existing SMB connection established between the client and the server. The underlying SMB transaction request and response are included for clarity.
Figure 2: Enumeration of shares
The client sends a Remote Administration Protocol request for the NetShareEnum command to the server in an SMB transaction request.
Smb: C; Transact, FileName = \PIPE\LANMAN
  Protocol: SMB
  Command: Transact 37(0x25)
  DOSError: No Error
    ErrorClass: No Error
    Reserved: 0 (0x0)
    Error: No Error
  SMBHeader: Command, TID: 0x0800, PID: 0x74B2, UID: 0x0800, MID: 0x4681
    Flags: 0 (0x0)
    Flags2: 32768 (0x8000)
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 2048 (0x800)
    ProcessID: 29874 (0x74B2)
    UserID: 2048 (0x800)
    MultiplexID: 18049 (0x4681)
  CTransaction:
    WordCount: 14 (0xE)
    TotalParameterCount: 19 (0x13)
    TotalDataCount: 0 (0x0)
    MaxParameterCount: 8 (0x8)
    MaxDataCount: 4096 (0x1000)
    MaxSetupCount: 0 (0x0)
    Reserved1: 0 (0x0)
    Flags: Do not disconnect TID
      BIT0: ...............0 Do not disconnect TID
    Timeout: 5000 sec(s)
    Reserved2: 0 (0x0)
    ParameterCount: 19 (0x13)
    ParameterOffset: 90 (0x5A)
    DataCount: 0 (0x0)
    DataOffset: 0 (0x0)
    SetupCount: 0 (0x0)
    Reserved3: 0 (0x0)
    ByteCount: 46 (0x2E)
    Pad: 210 (0xD2)
    UnicodeFileName: \PIPE\LANMAN
    Parameters: RAPParams and NetShareEnum request (19 Bytes)
      00 00 57 72 4C 65 68 00 42 31 33 42 57 7A 00 01  (..WrLeh.B13BWz..)
      00 00 10                                         (...)
The server responds with the list of shares for this server. In this situation, the server has four shares: C$ with a Remark of "Default share", IPC$ with a Remark of "Remote IPC", ADMIN$ with a Remark of "Remote Admin", and D$ with a Remark of "Default share".
Smb: R; Transact
  Protocol: SMB
  Command: Transact 37(0x25)
  DOSError: No Error
    ErrorClass: No Error
    Reserved: 0 (0x0)
    Error: No Error
  SMBHeader: Response, TID: 0x0800, PID: 0x74B2, UID: 0x0800, MID: 0x4681
    Flags: 128 (0x80)
    Flags2: 32768 (0x8000)
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 2048 (0x800)
    ProcessID: 29874 (0x74B2)
    UserID: 2048 (0x800)
    MultiplexID: 18049 (0x4681)
  RTransaction:
    WordCount: 10 (0xA)
    TotalParameterCount: 8 (0x8)
    TotalDataCount: 132 (0x84)
    Reserved: 0 (0x0)
    ParameterCount: 8 (0x8)
    ParameterOffset: 56 (0x38)
    ParamDisplacement: 0 (0x0)
    DataCount: 132 (0x84)
    DataOffset: 64 (0x40)
    DataDisplacement: 0 (0x0)
    SetupCount: 0 (0x0)
    Reserved1: 0 (0x0)
    ByteCount: 141 (0x8D)
    Pad1: Binary Large Object (1 Bytes)
    Parameters: ErrorCode, Converter, and RAPOutParams for NetShareEnum (8 Bytes)
      00 00 7C 0F 04 00 04 00                          (..|.....)
    Data: RAP NetShareInfo1 Array (132 Bytes)
      43 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (C$..............)
      F2 0F 00 00 49 50 43 24 00 00 00 00 00 00 00 00  (ò...IPC$........)
      00 00 03 00 E7 0F 00 00 41 44 4D 49 4E 24 00 00  (....ç...ADMIN$..)
      00 00 00 00 00 00 00 00 DA 0F 00 00 44 24 00 00  (........Ú...D$..)
      00 00 00 00 00 00 00 00 00 00 00 00 CC 0F 00 00  (............Ì...)
      44 65 66 61 75 6C 74 20 73 68 61 72 65 00 52 65  (Default share.Re)
      6D 6F 74 65 20 41 64 6D 69 6E 00 52 65 6D 6F 74  (mote Admin.Remot)
      65 20 49 50 43 00 44 65 66 61 75 6C 74 20 73 68  (e IPC.Default sh)
      61 72 65 00                                      (are.)
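The following worked example is added here to show how the 19-byte NetShareEnum request parameter block above is built and how the 8-byte response parameter block and the 132-byte SHARE_INFO_1 array are decoded; it is example code, not part of the specification or any Microsoft implementation. The byte strings are transcribed from the trace above. The field names (RAPOpcode, ParamDesc, DataDesc, InfoLevel, ReceiveBufferSize, Converter) follow the descriptor strings "WrLeh" and "B13BWz" shown in the request; the decoding rule for the remark pointer (low 16 bits of the pointer minus the Converter, taken modulo 2^16, as an offset into the data block) is assumed from how the four pointers in the trace resolve. The parser treats every offset as untrusted and bounds-checks it before dereferencing, which is the part a receiver implementing this format must get right.

```python
import struct

# RAPOpcode value for NetShareEnum as carried in the first two bytes of the request.
NET_SHARE_ENUM_OPCODE = 0
# Descriptor strings exactly as they appear in the trace ("WrLeh" and "B13BWz").
PARAM_DESC = b"WrLeh\x00"
DATA_DESC = b"B13BWz\x00"
# SHARE_INFO_1 fixed part per "B13BWz": 13-byte name, 1 pad byte, WORD type, DWORD remark pointer.
SHARE_INFO_1 = struct.Struct("<13sBHI")

# Bytes transcribed from the trace above (constructed test input for this example).
REQUEST_PARAMS = bytes.fromhex("0000" "57724C656800" "42313342577A00" "0100" "0010")
RESPONSE_PARAMS = bytes.fromhex("00007C0F04000400")
RESPONSE_DATA = bytes.fromhex(
    "43240000000000000000000000000000"
    "F20F0000495043240000000000000000"
    "00000300E70F000041444D494E240000"
    "0000000000000000DA0F000044240000"
    "000000000000000000000000CC0F0000"
    "44656661756C74207368617265005265"
    "6D6F74652041646D696E0052656D6F74"
    "652049504300"
    "44656661756C74207368"
    "61726500"
)


def build_request(info_level=1, receive_buffer_size=4096):
    """Build the RAP parameter block for NetShareEnum: opcode, two descriptor
    strings, then the two WORD parameters named by "WrLeh" (level and buffer size)."""
    return (struct.pack("<H", NET_SHARE_ENUM_OPCODE)
            + PARAM_DESC + DATA_DESC
            + struct.pack("<HH", info_level, receive_buffer_size))


def _cstring(buf, offset):
    """Read a NUL-terminated ASCII string; refuse to run past the end of the buffer."""
    end = buf.find(b"\x00", offset)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % offset)
    return buf[offset:end].decode("ascii")


def parse_response(params, data):
    """Decode the 8-byte output parameters and the SHARE_INFO_1 array.
    Returns (error_code, [(net_name, share_type, remark), ...])."""
    if len(params) < 8:
        raise ValueError("response parameter block too short")
    error_code, converter, entries_returned, entries_available = struct.unpack("<HHHH", params[:8])
    if error_code != 0:
        return error_code, []
    fixed_len = SHARE_INFO_1.size * entries_returned
    if fixed_len > len(data):
        raise ValueError("EntriesReturned=%d exceeds data block of %d bytes" % (entries_returned, len(data)))
    shares = []
    for i in range(entries_returned):
        off = i * SHARE_INFO_1.size
        name_raw, _pad, share_type, remark_ptr = SHARE_INFO_1.unpack_from(data, off)
        net_name = name_raw.split(b"\x00", 1)[0].decode("ascii")
        # Assumed pointer rule: low 16 bits minus Converter gives the offset of the remark
        # string within the data block. Strings follow the fixed-size entries, so an
        # offset that lands inside the entry array or past the end is rejected.
        remark_off = ((remark_ptr & 0xFFFF) - converter) & 0xFFFF
        if not fixed_len <= remark_off < len(data):
            raise ValueError("remark pointer 0x%08X for %s points outside the string area" % (remark_ptr, net_name))
        shares.append((net_name, share_type, _cstring(data, remark_off)))
    return error_code, shares


if __name__ == "__main__":
    assert build_request() == REQUEST_PARAMS
    code, shares = parse_response(RESPONSE_PARAMS, RESPONSE_DATA)
    for name, stype, remark in shares:
        print("%-8s type=%d  %s" % (name, stype, remark))
```

Running the block reproduces the four shares listed above (C$, IPC$, ADMIN$, D$ with their remarks; IPC$ carries share type 3, the others type 0). The Converter value 0x0F7C from the trace is what turns the pointer 0x0FF2 in the C$ entry into offset 118, the second "Default share" string.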