4.1 NetShareEnum

The following diagram demonstrates the steps taken to enumerate the shares on a remote server by using the Remote Administration Protocol. Assume that this sequence is executed over an existing SMB connection established between the client and the server. The underlying SMB transaction request and response are included for clarity.

Figure 2: Enumeration of shares

  1. The client sends a Remote Administration Protocol request for the NetShareEnum command to the server in an SMB transaction request.

     Smb: C; Transact, FileName = \PIPE\LANMAN
      Protocol: SMB
      Command: Transact 37(0x25)
      DOSError: No Error
       ErrorClass: No Error
       Reserved: 0 (0x0)
       Error: No Error
      SMBHeader: Command, TID: 0x0800, PID: 0x74B2, UID: 0x0800,
                 MID: 0x4681
       Flags: 0 (0x0)
       Flags2: 32768 (0x8000)
       PIDHigh: 0 (0x0)
       SecuritySignature: 0x0
       Reserved: 0 (0x0)
       TreeID: 2048 (0x800)
       ProcessID: 29874 (0x74B2)
       UserID: 2048 (0x800)
       MultiplexID: 18049 (0x4681)
      CTransaction: 
       WordCount: 14 (0xE)
       TotalParameterCount: 19 (0x13)
       TotalDataCount: 0 (0x0)
       MaxParameterCount: 8 (0x8)
       MaxDataCount: 4096 (0x1000)
       MaxSetupCount: 0 (0x0)
       Reserved1: 0 (0x0)
       Flags: Do not disconnect TID
        BIT0: ...............0 Do not disconnect TID
       Timeout: 5000 sec(s)
       Reserved2: 0 (0x0)
       ParameterCount: 19 (0x13)
       ParameterOffset: 90 (0x5A)
       DataCount: 0 (0x0)
       DataOffset: 0 (0x0)
       SetupCount: 0 (0x0)
       Reserved3: 0 (0x0)
       ByteCount: 46 (0x2E)
       Pad: 210 (0xD2)
       UnicodeFileName: \PIPE\LANMAN
       Parameters: RAPParams and NetShareEnum request (19 Bytes)
          00 00 57 72 4C 65 68 00 42 31 33 42 57 7A 00 01   (..WrLeh.B13BWz..)
          00 00 10                                          (...)
    
  2. The server responds with the list of shares for this server. In this situation, the server has four shares: C$ with a Remark of "Default share", IPC$ with a Remark of "Remote IPC", ADMIN$ with a Remark of "Remote Admin", and D$ with a Remark of "Default share".

     Smb: R; Transact
      Protocol: SMB
      Command: Transact 37(0x25)
      DOSError: No Error
       ErrorClass: No Error
       Reserved: 0 (0x0)
       Error: No Error
      SMBHeader: Response, TID: 0x0800, PID: 0x74B2, UID: 0x0800,
                 MID: 0x4681
       Flags: 128 (0x80)
       Flags2: 32768 (0x8000)
       PIDHigh: 0 (0x0)
       SecuritySignature: 0x0
       Reserved: 0 (0x0)
       TreeID: 2048 (0x800)
       ProcessID: 29874 (0x74B2)
       UserID: 2048 (0x800)
       MultiplexID: 18049 (0x4681)
      RTransaction: 
       WordCount: 10 (0xA)
       TotalParameterCount: 8 (0x8)      
       TotalDataCount: 132 (0x84)
       Reserved: 0 (0x0)
       ParameterCount: 8 (0x8)
       ParameterOffset: 56 (0x38)
       ParamDisplacement: 0 (0x0)
       DataCount: 132 (0x84)
       DataOffset: 64 (0x40)
       DataDisplacement: 0 (0x0)
       SetupCount: 0 (0x0)
       Reserved1: 0 (0x0)
       ByteCount: 141 (0x8D)
       Pad1: Binary Large Object (1 Bytes)
       Parameters: ErrorCode, Converter, and RAPOutParams for 
                   NetShareEnum (8 Bytes)
          00 00 7C 0F 04 00 04 00                           (..|.....)   
       Data: RAP NetShareInfo1 Array (132 Bytes)
          43 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00   (C$..............)
          F2 0F 00 00 49 50 43 24 00 00 00 00 00 00 00 00   (ò...IPC$........)
          00 00 03 00 E7 0F 00 00 41 44 4D 49 4E 24 00 00   (....ç...ADMIN$..)
          00 00 00 00 00 00 00 00 DA 0F 00 00 44 24 00 00   (........Ú...D$..)
          00 00 00 00 00 00 00 00 00 00 00 00 CC 0F 00 00   (............Ì...)
          44 65 66 61 75 6C 74 20 73 68 61 72 65 00 52 65   (Default share.Re)
          6D 6F 74 65 20 41 64 6D 69 6E 00 52 65 6D 6F 74   (mote Admin.Remot)
          65 20 49 50 43 00 44 65 66 61 75 6C 74 20 73 68   (e IPC.Default sh)
          61 72 65 00                                       (are.)
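The two dumps above are easier to follow once the Parameters and Data blobs are decoded. The following Python decoder is an added example and is not part of the specification; it takes the request Parameters, the response Parameters and the response Data exactly as shown in the hex dumps (embedded here as constructed sample bytes), checks the descriptor strings, and resolves each share_info_1 remark pointer by subtracting the Converter from the pointer's low 16 bits to get an offset into the Data buffer. The field and function names are this example's own choices; the descriptor semantics ("W" = uint16, "B13" = 13-byte block, "z" = pointer to a null-terminated string) follow the RAP descriptor-string rules. Bounds checks are included so that a malformed or hostile response (an out-of-range Converter or pointer, or more entries than the buffer holds) is rejected instead of read past the buffer.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Sample bytes constructed from the hex dumps in this section (request
# Parameters, response Parameters and response Data, in that order).
NETSHAREENUM_REQUEST_PARAMS = bytes.fromhex(
    "0000"               # RAPOpcode 0 = NetShareEnum
    "5772 4c65 6800"     # ParamDesc "WrLeh\0"
    "4231 3342 577a 00"  # DataDesc  "B13BWz\0"
    "0100"               # InfoLevel 1
    "0010"               # ReceiveBufferSize 0x1000
)
NETSHAREENUM_RESPONSE_PARAMS = bytes.fromhex("0000 7c0f 0400 0400")
NETSHAREENUM_RESPONSE_DATA = bytes.fromhex(
    "43240000000000000000000000000000"
    "f20f0000495043240000000000000000"
    "00000300e70f000041444d494e240000"
    "0000000000000000da0f000044240000"
    "000000000000000000000000cc0f0000"
    "44656661756c74207368617265005265"
    "6d6f74652041646d696e0052656d6f74"
    "65204950430044656661756c74207368"
    "61726500"
)

# share_info_1 Type values (LAN Manager STYPE_* constants).
SHARE_TYPES = {0: "STYPE_DISKTREE", 1: "STYPE_PRINTQ", 2: "STYPE_DEVICE", 3: "STYPE_IPC"}
ENTRY_SIZE = 13 + 1 + 2 + 4  # B13 name, B pad, W type, z remark pointer


def _cstring(buf: bytes, start: int) -> str:
    """Read a null-terminated ASCII string starting at buf[start]."""
    end = buf.index(b"\x00", start)  # ValueError if no terminator: malformed
    return buf[start:end].decode("ascii")


@dataclass
class NetShareEnumRequest:
    opcode: int
    param_desc: str
    data_desc: str
    info_level: int
    recv_buffer_size: int


def parse_netshareenum_request(params: bytes) -> NetShareEnumRequest:
    """Decode the RAPParams + NetShareEnum request carried in the SMB Transact."""
    opcode = struct.unpack_from("<H", params, 0)[0]
    pos = 2
    param_desc = _cstring(params, pos)
    pos += len(param_desc) + 1
    data_desc = _cstring(params, pos)
    pos += len(data_desc) + 1
    info_level, recv_size = struct.unpack_from("<HH", params, pos)
    if opcode != 0 or param_desc != "WrLeh" or data_desc != "B13BWz":
        raise ValueError("not a level-1 NetShareEnum request")
    return NetShareEnumRequest(opcode, param_desc, data_desc, info_level, recv_size)


@dataclass
class ShareInfo1:
    name: str
    share_type: int
    remark: str

    @property
    def type_name(self) -> str:
        return SHARE_TYPES.get(self.share_type, f"unknown(0x{self.share_type:04x})")


def parse_netshareenum_response(params: bytes, data: bytes) -> Tuple[int, int, List[ShareInfo1]]:
    """Decode the response Parameters (status, Converter, counts) and the
    share_info_1 array in Data; returns (status, entries_available, shares)."""
    status, converter, returned, available = struct.unpack_from("<HHHH", params, 0)
    if returned * ENTRY_SIZE > len(data):
        raise ValueError("entry count exceeds the Data buffer")
    shares = []
    for i in range(returned):
        name_raw, share_type, remark_ptr = struct.unpack_from("<13sxHI", data, i * ENTRY_SIZE)
        name = name_raw.split(b"\x00", 1)[0].decode("ascii")
        remark = ""
        if remark_ptr:
            # Pointer fixup: the low 16 bits minus the Converter is the offset
            # of the string inside the Data buffer.
            offset = ((remark_ptr & 0xFFFF) - converter) & 0xFFFF
            if offset >= len(data):
                raise ValueError(f"remark pointer for {name!r} points outside Data")
            remark = _cstring(data, offset)
        shares.append(ShareInfo1(name, share_type, remark))
    return status, available, shares


if __name__ == "__main__":
    req = parse_netshareenum_request(NETSHAREENUM_REQUEST_PARAMS)
    print(f"request: level={req.info_level} buffer={req.recv_buffer_size}")
    status, avail, shares = parse_netshareenum_response(
        NETSHAREENUM_RESPONSE_PARAMS, NETSHAREENUM_RESPONSE_DATA)
    print(f"status={status} available={avail}")
    for s in shares:
        print(f"  {s.name:<8} {s.type_name:<15} {s.remark}")
```

Running it reproduces the four shares the text lists: the pointers 0x0FF2, 0x0FE7, 0x0FDA and 0x0FCC, minus the Converter 0x0F7C, give offsets 118, 107, 94 and 80 into Data, which is where "Default share", "Remote IPC", "Remote Admin" and "Default share" sit after the 80 bytes of fixed-size entries. The bounds checks matter on the receiving side: a decoder that trusts the Converter and pointers blindly will read outside the buffer on a crafted response.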