During a penetration test, you have identified several Windows endpoints listening on TCP port 445. You suspect that some of these hosts expose administrative shares such as C$ and ADMIN$ that are not visible through the normal network browser. Which action will MOST likely enumerate both regular and hidden shares so you can inspect their contents?
Launch an NTLM relay attack to forward SMB authentication between hosts
Run the Nmap smb-enum-shares script (or use smbclient -L) against each host
Execute the Nmap smb-enum-users script to list valid domain accounts
Perform a password-spray attack against the RDP service on each endpoint
Tools such as Nmap's smb-enum-shares NSE script or the smbclient -L //host command query the Server Service and return every file share registered on a Windows computer, including hidden administrative shares whose names end with a dollar sign. Scripts like smb-enum-users enumerate accounts, while NTLM relay attacks and RDP password spraying focus on credential capture, not share discovery, and therefore will not list the shares you are looking for.