Shared folders in organizations are very common and bad practices among users present a major risk. Even if the shared folder isn't completely open to the world, it is not uncommon to find misconfigured permissions that give anyone in the organization access to sensitive information.
This recipe shows how to list shared folders of Windows machines with Nmap.
Open your terminal and enter the following Nmap command:
$ nmap -p139,445 --script smb-enum-shares --script-args smbusername=Administrator,smbpassword=Password <target>
A list of shares will be returned including their permissions:
Host script results: | smb-enum-shares: | account_used: WORKGROUP\Administrator | ADMIN$ | Type: STYPE_DISKTREE_HIDDEN | Comment: Remote Admin | Users: 0 | Max Users: <unlimited> | Path: C:\WINNT | Anonymous access: <none> | Current user access: READ/WRITE | C$ | Type: STYPE_DISKTREE_HIDDEN...