Network Share Enumeration

The netshares command can be run with or without parameters. It can take two optional arguments. The first argument is the host you want to scan. If you don’t specify a host, it will scan localhost. The second optional argument is privs. If you specify this argument, then badger will check whether it has administrative privileges on the host. But unlike most share enumeration tools which try to check privileges on the admin share, this command performs some magic without touching the admin share C$. This helps to avoid the usual detections techniques while checking for privileges on the remote host at the same time. The below figure shows an unprivileged query to the domain controller (BRDC01) with privs argument which returns Error 5 which stands for GetLastError access denied.