Use PowerShell to Discover and Record File Shares
An old college professor of mine once gave our class some simple yet sound advice; know your network. I didn’t realize it at the time but that his statement would stick with me and be something that I’d repeat to new hires and colleagues. So here you go Steve, I am writing this article for you.
Today’s Tip-of-the-Week is about knowing your network, specifically the file shares that it contains. Knowing what file shares exist and having a complete list of them can not only help with audits, but it will also help ensure you know what’s on your network and that it’s secure.
Here is an overview of how the script will work:
- First, you will use Powershell’s Test-Connection to ping sweep the entire network.
- Then, any successful pings will translate the IP address to their DNS name.
- Next, you will enumerate the computer shares using WMI.
- Lastly, you will store the following in a .csv file: computer name, local path of the share, the share name, and the UNC path.
Please note, you're going to omit the hidden admin shares from our search as those are defaults and can be found on any network. Default admin shares are C$, D$, E$, etc. We’re only concerned with the non-default shares, which are the ones end users can access.
Here are the steps:
- First, you need to modify the Powershell script. Everything in bold will need to be modified to match your environment. Don’t be intimidated though, just the IP address range, network address, and optionally the file names and paths need to be modified.
######################Beginning of script######################
#Use Test-Connection to ping sweep the entire subnet network. Modify the #$start, $end and $ip variables to match your network.
$start = 1
$end = 254
$start..$end | foreach {
$ip = "192.168.15.0" -replace "0$",$_
Write-Host "Pinging $IP" -Foregroundcolor Cyan
$status = (Test-Connection $ip -Count 1 -Quiet)
$ErrorActionPreference = "silentlycontinue"
$Result = $null
#Pass the IP address to .Net for DNS name resolution.
$Result = [System.Net.Dns]::gethostentry($IP)
#Begin processing the results
#If the ping result is true then enumerate the shares. Optionally you can change #the bolded file name
If ($Result)
{
$MyResult = [string]$Result.HostName
write-Host "Resolved. Enumerating shares from $MyResult" -ForegroundColor Green
get-wmiobject win32_share -computer $ip | where {$_.name -NotLike "*$"} | sort-object -property path | select-object __server,Name,Path | export-csv .\wmi-server-shares-temp.csv -notypeinformation -encoding ASCII -force -Append
}
#If the ping result is false, don’t enumerate but export to a csv. Optionally you can #change the bolded file name.
Else
{
$MyResult = "unresolved"
Write-Host "Hostname for $IP $MyResult" -foregroundcolor Red
$ip | export-csv .\wmi-servers-not-resolved.csv -notypeinformation -encoding ASCII -force -Append
}
#UNCPath. Optionally you can change the bolded file name
$folder = import-csv .\wmi-server-shares-temp.csv | Select-Object -ExpandProperty Name
foreach ($i in $folder)
{
$uncpath = ForEach-Object {("\\"+$MyResult + "\" +$i)}
Write-Host "$uncpath"
import-csv .\wmi-server-shares-temp.csv | Select *, @{Name="UNCPath";Expression={$uncpath}} | export-csv .\wmi-server-shares.csv -Append -Force -NoTypeInformation
}
}
########################End of script#########################
-
Save the script to wherever you’d like. Be sure to give it the .ps1 file extension.
-
To run the script, open Powershell as an administrator.
-
Then type .\filename.ps1 and click press enter.
-
The script will create output similar to this:
That’s all there is to it. Now you have a script that can audit your network and document all the file shares.
We would like to hear from all of you! If there is anything you’d like to see in a future Tip-of-the-Week article, please reach out to us online at https://www.watchpointdata.com/contact or email us at info@watchpointdata.com.