FindDomainShare - Crawl through the Entire Domain and Instantly See What You Can Access
Access auditing during domain enumeration is often a recursive process: every new credential or privilege obtained can reopen the door to a fresh round of discovery. Done manually, this continuous cycle of privilege escalation and network reconnaissance becomes tedious and time-consuming.
Over the years, several tools have emerged to streamline domain enumeration workflows. Among the most widely used are the Find-DomainShare cmdlet from PowerView and NetExec (formerly CrackMapExec). PowerView has long been a staple for SMB share enumeration on Windows, while NetExec has evolved into a versatile exploitation framework capable of performing wide-ranging Active Directory operations from any platform.
However, both tools come with trade-offs. PowerView is PowerShell-based, lacks built-in access validation, and requires access to a Windows host. NetExec is powerful but broader in scope: its share enumeration features are part of a larger framework that is not optimized for precision auditing or OS fingerprinting.
To address these gaps, I created FindDomainShare: a fast, modular, cross-platform tool purpose-built for SMB share enumeration, permission auditing, and local admin detection across all domain-joined hosts. It is a single, scalable Python script designed for red teamers, penetration testers, blue team defenders, and system administrators alike, that is, anyone who needs a clear, actionable view of file share exposure and access control in a Windows domain environment.
Here’s how it compares to PowerView’s Find-DomainShare and NetExec:
Feature | FindDomainShare | Find-DomainShare (PowerView) | NetExec (GitHub) |
---|---|---|---|
Language | Python | PowerShell | Python |
Platform | Cross-platform (Linux, Windows, macOS) | Windows only | Cross-platform (Linux, Windows) |
Dependencies | Impacket, tqdm | .NET Framework, PowerShell | Impacket |
Domain Host Discovery | ✅ Via LDAP (AD enumeration) | ✅ Via LDAP | ❌ No |
SMB Share Enumeration | ✅ Yes | ✅ Yes | ✅ Yes |
Read/Write Access Testing | ✅ Built-in SMB read/write tests per share | ❌ Not included | ✅ Shows access level (RO/RW/Admin) |
Admin Access Detection | ✅ Yes | ❌ No | ✅ Yes |
OS Version Enumeration | ✅ Yes (via SMB fingerprinting) | ❌ No | ✅ Yes (via SMB info) |
Share Comments / Remarks | ✅ Yes | ❌ No | ✅ Yes |
Multi-threaded Scanning | ✅ Yes | ❌ No | ✅ Yes (multithreaded modules) |
Output Options | Console, JSON, CSV | Text only | Console, JSON |
Authentication Methods | NTLM, TGT, AES, Hashes, password | Current user context (Kerberos/NTLM) | NTLM, Kerberos, Hashes, Certificates |
Can Run Remotely | ✅ Yes | ⚠️ Usually needs domain-joined Windows | ✅ Yes |
Stealth / OPSEC | ⚠️ Loud (SMB logins & file writes) | 🟡 More stealthy (in-memory possible) | ⚠️ Loud (parallel SMB auth attempts) |
Passwordless Auth Support | ✅ Hashes, tickets, AES keys | ⚠️ Limited | ✅ Full (hashes, tickets, certs, etc.) |
Customization & Extensibility | ✅ Modular, scriptable | 🟡 Scriptable, not modular | ✅ Plugin-based module system |
Ideal For | Focused recon + permission auditing | Classic PowerShell-based AD recon | Full-featured AD offensive toolkit |
Installation
The installation is straightforward. If you are using Kali, the Impacket suite and tqdm are installed by default.
┌──(kali㉿kali)-[/tmp]
└─$ git clone https://github.com/TacticalGator/FindDomianShare
Cloning into 'FindDomianShare'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (7/7), 21.95 KiB | 1.69 MiB/s, done.
┌──(kali㉿kali)-[/tmp]
└─$ python3 FindDomianShare/FindDomianShare.py
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
usage: FindDomianShare.py [-h] [-computer-name COMPUTER_NAME]
[-check-access] [-check-admin]
[-skip-default] [-threads THREADS]
[-retries RETRIES]
[-retry-delay RETRY_DELAY]
[-output {console,json,csv,all}]
[-output-file OUTPUT_FILE] [-ts]
[-debug] [-base-dn BASE_DN]
[-hashes LMHASH:NTHASH] [-no-pass] [-k]
[-aesKey hex key] [-dc-ip ip address]
[-dc-host hostname]
target
You can simply clone the repo and run the script as is. Otherwise, you need to install the Impacket suite as well as
Usage
While the tool supports TGTs, cleartext passwords, NTLM hashes, and Kerberos keys, the -k flag is required to enforce Kerberos protocol handling. Additionally, network access to the Domain Controller (DC) is mandatory, because the tool must reach the Kerberos Key Distribution Center (KDC) and use the ticket caches.
┌──(kali㉿kali)-[/tmp/FindDomianShare]
└─$ KRB5CCNAME=john.doe@dc01.example.com.ccache python3 FindDomianShare.py example.COM/john.doe@dc01.example.com -k -no-pass -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-07-21 16:08:48
[*] Connecting to LDAP at dc01
[*] LDAPS connection successful
[*] Found 1 computers in the domain
[*] Found 6 shares on dc01.example.com
[*] Enumeration completed in 0:00:00.576541. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type OS Remark
----------------------------------------------------------------------------------------------------
dc01.example.com ADMIN$ Unknown (Hidden) Windows Server 2022 Remote Admin
dc01.example.com C$ Unknown (Hidden) Windows Server 2022 Default share
dc01.example.com IPC$ Disk (Hidden) Windows Server 2022 Remote IPC
dc01.example.com company Unknown Windows Server 2022 company share
dc01.example.com NETLOGON Unknown Windows Server 2022 Logon server share
dc01.example.com SYSVOL Unknown Windows Server 2022 Logon server share
The recommended use is to always leverage the pass-the-ticket technique for authentication, as that is the superior OPSEC practice.
┌──(kali㉿kali)-[/tmp/FindDomianShare]
└─$ python3 ./FindDomianShare.py EXAMPLE.COM/john.doe@dc01.example.com -k -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Starting domain share enumeration at 2025-07-21 16:27:15
[*] Connecting to LDAP at dc01
[-] CCache file is not found. Skipping...
[*] LDAPS connection successful
[*] Found 1 computers in the domain
[-] CCache file is not found. Skipping...
[*] Found 6 shares on dc01.example.com
[*] Enumeration completed in 0:00:00.964443. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type OS Remark
----------------------------------------------------------------------------------------------------
dc01.example.com ADMIN$ Unknown (Hidden) Windows Server 2022 Remote Admin
dc01.example.com C$ Unknown (Hidden) Windows Server 2022 Default share
dc01.example.com IPC$ Disk (Hidden) Windows Server 2022 Remote IPC
dc01.example.com company Unknown Windows Server 2022 company share
dc01.example.com NETLOGON Unknown Windows Server 2022 Logon server share
dc01.example.com SYSVOL Unknown Windows Server 2022 Logon server share
Cleartext password authentication.
┌──(kali㉿kali)-[/tmp/FindDomianShare]
└─$ python3 ./FindDomianShare.py EXAMPLE.COM/john.doe@dc01.example.com -k -hashes :510037c67d52760ca076ef199fd26c51 -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-07-21 16:26:28
[*] Connecting to LDAP at dc01
[-] CCache file is not found. Skipping...
[*] LDAPS connection successful
[*] Found 1 computers in the domain
[-] CCache file is not found. Skipping...
[*] Found 6 shares on dc01.example.com
[*] Enumeration completed in 0:00:00.729078. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type OS Remark
----------------------------------------------------------------------------------------------------
dc01.example.com ADMIN$ Unknown (Hidden) Windows Server 2022 Remote Admin
dc01.example.com C$ Unknown (Hidden) Windows Server 2022 Default share
dc01.example.com IPC$ Disk (Hidden) Windows Server 2022 Remote IPC
dc01.example.com company Unknown Windows Server 2022 company share
dc01.example.com NETLOGON Unknown Windows Server 2022 Logon server share
dc01.example.com SYSVOL Unknown Windows Server 2022 Logon server share
NTLM hash.
┌──(kali㉿kali)-[/tmp/FindDomianShare]
└─$ python3 ./FindDomianShare.py EXAMPLE.COM/john.doe@dc01.example.com -k -aesKey 9e562dc6076f467d1906674f24e5a5a3760c5f07a509b5d194b3bfb864398d70 -dc-ip $IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-07-21 16:25:31
[*] Connecting to LDAP at dc01
[-] CCache file is not found. Skipping...
[*] LDAPS connection successful
[*] Found 1 computers in the domain
[-] CCache file is not found. Skipping...
[*] Found 6 shares on dc01.example.com
[*] Enumeration completed in 0:00:00.731753. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type OS Remark
----------------------------------------------------------------------------------------------------
dc01.example.com ADMIN$ Unknown (Hidden) Windows Server 2022 Remote Admin
dc01.example.com C$ Unknown (Hidden) Windows Server 2022 Default share
dc01.example.com IPC$ Disk (Hidden) Windows Server 2022 Remote IPC
dc01.example.com company Unknown Windows Server 2022 company share
dc01.example.com NETLOGON Unknown Windows Server 2022 Logon server share
dc01.example.com SYSVOL Unknown Windows Server 2022 Logon server share
Kerberos key.
┌──(kali㉿kali)-[/tmp/FindDomianShare]
└─$ KRB5CCNAME=john.doe@dc01.example.com.ccache python3 ./FindDomianShare.py EXAMPLE.COM/john.doe@dc01.example.com -k -no-pass -dc-ip $IP -check-access -check-admin
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-07-21 16:14:19
[*] Connecting to LDAP at dc01
[*] LDAPS connection successful
[*] Found 1 computers in the domain
[*] Found 6 shares on dc01.example.com
[*] Enumeration completed in 0:00:01.683444. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type Admin Read Write OS Remark
----------------------------------------------------------------------------------------------------
dc01.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2022 Remote Admin
dc01.example.com C$ Unknown (Hidden) No No No Windows Server 2022 Default share
dc01.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2022 Remote IPC
dc01.example.com company Unknown No Yes Yes Windows Server 2022 company share
dc01.example.com NETLOGON Unknown No Yes No Windows Server 2022 Logon server share
dc01.example.com SYSVOL Unknown No Yes No Windows Server 2022 Logon server share
The -check-access and -check-admin flags can be used to evaluate both read/write permissions and administrative access.
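To make the probe semantics concrete, here is an added example (my own code, not FindDomainShare's) of a per-share read/write test plus a host-wide admin verdict, written against the impacket SMBConnection methods listPath, putFile and deleteFile and run here against an in-memory fake connection so it needs no network. The marker-file name prefix and the fake connection are assumptions of this example, not the tool's implementation.

```python
import uuid
from collections import namedtuple
ShareAccess = namedtuple("ShareAccess", "share admin read write")
MARKER_PREFIX = "share_access_probe_"   # marker file name prefix (my choice, not the tool's)

def check_share(conn, share, admin):
    """Probe one share with impacket SMBConnection-style calls: listPath(share, path),
    putFile(share, path, callback) and deleteFile(share, path)."""
    try:                                   # read test: can the share root be listed?
        conn.listPath(share, "*")
        read = True
    except Exception:
        read = False
    marker = MARKER_PREFIX + uuid.uuid4().hex + ".tmp"   # unique, so it never clobbers real data
    try:                                   # write test: create an empty marker file
        conn.putFile(share, marker, lambda _size: b"")  # returning b"" ends the upload at once
    except Exception:
        return ShareAccess(share, admin, read, False)
    try:                                   # clean up, and say so loudly if that fails
        conn.deleteFile(share, marker)
    except Exception:
        print(f"[!] could not remove {marker} from {share}; delete it by hand")
    return ShareAccess(share, admin, read, True)

def audit_host(conn, shares):
    """Admin is a host-wide verdict (ADMIN$ is listable only by local admins); every
    share is then probed individually, as the -check-access/-check-admin table shows."""
    try:
        conn.listPath("ADMIN$", "*")
        admin = True
    except Exception:
        admin = False
    return [check_share(conn, s, admin) for s in shares]

class FakeSMBConnection:
    """In-memory stand-in for impacket's SMBConnection so the example runs offline."""
    def __init__(self, acl):               # acl: share name -> set of "read"/"write"
        self.acl, self.files = acl, {s: set() for s in acl}
    def _need(self, share, right):
        if right not in self.acl.get(share, set()):
            raise PermissionError(f"{right} denied on {share}")
    def listPath(self, share, path):
        self._need(share, "read")
        return sorted(self.files[share])
    def putFile(self, share, path, callback):
        self._need(share, "write")
        callback(0)
        self.files[share].add(path)
    def deleteFile(self, share, path):
        self._need(share, "write")
        self.files[share].discard(path)

# Constructed ACLs mirroring the dc01 rows above: read-only defaults, one writable share.
SAMPLE_ACL = {"ADMIN$": set(), "C$": set(), "IPC$": {"read"},
              "company": {"read", "write"}, "NETLOGON": {"read"}, "SYSVOL": {"read"}}
```

Running `audit_host(FakeSMBConnection(SAMPLE_ACL), list(SAMPLE_ACL))` reproduces the dc01 verdicts above (Admin No everywhere, Write Yes only on company), and the fake's file table shows the marker file is gone afterwards.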
┌──(kali㉿kali)-[/tmp/FindDomianShare]
└─$ KRB5CCNAME=john.doe@dc01.example.com.ccache python3 ./FindDomianShare.py EXAMPLE.COM/john.doe@dc01.example.com -k -no-pass -dc-ip $IP -check-access -check-admin -base-dn 'DC=EXAMPLE,DC=COM'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-07-21 16:15:19
[*] Connecting to LDAP at dc01
[*] LDAP connection successful
[*] Found 9 computers in the domain
[*] Admin access confirmed on pci32.example.com
[*] Found 3 shares on web23.example.com
[*] Found 3 shares on prod03.example.com
[*] Found 3 shares on client56.example.com
[*] Found 3 shares on smtp.example.com
[*] Found 2 shares on archive.example.com
[*] Found 4 shares on client21.example.com
[*] Found 4 shares on testing.example.com
[*] Found 5 shares on dc01.example.com
[*] Found 4 shares on pci32.example.com
[*] Enumeration completed in 0:00:01.961663. Found 31 shares.
Found 31 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type Admin Read Write OS Remark
----------------------------------------------------------------------------------------------------
web23.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2019 Remote Admin
web23.example.com C$ Unknown (Hidden) No No No Windows Server 2019 Default share
web23.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2019 Remote IPC
prod03.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2022 Remote Admin
prod03.example.com C$ Unknown (Hidden) No No No Windows Server 2022 Default share
prod03.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2022 Remote IPC
client56.example.com ADMIN$ Unknown (Hidden) No No No Windows 11 Enterpris Remote Admin
client56.example.com C$ Unknown (Hidden) No No No Windows 11 Enterpris Default share
client56.example.com IPC$ Disk (Hidden) No Yes No Windows 11 Enterpris Remote IPC
smtp.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2022 Remote Admin
smtp.example.com C$ Unknown (Hidden) No No No Windows Server 2022 Default share
smtp.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2022 Remote IPC
archive.example.com backup Unknown No Yes No Unknown Backup Share
archive.example.com IPC$ Disk (Hidden) No No No Unknown IPC Service (Samba Server Version 4.1
client21.example.com ADMIN$ Unknown (Hidden) No No No Windows 11 Enterpris Remote Admin
client21.example.com C$ Unknown (Hidden) No No No Windows 11 Enterpris Default share
client21.example.com IPC$ Disk (Hidden) No Yes No Windows 11 Enterpris Remote IPC
client21.example.com Users Unknown No Yes No Windows 11 Enterpris
testing.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2022 Remote Admin
testing.example.com backup Unknown No Yes Yes Windows Server 2022
testing.example.com C$ Unknown (Hidden) No No No Windows Server 2022 Default share
testing.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2022 Remote IPC
dc01.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2022 Remote Admin
dc01.example.com C$ Unknown (Hidden) No No No Windows Server 2022 Default share
dc01.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2022 Remote IPC
dc01.example.com NETLOGON Unknown No Yes No Windows Server 2022 Logon server share
dc01.example.com SYSVOL Unknown No Yes No Windows Server 2022 Logon server share
pci32.example.com ADMIN$ Unknown (Hidden) Yes Yes Yes Windows Server 2022 Remote Admin
pci32.example.com C$ Unknown (Hidden) Yes Yes Yes Windows Server 2022 Default share
pci32.example.com IPC$ Disk (Hidden) Yes Yes No Windows Server 2022 Remote IPC
pci32.example.com Users Unknown Yes Yes Yes Windows Server 2022
Another example with 9 domain-joined hosts.
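As an added example (not part of the project), the following parses the -check-access/-check-admin table into the findings a defender would triage first: hosts where the tested account is a local admin, writable non-default shares, and hosts whose OS could not be fingerprinted. The sample rows are a constructed subset of the 9-host run above; the row regex and the list of default shares are this example's assumptions.

```python
import re
# A row of the -check-access/-check-admin table: computer, share, type (optionally
# followed by "(Hidden)"), three Yes/No columns, then OS and remark run together.
ROW_RE = re.compile(
    r"^(?P<computer>\S+)\s+(?P<share>\S+)\s+(?P<type>\S+(?: \(Hidden\))?)\s+"
    r"(?P<admin>Yes|No)\s+(?P<read>Yes|No)\s+(?P<write>Yes|No)\s+(?P<os_remark>.*)$")

# Shares Windows creates itself; anything else was set up by someone and deserves a look.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "PRINT$"}

def parse_rows(text):
    """Return one dict per share row; headers, rulers and [*] log lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for col in ("admin", "read", "write"):
                row[col] = row[col] == "Yes"
            rows.append(row)
    return rows

def triage(rows):
    """Reduce the table to the findings a defender would act on first."""
    custom = [r for r in rows if r["share"].upper() not in DEFAULT_SHARES]
    return {
        # the tested account is a local admin here: check why, and whether that is intended
        "admin_hosts": sorted({r["computer"] for r in rows if r["admin"]}),
        # writable non-default shares: where planted files or tampered data would land
        "writable_custom": [(r["computer"], r["share"]) for r in custom if r["write"]],
        "readonly_custom": [(r["computer"], r["share"]) for r in custom if r["read"] and not r["write"]],
        # OS not fingerprinted (the Samba box above): likely outside Windows-centric monitoring
        "unfingerprinted_hosts": sorted({r["computer"] for r in rows
                                         if not r["os_remark"].startswith("Windows")}),
    }

# Constructed sample: a subset of the rows from the 9-host run above.
SAMPLE_OUTPUT = """\
Computer Share Type Admin Read Write OS Remark
----------------------------------------------------------------------------------
web23.example.com ADMIN$ Unknown (Hidden) No No No Windows Server 2019 Remote Admin
web23.example.com IPC$ Disk (Hidden) No Yes No Windows Server 2019 Remote IPC
archive.example.com backup Unknown No Yes No Unknown Backup Share
archive.example.com IPC$ Disk (Hidden) No No No Unknown IPC Service (Samba Server Version 4.1
client21.example.com Users Unknown No Yes No Windows 11 Enterpris
testing.example.com backup Unknown No Yes Yes Windows Server 2022
dc01.example.com SYSVOL Unknown No Yes No Windows Server 2022 Logon server share
pci32.example.com ADMIN$ Unknown (Hidden) Yes Yes Yes Windows Server 2022 Remote Admin
pci32.example.com Users Unknown Yes Yes Yes Windows Server 2022
"""

if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```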
Advanced Usage
The -base-dn and -computer-name flags provide finer control over the LDAP search scope and are particularly useful in complex Active Directory environments. -base-dn overrides the automatically generated base Distinguished Name (DN) derived from the domain: by default, the tool constructs the base DN from the domain components (e.g., DC=example,DC=com for example.com). -computer-name restricts the results to hosts whose name matches the given pattern. You may also use the -debug flag to verify the LDAP search parameters and to display verbose output.
Below are some examples:
1. PCI Compliance Scanning
Scan only payment processing servers:
-base-dn "OU=PCI_Servers,OU=Secure,DC=corp,DC=com"
2. Departmental Audit
Audit HR department workstations:
-base-dn "OU=HR_Workstations,DC=corp,DC=com" -output csv -output-file hr_shares
3. Multi-Domain Enterprise
Scan European subsidiaries in a global forest:
-base-dn "DC=eu,DC=globalcorp,DC=net"
4. Combined with Filtering
Works with -computer-name for precise targeting:
-base-dn "OU=Servers,DC=corp,DC=com" -computer-name "WEB-.*"
⚠️ Disclaimer
FindDomainShare is intended for authorized security testing, auditing, and research purposes only. Unauthorized access to computer systems, networks, or data is illegal and unethical.
FindDomainShare was created to assist red teamers, penetration testers, blue team defenders, and system administrators in identifying and auditing SMB share exposures within Windows Active Directory environments. It is particularly useful in post-exploitation or internal assessment scenarios where visibility into file shares and access permissions is crucial.
Because the tool actively performs SMB authentication attempts, enumerates domain-joined hosts, and checks for read/write access to network shares, it will generate network traffic that may be logged, detected, or flagged by security monitoring systems. As such, it should not be used in environments where stealth is required unless explicitly authorized.
By using this tool, you agree that you are solely responsible for ensuring you have proper authorization to run it in any given environment. The developer assumes no liability for misuse or unauthorized activity.
Always get explicit written permission before conducting any security testing on networks or systems that you do not own.
This project is released under the GNU General Public License v3.0 (GPLv3), which permits use, modification, and distribution under its terms. However, the authors assume no liability for misuse or damages resulting from its use.