➜ Blackfield smbclient -L \\\\10.10.10.192\\
Password for [WORKGROUP\nakul]:
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        profiles$       Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
➜ Blackfield smbclient //10.10.10.192/profiles$
Password for [WORKGROUP\nakul]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                   D        0  Wed Jun  3 22:17:12 2020
  ..                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni             D        0  Wed Jun  3 22:17:11 2020
  ABarteski           D        0  Wed Jun  3 22:17:11 2020
  ABekesz             D        0  Wed Jun  3 22:17:11 2020
  ABenzies            D        0  Wed Jun  3 22:17:11 2020
  ABiemiller          D        0  Wed Jun  3 22:17:11 2020
...SNIP
Lots of directories which look like usernames.
I'll mount these directories on my system and then I can create a wordlist with these directory names. These folders are empty inside.
mount -t cifs //10.10.10.192/profiles$ /mnt/htb/Blackfield
ls -1 /mnt/htb/Blackfield > user
ls -1 makes sure that every entry is on a new line. I pipe the output into a file 'user', which will work as a username wordlist.
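
The same names can be read straight from the smbclient `ls` output shown above, which also makes clear how much a readable profiles$ share discloses about the domain's accounts. This is an added example, not part of the original writeup; the function names are hypothetical and the last three sample rows are constructed to show a name with a space, a regular file and the trailing summary line.

```python
import re

# One row of smbclient `ls` output: name, attribute flags, size, timestamp.
# The name is matched lazily so that names containing spaces still parse.
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[A-Z]*)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)

# First seven rows and the SNIP marker come from the listing above;
# the last three lines are constructed sample input.
SAMPLE = """\
  .                   D        0  Wed Jun  3 22:17:12 2020
  ..                  D        0  Wed Jun  3 22:17:12 2020
  AAlleni             D        0  Wed Jun  3 22:17:11 2020
  ABarteski           D        0  Wed Jun  3 22:17:11 2020
  ABekesz             D        0  Wed Jun  3 22:17:11 2020
  ABenzies            D        0  Wed Jun  3 22:17:11 2020
  ABiemiller          D        0  Wed Jun  3 22:17:11 2020
...SNIP
  Shared Docs         D        0  Thu Jun  4 09:00:00 2020
  notes.txt           A     1024  Thu Jun  4 09:00:00 2020
                5102079 blocks of size 4096. 1694174 blocks available
"""


def parse_listing(text):
    """Return one dict per listing row; non-row lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # prompt, SNIP marker, or the "blocks of size" summary
        entries.append({
            "name": m.group("name"),
            "attrs": m.group("attrs"),
            "size": int(m.group("size")),
            "mtime": " ".join(m.group("mtime").split()),
        })
    return entries


def directory_names(text):
    """Names of directory entries (attribute D), without '.' and '..'."""
    return [e["name"] for e in parse_listing(text)
            if "D" in e["attrs"] and e["name"] not in (".", "..")]


if __name__ == "__main__":
    print("\n".join(directory_names(SAMPLE)))
```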