SMB Share Data Hunting
Search for Secrets - Quick Reference
manspider <cidr_or_host> -d <domain> -u <user> -p '<pass>' --sharenames SYSVOL NETLOGON -e xml txt ini conf config ps1 psm1 bat cmd vbs json sql pfx pem ppk kdbx rdp ovpn -f passw secret cred id_rsa web\.config app\.config -c '(?i)cpassword|password=|password:|pwd=|secret=|token=|api[_-]?key|BEGIN .{0,20}PRIVATE KEY|aws_access_key_id|aws_secret_access_key' -n -t 12 -m 12
nxc smb <cidr_or_dc> -d <domain> -u <user> -p '<pass>' --spider SYSVOL --content --pattern '(?i)cpassword|password=|password:|pwd=|secret=|token=|api[_-]?key|BEGIN .{0,20}PRIVATE KEY|aws_access_key_id|aws_secret_access_key'
nxc smb <cidr_or_dc> -d <domain> -u <user> -p '<pass>' --spider NETLOGON --content --pattern '(?i)password=|password:|pwd=|secret=|token=|BEGIN .{0,20}PRIVATE KEY|aws_access_key_id|aws_secret_access_key'
nxc
| Action |
Command |
| List shares across a subnet |
nxc smb <cidr> -u <user> -p '<pass>' --shares |
| List only READ/WRITE shares |
nxc smb <cidr> -u <user> -p '<pass>' --shares READ |
| List only WRITE shares |
nxc smb <cidr> -u <user> -p '<pass>' --shares WRITE |
| List shares on one host |
nxc smb <ip> -u <user> -p '<pass>' --shares |
| Spider C$ for “txt” filenames |
nxc smb <ip> -u <user> -p '<pass>' --spider C\$ --pattern txt |
| Spider all readable shares (module) |
nxc smb <ip> -u <user> -p '<pass>' -M spider_plus |
| Spider + download all matches |
nxc smb <ip> -u <user> -p '<pass>' -M spider_plus -o DOWNLOAD_FLAG=True |
MANSPIDER
| Action |
Command |
| Search filenames (space-separated regexes) |
manspider <cidr_or_host> -d <domain> -u <user> -p '<pass>' -f passw secret cred |
| Search file contents (regex) |
manspider <host> -d <domain> -u <user> -p '<pass>' -c 'BEGIN .{1,10} PRIVATE KEY' |
| Limit by extensions |
manspider <host> -d <domain> -u <user> -p '<pass>' -e xlsx csv docx pdf |
| Use Kerberos (ccache) |
KRB5CCNAME=<ccache> manspider <host> -d <domain> -k |
| Increase threads / depth |
manspider <cidr> -d <domain> -u <user> -p '<pass>' -t 10 -m 15 |
| Don’t auto-download matches |
manspider <host> -d <domain> -u <user> -p '<pass>' -n |
pyFindUncommonShares
https://github.com/p0dalirius/pyFindUncommonShares
| Action |
Command |
| List all shares with WRITE access for current user |
./FindUncommonShares.py -au '<username>' -ap '<password>' -ad <domain> --auth-dc-ip <dc_ip> --writable |
| Export list of shares in domain to an Excel file |
./FindUncommonShares.py -au '<username>' -ap '<password>' -ad <domain> --auth-dc-ip <dc_ip> --writable --export-xlsx ./examples/results.xlsx |
| List all shares with access rights for current user |
./FindUncommonShares.py -au '<username>' -ap '<password>' -ad <domain> --auth-dc-ip <dc_ip> --writable --check-user-access |
Snaffler (Windows) — fast share hunter
| Action |
Command |
| Crawl domain, stream + save results |
Snaffler.exe -s -o snaffler.tsv -d <domain> -u <user> -p <pass> |
| Target one host’s shares |
Snaffler.exe -s -o snaffler.tsv -d <domain> -u <user> -p <pass> -c <dc_ip> -t <host> |