Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

Credentials in Metadata

Files often leak usernames, domains, internal hostnames, email addresses, authors, paths, and sometimes credentials.

This is initial access when files are reachable through public web content, anonymous SMB, Guest SMB, or low-privileged shares.

Keep in mind that LDAP may also contain metadata (such as passwords inside fields like description for example in disabled/test/forgotten/deleted objects), however it usually requires a bind so it is not truly an initial access technique - just giving you a heads up.


Collect File Names First

For SMB:

smbclient //10.10.10.200/Public -N -c 'recurse; ls' | tee public-files.txt
smbclient //10.10.10.200/IT -U 'OOTW\alice.wright%StudentPass2026!' -c 'recurse; ls' | tee it-files.txt

For a mounted share:

find /mnt/share -type f | tee files.txt

Interesting extensions:

doc
docx
xls
xlsx
ppt
pptx
pdf
txt
config
conf
ini
ps1
bat
cmd
xml
json

Extract Metadata

exiftool file.docx
exiftool *.pdf
exiftool -r /mnt/share

Look for:

Author
Creator
Last Modified By
Company
Template
Hyperlinks
Internal paths
Email addresses
Hostnames
Domain names

Search Content

Recursive search:

rg -i "pass|pwd|password|user|username|token|secret|key|ldap|mssql|sql|vpn|admin" /mnt/share

Office files are zip archives. Extract and search:

mkdir unpacked
unzip report.docx -d unpacked
rg -i "pass|user|ldap|sql|vpn|admin" unpacked

Strings fallback:

strings file.pdf | rg -i "pass|user|ldap|sql|vpn|admin"

Build Username Lists

Extract email-style values:

rg -o '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' /mnt/share | sort -u > emails.txt
cut -d@ -f1 emails.txt | sort -u > users.txt

Extract Windows domain names:

rg -o '[A-Za-z0-9._-]+\\\\[A-Za-z0-9._-]+' /mnt/share | sort -u

Detection

Defenders look for:

  • unusual file access on shares
  • Security 5140 and 5145 share access events
  • large recursive reads
  • access to old project, onboarding, or scripts folders
  • archive extraction on endpoints
  • exfiltration of document-heavy directories

Remediation

  • remove secrets from documents and scripts
  • strip metadata before publishing files
  • restrict share permissions
  • audit readable shares regularly
  • use secret scanning on file shares and repositories
  • rotate exposed credentials