Files often leak usernames, domains, internal hostnames, email addresses, authors, paths, and sometimes credentials.
This is initial access when files are reachable through public web content, anonymous SMB, Guest SMB, or low-privileged shares.
Keep in mind that LDAP may also contain metadata (such as passwords inside fields like description for example in disabled/test/forgotten/deleted objects), however it usually requires a bind so it is not truly an initial access technique - just giving you a heads up.
Collect File Names First
For SMB:
smbclient //10.10.10.200/Public -N -c 'recurse; ls' | tee public-files.txt
smbclient //10.10.10.200/IT -U 'OOTW\alice.wright%StudentPass2026!' -c 'recurse; ls' | tee it-files.txt
For a mounted share:
find /mnt/share -type f | tee files.txt
Interesting extensions:
doc
docx
xls
xlsx
ppt
pptx
pdf
txt
config
conf
ini
ps1
bat
cmd
xml
json
Extract Metadata
exiftool file.docx
exiftool *.pdf
exiftool -r /mnt/share
Look for:
Author
Creator
Last Modified By
Company
Template
Hyperlinks
Internal paths
Email addresses
Hostnames
Domain names
Search Content
Recursive search:
rg -i "pass|pwd|password|user|username|token|secret|key|ldap|mssql|sql|vpn|admin" /mnt/share
Office files are zip archives. Extract and search:
mkdir unpacked
unzip report.docx -d unpacked
rg -i "pass|user|ldap|sql|vpn|admin" unpacked
Strings fallback:
strings file.pdf | rg -i "pass|user|ldap|sql|vpn|admin"
Build Username Lists
Extract email-style values:
rg -o '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' /mnt/share | sort -u > emails.txt
cut -d@ -f1 emails.txt | sort -u > users.txt
Extract Windows domain names:
rg -o '[A-Za-z0-9._-]+\\\\[A-Za-z0-9._-]+' /mnt/share | sort -u
Detection
Defenders look for:
- unusual file access on shares
- Security 5140 and 5145 share access events
- large recursive reads
- access to old project, onboarding, or scripts folders
- archive extraction on endpoints
- exfiltration of document-heavy directories
Remediation
- remove secrets from documents and scripts
- strip metadata before publishing files
- restrict share permissions
- audit readable shares regularly
- use secret scanning on file shares and repositories
- rotate exposed credentials