
# Credential Hunting in Network Shares

### Overview

Corporate network shares are used daily for file sharing across teams — and are routinely misconfigured, leaving credentials, config files, and sensitive data accessible to any authenticated user. This is one of the highest-yield low-effort steps during internal assessments.

***

### What to Look For

#### Keywords Inside Files

```
passw    user    token    key    secret    INLANEFREIGHT\
```

> Localize keywords to the target — a German company uses `Benutzer` not `User`.

#### File Extensions to Target

| Extension | Why                                                             |
| --------- | --------------------------------------------------------------- |
| `.ini`    | App/service config                                              |
| `.cfg`    | Config files                                                    |
| `.env`    | Environment variables — often contain API keys and DB passwords |
| `.xlsx`   | Spreadsheets — IT teams store password lists here               |
| `.ps1`    | PowerShell scripts — may hardcode credentials                   |
| `.bat`    | Batch scripts — same problem                                    |
| `.xml`    | Unattend.xml, web.config — frequent credential leaks            |
| `.txt`    | Notes, password lists                                           |

#### Interesting File Names

```
config    user    passw    cred    initial    secret    backup
```

#### Strategic Targeting

Don't scan everything blindly — prioritize:

```
IT shares > Finance shares > HR shares > General/Marketing shares
```

IT shares are the most likely to contain service account credentials, deployment scripts, and config files with hardcoded passwords.
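The criteria above, combined into a check a share owner can run against a mounted copy of their own share to find exposed files before an assessment does. This is an added example, not part of the original page; `audit_share`, `demo`, the priority numbers and the sample tree are constructed for illustration.

```python
import os, re, tempfile

# Criteria copied from the lists above; extra_keywords covers localized terms.
KEYWORDS = ["passw", "user", "token", "key", "secret"]
EXTENSIONS = (".ini", ".cfg", ".env", ".ps1", ".bat", ".xml", ".txt")  # .xlsx is a zip container: name match only
NAME_TERMS = re.compile(r"config|user|passw|cred|initial|secret|backup", re.I)
PRIORITY = {"IT": 0, "Finance": 1, "HR": 2}  # any other share sorts last

def audit_share(root, label, extra_keywords=()):
    """Return sorted (priority, relative path, reason); matched values are never echoed."""
    kw = re.compile("|".join(map(re.escape, [*KEYWORDS, *extra_keywords])), re.I)
    prio, findings = PRIORITY.get(label, 3), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NAME_TERMS.search(name):
                findings.append((prio, rel, "name"))
            # endswith() instead of splitext(): splitext(".env") yields no extension
            if not name.lower().endswith(EXTENSIONS):
                continue
            try:
                with open(path, errors="ignore") as fh:
                    hits = sorted({m.group(0).lower() for line in fh for m in kw.finditer(line)})
            except OSError:
                continue  # unreadable file: skip it and keep walking
            if hits:
                findings.append((prio, rel, "content:" + ",".join(hits)))
    return sorted(findings)

def demo():
    """Constructed sample tree standing in for a mounted share."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "deploy/.env": "DB_PASSWORD=example-not-real\n",
            "deploy/install.ps1": "$Benutzer = 'svc_example'\n",
            "notes/lunch.txt": "menu for friday\n",
            "initial_setup.docx": "binary placeholder\n",
        }
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit_share(root, "IT", extra_keywords=["Benutzer"])
```

The report carries only the path and which keyword matched, so it can be handed to the file owner without copying the secret into a second location.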

***

### Manual Search (Before Scaling to Tools)

#### Windows (PowerShell)

```powershell
# Search file contents recursively across a share
Get-ChildItem -Recurse -Include *.txt,*.ini,*.cfg,*.xml,*.ps1,*.bat \\Server\Share | Select-String -Pattern "passw"

# Search file names for interesting terms
Get-ChildItem -Recurse \\Server\Share | Where-Object { $_.Name -match "passw|cred|config|user" }
```

#### Linux

```bash
# Search file contents across a mounted share
grep -ri "passw\|user\|token" /mnt/share/ 2>/dev/null

# Find files by interesting name
find /mnt/share -iname "*passw*" -o -iname "*cred*" -o -iname "*config*" 2>/dev/null
```

***

### Hunting from Windows

#### Snaffler

C# tool — run on a domain-joined machine. Automatically discovers all accessible shares in the domain and searches for interesting files. Color-coded output: Red = high confidence credential find, Yellow = worth reviewing.

**Basic scan:**

```cmd
Snaffler.exe -s
```

**Useful flags:**

| Flag              | Purpose                                                           |
| ----------------- | ----------------------------------------------------------------- |
| `-s`              | Run scan (required)                                               |
| `-u`              | Pull user list from AD and search for references to them in files |
| `-i <share>`      | Include only specific shares                                      |
| `-n <share>`      | Exclude specific shares                                           |
| `-o snaffler.log` | Save output to file                                               |

**Output color coding:**

| Color  | Meaning                                                             |
| ------ | ------------------------------------------------------------------- |
| Red    | High confidence — likely credential (e.g. password in unattend.xml) |
| Yellow | Worth reviewing (e.g. .wim deployment image)                        |
| Green  | Readable share discovered                                           |
| Black  | Share found but not accessible                                      |

> A large amount of manual review is still required — many matches are false positives.

**Notable find type — `unattend.xml`:**

```
\\DC01.inlanefreight.local\ADMIN$\Panther\unattend.xml
```

Windows deployment files frequently contain `<AdministratorPassword>` in plaintext. Snaffler flags these as Red automatically.
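A review step for this finding, as an added example that is not part of the original page: it parses an `unattend.xml` and reports whether `<AdministratorPassword>` still holds a value, without echoing it. The sample document, `check_unattend` and the status labels are constructed; the element layout and the scrubbed marker follow what Windows Setup writes.

```python
import xml.etree.ElementTree as ET

SCRUBBED = "*SENSITIVE*DATA*DELETED*"  # marker Windows Setup leaves after removing a value

# Constructed sample, not taken from a real deployment.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>example-not-a-real-password</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def check_unattend(xml_text):
    """Return one dict per <AdministratorPassword>; the value itself is never returned."""
    results = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "AdministratorPassword":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        value = fields.get("Value", "")
        if not value:
            status = "empty"
        elif value == SCRUBBED:
            status = "scrubbed"  # false positive: nothing left to leak
        else:
            # PlainText=false means encoded, not encrypted, so it still counts as live
            status = "live"
        results.append({"status": status,
                        "plaintext_flag": fields.get("PlainText", "unspecified").lower()})
    return results
```

A `live` result means the file needs to be removed or scrubbed and the local Administrator password rotated on every host built from it.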

***

#### PowerHuntShares

PowerShell script — does not require a domain-joined machine. Enumerates SMB shares, permissions, and generates an **HTML report** for easy review.

```powershell
Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public
```

**What it does automatically:**

* Enumerates domain computers via LDAP
* Checks TCP 445 availability
* Enumerates all SMB shares and permissions
* Identifies shares with excessive privileges (read/write for everyone)
* Flags high-risk shares
* Generates HTML summary + CSV detail files

Output directory: `c:\Users\Public\SmbShareHunt-<timestamp>\`

***

### Hunting from Linux

#### MANSPIDER

Scans SMB shares remotely from Linux. Run via Docker to avoid dependency issues. Downloads matching files to a local loot directory.

```bash
docker run --rm -v ./manspider:/root/.manspider \
  blacklanternsecurity/manspider \
  <target_ip> -c 'passw' -u '<username>' -p '<password>'
```

**Common flags:**

| Flag | Purpose                         |
| ---- | ------------------------------- |
| `-c` | Search file contents for string |
| `-u` | Username                        |
| `-p` | Password                        |
| `-f` | Search by filename pattern      |
| `-e` | Filter by file extension        |

Matching files are saved to `./manspider/loot/`.

***

#### NetExec (nxc)

The `--spider` option crawls SMB shares and searches file contents for patterns.

```bash
nxc smb <target_ip> -u <user> -p '<password>' --spider <ShareName> --content --pattern "passw"
```

**Flags:**

| Flag               | Purpose                     |
| ------------------ | --------------------------- |
| `--spider <share>` | Share name to spider        |
| `--content`        | Search inside file contents |
| `--pattern`        | String pattern to match     |

***

### Tool Comparison

| Tool                 | Platform | Requires Domain Join | Output                |
| -------------------- | -------- | -------------------- | --------------------- |
| Snaffler             | Windows  | Yes                  | Console (color-coded) |
| PowerHuntShares      | Windows  | No                   | HTML report + CSV     |
| MANSPIDER            | Linux    | No                   | Loot directory        |
| NetExec (`--spider`) | Linux    | No                   | Console               |

***

### Credential Hunting Checklist — Network Shares

```
[ ] Identify accessible shares (net view, nxc smb --shares, Snaffler)
[ ] Prioritize IT / DevOps / Finance shares
[ ] Search file contents for: passw, user, token, key, secret
[ ] Search file names for: config, cred, passw, initial, backup
[ ] Target extensions: .ini .cfg .env .xml .ps1 .bat .xlsx .txt
[ ] Check unattend.xml / sysprep.xml for AdministratorPassword
[ ] Check SYSVOL/NETLOGON for GPP cpassword (if older domain)
[ ] Download and review flagged files manually
```


