.NET Executable - Snaffler

Example: Executing through Cobalt Strike:

execute-assembly /pipe/Snaffler/x64/4.5/Snaffler.exe -o c:\users\allem\desktop\08-30_1647_Snaffler.log

Convert output to list of file paths with custom/snaffler-2-unc-paths.sh


PowerShell - PowerView

  • The transcripts started below can be used to examine partial results of the scan while it is still running.
  • They can also be used as backup output if the process gets killed, the file gets deleted, etc.

1. Collect list of shares:

  • If this doesn’t find any/many results, use the NoPing version of PowerView instead (in the Tools folder). ** BE SURE TO USE NOPING VERSION FOR EVERYTHING IN ENVIRONMENTS WHERE PING SEEMS TO BE DISABLED **

Start-Transcript Log\01-01.interesting_shares.script

Invoke-ShareFinder -CheckShareAccess -Verbose -Threads 20 | ConvertTo-CSV | Set-Content interesting_shares.csv -PassThru -Encoding Ascii

Stop-Transcript

  • Can turn the CSV into a TXT list with:
    cat interesting_shares.csv | awk -F '"' '{ print "\\\\" $8 "\\" $2}' | sort -u > accessible_shares.txt
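
As an added example (not part of the original notes or of PowerView), the CSV-to-UNC conversion above can be done by column name with a real CSV parser, which keeps working when a Remark contains quotes or commas that shift the positional awk fields. The column names ComputerName and Name, and all sample hosts and shares, are assumptions made for illustration.

```python
import csv
import io

# Constructed sample of ConvertTo-CSV output: "#TYPE" line, CRLF endings, a
# duplicate row, and a Remark containing commas and quotes. Hosts and shares
# are made up; the column names are an assumption about the PowerView build.
SAMPLE_CSV = (
    '#TYPE System.Management.Automation.PSCustomObject\r\n'
    '"Name","Type","Remark","ComputerName"\r\n'
    '"Finance","0","Q3 reports, ""draft"" only","FS01.corp.example"\r\n'
    '"IT$","0","","FS01.corp.example"\r\n'
    '"Finance","0","Q3 reports, ""draft"" only","FS01.corp.example"\r\n'
    '"Scans","0","","PRINT02.corp.example"\r\n'
)


def share_unc_paths(csv_text, host_col="ComputerName", share_col="Name"):
    """Return sorted, de-duplicated \\\\host\\share paths from ConvertTo-CSV text."""
    text = csv_text.lstrip("\ufeff")          # tolerate a UTF-8 BOM
    if text.startswith("#TYPE"):              # emitted without -NoTypeInformation
        text = text.partition("\n")[2]
    # newline="" leaves CRLF handling to the csv module.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    missing = {host_col, share_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing expected column(s): {sorted(missing)}")
    paths = set()
    for row in reader:
        host = (row.get(host_col) or "").strip()
        share = (row.get(share_col) or "").strip()
        if host and share:                    # skip short or empty rows
            paths.add(f"\\\\{host}\\{share}")
    return sorted(paths)


if __name__ == "__main__":
    print("\n".join(share_unc_paths(SAMPLE_CSV)))
```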
    

2. Collect list of interesting files

Start-Transcript Log\01-01.sensitive_files.script

Invoke-FileFinder -Verbose -Threads 20 -Include @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config', '*.wim', '*.bkp', '*backup*', '*.bak*', '*sql*', '*id_rsa*', '*id_dsa*', '*.ppk', '*.msg', '*.pst', '*.kdb*', '*code*', '*PIN*', '*phy*sec*', '*vuln*', '*pentest*', '*penetration*', '*security*', '*secure*', '*private*', '*confidential*', '*.ova', '*.vbox', '*.vdi', '*.ovf', '*.img', '*.vhd*', '*.hdd', '*.qed', '*.qcow*', '*key*', 'SAM', 'SECURITY', 'SYSTEM', '*ntds*', '*.dmp', '*ntlm*', '*lock*', '*.eml', '*.qbb*', '*alarm*', '*ssn*', '*soc*sec*', '*W-2*', '*.bat', '*.cmd', '*.vbs', '*.ps1', '*.sh', '*bash_history*', 'signons.sqlite', 'key3.db', 'key4.db', 'cookies.sqlite', 'logins.json', '*phish*', '*.rdp', '*minidump*', '*procdump*', '*vnc*' ) | ConvertTo-CSV | Set-Content sensitive_files.csv -PassThru -Encoding Ascii

Stop-Transcript

  • If that didn’t take too long, get a list of ALL the files:

Invoke-FileFinder -Verbose -Threads 20 -Include @('*.*') | ConvertTo-CSV | Set-Content ALL_shared_files.csv -PassThru | ConvertFrom-CSV

3. Convert output to list of file paths

cat ../sensitive_files.csv | tr '\r' '\n' | grep -vE '^$' | awk -F '","' '{ print $3 }' | sort -u > file_paths.txt