# Searching SMB Shares

{% hint style="info" %}
**In the future, I want to try out a dedicated tool for this kind of SMB share searching, like** [SnaffCon](https://github.com/SnaffCon/Snaffler).
{% endhint %}

## Shrawler

```bash
# Install
shrawler $ADDOMAIN/$ADUSER@$ADCONTROLLER --hosts $ACTIVE --spider

# Run
shrawler $ADDOMAIN/$ADUSER@$ADCONTROLLER --hosts $ACTIVE --spider
```

## NetExec

### Collect Data

**NTLM**

```bash
nxc smb $TARGETS -u $ADUSER -d $ADDOMAIN -p $(PSWPRMPT) -M spider_plus;PSW=""
```

***

### Search Data

### Overview

```bash
echo;echo;echo
# Keys of each share object are the file paths; jq -r prints them unquoted.
UNIQ_FILES=$(cat /tmp/nxc_hosted/nxc_spider_plus/* | jq -r '.[] | select(length > 0) | keys[]' | sort -u)
# grep -c . counts non-empty lines, so an empty result reports 0 instead of 1.
echo "  [+] $(echo "$UNIQ_FILES" | grep -c .) unique files found"
# Extension patterns are anchored as \.(...)$ so that e.g. \.o cannot match .ova or .odt.
MEDIA_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(iso|img|vmdk|vdi|dmg|bin|nrg|cue|raw|ova|ovf)$')
echo "  [+] $(echo "$MEDIA_FILES" | grep -c .) Media files found"
SENSITIVE_FILES=$(echo "$UNIQ_FILES" | grep -Ei 'password|passwd|pwd|secret|credential|user|login|vault|key|token|apikey|auth|dbpass|rootpass|adminpass|crypto')
echo "  [+] $(echo "$SENSITIVE_FILES" | grep -c .) Sensitive keyword files found"
SCRIPT_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(sh|ps1|bat|cmd|py|rb|pl|js|vbs|php|asp|psm1|ksh|zsh|bash|csh|tcsh)$')
echo "  [+] $(echo "$SCRIPT_FILES" | grep -c .) Script files found"
DOCUMENT_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(doc|docx|xls|xlsx|ppt|pptx|pdf|rtf|csv|odt|ods|odp)$')
echo "  [+] $(echo "$DOCUMENT_FILES" | grep -c .) Document files found"
TEXT_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.txt$')
echo "  [+] $(echo "$TEXT_FILES" | grep -c .) Text files found"
ARCHIVE_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(zip|tar|gz|tgz|bz2|7z|rar|xz|cab|iso)$')
echo "  [+] $(echo "$ARCHIVE_FILES" | grep -c .) Archive files found"
DB_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(sql|db|mdb|sqlite|accdb|dbf|dump|bak|backup|ldif)$')
echo "  [+] $(echo "$DB_FILES" | grep -c .) Database-related files found"
CONFIG_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(conf|cfg|ini|yaml|yml|properties|json|xml|env)$')
echo "  [+] $(echo "$CONFIG_FILES" | grep -c .) Configuration files found"
CERT_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(pem|crt|key|pfx|p12|csr|der)$')
echo "  [+] $(echo "$CERT_FILES" | grep -c .) Certificate and key files found"
LOG_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(log|out|audit|trace|dmp)$')
echo "  [+] $(echo "$LOG_FILES" | grep -c .) Log files found"
EXEC_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(exe|dll|so|o|bin|out|msi|deb|rpm|apk|app|jar|war|ear)$')
echo "  [+] $(echo "$EXEC_FILES" | grep -c .) Executable files found"
BACKUP_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(bak|tmp|swp|old|save|orig|bk|backup|~|recovery)$')
echo "  [+] $(echo "$BACKUP_FILES" | grep -c .) Backup and temporary files found"
WEB_FILES=$(echo "$UNIQ_FILES" | grep -Ei '\.(html|htm|js|php|jsp|asp|aspx|css|cgi)$')
echo "  [+] $(echo "$WEB_FILES" | grep -c .) Web-related files found"
```

***

### List File Names

**List Possible Sensitive Files**

```bash
echo "$SENSITIVE_FILES"
```

**List Media Files (iso, vmdk, img... etc.)**

```bash
echo "$MEDIA_FILES"
```

**List Scripts (sh, ps1, bat... etc.)**

```bash
echo "$SCRIPT_FILES"
```

**List Document Files (docx, xlsx, pptx... etc.)**

```bash
echo "$DOCUMENT_FILES"
```

**List Text Files (txt)**

```bash
echo "$TEXT_FILES"
```

**List Archive Files (zip, tar, gz... etc.)**

```bash
echo "$ARCHIVE_FILES"
```

**List Database Files (sql, db, mdb... etc.)**

```bash
echo "$DB_FILES"
```

**List Config Files (conf, cfg, ini, yaml... etc.)**

```bash
echo "$CONFIG_FILES"
```

**List Certificate Files (... etc.)**

```bash
echo "$CERT_FILES"
```

**List Log Files (log, out, audit, trace, dmp... etc.)**

```bash
echo "$LOG_FILES"
```

**List Executable Files (exe, dll, bin... etc.)**

```bash
echo "$EXEC_FILES"
```

**List Web Files (html, js, php... etc.)**

```bash
echo "$WEB_FILES"
```

***

### List all files

**View all files (Names only)**

```bash
echo "$UNIQ_FILES"
```

**View all unique files + paths**

```bash
cat /tmp/nxc_hosted/nxc_spider_plus/* | jq '.[] | select(length > 0) | keys[]' | tr -d '"' | sort -u
```

***

### List other files

**Count of files NOT detected in other checks**

```bash
# Union of every extension used in the Overview checks (ova, ovf and aspx included), anchored at end of path.
ALL_TYPES_REGEX='\.(iso|img|vmdk|vdi|dmg|bin|nrg|cue|raw|ova|ovf|sh|ps1|bat|cmd|py|rb|pl|js|vbs|php|asp|aspx|psm1|ksh|zsh|bash|csh|tcsh|doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf|csv|odt|ods|odp|zip|tar|gz|tgz|bz2|7z|rar|xz|cab|sql|db|mdb|sqlite|accdb|dbf|dump|bak|backup|ldif|conf|cfg|ini|yaml|yml|properties|json|xml|env|pem|crt|key|pfx|p12|csr|der|log|out|audit|trace|dmp|exe|dll|so|o|msi|deb|rpm|apk|app|jar|war|ear|tmp|swp|old|save|orig|bk|~|recovery|html|htm|jsp|css|cgi)$'
# -i keeps this case-insensitive like the Overview checks, so FILE.PDF is not reported as unknown.
UNDOCUMENTED_EXT_FILES=$(echo "$UNIQ_FILES" | grep -Eiv "$ALL_TYPES_REGEX")
echo "  [+] $(echo "$UNDOCUMENTED_EXT_FILES" | grep -c .) files with unique extensions not in previous checks found"
```

**List of file types NOT found in other checks**

```bash
UNIQUE_EXTENSIONS=$(echo "$UNDOCUMENTED_EXT_FILES" | awk -F. '{if (NF>1) print $NF}' | sort -u)
echo "  [+] Unique file extensions not detected:"
echo "$UNIQUE_EXTENSIONS"
```

**List of file names NOT found in other checks**

```bash
# Case-insensitive, to match the Overview checks; grep -c . reports 0 for an empty result.
UNDOCUMENTED_FILES=$(echo "$UNIQ_FILES" | grep -Eiv "$ALL_TYPES_REGEX")
echo "  [+] $(echo "$UNDOCUMENTED_FILES" | grep -c .) unique file names not detected in previous checks found"
echo "  [+] Unique file names not detected:"
echo "$UNDOCUMENTED_FILES"
```

***

### **Locate IP/Share by file name**

```bash
echo;echo
# vared is a zsh builtin, so run this from zsh
vared -p 'File Path: ' -c SEARCHTEXT

# -l lists each matching report once; -F treats the path as a literal string, not a regex
JSONFILE=$(grep -lF -- "$SEARCHTEXT" /tmp/nxc_hosted/nxc_spider_plus/*)
# The report file name is <server ip>.json
SERVER_IP=$(echo "$JSONFILE" | sed 's/\/tmp\/nxc_hosted\/nxc_spider_plus\///g;s/\.json$//')
HOSTNAME=$(dig -x "$SERVER_IP" +short)
SHARE_NAME=$(jq --arg filepath "$SEARCHTEXT" -r 'to_entries[] | select(.value[$filepath]) | .key' "$JSONFILE")
echo;echo
echo "  [+] Server IP: $SERVER_IP ($HOSTNAME)"
echo "  [+] Share Name: $SHARE_NAME"
echo "  [+] Found File: $SEARCHTEXT"
```
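The Overview and locate steps above can be done in one pass that never drops the host and share a file came from. This is an added example, not part of the original notes: it assumes one `<host>.json` report per target with the share → path → metadata layout the jq filters rely on, and `CATEGORIES`, `classify` and `triage` are hypothetical names.

```python
import json
import re
from collections import Counter
from pathlib import Path

# Extension groups are a subset of the page's lists; keywords are matched on the file name only.
CATEGORIES = {
    "cert_key": {"pem", "crt", "key", "pfx", "p12", "csr", "der"},
    "config": {"conf", "cfg", "ini", "yaml", "yml", "properties", "json", "xml", "env"},
    "script": {"sh", "ps1", "bat", "cmd", "py", "vbs", "psm1"},
    "database": {"sql", "db", "mdb", "sqlite", "accdb", "bak", "ldif"},
}
KEYWORDS = re.compile(r"password|passwd|pwd|secret|credential|vault|token|apikey", re.I)

# Constructed sample in the share -> path -> metadata layout the page's jq filters assume.
SAMPLE = {
    "192.0.2.10": {
        "IT": {"deploy/install.ps1": {}, "notes/overview.odt": {}, "backup/site.JSON": {}},
        "IPC$": {},
    },
    "192.0.2.20": {"Finance": {"2024/passwords_old.xlsx": {}, "certs/vpn.pfx": {}}},
}

def load_reports(directory):
    """Assumes one <host>.json per target, as the page's sed expression implies."""
    return {p.stem: json.loads(p.read_text()) for p in Path(directory).glob("*.json")}

def classify(path):
    """Labels for one path: exact, case-insensitive extension match plus name keywords."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    labels = {cat for cat, exts in CATEGORIES.items() if ext in exts}
    if KEYWORDS.search(name):
        labels.add("keyword")
    return sorted(labels)

def triage(reports):
    """Return (host, share, path, labels) for every labelled file, keeping its location."""
    return [(host, share, path, classify(path))
            for host, shares in reports.items()
            for share, files in shares.items()
            for path in files
            if classify(path)]

if __name__ == "__main__":
    rows = triage(SAMPLE)
    for host, share, path, labels in rows:
        print(f"{host}\t{share}\t{path}\t{','.join(labels)}")
    print(dict(Counter(label for row in rows for label in row[3])))
```

For real output, pass `load_reports("/tmp/nxc_hosted/nxc_spider_plus")` to `triage` instead of `SAMPLE`.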

**Display File Contents (Requires Auth)**

```bash
echo;echo
# vared is a zsh builtin, so run this from zsh
vared -p 'File Path: ' -c SEARCHTEXT

# -l lists each matching report once; -F treats the path as a literal string, not a regex
JSONFILE=$(grep -lF -- "$SEARCHTEXT" /tmp/nxc_hosted/nxc_spider_plus/*)
SERVER_IP=$(echo "$JSONFILE" | sed 's/\/tmp\/nxc_hosted\/nxc_spider_plus\///g;s/\.json$//')
SHARE_NAME=$(jq --arg filepath "$SEARCHTEXT" -r 'to_entries[] | select(.value[$filepath]) | .key' "$JSONFILE")

# Private temp file, overwritten rather than appended to, instead of a fixed path in /tmp
SMB_SCRIPT=$(mktemp)
cat > "$SMB_SCRIPT" << EOF
use $SHARE_NAME
cat $SEARCHTEXT
EOF

smbng --host "$SERVER_IP" -u "$ADUSER" -d "$ADDOMAIN" --no-colors -N --startup-script "$SMB_SCRIPT"
rm -f "$SMB_SCRIPT"
```

{% hint style="warning" %}
The above requires [smbng](https://github.com/p0dalirius/smbclient-ng) to be installed. It can be installed with pipx using `pipx install git+https://github.com/p0dalirius/smbclient-ng.git`
{% endhint %}

