In the future, I want to try out a dedicated tool for this kind of SMB share searching, such as SnaffCon.
Collect Data
NTLM
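# Run the spider_plus module against the targets. The search snippets on this page
# read its per-host JSON results from /tmp/nxc_hosted/nxc_spider_plus/.
# NOTE: -p places the password in nxc's argument list, where it is visible in the
# process table to other local users for as long as the scan runs.
# NOTE: the result files map out where sensitive files live and /tmp is shared, so
# check that directory's permissions and remove it when the work is finished.
# Quoting the substitution keeps a password containing spaces as one argument.
# $TARGETS is left unquoted on purpose: how it is split differs between shells.
# PSW is cleared afterwards (presumably the variable PSWPRMPT fills; it is defined
# outside this page).
nxc smb $TARGETS -u "$ADUSER" -d "$ADDOMAIN" -p "$(PSWPRMPT)" -M spider_plus; PSW=""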
Search Data
Overview
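echo; echo; echo
# Merge the spider_plus result files (one <server-ip>.json per host) into a single
# sorted, de-duplicated list of file paths. The later snippets on this page reuse
# UNIQ_FILES and the per-category variables set below.
UNIQ_FILES=$(jq -r '.[] | select(length > 0) | keys[]' /tmp/nxc_hosted/nxc_spider_plus/*.json | sort -u)
# Counts use `grep -c .` (non-empty lines) so an empty category prints 0; an empty
# variable piped through `echo | wc -l` would be reported as 1.
echo " [+] $(grep -c . <<<"$UNIQ_FILES") unique files found"
# Every filter below is a case-insensitive substring match on the whole path, not an
# end-anchored extension test. Categories therefore overlap and over-match (for
# example '\.o' also hits .old and .odt), so treat the counts as upper bounds.
MEDIA_FILES=$(grep -Ei '\.iso|\.img|\.vmdk|\.vdi|\.dmg|\.bin|\.nrg|\.cue|\.raw|\.ova|\.ovf' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$MEDIA_FILES") Media files found"
# Keyword hits are leads to triage, not findings: short words such as 'user' and
# 'key' also match ordinary paths (anything under a Users directory, for instance).
SENSITIVE_FILES=$(grep -Ei 'password|passwd|pwd|secret|credential|user|login|vault|key|token|apikey|auth|dbpass|rootpass|adminpass|crypto' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$SENSITIVE_FILES") Sensitive keyword files found"
SCRIPT_FILES=$(grep -Ei '\.sh|\.ps1|\.bat|\.cmd|\.py|\.rb|\.pl|\.js|\.vbs|\.php|\.asp|\.psm1|\.ksh|\.zsh|\.bash|\.csh|\.tcsh' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$SCRIPT_FILES") Script files found"
DOCUMENT_FILES=$(grep -Ei '\.doc|\.docx|\.xls|\.xlsx|\.ppt|\.pptx|\.pdf|\.rtf|\.csv|\.odt|\.ods|\.odp' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$DOCUMENT_FILES") Document files found"
TEXT_FILES=$(grep -Ei '\.txt' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$TEXT_FILES") Text files found"
ARCHIVE_FILES=$(grep -Ei '\.zip|\.tar|\.gz|\.tgz|\.bz2|\.7z|\.rar|\.xz|\.cab|\.iso' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$ARCHIVE_FILES") Archive files found"
DB_FILES=$(grep -Ei '\.sql|\.db|\.mdb|\.sqlite|\.accdb|\.dbf|\.dump|\.bak|\.backup|\.ldif' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$DB_FILES") Database-related files found"
CONFIG_FILES=$(grep -Ei '\.conf|\.cfg|\.ini|\.yaml|\.yml|\.properties|\.json|\.xml|\.env' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$CONFIG_FILES") Configuration files found"
CERT_FILES=$(grep -Ei '\.pem|\.crt|\.key|\.pfx|\.p12|\.csr|\.der' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$CERT_FILES") Certificate and key files found"
LOG_FILES=$(grep -Ei '\.log|\.out|\.audit|\.trace|\.dmp' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$LOG_FILES") Log files found"
EXEC_FILES=$(grep -Ei '\.exe|\.dll|\.so|\.o|\.bin|\.out|\.msi|\.deb|\.rpm|\.apk|\.app|\.jar|\.war|\.ear' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$EXEC_FILES") Executable files found"
BACKUP_FILES=$(grep -Ei '\.bak|\.tmp|\.swp|\.old|\.save|\.orig|\.bk|\.backup|\.~|\.recovery' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$BACKUP_FILES") Backup and temporary files found"
WEB_FILES=$(grep -Ei '\.html|\.htm|\.js|\.php|\.jsp|\.asp|\.aspx|\.css|\.cgi' <<<"$UNIQ_FILES")
echo " [+] $(grep -c . <<<"$WEB_FILES") Web-related files found"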
List File Names
List Possible Sensitive Files
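# Print the paths that matched the keyword filter in the Overview snippet, one per line.
# printf writes them verbatim; echo may interpret backslash sequences inside a path.
printf '%s\n' "$SENSITIVE_FILES"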
List Media Files (iso, vmdk, img... etc.)
List Scripts (sh, ps1, bat... etc.)
List Document Files (docx, xlsx, pptx... etc.)
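# Print the paths that matched the document filter in the Overview snippet, one per line.
# printf writes them verbatim; echo may interpret backslash sequences inside a path.
printf '%s\n' "$DOCUMENT_FILES"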
List Text Files (txt)
List Archive Files (zip, tar, gz... etc.)
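# Print the paths that matched the archive filter in the Overview snippet, one per line.
# printf writes them verbatim; echo may interpret backslash sequences inside a path.
printf '%s\n' "$ARCHIVE_FILES"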
List Database Files (sql, db, mdb... etc.)
List Config Files (conf, cfg, ini, yaml... etc.)
List Certificate Files (pem, crt, key... etc.)
List Log Files (log, out, audit, trace, dmp... etc.)
List Executable Files (exe, dll, bin... etc.)
List Web Files (html, js, php... etc.)
List all files
View all files (Names only)
View all unique files + paths
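# List every unique file path found across all spider_plus result files.
# jq -r emits the raw path strings, matching how the Overview snippet builds UNIQ_FILES;
# stripping the quotes with tr would leave JSON escape sequences in the output.
jq -r '.[] | select(length > 0) | keys[]' /tmp/nxc_hosted/nxc_spider_plus/*.json | sort -u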
List other files
Count of files NOT detected in other checks
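# End-anchored union of the extensions used by the category filters in the Overview
# snippet. ova, ovf and aspx are listed because those filters match them; without
# them such files would be counted both in their category and again as "other".
ALL_TYPES_REGEX='\.(iso|img|vmdk|vdi|dmg|bin|nrg|cue|raw|ova|ovf|sh|ps1|bat|cmd|py|rb|pl|js|vbs|php|asp|psm1|ksh|zsh|bash|csh|tcsh|doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf|csv|odt|ods|odp|zip|tar|gz|tgz|bz2|7z|rar|xz|cab|sql|db|mdb|sqlite|accdb|dbf|dump|bak|backup|ldif|conf|cfg|ini|yaml|yml|properties|json|xml|env|pem|crt|key|pfx|p12|csr|der|log|out|audit|trace|dmp|exe|dll|so|o|msi|deb|rpm|apk|app|jar|war|ear|bak|tmp|swp|old|save|orig|bk|~|recovery|html|htm|jsp|aspx|css|cgi)$'
# -i keeps this check in step with the category filters, which ignore case; without
# it an upper-case extension such as .PDF would be reported as unknown.
UNDOCUMENTED_EXT_FILES=$(grep -Eiv "$ALL_TYPES_REGEX" <<<"$UNIQ_FILES")
# grep -c . counts non-empty lines, so an empty result prints 0 rather than 1.
echo " [+] $(grep -c . <<<"$UNDOCUMENTED_EXT_FILES") files with unique extensions not in previous checks found"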
List of file types NOT found in other checks
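# Collect the distinct extensions of the files that no category filter recognised.
# The extension is taken from the last path component only, so a dot in a directory
# name (dir.v2/README) is not mistaken for one.
# NOTE(review): assumes '/'-separated paths in the spider_plus output; confirm.
UNIQUE_EXTENSIONS=$(awk -F/ '{ n = split($NF, part, "."); if (n > 1) print part[n] }' <<<"$UNDOCUMENTED_EXT_FILES" | sort -u)
echo " [+] Unique file extensions not detected:"
# printf writes the list verbatim; echo may interpret backslash sequences.
printf '%s\n' "$UNIQUE_EXTENSIONS"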
List of file names NOT found in other checks
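# List the files whose extension is not covered by ALL_TYPES_REGEX (set in the
# "Count of files NOT detected in other checks" snippet).
# -i keeps this check in step with the category filters, which ignore case.
UNDOCUMENTED_FILES=$(grep -Eiv "$ALL_TYPES_REGEX" <<<"$UNIQ_FILES")
# grep -c . counts non-empty lines, so an empty result prints 0 rather than 1.
echo " [+] $(grep -c . <<<"$UNDOCUMENTED_FILES") unique file names not detected in previous checks found"
echo " [+] Unique file names not detected:"
# printf writes the list verbatim; echo may interpret backslash sequences.
printf '%s\n' "$UNDOCUMENTED_FILES"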
Locate IP/Share by file name
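echo; echo
# Prompt (zsh line editor) for the full path of a file as it appears in the listings.
vared -p 'File Path: ' -c SEARCHTEXT
# -F treats the path as a literal string rather than a regex (paths contain dots and
# other metacharacters); -l names each matching result file once, even when several
# lines in it match.
MATCHES=$(grep -lF -- "$SEARCHTEXT" /tmp/nxc_hosted/nxc_spider_plus/*.json)
if [[ -z "$MATCHES" ]]; then
  echo " [-] No spider_plus result contains: $SEARCHTEXT"
else
  # The same path can exist on more than one host, so report every matching file.
  while IFS= read -r JSONFILE; do
    # Result files are named <server-ip>.json: strip the directory and the suffix.
    SERVER_IP=${JSONFILE##*/}
    SERVER_IP=${SERVER_IP%.json}
    HOSTNAME=$(dig -x "$SERVER_IP" +short)
    # Top-level keys are share names; keep those whose listing holds this exact path.
    SHARE_NAME=$(jq --arg filepath "$SEARCHTEXT" -r 'to_entries[] | select(.value[$filepath]) | .key' "$JSONFILE")
    echo; echo
    echo " [+] Server IP: $SERVER_IP ($HOSTNAME)"
    echo " [+] Share Name: $SHARE_NAME"
    echo " [+] Found File: $SEARCHTEXT"
  done <<<"$MATCHES"
fi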
Display File Contents (Requires Auth)
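echo; echo
# Prompt (zsh line editor) for the full path of a file as it appears in the listings.
vared -p 'File Path: ' -c SEARCHTEXT
# -F: literal match, not a regex; -l: file names only. Only the first matching host
# is used, because smbng below connects to a single --host.
JSONFILE=$(grep -lF -- "$SEARCHTEXT" /tmp/nxc_hosted/nxc_spider_plus/*.json | head -n 1)
if [[ -z "$JSONFILE" ]]; then
  echo " [-] No spider_plus result contains: $SEARCHTEXT"
elif ! SMB_SCRIPT=$(mktemp); then
  echo " [-] Could not create a temporary file for the smbng script"
else
  # Result files are named <server-ip>.json: strip the directory and the suffix.
  SERVER_IP=${JSONFILE##*/}
  SERVER_IP=${SERVER_IP%.json}
  # First share on that host whose listing holds this exact path.
  SHARE_NAME=$(jq --arg filepath "$SEARCHTEXT" -r 'to_entries[] | select(.value[$filepath]) | .key' "$JSONFILE" | head -n 1)
  # The script goes into a private mktemp file and is overwritten, not appended to.
  # A fixed name in shared /tmp opened with >> would also run any lines already in
  # the file (left by an earlier run or another local user) in the smbng session.
  # NOTE(review): SHARE_NAME comes from scan results and SEARCHTEXT from the prompt;
  # both are written unescaped, so a stray newline in either becomes another command.
  cat > "$SMB_SCRIPT" << EOF
use $SHARE_NAME
cat $SEARCHTEXT
EOF
  smbng --host "$SERVER_IP" -u "$ADUSER" -d "$ADDOMAIN" --no-colors -N --startup-script "$SMB_SCRIPT"
  rm -f -- "$SMB_SCRIPT"
fi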
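The above requires smbng (smbclient-ng) to be installed. It can be installed with pipx: `pipx install git+https://github.com/p0dalirius/smbclient-ng.git`. Appending `@<tag-or-commit>` to that URL pins the install to a revision you have reviewed instead of whatever is currently on the default branch.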