File Shares

There are multiple different highly technical ways of extracting credentials from various places within Active Directory. However, like social engineering, users can allow us access in times when technical protections require much time and expertise.

People like to store passwords in Excel files or Word files or batch scripts or PowerShell scripts or PDFs or x y z. Why not look for these files?

Manspider

GitHub - blacklanternsecurity/MANSPIDER: Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported!GitHub

Manspider is a great tool for spidering SMB file shares to search for files that match what you're looking for. Here are the ones I almost always attempt (examples are similar to ones in the GitHub repository):

# Search for filenames that contain the string "passw"
manspider smb_alive.txt -f passw -d [domain] -u [username] -p [password]

# Search for documents that contain the string "passw"
manspider smb_alive.txt -c passw -e xlsx csv docx pdf -d [domain] -u [username] -p [password]

# Search for files with script-related extensions
manspider smb_alive.txt -e bat vbs ps1 psd1 psm1 -d [domain] -u [username] -p [password]

# Search for virtual disks
manspider smb_alive.txt -e vmdk vhd vdi -d [domain] -u [username] -p [password]

Any files identified will go to your ~/.manspider/loot/ directory by default.

If you're considering Opsec, keep in mind that this tool will authenticate as a single user to many many computers (if configured to) within a short amount of time and touch a lot of files. This is LOUD.

PreviousCredential Hunting NextLSASS Credentials

Last updated 12 days ago

hashtagManspider

Manspider