Snaffler Impacket port - find credentials and sensitive data on SMB shares
Project description
snaffler-ng
Impacket port of Snaffler.
snaffler-ng is a post-exploitation / red teaming tool designed to discover readable SMB shares, walk directory trees, and identify credentials and sensitive data on Windows systems.
Features
- SMB share discovery via SRVSVC (NetShareEnum)
- DFS namespace discovery via LDAP (v1 + v2), merged and deduplicated with share enumeration
- Recursive directory tree walking
- Regex-based file and content classification
- NTLM authentication (password or pass-the-hash)
- Kerberos authentication
- Multithreaded scanning (share / tree / file stages)
- Optional file download (“snaffling”)
- Resume support via SQLite state database
- Compatible with original and custom TOML rule sets
- Deterministic, ingestion-friendly logging (plain / JSON / TSV)
Installation
pip install snaffler-ng
Quick Start
Full Domain Discovery
Providing only a domain triggers full domain discovery:
snaffler run \
-u USERNAME \
-p PASSWORD \
-d DOMAIN.LOCAL
This will automatically:
- Query Active Directory for computer objects
- Discover DFS namespace targets via LDAP (v1
fTDfs+ v2msDFS-Linkv2) - Enumerate SMB shares on discovered hosts
- Merge and deduplicate DFS and SMB share paths
- Scan all readable shares
When using Kerberos, set KRB5CCNAME to a valid ticket cache and use hostnames/FQDNs:
snaffler run \
-k \
--use-kcache \
-d DOMAIN.LOCAL \
--dc-host CORP-DC02
Targeted Scans
Scan a specific UNC path (no discovery):
snaffler run \
-u USERNAME \
-p PASSWORD \
--unc //192.168.1.10/Share
Scan multiple computers (share discovery enabled):
snaffler run \
-u USERNAME \
-p PASSWORD \
--computer 192.168.1.10 \
--computer 192.168.1.11
Load target computers from file:
snaffler run \
-u USERNAME \
-p PASSWORD \
--computer-file targets.txt
Logging & Output Formats
snaffler-ng supports three output formats, each with a distinct purpose:
Plain(default, human-readable)JSON(structured, SIEM-friendly)TSV(flat, ingestion-friendly)
Resume Support
Large environments are expected.
You can resume interrupted scans using the --resume argument:
snaffler run \
-u USERNAME \
-p PASSWORD \
--computer-file targets.txt \
--resume
State tracks processed shares, directories, and files to avoid re-scanning.
Authentication Options
- NTLM username/password
- NTLM pass-the-hash (
--hash) - Kerberos (
-k) - Kerberos via existing ccache (
--use-kcache)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file snaffler_ng-1.0.2.tar.gz.
File metadata
- Download URL: snaffler_ng-1.0.2.tar.gz
- Upload date:
- Size: 56.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1ab85f2e0ad7124db7fb7e55374b39ef8a1d87b9d17bd2fb2dad07665ee0f825
|
|
| MD5 |
de8c0b74a3cc6e2184913be16c191be9
|
|
| BLAKE2b-256 |
aa53c056656e798689a557eaf86fe8423d1a37b1ddea510303d373f88fab1f8b
|
File details
Details for the file snaffler_ng-1.0.2-py3-none-any.whl.
File metadata
- Download URL: snaffler_ng-1.0.2-py3-none-any.whl
- Upload date:
- Size: 85.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cea66f2c870e26380ef56076906bba729f7360477a42af807ae2451634499342
|
|
| MD5 |
4d3475f1d0752d426a0a9c6c963d75ae
|
|
| BLAKE2b-256 |
55fced1cb5e52b9d855ea8b3ea172938702de45eb7e16ac3c7c33d670846bd1d
|
