Snaffler Impacket port - find credentials and sensitive data on SMB shares

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for totekuh from gravatar.com totekuh

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache License
  • Author: totekuh
  • Requires: Python >=3.9
  • Provides-Extra: test
Report project as malware

Project description

snaffler-ng

Impacket port of Snaffler.

snaffler-ng is a post-exploitation / red teaming tool designed to discover readable SMB shares, walk directory trees, and identify credentials and sensitive data on Windows systems.

Features

  • SMB share discovery via SRVSVC (NetShareEnum)
  • DFS namespace discovery via LDAP (v1 + v2), merged and deduplicated with share enumeration
  • Recursive directory tree walking
  • Regex-based file and content classification
  • NTLM authentication (password or pass-the-hash)
  • Kerberos authentication
  • Multithreaded scanning (share / tree / file stages)
  • Optional file download (“snaffling”)
  • Resume support via SQLite state database
  • Compatible with original and custom TOML rule sets
  • Deterministic, ingestion-friendly logging (plain / JSON / TSV)
  • Pipe-friendly: accepts NetExec (nxc) --shares output via --stdin

Installation

pip install snaffler-ng

Quick Start

Full Domain Discovery

Providing only a domain triggers full domain discovery:

snaffler \
  -u USERNAME \
  -p PASSWORD \
  -d DOMAIN.LOCAL

This will automatically:

  • Query Active Directory for computer objects
  • Discover DFS namespace targets via LDAP (v1 fTDfs + v2 msDFS-Linkv2)
  • Enumerate SMB shares on discovered hosts
  • Merge and deduplicate DFS and SMB share paths
  • Scan all readable shares

When using Kerberos, set KRB5CCNAME to a valid ticket cache and use hostnames/FQDNs:

snaffler \
-k \
--use-kcache \
-d DOMAIN.LOCAL \
--dc-host CORP-DC02

Targeted Scans

Scan a specific UNC path (no discovery):

snaffler \
  -u USERNAME \
  -p PASSWORD \
  --unc //192.168.1.10/Share

snaffler-ng run

Scan multiple computers (share discovery enabled):

snaffler \
  -u USERNAME \
  -p PASSWORD \
  --computer 192.168.1.10 \
  --computer 192.168.1.11

Load target computers from file:

snaffler \
  -u USERNAME \
  -p PASSWORD \
  --computer-file targets.txt

Pipe from NetExec (nxc)

Pipe nxc smb --shares output directly into snaffler-ng with --stdin:

nxc smb 10.8.50.20 -u user -p pass --shares | snaffler -u user -p pass --stdin

This parses NXC's share output, extracts UNC paths, and feeds them into the file scanner. Snaffler's existing share/directory rules handle filtering.

Logging & Output Formats

snaffler-ng supports three output formats, each with a distinct purpose:

  • Plain (default, human-readable)
  • JSON (structured, SIEM-friendly)
  • TSV (flat, ingestion-friendly)

Resume Support

Large environments are expected.

You can resume interrupted scans using the --resume argument:

snaffler \
-u USERNAME \
-p PASSWORD \
--computer-file targets.txt \
--resume

State tracks processed shares, directories, and files to avoid re-scanning.

Authentication Options

  • NTLM username/password
  • NTLM pass-the-hash (--hash)
  • Kerberos (-k)
  • Kerberos via existing ccache (--use-kcache)

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for totekuh from gravatar.com totekuh

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache License
  • Author: totekuh
  • Requires: Python >=3.9
  • Provides-Extra: test

Release history Release notifications | RSS feed

1.5.11

1.5.10

1.5.9

1.5.8

1.5.7

1.5.6

1.5.5

1.5.4

1.5.3

1.5.2

1.5.1

1.5.0

1.4.1

1.4.0

1.3.0

1.2.1

1.1.2

This version

1.1.1

1.1.0

1.0.2

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

snaffler_ng-1.1.1.tar.gz (71.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

snaffler_ng-1.1.1-py3-none-any.whl (101.4 kB view details)

Uploaded Python 3

File details

Details for the file snaffler_ng-1.1.1.tar.gz.

File metadata

  • Download URL: snaffler_ng-1.1.1.tar.gz
  • Upload date:
  • Size: 71.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for snaffler_ng-1.1.1.tar.gz
Algorithm Hash digest
SHA256 49401bbea3d17fef84313bfe5106cf2aa22961bc045e0c0d4c7b13ec726af36d
MD5 0437ff459dbbf039b663c81720dba880
BLAKE2b-256 a2d9d3939b90d26a432f1f57dc1b6bad599dbeb08858d4937c1eb9bd4344708e

See more details on using hashes here.

File details

Details for the file snaffler_ng-1.1.1-py3-none-any.whl.

File metadata

  • Download URL: snaffler_ng-1.1.1-py3-none-any.whl
  • Upload date:
  • Size: 101.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for snaffler_ng-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 d0eaa45e36f22b226470e1d8ff0e56e845247b82e01e74896f95f88f9b362a22
MD5 be54403bf26c399f54e22bcd97674e4c
BLAKE2b-256 50cda96fa54b7b4c8e1edd5573f1ca61c1bc0be23a994efecd121894a59d23ad

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page