snaffler-ng 1.1.2

Snaffler Impacket port - find credentials and sensitive data on SMB shares

snaffler-ng

Impacket port of Snaffler.

snaffler-ng is a post-exploitation / red teaming tool designed to discover readable SMB shares, walk directory trees, and identify credentials and sensitive data on Windows systems.

Features

• SMB share discovery via SRVSVC (NetShareEnum)
• DFS namespace discovery via LDAP (v1 + v2), merged and deduplicated with share enumeration
• Recursive directory tree walking
• Regex-based file and content classification
• NTLM authentication (password or pass-the-hash)
• Kerberos authentication
• Multithreaded scanning (share / tree / file stages)
• Optional file download (“snaffling”)
• Resume support via SQLite state database
• Compatible with original and custom TOML rule sets
• Deterministic, ingestion-friendly logging (plain / JSON / TSV)
• Custom DNS resolution (--nameserver) for internal AD hostname resolution through SOCKS tunnels
• Pipe-friendly: accepts NetExec (nxc) --shares output via --stdin

Installation

pip

pip install snaffler-ng

Standalone Binary

Pre-built single-file executables (no Python required) are attached to each GitHub Release:

Platform	File
Linux x86_64	snaffler-linux-x86_64
Windows x86_64	snaffler-windows-x86_64.exe

Kali / Debian

sudo dpkg -i snaffler-ng_*.deb

Quick Start

Full Domain Discovery

Providing only a domain triggers full domain discovery:

snaffler \
  -u USERNAME \
  -p PASSWORD \
  -d DOMAIN.LOCAL

This will automatically:

• Query Active Directory for computer objects
• Discover DFS namespace targets via LDAP (v1 fTDfs + v2 msDFS-Linkv2)
• Enumerate SMB shares on discovered hosts
• Merge and deduplicate DFS and SMB share paths
• Scan all readable shares

When using Kerberos, set KRB5CCNAME to a valid ticket cache and use hostnames/FQDNs:

snaffler \
-k \
--use-kcache \
-d DOMAIN.LOCAL \
--dc-host CORP-DC02

---

Targeted Scans

Scan a specific UNC path (no discovery):

snaffler \
  -u USERNAME \
  -p PASSWORD \
  --unc //192.168.1.10/Share

Scan multiple computers (share discovery enabled):

snaffler \
  -u USERNAME \
  -p PASSWORD \
  --computer 192.168.1.10 \
  --computer 192.168.1.11

Load target computers from file:

snaffler \
  -u USERNAME \
  -p PASSWORD \
  --computer-file targets.txt

Pipe from NetExec (nxc)

Pipe nxc smb --shares output directly into snaffler-ng with --stdin:

nxc smb 10.8.50.20 -u user -p pass --shares | snaffler -u user -p pass --stdin

This parses NXC's share output, extracts UNC paths, and feeds them into the file scanner. Snaffler's existing share/directory rules handle filtering.

Custom DNS Server

Use --nameserver (or --ns) to resolve hostnames through a specific DNS server instead of the system resolver. Useful for lab environments, split DNS, or any setup where the system resolver can't reach the target domain:

# Point at the DC for name resolution
snaffler -u USER -p PASS -d DOMAIN.LOCAL --dc-host 192.168.201.11 --ns 192.168.201.11

# Combine with SOCKS — DNS queries use TCP and route through the tunnel automatically
snaffler -u USER -p PASS -d DOMAIN.LOCAL --dc-host 192.168.201.11 \
  --socks socks5://127.0.0.1:1080 --ns 192.168.201.11

Logging & Output Formats

snaffler-ng supports three output formats, each with a distinct purpose:

• Plain (default, human-readable)
• JSON (structured, SIEM-friendly)
• TSV (flat, ingestion-friendly)

Resume Support

Large environments are expected.

You can resume interrupted scans using the --resume argument:

snaffler \
-u USERNAME \
-p PASSWORD \
--computer-file targets.txt \
--resume

State tracks processed shares, directories, and files to avoid re-scanning.

Authentication Options

• NTLM username/password
• NTLM pass-the-hash (--hash)
• Kerberos (-k)
• Kerberos via existing ccache (--use-kcache)
• SOCKS proxy pivoting (--socks)
• Custom DNS server (--nameserver / --ns)