View Issue Details

ID: 0009560
Project: Kali Linux
Category: New Tool Requests
View Status: public
Last Update: 2026-02-20 21:14
Reporter: totekuh
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0009560: New tool request: snaffler-ng - SMB share credential and sensitive data scanner
Description

Name: snaffler-ng
Version: 1.1.1
Homepage: https://github.com/totekuh/snaffler-ng
Author: totekuh
License: Apache 2.0
Language: Python 3

What it does

snaffler-ng is an Impacket port of Snaffler (https://github.com/SnaffCon/Snaffler), a post-exploitation tool that discovers readable SMB shares, walks directory trees, and identifies credentials and sensitive data on Windows file

It runs a 3-stage pipeline: domain discovery via LDAP → share enumeration via SRVSVC/SMB → recursive file scanning with content classification. It supports NTLM, Pass-the-Hash, and Kerberos authentication.

Key features

  • 50+ built-in classification rules across 5 scopes (share, directory, file, content, post-match)
  • Regex-based content scanning with context extraction
  • Certificate/private key detection (PEM, DER, PKCS12)
  • Triage severity levels: Black (critical) / Red (high) / Yellow (medium) / Green (low)
  • DFS namespace discovery and deduplication via LDAP
  • Resume interrupted scans via SQLite state tracking
  • Accepts piped NetExec (nxc) SMB --shares output via --stdin
  • Multiple output formats: plain, JSON, TSV
  • Multi-threaded (60 threads default, configurable)
  • Custom TOML rule files
  • File download (snaffling) of matched findings

There is no equivalent tool in Kali. The closest tools and why they fall short:

  • NetExec (nxc) --shares: Lists share names and permissions but does NOT walk directories or read file contents. snaffler-ng picks up where nxc leaves off (and can pipe nxc output directly via --stdin).
  • enum4linux-ng: Enumerates shares and basic SMB info but does not scan file contents.
  • smbmap: Can list shares and files but has no classification engine, no regex content scanning, no triage severity, no rule system.
  • smbclient: Manual interactive browsing - no automation, no classification.

snaffler-ng automates deep inspection of SMB share contents during post-exploitation, with intelligent classification that surfaces credentials, config files with secrets, private keys, and sensitive data.

Usage examples

Scan a specific share with NTLM auth

snaffler -u admin -p 'Password1' --unc //10.0.0.5/ShareName

Discover domain shares and scan everything

snaffler -u admin -p 'Password1' -d CORP.LOCAL --dc-host dc01.corp.local

Pipe NetExec share output directly

nxc smb 10.0.0.0/24 -u admin -p 'Password1' --shares | snaffler --stdin -u admin -p 'Password1'

Kerberos with ccache

snaffler -k --use-kcache -d CORP.LOCAL --dc-host dc01.corp.local

Only show high-severity findings, output JSON

snaffler -u admin -p 'Password1' --unc //10.0.0.5/C$ -b 2 -t json -o results.json

Download matched files locally

snaffler -u admin -p 'Password1' --unc //10.0.0.5/Share -m ./loot/

Dependencies (all in Kali repos)

  • python3-impacket (>= 0.11.0)
  • python3-typer (>= 0.12.0)
  • python3-rich (>= 13.0.0)
  • python3-tomlkit
  • python3-cryptography

Packaging

  • debian/ directory ready (pybuild + pyproject, follows Kali conventions)
  • Man page included (snaffler.1)
  • Autopkgtest: snaffler --help
  • Builds clean .deb with dpkg-buildpackage
  • Git tags on all releases (v1.1.1)
  • Also available on PyPI: pip install snaffler-ng

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2026-02-20 21:14 totekuh New Issue