惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
有赞技术团队
有赞技术团队
T
The Blog of Author Tim Ferriss
F
Fortinet All Blogs
D
DataBreaches.Net
F
Full Disclosure
腾讯CDC
博客园 - 【当耐特】
MyScale Blog
MyScale Blog
Stack Overflow Blog
Stack Overflow Blog
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
Last Week in AI
Last Week in AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
爱范儿
爱范儿
The GitHub Blog
The GitHub Blog
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
SegmentFault 最新的问题
The Register - Security
The Register - Security
WordPress大学
WordPress大学
博客园 - 聂微东
雷峰网
雷峰网
J
Java Code Geeks
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
A
Arctic Wolf
Scott Helme
Scott Helme
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
Know Your Adversary
Know Your Adversary
AWS News Blog
AWS News Blog
G
Google Developers Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
C
CERT Recently Published Vulnerability Notes
O
OpenAI News
Project Zero
Project Zero
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Application and Cybersecurity Blog
Application and Cybersecurity Blog
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
MongoDB | Blog
MongoDB | Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
P
Palo Alto Networks Blog
Schneier on Security
Schneier on Security

Darknet – Hacking Tools, Hacker News & Cyber Security

MSSQLand – Lightweight MS-SQL Interaction Tool for Lateral Movement and Post-Exploitation Credential Stuffing in 2025 - How Combolists, Infostealers and Account Takeover Became an Industry DumpBrowserSecrets – Browser Credential Harvesting with App-Bound Encryption Bypass Systemic Ransomware Events in 2025 – How Jaguar Land Rover Showed What a Category 3 Supply Chain Breach Looks Like Heisenberg Dependency Health Check – GitHub Action for Supply Chain Risk Dark Web Search Engines in 2025 – Enterprise Monitoring, APIs and IOC Hunting mcp-scan – Real-Time Guardrail Monitoring and Dynamic Proxy for MCP Servers Initial Access Brokers (IAB) in 2025 – From Dark Web Listings to Supply Chain Ransomware Events Reconnoitre – Open-Source Reconnaissance and Service Enumeration Tool
SmbCrawler – SMB Share Discovery and Secret-Hunting
Darknet · 2025-11-24 · via Darknet – Hacking Tools, Hacker News & Cyber Security

You are here: Home / Hacking Tools / SmbCrawler – SMB Share Discovery and Secret-Hunting

SmbCrawler is a credentialed SMB spider that takes domain credentials and a list of hosts, then aggressively walks network shares for you. It checks permissions, crawls directory trees, auto-downloads interesting files, and reports likely secrets such as passwords, SSH keys, configuration files, DPAPI blobs, and database dumps. For internal red teams, it is a purpose-built engine for turning “we have a foothold” into “we own the file servers”.

SmbCrawler - SMB Share Discovery and Secret-Hunting

Overview

Every serious internal pentest or red-team engagement ends up abusing SMB misconfiguration. Shared drives still hold plaintext creds, exported mailboxes, unprotected backups, and “temporary” dumps that never got cleaned up. Doing this manually with basic tools and Windows Explorer is slow and noisy. SmbCrawler solves that by automating the boring parts:

  • Take credentials once.
  • Feed it hostnames, IP ranges, or Nmap XML.
  • Let it enumerate shares, permissions, and directory structures at scale.
  • Automatically pull down files that match secret-hunting profiles into a structured SQLite-backed data store.

The result is an internal discovery and exfil pipeline that you can run in hours, not days, with a repeatable output format you can grep, query, and report from.

Features

From the live README, SmbCrawler ships with a carefully designed feature set:

  • Flexible target input – accepts hostnames, single IPs, IP ranges or Nmap XML files as input.
  • Permission checks – tests authentication as guest and as supplied user, share access, and (optionally) write access by creating a temporary directory.
  • Configurable crawl depth – control how deep to walk each share, with separate profiles to override depth for specific paths.
  • Pass-the-hash support – operate with NTLM hashes instead of cleartext passwords when necessary.
  • Interesting file detection – ships with profiles that flag and download likely high-value files (credentials, configs, dumps, keys).
  • Threaded, pausable engine – multi-threaded crawling with runtime controls to pause, skip hosts or shares, and inspect status.
  • SQLite-backed output – writes findings to a SQLite database and a structured output directory, plus optional interactive HTML reporting.

Installation

SmbCrawler is a Python tool published on PyPI. The author explicitly recommends using pipx so you do not pollute your system Python. Installation examples from the README:

# Minimal install
pipx install smbcrawler

# Recommended install with binary conversion helpers (PDF, XLSX, DOCX, ZIP...)
pipx install "smbcrawler[binary-conversion]"

The extra [binary-conversion] dependency pulls in MarkItDown so SmbCrawler can convert common binary formats to text before scanning them for secrets. For red-team use, you almost always want this turned on.

Usage

The README’s quick example shows a typical crawl against a file of targets with domain credentials:

$ smbcrawler crawl -i hosts.txt -u pen.tester -p iluvb0b -d contoso.local -t 10 -D 5

That command:

  • Uses hosts.txt as the target list.
  • Authenticates as pen.tester in the contoso.local domain.
  • Spawns 10 worker threads (-t 10).
  • Crawls each share up to depth 5 (-D 5).

At runtime, you can interact with the crawler:

  • p – pause and selectively skip hosts or shares.
  • <space> – print current progress.
  • s – show a more detailed status view.

The profile system does the heavy lifting. Profiles (YAML) define which files, directories, and shares are “interesting”, where to dig deeper, and which secrets to flag. You can supply your own profiles alongside the built-in defaults to target specific line-of-business apps or internal naming schemes.

Attack Scenario

Objective: turn one compromised Windows credential into complete knowledge of SMB data exposure, plus a curated bag of loot, in a single engagement sprint.

  1. Obtain valid domain credentials via phishing, password spraying or a prior foothold.
  2. Enumerate potential SMB hosts using existing tools (for example keimpx or Nmap scripts) and export them to a target file.
  3. Run SmbCrawler with a shallow depth (for example -D 1) and optional write checks to map which hosts and shares are readable and writable. Save this as a dedicated crawl file.
  4. Use the initial database to prioritise “high-value” shares, then rerun SmbCrawler with deeper depth and tuned profiles against a reduced host set.
  5. From the SQLite database and downloaded files, extract passwords, SSH keys, VPN configs, DPAPI blobs, application secrets and database dumps. Feed those into lateral movement tooling such as NetExec to pivot further.
  6. Optionally, map resulting privileges and paths in Active Directory with BloodHound, turning share-level findings into full graph-based attack paths.

Red Team Relevance

SmbCrawler hits a rare sweet spot between practicality and depth. It is fast enough to run routinely on real client networks, and opinionated enough to surface valuable loot instead of dumping terabytes of junk. From a red-team perspective, you can:

  • Quantify SMB exposure: “X hosts, Y readable shares, Z with write access, N high-value secrets found”.
  • Build repeatable playbooks for different client environments by shipping pre-tuned profiles with your engagement kit.
  • Tighten operational security: SmbCrawler lets you avoid noisy manual browsing and random PowerShell scripts scattered through jump boxes.

It also plays nicely with other offensive SMB tooling already covered on Darknet. Combine share discovery and credential validation (keimpx, CredNinja, NetExec) with SmbCrawler’s deep crawl to show how quickly a motivated attacker can move from “one set of creds” to “everyone’s home drive” in a typical enterprise.

Detection and Mitigation

From the blue-team side, SmbCrawler’s capabilities translate directly into controls you should prioritise:

  • Audit share permissions regularly – especially “Everyone” and “Authenticated Users” access on sensitive roots and profile shares.
  • Harden write access – limit where regular users can create directories and files; SmbCrawler’s write-check feature highlights exactly where an attacker could drop tooling or weaponised documents.
  • Reduce sensitive data on shares – remove or encrypt cleartext passwords, SSH keys, DPAPI master keys, and dumps from general-purpose shares.
  • Monitor for unusual enumeration patterns – multi-threaded crawlers often create recognisable patterns in SMB logs. Look for high-volume directory listings and repeated access to new hosts from a single source.
  • Feed SmbCrawler-like data into DLP and UEBA – if you cannot prevent broad read access, at least detect when unusual principals traverse large portions of your file estate.

Comparison

SmbCrawler sits in a crowded but uneven space:

  • Versus simple scanners (keimpx, basic Nmap scripts) – those excel at credential validity and share enumeration, but they do not deeply crawl content or classify secrets. SmbCrawler keeps going until it finds the actual loot.
  • Versus manual PowerShell and ad-hoc scripts – bespoke scripts are flexible but rigid to maintain and report from. SmbCrawler’s SQLite output and profile system provide a single, consistent source of truth per engagement.
  • Versus general recon frameworks (Sn1per, Scanners-Box) – frameworks give you breadth across many protocols; SmbCrawler gives you depth for one of the most abused internal attack surfaces: Windows file shares.

Conclusion

If your internal engagements touch Windows networks, SmbCrawler deserves a permanent slot in your toolkit. It turns a messy mix of SMB servers, legacy shares, and forgotten exports into a structured map of permissions and secrets you can actually act on. For defenders, running it in a controlled way gives you a painful but accurate picture of real data exposure – the same image a motivated attacker would see.

You can read more or download SmbCrawler here: https://github.com/SySS-Research/smbcrawler