Impacket port of Snaffler.
snaffler-ng is a post-exploitation / red teaming tool designed to discover readable SMB shares, walk directory trees, and identify credentials and sensitive data on Windows systems.
- SMB share discovery (RPC / SMB)
- Recursive directory tree walking
- Regex-based file and content classification
- NTLM authentication (password or pass-the-hash)
- Kerberos authentication
- Multithreaded scanning (share / tree / file stages)
- Optional file download (“snaffling”)
- Resume support via SQLite state database
- Compatible with original and custom TOML rule sets
- Deterministic, ingestion-friendly logging (plain / JSON / TSV)
pip install snaffler-ngProviding only a domain triggers full domain discovery:
snaffler run \
-u USERNAME \
-p PASSWORD \
-d DOMAIN.LOCALThis will automatically:
- Query Active Directory for computer objects
- Enumerate SMB shares on discovered hosts
- Scan all readable shares
When using Kerberos, set KRB5CCNAME to a valid ticket cache and use hostnames/FQDNs:
snaffler run \
-k \
--use-kcache \
-d DOMAIN.LOCAL \
--dc-host CORP-DC02Scan a specific UNC path (no discovery):
snaffler run \
-u USERNAME \
-p PASSWORD \
--unc //192.168.1.10/ShareScan multiple computers (share discovery enabled):
snaffler run \
-u USERNAME \
-p PASSWORD \
--computer 192.168.1.10 \
--computer 192.168.1.11Load target computers from file:
snaffler run \
-u USERNAME \
-p PASSWORD \
--computer-file targets.txtsnaffler-ng supports three output formats, each with a distinct purpose:
Plain(default, human-readable)JSON(structured, SIEM-friendly)TSV(flat, ingestion-friendly)
Large environments are expected.
You can resume interrupted scans using the --resume argument:
snaffler run \
-u USERNAME \
-p PASSWORD \
--computer-file targets.txt \
--resumeState tracks processed shares, directories, and files to avoid re-scanning.
- NTLM username/password
- NTLM pass-the-hash (
--hash) - Kerberos (
-k) - Kerberos via existing ccache (
--use-kcache)