Credential Hunting in Network Shares and Traffic


Big Picture:

Do you want to learn more about networking and offensive networking attacks, like me? Then this article is for you. This is a summary of some basic snooping tactics I’ve used to try and see if I can find user (or ideally admin) credentials that may be exposed due to out-of-date protocols and systems. All of these snooping tactics were done in a controlled education environment and not on actual systems or user data. Don’t use these tactics for evil.

Hunting in Network Traffic

Legacy systems and misconfigurations often rely on unencrypted protocols that transmit credentials in cleartext. As a pen tester, their use makes your job easier. Packet capture tools can intercept usernames, passwords, NTLM hashes, and Kerberos tickets from insecure protocols. This is surprisingly effective in enterprise environments with older applications, embedded devices, or testing environments.

Understanding Unencrypted vs. Encrypted Protocols

Many protocols have both unencrypted and encrypted versions. From what I have found, here are some common ones:

Web and file transfer: HTTP vs. HTTPS, FTP vs. FTPS/SFTP. Credentials cross the network in cleartext when the unencrypted versions are used.

Email protocols: POP3, IMAP, and SMTP transmit credentials openly, while POP3S, IMAPS, and SMTPS use TLS encryption.

Network management: SNMP v1/v2c uses community strings as plaintext passwords. SNMPv3 added encryption, but many devices still use older versions.

Directory services: Unencrypted LDAP transmits bind credentials in cleartext, while LDAPS encrypts sessions. Captured LDAP traffic often reveals service account credentials.

Remote access: RDP and VNC without TLS/SSL send passwords unencrypted or with weak encryption.

File sharing: SMB 1.0/2.0 have weaker encryption than SMB 3.0 with TLS, but many environments support older versions for compatibility.

DNS: Traditional DNS doesn’t encrypt queries. DNS over HTTPS (DoH) addresses this, but adoption is limited.

Capturing Credentials with Wireshark

Wireshark is the standard packet analyzer that you can use to dive into web traffic and see what is happening at the packet level. I could sure use more time experimenting with it, so here are some useful filters you can use to find packets that may contain credentials amongst all the noise:

  • http.request.method == "POST" – HTTP form submissions with credentials
  • ftp – FTP USER and PASS commands
  • smtp.auth, pop.request, imap – Email authentication
  • ldap – Directory service bind operations
  • snmp – Community strings
  • http contains "password" – Broad string matching

Use Edit → Find Packet to search for “username,” “password,” or “passw.” Right-click packets and “Follow → TCP Stream” to see complete conversations where credentials appear in plaintext.

Automated Extraction with Pcredz

While Wireshark is great for manually going through thousands of packets, automation is king. Pcredz is a Python-based tool that automatically extracts credentials from packet capture (.pcap) files and will save you lots of time digging through packets. If you run:

./Pcredz -f capture.pcap -t -v

It will extract FTP, POP, SMTP, IMAP, and SNMP credentials; HTTP Basic Auth; NTLMv1/v2 hashes from SMB, LDAP, MSSQL, and HTTP; Kerberos tickets; and credit card numbers (spooky). Instead of manually filtering each protocol in Wireshark, Pcredz processes everything in one pass and presents a comprehensive report in seconds.
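As an added example (not from this article or from the Pcredz project), here is the same search the Wireshark filters and Pcredz perform, written as a small Python audit over constructed "Follow TCP Stream" payloads, so a blue team can confirm which of its own services still send logins in the clear. The stream contents, hostnames and account names are constructed for the example, and any secret found is masked so the report itself does not become a credential file.

```python
import base64
import re

# Constructed sample payloads standing in for Wireshark "Follow TCP Stream" output (not real
# captures); the TLS entry shows what an encrypted stream looks like by contrast.
SAMPLE_STREAMS = {
    "ftp": "220 Welcome\r\nUSER alice\r\n331 Password required\r\nPASS s3cret\r\n230 OK\r\n",
    "http_basic": "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                  "Authorization: Basic " + base64.b64encode(b"bob:hunter2").decode() + "\r\n\r\n",
    "http_form": "POST /login HTTP/1.1\r\nHost: app.example\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "username=carol&password=Winter2024!&submit=1",
    "smtp": "EHLO mail\r\nAUTH LOGIN\r\n334 VXNlcm5hbWU6\r\nZGF2ZQ==\r\n334 UGFzc3dvcmQ6\r\ncGFzcw==\r\n",
    "tls": "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03 <binary ClientHello, nothing readable>",
}

# One pattern per cleartext login mechanism; each captures (user, secret) or a base64 blob.
FTP_RE = re.compile(r"^USER (\S+)\r?\n(?:.*\r?\n)*?PASS (\S+)", re.M)
BASIC_RE = re.compile(r"^Authorization: Basic (\S+)", re.M)
FORM_RE = re.compile(r"(?:^|&)(?:user(?:name)?|login|email)=([^&\s]+).*?(?:^|&)pass(?:word|wd)?=([^&\s]+)", re.M)
SMTP_RE = re.compile(r"AUTH LOGIN\r?\n(?:334 \S+\r?\n)?(\S+)\r?\n(?:334 \S+\r?\n)?(\S+)")

def _b64(s):
    # Tolerate bad base64: an exposure with an undecodable value is still worth reporting.
    try:
        return base64.b64decode(s).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return "<undecodable>"

def find_exposures(stream):
    """Return (protocol, username, masked_secret) tuples for cleartext logins in one stream.
    Only the length of the secret is reported, never the secret itself."""
    hits = []
    if m := FTP_RE.search(stream):
        hits.append(("ftp", m.group(1), "*" * len(m.group(2))))
    if m := BASIC_RE.search(stream):
        user, _, pw = _b64(m.group(1)).partition(":")
        hits.append(("http-basic", user, "*" * len(pw)))
    if m := FORM_RE.search(stream):
        hits.append(("http-form", m.group(1), "*" * len(m.group(2))))
    if m := SMTP_RE.search(stream):
        hits.append(("smtp-auth-login", _b64(m.group(1)), "*" * len(_b64(m.group(2)))))
    return hits

def audit(streams):
    """Map stream name -> exposures; an empty list means no cleartext login was seen."""
    return {name: find_exposures(payload) for name, payload in streams.items()}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_STREAMS).items():
        print(f"{name}: {hits or 'no cleartext credentials'}")
```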


Credential Hunting in Network Shares

Network shares (also called SMB or file shares) are folders or drives on a computer that have been made accessible to other users over a network. Kind of like a communal filing cabinet. They are typically addressed as \\ServerName\ShareName (or \\IPaddress\ShareName) and are goldmines for credentials because users routinely store files with plaintext passwords, connection strings, and API keys. Unlike encrypted credential stores, these files are often accessible and unprotected.

Some targets you would want to look for within an enterprise environment would be IT shares (scripts with embedded credentials), Finance shares (database passwords in spreadsheets), HR shares (VPN credentials), and SYSVOL/NETLOGON (Group Policy scripts with service account credentials).

If you happen to get access to a network share, search for keywords like “password,” “passw,” “user,” “credential,” “token,” “key,” and “secret.” Also look for file types: .ini, .cfg, .env, .ps1, .bat, .xml, .config, .xlsx. Watch for telltale file names like config.ini, credentials.txt, passwords.xlsx, and backup_script.bat. Finally, look for domain references like “CORP\” that indicate domain credentials.
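An added example, not this article's or Snaffler's code: a Python audit that applies the keyword, file-type and domain-reference heuristics above to a mounted share (here a constructed temp directory) so a share owner can find such files and clean them up before anyone else does. The CORP domain name, the paths and the file contents are constructed for the example, and matched secret values are masked in the findings.

```python
import os
import re
import tempfile

KEYWORDS = ("password", "passw", "credential", "token", "secret")  # filename hints from the text
RISKY_EXT = {".ini", ".cfg", ".env", ".ps1", ".bat", ".xml", ".config", ".txt"}
# key=value / key: value with a literal value of 6+ chars; prompts and variables do not match
ASSIGN_RE = re.compile(r"(?i)\b(passw(?:or)?d|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\";]{6,})")
DOMAIN_RE = re.compile(r"\bCORP\\[A-Za-z0-9._$-]+")  # "CORP\account" domain references

def scan_file(path):
    """Return (reason, line_no, evidence) findings for one file; secret values are masked."""
    name = os.path.basename(path).lower()
    findings = [("suspicious-filename", 0, name)] if any(k in name for k in KEYWORDS) else []
    if os.path.splitext(name)[1] not in RISKY_EXT:  # spreadsheets/binaries need a real parser
        return findings
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            for m in ASSIGN_RE.finditer(line):
                findings.append(("literal-secret", no, f"{m.group(1)}={m.group(2)[:2]}{'*' * (len(m.group(2)) - 2)}"))
            for m in DOMAIN_RE.finditer(line):
                findings.append(("domain-account", no, m.group(0)))
    return findings

def scan_share(root):
    """Walk a mounted share (or a local copy of it) and return {relative_path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if hits := scan_file(full := os.path.join(dirpath, f)):
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def build_sample_share():
    """Write a constructed sample share (not real data) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    samples = {
        "IT/scripts/backup_script.bat": "net use Z: \\\\fs01\\backups /user:CORP\\svc_backup Summer2024!\r\n",
        "IT/config.ini": "[db]\nhost=db01\npassword = Pa55w0rd!\n",
        "IT/scripts/deploy.ps1": "$cred = Get-Credential\n$pw = Read-Host -AsSecureString\n",
        "Finance/passwords.xlsx": "(binary spreadsheet placeholder)\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(scan_share(build_sample_share()))
```

The deploy.ps1 sample is the negative case: it prompts for credentials instead of embedding them, so it produces no finding.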

Windows Tools

There are some helpful Windows tools that automate the discovery and scanning of network shares. Snaffler is a good one: it enumerates all SMB shares it can access with your credentials and then recursively walks their directories searching for credential material.

Snaffler.exe -s -o snaffler.log

PowerHuntShares is another tool that takes a different approach. PowerHuntShares focuses on share permissions and access control rather than file contents. It’s a PowerShell-based tool that looks at all SMB shares across a network and analyzes who has what level of access to each share. This will help you prioritize which shares to investigate first while on a pen test. You can present these reports to clients as evidence of misconfigurations, showing exactly which shares need remediation. From an offensive perspective, it tells you which shares will be easiest to exploit and which might contain the most valuable information based on their names and permissions.

Linux Tools

MANSPIDER is a Python-based SMB content scanner specifically designed for Linux attack hosts. It’s particularly useful when you’re operating from Kali Linux or another Linux-based penetration testing platform and need to search Windows file shares for credentials.

docker run --rm -v /tmp/loot:/loot blacklanternsecurity/manspider -s 192.168.1.0/24 -u admin -p password -c password -d loot

MANSPIDER authenticates to target systems using the credentials you provide and then “crawls” all accessible SMB shares, opening matching files and reading their contents. It runs in a Docker container, which is configured to include all the niche Python libraries it requires.

NETEXEC is the post-exploitation Swiss Army knife that I’ve written about in other posts. It also has a spider module that will scan the accessible SMB shares, looking for matches to a specified pattern. Results include the full UNC path to each file, making it easy to navigate directly to interesting files for manual review. You can redirect the output to a file for later analysis or pipe it to other tools for automated processing.

netexec smb 192.168.1.50 -u admin -p password --spider --content --pattern password

--spider crawls recursively, --content searches inside files, and --pattern specifies the keywords. Start with the IT, Finance, HR, SYSVOL, and NETLOGON shares for the highest-value credentials.