smbcrawler

smbcrawler

166 Stars

smbcrawler is no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares

SySS-Research
Red-team
May 31, 2025
166 stars
View on GitHub
Share on:
X LinkedIn Facebook WhatsApp Telegram Reddit Email
Category
Red-team
GitHub Stars
166
Project Added On
May 31, 2025
Contributors
4

README.md

View on GitHub

SmbCrawler

SmbCrawler is no-nonsense tool that takes credentials and a list of hosts
and ‘crawls’ (or ‘spiders’) through those shares. Features:

  • takes host names, IP addresses, IP ranges, or an nmap xml file as input
  • checks permissions (check for ‘write’ permissions is opt-in, because it
    requires creating an empty directory on the share)
  • crawling depth is customizable
  • outputs results in machine-readable formats or as an interactive HTML report
  • pass-the-hash support
  • auto-download interesting files
  • report potential secrets
  • threaded
  • pausable
  • interactively skip single shares and hosts

Installation

If you require instructions on how to install a Python package, I recommend
you make sure you have pipx
installed and run pipx install smbcrawler.

SmbCrawler can automatically convert some binary files like PDF, XLSX, DOCX, ZIP, etc. to plain text using MarkItDown.
Because this package is pulling a lot of dependencies, it is marked as an extra.
However, it is highly recommended to get the best results. If you want to automatically convert binaries, install SmbCrawler like this:

pipx install 'smbcrawler[binary-conversion]'

Adding shell completion is highly recommended. As a Python app using the
click library, you can add tab completion to bash, zsh and fish using the usual
mechanism.

Example

Run it like this (10 threads, maximum depth 5):

$ smbcrawler crawl -i hosts.txt -u pen.tester -p iluvb0b -d contoso.local -t 10 -D 5

Major changes in version 1.0

SmbCrawler has undergone a major overhaul. The most significant changes are:

  • We cleaned up the CLI and introduced a “profile” mechanism to steer the
    behavior of the crawler
  • The output is now a sqlite database instead of scattered JSON files
  • Permissions are now reported more granularly

The old CLI arguments regarding “interesting files”, “boring shares” and so
on was clunky and confusing. Instead we now use “profiles; see below for
details.

Also, I realized I basically reinvented relational databases, except did so
very poorly, so why not use sqlite directly?
The sqlite approach enables us to produce a nice interactive HTML report
with good performance. You can still export results in various formats if
you need to use the data in some tool pipeline.

The old way SmbCrawler reported permissions sometimes wasn’t very useful.
For example, it’s not uncommon that you have read permissions in the root
directory of the share, but all sub directories are protected, e.g. for user
profiles. SmbCrawler will now report how deep it was able to read the
directory tree of a share and whether it maxed out or could have gone deeper
if you had supplied a higher value for the maximum depth argument.

If you prefer the old version, it’s still available on PyPI and installable
with pipx install smbcrawler==0.2.0, for example.

Usage

During run time, you can use the following keys:

  • p: pause the crawler and skip single hosts or shares
  • <space>: print the current progress
  • s: print a more detailed status update

For more information, run smbcrawler -h.

Notes

Even in medium sized networks, SmbCrawler will find tons of data. The
challenge is to reduce false positives.

Notes on permissions

It’s important to realize that permissions can apply on the service level
and on the file system level. The remote SMB service may allow you to
authenticate and your user account may have read permissions in principle,
but it could lack these permissions on the file system.

SmbCrawler will report if you have permissions to:

  • authenticate against a target as guest and list shares
  • authenticate against a target with the user creds
  • access a share as guest
  • access a share with the user creds
  • create a directory in the share’s root directory
  • the deepest directory level of a share that could be accessed (limited by the
    --depth argument)

Because it is non-trivial to check permissions of SMB shares without
attempting the action in question, SmbCrawler will attempt to create a
directory on each share. Its name is smbcrawler_DELETEME_<8 random characters>
and will be deleted immediately, but be aware anyway.

[!WARNING]
Sometimes you have the permission to create directories, but not to delete
them, so you will leave an empty directory there.

Profiles

To decide what to do with certain shares, files or directories, SmbCrawler
has a feature called “profiles”. Take a look at the default
profile.

Profiles are loaded from files with extensions *.yml or *.yaml from
these locations:

  • The built-in default profile
  • $XDG_DATA_HOME/smbcrawler/ (~/.local/share/smbcrawler by default)
  • The current working directory
  • The extra directory defined by --extra-profile-directory
  • The extra files defined by --extra-profile-file

Profiles from each location override previous definitions.

The regex value defines whether a profile matches, and the last matching
profile will be used. All regular expressions are case-insensitive, mirroring
the most common behavior in the Windows world.

Since it can be confusing how profiles from different sources work together,
make sure to make use of the --dry-run parameter. It shows you the
effective configuration and does nothing more.

Let’s look at each section, which is always a list of dictionaries. Each of
the keys of the dictionary is an arbitrary label and each of the values
is again a dictionary with different properties.

Files

  • comment: A helpful string describing this profile
  • regex: A regular expression that defines which files this profile
    applies to. The last regex that matches is the one that counts.
  • regex_flags: An array of flags which will be passed to the regex match
    function
  • high_value (default: false): If a file is “high value”, its presence will be reported,
    but it will not necessarily be downloaded (think virtual hard drives -
    important, but too large to download automatically)
  • download (default: true): If true, the first 200KiBi will be
    downloaded (or the entire file if high_value=true) and parsed for
    secrets

Shares and directories

  • comment, regex, regex_flags: Same as above
  • high_value: its presence will be reported and crawl depth changed to
    infinity
  • crawl_depth: Crawl this share or directory up to a different depth than
    what is defined by the --depth argument

Secrets

  • comment, regex_flags: Same as above
  • regex: A regular expression matching the secret. The secret itself can
    be a named group with the name secret.

Typical workflow

It makes sense to first run SmbCrawler with crawling depth 0 to get an idea of
what you’re dealing with. In this first run, you can enable the write check
with -w:

$ smbcrawler -C permissions_check.crwl crawl -D0 -t10 -w \
    -i <INPUT FILE> -u <USER> -d <DOMAIN> -p <PASSWORD>

Afterwards, you can identify interesting and boring shares for your next run
or several runs. Some shares like SYSVOL and NETLOGON appear many times,
so you should set the crawl depth to zero on your next run and pick one host
to scan these duplicate shares in a third run. Here is an example:

$ smbcrawler -C dc_only.crwl crawl -D -1 <DC IP> \
    -u <USER> -d <DOMAIN> -p <PASSWORD>
$ smbcrawler -C full.crwl crawl -D5 -t10 -i <NEW INPUT FILE> \
    -u <USER> -d <DOMAIN> -p <PASSWORD> \
    --extra-profile-file skip_sysvol.yml

Here, skip_sysvol.yml would be:

shares:
  sysvol:
    comment: "Skip sysvol and netlogon share"
    regex: 'SYSVOL|NETLOGON'
    crawl_depth: 0

Feel free to include other shares here which you may think are not worth
crawling.

Output

The raw data is contained in an SQLite database and a directory (output.crwl and
output.crwl.d by default). The directory contains two more directories: one with
the downloaded files unique-ified by the hash content and a directory
mirroring all shares with symlinks pointing to the content files. The latter
is good for grepping through all downloaded files.

The data can be transformed to various formats. You can also simply access
the database with sqlitebrowser, for example. Some useful views have been
pre-defined. Or you can output JSON and use jq to mangle the data.

If you want to display all shares that you were able to read beyond the root
directory in a LaTeX table, for instance, use this query:

SELECT target_id || " & " || name || " & " || remark || " \\"
FROM share
WHERE read_level > 0
ORDER BY target_id, name

There is also an experimental HTML output feature. It may not be entirely
useful yet for large amounts of data.

Help out

If you notice a lot of false positives or false negatives in the reported
secrets, please help out and let me know. Community input is important when
trying to improve automatic detection. Best case scenario: provide a pull
request with changes to the default profile file.

Credits

Adrian Vollmer, SySS GmbH

License

MIT License; see LICENSE for details.

Tool Information

Author

SySS-Research

Project Added On

May 31, 2025

License

Open Source

Tags

pentest red-team-tools shares smb smbcrawler
View on GitHub

Related Tools

CarbonCopy

CarbonCopy

A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux

Stable
AdvPhishing

AdvPhishing

This is Advance Phishing Tool ! OTP PHISHING

Stable
msldap

msldap

LDAP library for auditing MS AD

Stable
View more Red-team tools