Tool for hunting credentials and sensitive data across SMB shares in Active Directory environments. Enumerates domain hosts, discovers readable shares, and searches for files of interest.
Must be run from a domain-joined host or in a domain-user context
.NET executable (Windows only)
.\Snaffler.exe -s -d domain.local -o snaffler.log -v data
Flag Description
-sPrint results to console -dDomain to search -oOutput log file path -vVerbosity level
Level Description
dataResults only (recommended — easiest to review) infoResults + informational messages debugVerbose debug output traceMaximum verbosity
Color Meaning
Red High interest — keys, database dumps, credentials Green Shares discovered Black Notable files — password databases, VPN configs
Category Extensions
Credential stores .kdb, .kwallet, .psafe3Keys .key, .keypair, .ppk, .keychainDatabase dumps .sqldump, .mdfVPN / Network configs .tblkConfig files web.config, .conf, .iniScripts with passwords .ps1, .bat, .cmd, .vbs
Output can be very large in big environments — always use -o to write to a log file
Use -v data to keep console output manageable
Let Snaffler run in the background and review results later
Provide raw Snaffler output to clients as supplemental data to help them prioritize share lockdown
Pair with CrackMapExec spider_plus for complementary share enumeration