Snaffler
When an attacker has some presence in your network, they will try to move laterally. They will look for anything on the network that gives them access to other systems and data, for example plain-text credentials stored in files. Does that actually happen?
Yes. Here are a few scenarios:
- The IT team has documented a user onboarding guide which contains the password they give to all new users for a streamlined experience. The guide is stored on their SharePoint site.
- Marketing has a tech-savvy user who has created a script that automates sending out monthly emails. The script contains the login details for the email-sending service. Everyone on the team has access to it because it's so useful!
- The engineering team have stored deployment and config scripts in the file share they use for testing, and those scripts contain test credentials that are still valid.
You must find these before an attacker can get their hands on them. How?
- Education - Educate everyone that storing credentials in plain text is a big no. Explain the risks of doing so and that security is everyone's responsibility.
- Password Amnesty - Run a password amnesty campaign where every department is tasked with finding out whether they have any plain-text credentials stored in their files, drives or storage. Get backing from senior leaders to add weight to the ask, and advise on how to securely store any credentials that are found.
- SNAFFLER. This is a tool I found while researching ways to mitigate this problem.
https://github.com/SnaffCon/Snaffler
This talk by Ben Burkhart at CypherCon was also helpful: https://www.youtube.com/watch?v=DoY_d1J22Pw
Snaffler's creators brilliantly describe its function in their README. Make sure to read it. In summary, it's a red team tool for finding things like credentials, or interesting files that are likely to contain things useful to attackers. The creators state that it is not meant to be used as an audit tool, but I did manage to find some interesting things through it.
It took me a while to get it downloaded and running. It was blocked at different levels including browser, IPS, EDR and CASB, which is to be expected for a well-known offensive tool. I had to put in temporary exceptions to run it. Keep any such exceptions scoped to the host and account running the scan, and remove them once the run is finished.
The output can be overwhelming, as the creators warn. Using the right flags will help. A lot of people online also advised having something that can parse the output. I used this parser, by a user called GonzoH, for all of the testing below.
https://www.reddit.com/r/Pentesting/comments/1erexhj/snaffler_parser/?rdt=49439
Here are some of the initial runs I did. I will obviously not be posting any of the output or any screenshots.
| Command | Description |
|---|---|
| `Snaffler.exe -s -o <some path>\snaffler.log` | Run and output to snaffler.log as well as stdout |
| `Snaffler.exe -s C:\ -o C:\<some path>\snaffler.log -r local` | Run Snaffler locally against the C: drive only and output to snaffler.log as well as stdout |
| `.\Snaffler.exe -o snafflerout.txt -s -y` | `-y` writes the output in TSV format, which the Snaffler parser requires |
| `.\SnafflerParser.ps1 -in <SnafflerOutputFile>` | Parse the Snaffler dump; by default txt, csv and html files are produced |
The output from the parser is nice: it has filters, it's easier on the eye, and it lists the findings with the following columns:
- Check radio button
- Done radio button
- Severity (Black, Red, Yellow, Green)
- Rule
- Keyword
- Modified
- UNC
- File extension
- Open link
- Save link
- Content
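Once the parser has produced its CSV, the next problem is turning hundreds of rows into something a department head can act on during a password amnesty. The script below is an added example, not code from Snaffler or from GonzoH's parser: it reads the CSV, drops duplicate hits, sorts Black and Red findings first, and counts findings per share so each share owner gets their own list. The column names (Severity, Rule, Keyword, Modified, UNC, Extension, Content), the rule names and every row in the sample are constructed for this example and are not real findings; check the column names against the header of your own CSV before using it.

```python
"""Summarise a Snaffler parser CSV by severity and by share.

Added example, not part of Snaffler or the parser. The CSV column names and
the sample rows below are assumptions constructed for illustration.
"""
import csv
import io
from collections import Counter, defaultdict

# Snaffler's severity colours, most interesting first.
SEVERITY_RANK = {"Black": 0, "Red": 1, "Yellow": 2, "Green": 3}

# Constructed sample CSV, not real output. Rule names and contents are made up.
# The same IT finding appears twice to show de-duplication.
SAMPLE_CSV = r"""Severity,Rule,Keyword,Modified,UNC,Extension,Content
Red,PasswordInDocument,password=,2024-03-01,\\fs01\IT\onboarding\NewStarterGuide.docx,.docx,"password=Welcome2024!"
Black,CloudKeyInScript,SECRET_ACCESS_KEY,2024-01-15,\\fs01\Engineering\deploy\env.sh,.sh,"AWS_SECRET_ACCESS_KEY=REDACTED"
Yellow,ScriptExtension,,2023-11-02,\\fs02\Marketing\scripts\send_monthly.ps1,.ps1,"$smtpPass = 'Summer99'"
Green,TextExtension,,2022-05-20,\\fs02\Marketing\old\notes.txt,.txt,"nothing interesting"
Red,PasswordInDocument,password=,2024-03-01,\\fs01\IT\onboarding\NewStarterGuide.docx,.docx,"password=Welcome2024!"
"""


def share_of(unc: str) -> str:
    """Reduce \\\\host\\share\\dir\\file to \\\\host\\share so findings group per share owner."""
    parts = unc.strip("\\").split("\\")
    if len(parts) < 2:
        return unc  # not a UNC path; leave it alone rather than guess
    return "\\\\" + "\\".join(parts[:2])


def load_findings(csv_text: str) -> list:
    """Parse the CSV, drop exact duplicate hits and sort most severe first."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["UNC"], row["Rule"], row["Keyword"])
        if key in seen:
            continue  # Snaffler can report the same file more than once
        seen.add(key)
        findings.append(row)
    # Unknown severity labels sort last instead of raising.
    return sorted(findings, key=lambda r: (SEVERITY_RANK.get(r["Severity"], 99), r["UNC"]))


def summarise_by_share(findings: list) -> dict:
    """Count findings per share and severity, e.g. {'\\\\fs01\\IT': {'Red': 1}}."""
    by_share = defaultdict(Counter)
    for row in findings:
        by_share[share_of(row["UNC"])][row["Severity"]] += 1
    return {share: dict(counts) for share, counts in by_share.items()}


def triage_list(findings: list, min_severity: str = "Red") -> list:
    """Return only findings at or above min_severity, for the first round of cleanup."""
    cutoff = SEVERITY_RANK[min_severity]
    return [r for r in findings if SEVERITY_RANK.get(r["Severity"], 99) <= cutoff]


if __name__ == "__main__":
    rows = load_findings(SAMPLE_CSV)
    for share, counts in sorted(summarise_by_share(rows).items()):
        print(f"{share}: {counts}")
    print("Fix first:")
    for r in triage_list(rows, "Red"):
        print(f"  [{r['Severity']}] {r['UNC']} ({r['Rule']})")
```

To use it against a real run, replace SAMPLE_CSV with the contents of the parser's csv file and hand each share owner only their own entries; the Content column still holds the matched secret, so treat the summary itself as sensitive.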
There are commercial solutions for finding plain-text credentials on your network which may be worth looking into. As a starting point though, I found Snaffler a great tool for getting an initial picture and presenting findings to stakeholders.