ManSpider
ManSpider is a powerful SMB share enumeration and content-searching tool that crawls network shares in Active Directory environments to locate sensitive data, credentials, and misconfigurations. It combines aggressive file discovery with regex-based content analysis to extract passwords, API keys, connection strings, and other secrets from accessible shares.
Installation
Section titled “Installation”Pip Install
Section titled “Pip Install”pip install man-spiderFrom GitHub
Section titled “From GitHub”git clone https://github.com/blacklanternsecurity/MANSPIDER
cd MANSPIDER
pip install -r requirements.txt
python -m manspider --helpDocker
Section titled “Docker”docker pull blacklanternsecurity/manspider
docker run -it blacklanternsecurity/manspider manspider --help
docker run -it -v /tmp/loot:/tmp/loot blacklanternsecurity/manspider manspider TARGET -u user -p pass -o /tmp/lootQuick Start
Section titled “Quick Start”Basic Share Enumeration and Search
Section titled “Basic Share Enumeration and Search”# Search for files containing "password" across all accessible shares
manspider 192.168.1.100 -u administrator -p 'P@ssw0rd!' -c "password"
# Search multiple targets with regex pattern
manspider 192.168.1.0/24 -u domain\\user -p pass -c "API_KEY|api_key|apikey"
# Search by file extension
manspider 192.168.1.50 -u user -p pass -e docx xlsx pdf
# Combine content search with extension filtering
manspider 10.0.0.0/24 -u user -p pass -c "username.*password" -e conf txt iniAuthentication
Section titled “Authentication”Username and Password
Section titled “Username and Password”manspider TARGET -u username -p 'password'Domain Authentication
Section titled “Domain Authentication”# Format: domain\username
manspider TARGET -u 'COMPANY\Administrator' -p 'P@ss123!'
# Explicit domain flag
manspider TARGET -d COMPANY -u Administrator -p 'P@ss123!'NTLM Hash Authentication
Section titled “NTLM Hash Authentication”# Pass-the-hash style authentication (LM:NT format)
manspider TARGET -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99'
# Null hash
manspider TARGET -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee'Anonymous Access
Section titled “Anonymous Access”# Attempt to list shares without authentication
manspider TARGET -u '' -p ''Target Specification
Section titled “Target Specification”Single Host
Section titled “Single Host”manspider 192.168.1.100 -u user -p pass
manspider hostname.domain.local -u user -p passCIDR Range
Section titled “CIDR Range”# Scan entire subnet
manspider 192.168.1.0/24 -u user -p pass
# Scan larger ranges (use with caution)
manspider 10.0.0.0/16 -u user -p pass -t 50Multiple Targets from File
Section titled “Multiple Targets from File”# Create targets.txt with one target per line
manspider -l targets.txt -u user -p pass
# Targets file format:
# 192.168.1.100
# 192.168.1.101
# server.domain.localContent Search
Section titled “Content Search”Basic Regex Content Search
Section titled “Basic Regex Content Search”# Search within file contents for patterns
manspider TARGET -u user -p pass -c "password"
# Case-insensitive search
manspider TARGET -u user -p pass -c "(?i)password"
# Search for multiple patterns (OR logic)
manspider TARGET -u user -p pass -c "password|passwd|pwd|secret"Complex Regex Patterns
Section titled “Complex Regex Patterns”# Search for connection strings
manspider TARGET -u user -p pass -c "Server=.*User ID=.*Password"
# Find database credentials
manspider TARGET -u user -p pass -c "(user|username|uid|login)\s*[:=]\s*\w+"
# Search for AWS keys
manspider TARGET -u user -p pass -c "AKIA[0-9A-Z]{16}"
# Find private keys
manspider TARGET -u user -p pass -c "BEGIN RSA PRIVATE KEY|BEGIN OPENSSH PRIVATE KEY"Extension Filtering with Content Search
Section titled “Extension Filtering with Content Search”# Search only in configuration files
manspider TARGET -u user -p pass -c "password" -e conf ini xml
# Search in documents and configs
manspider TARGET -u user -p pass -c "api_key|secret" -e docx xlsx pdf conf ini
# Search in scripts
manspider TARGET -u user -p pass -c "password|token" -e ps1 sh bat vbsFile Type Support
Section titled “File Type Support”ManSpider can parse and search inside the following file types:
| File Type | Extensions | Searchable |
|---|---|---|
| Microsoft Word | .docx | Yes |
| Microsoft Excel | .xlsx | Yes |
| PDF Documents | Yes | |
| Text Files | .txt | Yes |
| Configuration Files | .conf, .config | Yes |
| XML Files | .xml | Yes |
| INI Files | .ini | Yes |
| PowerShell Scripts | .ps1 | Yes |
| Shell Scripts | .sh, .bash | Yes |
| Batch Scripts | .bat, .cmd | Yes |
| VBScript | .vbs | Yes |
| Python Scripts | .py | Yes |
| Java | .jar, .java | Yes |
Extension Filtering
Section titled “Extension Filtering”Target Specific Extensions
Section titled “Target Specific Extensions”# Single extension
manspider TARGET -u user -p pass -e docx
# Multiple extensions
manspider TARGET -u user -p pass -e docx xlsx pdf
# Common credential-containing extensions
manspider TARGET -u user -p pass -e conf ini xml txt ps1 bat
# Development files
manspider TARGET -u user -p pass -e py java js yml yaml jsonExclude Extensions
Section titled “Exclude Extensions”# Skip certain file types to speed up enumeration
manspider TARGET -u user -p pass --exclude-extensions exe dll sys msi isoShare Filtering
Section titled “Share Filtering”Target Specific Shares
Section titled “Target Specific Shares”# Search only in specified shares
manspider TARGET -u user -p pass --shares "C$" "ADMIN$"
# Include common data shares
manspider TARGET -u user -p pass --shares "Documents" "Data" "Shared"
# Search only SYSVOL (domain policy scripts)
manspider TARGET -d DOMAIN -u user -p pass --shares "SYSVOL"Exclude Shares
Section titled “Exclude Shares”# Skip noisy or irrelevant shares
manspider TARGET -u user -p pass --exclude-shares "PRINT$" "IPC$" "ADMIN$"
# Exclude multiple shares
manspider TARGET -u user -p pass --exclude-shares "Backup" "Archive" "Old"Size and Depth
Section titled “Size and Depth”Maximum File Size
Section titled “Maximum File Size”# Limit to files under 10MB
manspider TARGET -u user -p pass -s 10
# Smaller limit for faster scanning
manspider TARGET -u user -p pass -s 5
# Large limit for comprehensive search
manspider TARGET -u user -p pass -s 100Directory Depth
Section titled “Directory Depth”# Limit recursion depth (reduce runtime)
manspider TARGET -u user -p pass --maxdepth 5
# Search only top-level directories
manspider TARGET -u user -p pass --maxdepth 2
# Deep recursive search
manspider TARGET -u user -p pass --maxdepth 20Output
Section titled “Output”Save Loot to Directory
Section titled “Save Loot to Directory”# Specify output directory for found files
manspider TARGET -u user -p pass -c "password" -o /tmp/loot
# Organize by target
manspider 192.168.1.0/24 -u user -p pass -c "credential" -o ./domain_lootOutput Organization
Section titled “Output Organization”# Default structure
/tmp/loot/
192.168.1.100/
share_name/
folder/
file.txt
192.168.1.101/
Documents/
sensitive.docxQuiet Mode
Section titled “Quiet Mode”# Suppress verbose output
manspider TARGET -u user -p pass -c "password" -q
# Quiet with file output only
manspider TARGET -u user -p pass -c "secret" -q -o results/Threading
Section titled “Threading”Parallel Share Scanning
Section titled “Parallel Share Scanning”# Single-threaded (slower, less resource usage)
manspider TARGET -u user -p pass -t 1
# Default threading
manspider TARGET -u user -p pass -t 10
# Aggressive scanning (use carefully on networks)
manspider TARGET -u user -p pass -t 50
# Multiple targets with high thread count
manspider 192.168.1.0/24 -u user -p pass -t 20Common Search Patterns
Section titled “Common Search Patterns”Passwords and Credentials
Section titled “Passwords and Credentials”# Generic password search
manspider TARGET -u user -p pass -c "password|passwd|pwd"
# Username and password patterns
manspider TARGET -u user -p pass -c "(user|username|login)\s*[:=]\s*\w+.*password"
# Default credentials
manspider TARGET -u user -p pass -c "admin|root|test.*password"API Keys and Tokens
Section titled “API Keys and Tokens”# AWS API Keys
manspider TARGET -u user -p pass -c "AKIA[0-9A-Z]{16}|aws_secret_access_key"
# Generic API key patterns
manspider TARGET -u user -p pass -c "api_key|apikey|api-key|secret_token"
# Authentication tokens
manspider TARGET -u user -p pass -c "Authorization.*Bearer|token.*Bearer"Connection Strings
Section titled “Connection Strings”# SQL Server connections
manspider TARGET -u user -p pass -c "Server=.*User ID=.*Password=|Data Source=.*Integrated Security"
# Database URIs
manspider TARGET -u user -p pass -c "mongodb://|mysql://|postgresql://"
# Connection strings
manspider TARGET -u user -p pass -c "connection.*string|ConnectionString"Sensitive Data Patterns
Section titled “Sensitive Data Patterns”# Social Security Numbers
manspider TARGET -u user -p pass -c "\d{3}-\d{2}-\d{4}"
# Credit card numbers
manspider TARGET -u user -p pass -c "\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b"
# Private keys
manspider TARGET -u user -p pass -c "BEGIN.*PRIVATE KEY|BEGIN.*RSA KEY"Troubleshooting
Section titled “Troubleshooting”Authentication Failures
Section titled “Authentication Failures”# Verify credentials are correct
manspider TARGET -u user -p pass --list-shares
# Test with explicit domain
manspider TARGET -d COMPANY.LOCAL -u Administrator -p 'Pass123!'
# Check SMB port connectivity
nc -zv TARGET 445No Shares Found
Section titled “No Shares Found”# Ensure SMB is enabled and accessible
smbclient -L TARGET -U user%pass
# Try with explicit anonymous
manspider TARGET -u '' -p ''
# Check firewall blocking port 445Timeout Issues
Section titled “Timeout Issues”# Reduce thread count for unstable networks
manspider TARGET -u user -p pass -t 5
# Increase timeout (if supported)
manspider TARGET -u user -p pass --timeout 30
# Limit directory depth to speed up
manspider TARGET -u user -p pass --maxdepth 3Performance Optimization
Section titled “Performance Optimization”# Exclude large file types
manspider TARGET -u user -p pass --exclude-extensions exe dll iso bin
# Use smaller file size limit
manspider TARGET -u user -p pass -s 5
# Target specific shares only
manspider TARGET -u user -p pass --shares "Documents" "Data"Best Practices
Section titled “Best Practices”Operational Security
Section titled “Operational Security”- Always obtain proper authorization before running ManSpider
- Run scans during approved testing windows to minimize detection
- Use VPN or trusted network paths for authentication traffic
- Clear output directories and logs after engagement completion
- Use sleep/jitter if available to avoid triggering rate limits
Efficient Enumeration
Section titled “Efficient Enumeration”- Start with targeted shares (Documents, Data, Shared) before full scan
- Use specific regex patterns rather than broad searches
- Combine extension and content filters to reduce results
- Test patterns on single targets before full subnet scans
- Review noise in results and refine regex patterns
Pattern Selection
Section titled “Pattern Selection”- Start simple (password, credentials) before complex patterns
- Test regex locally before deploying at scale
- Use case-insensitive matching for flexibility
- Validate patterns don’t return excessive false positives
- Document custom patterns for team use
Post-Exploitation
Section titled “Post-Exploitation”- Prioritize files containing plaintext credentials
- Cross-reference credentials across multiple shares
- Check for hardcoded domain admin accounts
- Review configuration files for service account usage
- Document all findings with source share path
Related Tools
Section titled “Related Tools”| Tool | Purpose |
|---|---|
| Snaffler | .NET share enumeration with advanced filtering |
| CrackMapExec | Credential validation and lateral movement |
| spider_plus | CrackMapExec module for share spidering |
| smbmap | SMB enumeration and share mapping |
| ShareFinder | Find writable shares across networks |
| BloodHound | AD relationship and attack path analysis |