Machine Learning Network Share Password Hunting Toolkit

SharpML is a proof of concept file share data mining tool using Machine Learning in Python and C#. The tool is discussed in more detail on this blog here, but is summarised below also. SharpML performs a number of Machine Learning Network Share Password Hunting operations with a view to mining file shares, querying Active Directory for users, dropping an ML model and associated rules, performing Active Directory authentication checks, with a view to automating the process of hunting for passwords in file shares by feeding the mined data into the ML model.

Machine Learning Network Share Password Hunting Toolkit

The ML model is written in Python, and has been developed using a custom algorithm to identify likelihoods of passwords. The model has been compiled with PyInstaller and sits as resource file in the C# wrapper, which interops between itself, the data and the model. The program logic can be seen below:

Currently it allows for a single file share to be assessed.

You will need to have read access to the file share you are targeting, after which the tool will perform its activities mostly autonomously.

There a compiled release in the release section, and it is to be noted that this tool is currently a PoC and subject to numerous improvements.


C:> SharpML.exe -u \fileshared$

Cobalt Strike

> execute-assembly SharpML.exe -u \fileshared$


  1. Marco Valentini
  2. Tom Kallo

To Do

  • When SharpML is run it will attempt to verify all users that it finds. If a restrictive domain lockout policy exits, it may attempt to verify users multiple times and lock the account out in event of multiple failed authentications
  • Some file size limitations need to be implemented in order for larger text based files not to cause a bottle neck when copying the raw data
  • Select the option of running multiple file shares simultaneously. By implementing an automatic share finder, allow SharpML to be completely autonomous and scour the whole network
  • Improve some program logic, including further options such as the choice of cehcking against 10,000 most common passwords or not.

Check Also

Whispers: A Powerful Static Code Analysis Tool for Credential Detection

“My little birds are everywhere, even in the North, they whisper to me the strangest …

Identifying harmful activity on your captured traffic

This Python script utilises Wireshark or TCPdump to analyse network traffic stored in a specified …

Leave your solution or comment to help others.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from blackMORE Ops

Subscribe now to keep reading and get access to the full archive.

Continue reading

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.