From d6c925178f78e839e7d394c1211ded0fe88694d2 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 30 Oct 2025 18:32:59 +0000 Subject: [PATCH] Add content from: ShareHound: An OpenGraph Collector for Network Shares --- .../pentesting-smb/README.md | 71 ++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/src/network-services-pentesting/pentesting-smb/README.md b/src/network-services-pentesting/pentesting-smb/README.md index d10ea746a2b..358874e3163 100644 --- a/src/network-services-pentesting/pentesting-smb/README.md +++ b/src/network-services-pentesting/pentesting-smb/README.md @@ -365,6 +365,74 @@ Specially interesting from shares are the files called **`Registry.xml`** as the > You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**. Also, don’t trust automated share listings: even if a share looks read-only, the underlying NTFS ACLs may allow writes. Always test with smbclient by uploading a small file to `\\\\SYSVOL\\\\scripts\\`. > If writable, you can [poison logon scripts for RCE at user logon](../../windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md#sysvolnetlogon-logon-script-poisoning). +### ShareHound – OpenGraph collector for SMB shares (BloodHound) + +[ShareHound](https://github.com/p0dalirius/sharehound) discovers domain SMB shares, traverses them, extracts ACLs, and emits an OpenGraph JSON file for BloodHound CE/Enterprise. + +- Baseline collection: + 1) LDAP: enumerate computer objects, read `dNSHostName` + 2) DNS: resolve each host + 3) SMB: list shares on reachable hosts + 4) Crawl shares (BFS/DFS), enumerate files/folders, capture permissions + +ShareQL-driven traversal +- [ShareQL](https://github.com/p0dalirius/shareql) is a first-match-wins DSL to allow/deny traversal by host/share/path and set per-rule max depth. Focus on interesting shares and cap recursion. + +Example ShareQL rules +```text +# Only crawl shares with name containing "backup", up to depth 2 +allow host * share * path * depth 0 +allow host * share *backup* path * depth 2 +deny host * share * path * +``` + +Usage +```bash +sharehound -ai "10.0.100.201" -au "user" -ap "Test123!" -ns "10.0.100.201" \ + -rf "rules/skip_common_shares.shareql" -rf "rules/max_depth_2.shareql" +``` +- Provide AD creds via `-ad`/`-au`/`-ap` (or use `-ad` with `-au`/`-ap`). Use `-r`/`-rf` for inline rules or files. +- Output: JSON OpenGraph; import in BloodHound to query hosts/shares/files and effective rights. +- Tip: Limit max depth to 1–2 unless your filters are very restrictive. + +BloodHound attack-surface queries +- Principals with write-like access on shares +```cypher +MATCH x=(p)-[r:CanWriteDacl|CanWriteOwner|CanDsWriteProperty|CanDsWriteExtendedProperties]->(s:NetworkShareSMB) +RETURN x +``` + +- Principals with FULL_CONTROL on shares +
+Cypher: principals with FULL_CONTROL on shares + +```cypher +MATCH (p:Principal)-[r]->(s:NetworkShareSMB) +WHERE (p)-[:CanDelete]->(s) + AND (p)-[:CanDsControlAccess]->(s) + AND (p)-[:CanDsCreateChild]->(s) + AND (p)-[:CanDsDeleteChild]->(s) + AND (p)-[:CanDsDeleteTree]->(s) + AND (p)-[:CanDsListContents]->(s) + AND (p)-[:CanDsListObject]->(s) + AND (p)-[:CanDsReadProperty]->(s) + AND (p)-[:CanDsWriteExtendedProperties]->(s) + AND (p)-[:CanDsWriteProperty]->(s) + AND (p)-[:CanReadControl]->(s) + AND (p)-[:CanWriteDacl]->(s) + AND (p)-[:CanWriteOwner]->(s) +RETURN p,r,s +``` + +
+ +- Hunt sensitive files by extension (e.g., VMDKs) +```cypher +MATCH p=(h:NetworkShareHost)-[:HasNetworkShare]->(s:NetworkShareSMB)-[:Contains*0..]->(f:File) +WHERE toLower(f.extension) = toLower(".vmdk") +RETURN p +``` + ## Read Registry You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try: @@ -618,6 +686,7 @@ Entry_6: - [NetExec (CME) wiki – Kerberos usage](https://www.netexec.wiki/) - [Pentesting Kerberos (88) – client setup and troubleshooting](../pentesting-kerberos-88/README.md) -- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html) +- [ShareHound (collector)](https://github.com/p0dalirius/sharehound) +- [ShareQL (DSL)](https://github.com/p0dalirius/shareql) {{#include ../../banners/hacktricks-training.md}}