Features Request: Stealthiness, usage flexibility

[mgeeky]

Hi!

Thanks for a great tool, I'm really fond of it :-)

The tool is blazingly fast and stable, but that can trigger lots of events that would correlate into alerts and offenses.
To combat that and make it more usable for Red Teams that require running their ops low and slow, I could suggest a few features that would be really helpful:

1. Throttle time between subsequent connections: Just a delay before connecting to the next server.
2. Jitter that would be introducing variance in specified throttle time
3. List of servers to evaluate fed from parameter and from input file. There are use cases when we have for instance hundred of servers and would like to check only them for any exposed SMB shares. Can we have that implemented in SharpShares?
4. The option /filter is great as it acts as a blacklist. What about introducing whitelist-alike option as well? Something like /pattern. Also, both options - filter and new proposed pattern could accept regular expressions (or create dedicated switches for regular expression to avoid loosing performance while evaluating simple literal /filter and /pattern ones)
5. Accept username and password credentials to make authenticated shares scan on behalf of other user identity.
6. LDAP Filter: let me specify my custom LDAP Filter that would be use to pull list of computers to check their SMB shares from AD, based on OU or my custom LDAP filter.

Cheers!
Mariusz.

[mitchmoser]

Thanks for the kind words and feedback Mariusz!
Glad to see this tooling get around.

Looking over the suggested features, I will work to add all but #5 in the near term.

Regarding the feature of accepting username and password, I've briefly messed with the idea but the current technique used to retrieve the user's security groups would require a few more steps to get the impersonated user's SID in order to determine if they have write privileges to a share.
This technique also does not honor impersonated user contexts through techniques like Cobalt Strike's make_token or kerberos_ticket_use so a more robust solution would be worth pursuing.
I'd be happy to bounce some ideas around or review/accept a PR that solves this.
I've condensed the references and logic below:

SharpShares/SharpShares/Enums/Shares.cs

Line 130 in 961155e

WindowsIdentity identity = WindowsIdentity.GetCurrent();

SharpShares/SharpShares/Enums/Shares.cs

Line 149 in 961155e

AuthorizationRuleCollection rules = Directory.GetAccessControl(path).GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));

WindowsIdentity identity = WindowsIdentity.GetCurrent();
string userSID = identity.User.Value;
AuthorizationRuleCollection rules = Directory.GetAccessControl(path).GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));
foreach (FileSystemAccessRule rule in rules)
{
    if (rule.IdentityReference.ToString() == userSID || identity.Groups.Contains(rule.IdentityReference))
        {
            if (rule.FileSystemRights.HasFlag(FileSystemRights.Write)) && rule.AccessControlType == AccessControlType.Allow)
                {
                     writeableShares.Add(share.shi1_netname);
                }
       }
}

I'll be implementing the remainder of the features in the meantime.
Thanks again!

[mgeeky]

Glad to hear you're keen to work on it!

Keep that fire burning. I'm sure your tool will come handy during every SMB enumeration attack phase of plenty of Red Teams all around the world.

Cheers!
Mariusz.

[naliferopoulos]

Regarding the points 1,2 & 3 of the original issue, at Hackcraft we have created a fork of SharpShares that supports sleep/jitter as well as specifying a list of targets. It also implements spidering and identification of interesting files based on a keyword whitelist. I hope this helps! In case a PR is welcome, please let me know :)