
v0.41.0 — engagement-shape datastore + OpSec polish (combined v0.40 + v0.41)


@byevincent byevincent released this 09 Jun 17:19
· 32 commits to main since this release

Batched ship covering v0.40 + v0.41. The v0.40.0 tag exists in git for historical accuracy; this is the single GitHub release page for both. v0.40 lands the smbcrawler-shape engagement datastore (the missing piece for multi-day pentests) plus the two biggest operator-noise complaints (System32 noise + accidental 5GB-VMDK reads). v0.41 wraps the OpSec defaults in a single `--stealth` flag.

Headline

```bash
# The complete end-to-end engagement workflow, three commands
pipx install 'sharesift[smb,network-enum]'

sharesift discover //10.10.10.0/24 -u u -p p > targets.txt

sharesift batch --targets targets.txt -u u -p p \
  --output-dir ./engagement \
  --db ./engagement/.sharesift.db \
  --stealth

sharesift query --db ./engagement/.sharesift.db --preset live-creds
```

What shipped

Engagement datastore (v0.40)

One `.sharesift.db` per pentest holds hosts / shares / files / hits across multi-day engagements:

```sql
hosts(host, alive, port, first_seen, last_seen)
shares(host, share, type, comment, can_read, can_write, first_seen, last_seen)
files(host, share, rel_path, size, content_hash, first_seen, last_seen)
hits(host, share, rel_path, rule, tier, snippet, ts)
```

WAL journal mode + indexes on `hits(tier)`, `hits(rule)`, `files(content_hash)`. `first_seen` / `last_seen` per row gives v0.42 the primitives for incremental-crawl resume.

`sharesift batch --db PATH` integration

`batch` now populates the engagement DB as each target is processed. Per-target failures don't abort the batch.

`sharesift query` subcommand

Ad-hoc inspection plus pre-baked presets:

| Preset | Query |
| --- | --- |
| `live-creds` | Black + Red hits |
| `writable-shares` | shares with `can_write = 1` |
| `hosts-by-hits` | host ranking by hit count |
| `rules-by-hits` | top 30 rules by hit count |
| `blacks` | Black tier only |

Output as aligned text (default) or JSONL (`--json`). Writes rejected — mutations go through `scan` / `batch`.
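The datastore shape above, as an added example that is not sharesift's own module: it creates the four tables with `first_seen` / `last_seen` columns, turns on WAL and the three indexes the release names, refreshes `last_seen` on re-crawl without losing `first_seen`, and runs three of the presets as plain SQL. Column types, the upsert logic, the tier names (`Black`/`Red`/`Green`) and the sample rows are assumptions constructed for the example.

```python
# Added example (not sharesift's own code): a minimal engagement datastore in the
# shape the release describes. Types, upsert rules and sample rows are assumed.
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts(
    host TEXT PRIMARY KEY, alive INTEGER, port INTEGER,
    first_seen REAL, last_seen REAL);
CREATE TABLE IF NOT EXISTS shares(
    host TEXT, share TEXT, type TEXT, comment TEXT,
    can_read INTEGER, can_write INTEGER, first_seen REAL, last_seen REAL,
    PRIMARY KEY(host, share));
CREATE TABLE IF NOT EXISTS files(
    host TEXT, share TEXT, rel_path TEXT, size INTEGER, content_hash TEXT,
    first_seen REAL, last_seen REAL, PRIMARY KEY(host, share, rel_path));
CREATE TABLE IF NOT EXISTS hits(
    host TEXT, share TEXT, rel_path TEXT, rule TEXT, tier TEXT,
    snippet TEXT, ts REAL);
CREATE INDEX IF NOT EXISTS idx_hits_tier  ON hits(tier);
CREATE INDEX IF NOT EXISTS idx_hits_rule  ON hits(rule);
CREATE INDEX IF NOT EXISTS idx_files_hash ON files(content_hash);
"""

def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")  # WAL: query readers don't block the crawler's writes
    con.executescript(SCHEMA)
    return con

def upsert_share(con, host, share, type_, comment, can_read, can_write, now):
    """Insert a share, or refresh last_seen/permissions while keeping the original first_seen."""
    con.execute(
        """INSERT INTO shares VALUES (?,?,?,?,?,?,?,?)
           ON CONFLICT(host, share) DO UPDATE SET
               can_read=excluded.can_read, can_write=excluded.can_write,
               last_seen=excluded.last_seen""",
        (host, share, type_, comment, can_read, can_write, now, now))

def add_hit(con, host, share, rel_path, rule, tier, snippet, now):
    con.execute("INSERT INTO hits VALUES (?,?,?,?,?,?,?)",
                (host, share, rel_path, rule, tier, snippet, now))

# Read-only presets; the tier names are an assumption of this example.
PRESETS = {
    "writable-shares": "SELECT host, share FROM shares WHERE can_write = 1 ORDER BY host, share",
    "hosts-by-hits":   "SELECT host, COUNT(*) AS n FROM hits GROUP BY host ORDER BY n DESC, host",
    "live-creds":      "SELECT host, share, rel_path, rule, tier FROM hits "
                       "WHERE tier IN ('Black', 'Red') ORDER BY ts, host",
}

def query(con, preset):
    return con.execute(PRESETS[preset]).fetchall()

def demo():
    """Two-day engagement with constructed rows; returns preset results for inspection."""
    con = open_db()
    day1, day2 = 1.0, 2.0  # constructed timestamps
    upsert_share(con, "10.10.10.5", "Finance$", "DISK", "", 1, 0, day1)
    upsert_share(con, "10.10.10.7", "Public",   "DISK", "", 1, 1, day1)
    upsert_share(con, "10.10.10.5", "Finance$", "DISK", "", 1, 1, day2)  # became writable on day 2
    add_hit(con, "10.10.10.5", "Finance$", "old/db.cfg",  "ConnStringPassword", "Red",   "<redacted>", day2)
    add_hit(con, "10.10.10.5", "Finance$", "notes.txt",   "GenericSecret",      "Green", "<redacted>", day2)
    add_hit(con, "10.10.10.7", "Public",   "backup.kdbx", "KeePassDB",          "Black", "",           day2)
    first, last = con.execute(
        "SELECT first_seen, last_seen FROM shares WHERE host='10.10.10.5' AND share='Finance$'"
    ).fetchone()
    return {
        "writable":     query(con, "writable-shares"),
        "by_hits":      query(con, "hosts-by-hits"),
        "live":         query(con, "live-creds"),
        "finance_seen": (first, last),  # (1.0, 2.0): first_seen survived the day-2 re-crawl
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `first_seen` / `last_seen` pair is what makes a later resume cheap: a row whose `last_seen` predates the current run is the set still to be revisited, and a file whose `content_hash` is already present can be skipped before any bytes are pulled.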

Default noise-exclusion globs (v0.40)

53 patterns covering Windows System32/SysWOW64 binaries, dev directories (`node_modules/`, `.git/objects/`, `__pycache__/`, `venv/`, `vendor/`), OS caches (`Library/Caches/`, `AppData/Local/Temp/`), binary artifacts (`.pyc`, `.so`), and heavy media (`.iso`, `.vmdk`, `.mp4`, `.jpg`).

Closes Snaffler issue #178 (the most-referenced operator complaint about Snaffler) with the default list alone. Operator overrides:

  • `--exclude-glob PATTERN` (repeatable) — add operator patterns
  • `--no-default-excludes` — disable the default list

`--max-file-size` flag (v0.40)

Caps bytes read per file. Human-readable suffixes (5M, 100K, 1G). Default 10M. Prevents accidentally pulling a 5GB VMDK or NTUSER.DAT over the wire. Files larger than the cap are read up to the cap (partial extraction rather than skip).

`--stealth` preset (v0.41)

One flag wraps the OpSec-conscious defaults:

```bash
sharesift //10.10.10.5/Finance$ -u user -p pass --stealth
```

Equivalent to `--max-file-size 256K --read-threads 1` (SMB3 encryption already on by default). Explicit operator overrides win.
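The three crawl-scope controls from the noise-exclusion, `--max-file-size` and `--stealth` sections, as one added example that is not sharesift's own code: suffix parsing for sizes, the default glob list with `--exclude-glob` / `--no-default-excludes` semantics, a reader that stops at the cap instead of skipping the file, and preset resolution where explicit flags beat `--stealth`. The glob list is a short constructed subset of the shipped 53, the non-stealth `read_threads` default is assumed, and the sample paths are constructed.

```python
# Added example (not sharesift's own code). Assumptions: the glob subset below,
# a non-stealth read_threads default of 4, and the sample paths.
import fnmatch
import io

_SUFFIX = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_size(text):
    """'5M' -> 5*1024**2, '256K' -> 262144; a bare integer is bytes."""
    s = text.strip().upper()
    if s and s[-1] in _SUFFIX:
        return int(s[:-1]) * _SUFFIX[s[-1]]
    return int(s)

DEFAULT_EXCLUDES = [  # constructed subset of the default noise list
    "*/Windows/System32/*", "*/Windows/SysWOW64/*", "*/node_modules/*",
    "*/.git/objects/*", "*/__pycache__/*", "*/venv/*", "*/vendor/*",
    "*/Library/Caches/*", "*/AppData/Local/Temp/*",
    "*.pyc", "*.so", "*.iso", "*.vmdk", "*.mp4", "*.jpg",
]

def build_excludes(extra=(), use_defaults=True):
    """--exclude-glob adds to the list; --no-default-excludes drops the shipped list."""
    return (list(DEFAULT_EXCLUDES) if use_defaults else []) + list(extra)

def is_excluded(rel_path, patterns):
    # Normalise to a leading-slash, forward-slash, case-folded path so the
    # directory globs match at any depth and SMB's case-insensitivity is honoured.
    p = "/" + rel_path.replace("\\", "/").lstrip("/")
    return any(fnmatch.fnmatchcase(p.lower(), pat.lower()) for pat in patterns)

def read_capped(stream, size, cap):
    """Read at most `cap` bytes of a `size`-byte file; returns (data, truncated)."""
    data = stream.read(min(size, cap))
    return data, size > cap  # partial extraction rather than skip

DEFAULTS = {"max_file_size": "10M", "read_threads": 4}       # read_threads default assumed
STEALTH_PRESET = {"max_file_size": "256K", "read_threads": 1}  # what --stealth expands to

def resolve_settings(explicit, stealth=False):
    """Precedence: defaults < --stealth preset < explicit flags (explicit always wins)."""
    settings = dict(DEFAULTS)
    if stealth:
        settings.update(STEALTH_PRESET)
    settings.update({k: v for k, v in explicit.items() if v is not None})
    settings["max_file_size"] = parse_size(settings["max_file_size"])
    return settings

def demo():
    patterns = build_excludes(extra=["*.bak"])  # one operator pattern on top of the defaults
    decisions = {p: is_excluded(p, patterns) for p in [
        "Windows\\System32\\cmd.exe",                 # default exclude, backslash path
        "IT/scripts/deploy.ps1",                      # kept
        "dev/app/node_modules/left-pad/index.js",     # default exclude at depth
        "backups/db.bak",                             # operator exclude
        "finance/q3.xlsx",                            # kept
    ]}
    # --stealth with an explicit --read-threads 2: the explicit value wins.
    settings = resolve_settings({"max_file_size": None, "read_threads": 2}, stealth=True)
    blob = io.BytesIO(b"A" * 1000)                    # constructed 1000-byte "file"
    data, truncated = read_capped(blob, size=1000, cap=parse_size("256"))
    return decisions, settings, (len(data), truncated)

if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: directory globs are matched against a slash-prefixed, case-folded path so `*/Windows/System32/*` fires on `Windows\System32\cmd.exe` at the share root as well as deeper, and the cap is applied against the size from the directory listing, so the decision to truncate is made before the read rather than after a 5GB transfer.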

The six-release displacement arc

| Release | Theme |
| --- | --- |
| v0.35 | Remote-share addressable (no mount) |
| v0.36 | Finder quality (1.6× rule coverage + correct R/W) |
| v0.37 | Drop-in workflows (TOML, pipx, batch) |
| v0.38 | Parallel reads (1.5× speedup default) |
| v0.39 | Network-wide discovery (CIDR → discovered share list) |
| v0.40 + v0.41 | Engagement-shape (SQLite DB + query + noise exclusions + max-file-size + --stealth) |

Install

```bash
pipx install 'sharesift[smb,network-enum]' # full pentester stack
pipx install 'sharesift[smb]' # single-share only
pipx install sharesift # Stage 1 only
```

What's queued

  • v0.42+ — PyInstaller single-file binary (proper bundle-size investigation), resume after crash + content-hash dedup (wires the v0.40 `first_seen`/`last_seen` primitives), GhostWriter / SysReptor exporters from the engagement datastore, status heartbeat, Markdown report bundle

Full backlog: `docs/pentester_backlog.md`.

Docs

1222 passing tests + 21 live SMB integration tests, 0 regressions.

Note: this is the first "batched" release, per operator feedback that the GitHub Releases page was getting noisy with near-daily releases. Going forward, roughly 3-4 versions land per release page; tags exist in git for every version.