v0.52.0 — Snaffler-replacement enumeration sprint

@byevincent byevincent released this 11 Jun 04:29

One-command Snaffler replacement. ShareSift becomes a self-contained, Linux-native attacker workflow:

sharesift hunt --ad-domain corp.local --dc dc01.corp.local \
    -u alice -p PW --output-dir ./engagement

Takes a domain plus credentials and returns ranked credential findings across the readable shares of every domain-joined host. No Snaffler binary, no nxc --shares glue, no shell pipe.

What shipped

Capability                                  Module / CLI
LDAP-based AD computer object enumeration   share/ad.py
AD-wide share discovery                     sharesift discover --ad-domain corp.local -u U -p P
End-to-end Snaffler-replacement sweep       sharesift hunt --ad-domain corp.local -u U -p P --output-dir ./out
Pass-the-Hash via LDAP NTLM                 share/ad.py (lm:nt password encoding)
Kerberos via LDAP SASL GSSAPI               share/ad.py (KRB5CCNAME ccache)
DFS detection utilities (opt-in)            hunt --detect-dfs

Operator workflows

AD-wide credential hunt:

sharesift hunt --ad-domain corp.local --dc dc01.corp.local \
    -u alice -p PW --output-dir ./engagement

Pass-the-Hash from dumped NT hash:

sharesift hunt --ad-domain corp.local \
    -u svc_backup -H 'aad3b...:1c63...' \
    --output-dir ./engagement

Kerberos via existing ccache:

kinit alice@CORP.LOCAL
sharesift hunt --ad-domain corp.local --use-kcache \
    --output-dir ./engagement
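An added example of the LDAP side of the workflows above (this is illustrative code written for this page, not ShareSift's share/ad.py, whose internals the release does not show): the three credential shapes -p, -H and --use-kcache mapped onto ldap3 bind parameters, the computer-object search filter, and the reduction of returned entries to one FQDN per host. The helper names, the way the CLI flags map onto them, and the sample entries are assumptions; only enumerate_computers() touches a DC, so the rest runs offline.

```python
"""Added example, not ShareSift's share/ad.py: LDAP computer enumeration with
password, NT-hash (lm:nt) and Kerberos-ccache binds as this release describes.
ldap3 is imported lazily so everything except enumerate_computers() runs without it."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

BIT_AND = "1.2.840.113556.1.4.803"               # LDAP_MATCHING_RULE_BIT_AND (AD extensible match)
UF_ACCOUNTDISABLE = 0x2                           # userAccountControl bit for a disabled account
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM hash of an empty password (for bare NT hashes)
ATTRS = ["dNSHostName", "sAMAccountName", "operatingSystem", "userAccountControl"]
HASH_RE = re.compile(r"^[0-9a-f]{32}:[0-9a-f]{32}$")


def base_dn(domain: str) -> str:
    """corp.local -> DC=corp,DC=local"""
    return ",".join(f"DC={label}" for label in domain.split("."))


def computer_filter(skip_disabled: bool = True) -> str:
    """Computer objects only; disabled machines are dropped server-side with the
    bitwise-AND rule so stale accounts do not inflate the SMB target list."""
    if not skip_disabled:
        return "(objectCategory=computer)"
    return f"(&(objectCategory=computer)(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})))"


@dataclass
class LdapAuth:
    authentication: str              # "NTLM" or "SASL" (ldap3 constant names)
    user: Optional[str] = None
    password: Optional[str] = None   # cleartext, or "lm:nt" hex for pass-the-hash
    sasl_mechanism: Optional[str] = None


def ldap_auth(domain: str, user: Optional[str] = None, password: Optional[str] = None,
              nt_hash: Optional[str] = None, use_kcache: bool = False) -> LdapAuth:
    """Map -p / -H / --use-kcache (assumed to correspond to these parameters)
    onto ldap3 bind parameters."""
    if use_kcache:
        # GSSAPI reads the ticket from KRB5CCNAME (or the default ccache); no user/password needed.
        return LdapAuth("SASL", sasl_mechanism="GSSAPI")
    if not user:
        raise ValueError("NTLM bind needs a username")
    ntlm_user = f"{domain.split('.')[0].upper()}\\{user}"   # ldap3 NTLM expects DOMAIN\user
    if nt_hash is not None:
        h = nt_hash.lower()
        if ":" not in h:                                    # bare NT hash: pair it with the empty LM hash
            h = f"{EMPTY_LM}:{h}"
        if not HASH_RE.match(h):
            raise ValueError("pass-the-hash expects 32 hex LM chars, ':', 32 hex NT chars")
        return LdapAuth("NTLM", ntlm_user, h)
    if password is None:
        raise ValueError("need a password, an NT hash or a ccache")
    return LdapAuth("NTLM", ntlm_user, password)


def hosts_from_entries(entries: Iterable[dict], domain: str) -> list:
    """One lower-cased FQDN per computer. Falls back to sAMAccountName minus the
    trailing '$' when dNSHostName is unset, and re-checks the disabled bit in case
    the search ran without the server-side filter."""
    hosts = set()
    for e in entries:
        if int(e.get("userAccountControl") or 0) & UF_ACCOUNTDISABLE:
            continue
        host = (e.get("dNSHostName") or "").lower()
        if not host:
            sam = (e.get("sAMAccountName") or "").rstrip("$")
            if not sam:
                continue
            host = f"{sam}.{domain}".lower()
        hosts.add(host)
    return sorted(hosts)


def enumerate_computers(dc: str, domain: str, auth: LdapAuth) -> list:
    """Live path: bind to the DC and run the search. Needs ldap3 (plus the gssapi
    package for the Kerberos bind). A DC that requires LDAP signing rejects an
    unsigned NTLM bind on 389; Server(dc, use_ssl=True) moves it to LDAPS/636."""
    import ldap3
    server = ldap3.Server(dc, get_info=ldap3.NONE)
    if auth.authentication == "SASL":
        conn = ldap3.Connection(server, authentication=ldap3.SASL,
                                sasl_mechanism=ldap3.KERBEROS, auto_bind=True)
    else:
        conn = ldap3.Connection(server, user=auth.user, password=auth.password,
                                authentication=ldap3.NTLM, auto_bind=True)
    conn.search(base_dn(domain), computer_filter(), attributes=ATTRS)
    rows = [{k: (v[0] if v else None) for k, v in e.entry_attributes_as_dict.items()}
            for e in conn.entries]
    return hosts_from_entries(rows, domain)


# Constructed sample of what the search returns (no DC involved): a DC, a file
# server listed twice with different case, a workstation with no dNSHostName,
# and a disabled machine account (0x1000 WORKSTATION_TRUST_ACCOUNT | 0x2).
SAMPLE_ENTRIES = [
    {"dNSHostName": "dc01.corp.local", "sAMAccountName": "DC01$", "userAccountControl": "532480"},
    {"dNSHostName": "FS01.corp.local", "sAMAccountName": "FS01$", "userAccountControl": "4096"},
    {"dNSHostName": "fs01.corp.local", "sAMAccountName": "FS01$", "userAccountControl": "4096"},
    {"dNSHostName": None, "sAMAccountName": "WS07$", "userAccountControl": "4096"},
    {"dNSHostName": "old-ws.corp.local", "sAMAccountName": "OLD-WS$", "userAccountControl": "4098"},
]
```

The server-side disabled-account filter is the part worth copying: without it a domain with years of stale computer objects hands the SMB phase hundreds of dead targets, and every connect timeout slows the sweep. The bare-NT-hash fallback matches the way the -H example above is written, with the empty LM hash in front of the colon.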

Findings from the foundation audit

Most of the originally scoped v0.52-v0.55 sprint (the read/write ACL probe that fixes Snaffler #184, the Snaffler skip-list, Kerberos ccache support, NetrShareEnum) had already shipped in v0.39 and v0.40. The real gaps were three: LDAP discovery, DFS, and the hunt command. The sprint compressed from roughly five weeks to one session.

Honest scope caveats

  • The LDAP path is tested against ldap3 mocks, not a live DC. The first run on GOAD will validate it.
  • DFS referral resolution has not shipped; only the detection utilities have, opt-in via --detect-dfs, and the current heuristic produces a false positive on every FQDN-named host. Full referral chasing is queued for v0.53.
  • No live-AD head-to-head benchmark yet. sharesift hunt vs Snaffler.exe -s -d corp.local on a GOAD-class lab is queued for v0.55.

Tests

46 new tests (24 LDAP discovery, 11 DFS detection, 11 hunt orchestration). Full suite: 1299 passed, 51 skipped, 0 failed.

See docs/v0p52_results.md and docs/v0p52_snaffler_replacement_plan.md for the full sprint writeup.