v0.53.0 — DFS referral resolution + GOAD benchmark harness

@byevincent byevincent released this 11 Jun 17:37
· 8 commits to main since this release

DFS just works. v0.52's hunt command now handles \\corp.local\dept\hr-shaped UNCs transparently:

# No flag needed — auto-resolved
sharesift hunt //corp.local/dept/hr -u alice -p PW \
    --output-dir /tmp/dfs-hunt

Behind the scenes: SmbShare catches STATUS_PATH_NOT_COVERED on tree-connect, queries FSCTL_DFS_GET_REFERRALS over IPC$, parses the referral chain, and retargets to the resolved fileserver. Implementation mirrors smbclient._pool.dfs_request (private API in jborean93/smbprotocol; we reimplement using public primitives so we don't bind to internals).
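The parse-and-retarget step described above, as an added example (not ShareSift's or smbprotocol's code): it decodes a RESP_GET_DFS_REFERRAL buffer following the MS-DFSC V3/V4 entry layout and swaps the consumed namespace prefix for the first target. Function names, hostnames and the response bytes are constructed for illustration; name-list (domain/DC) referrals are rejected rather than parsed.

```python
import struct

NAME_LIST_REFERRAL = 0x0002  # entry flag: domain/DC name list, not a share target

def build_request(dfs_path, max_level=4):
    """FSCTL_DFS_GET_REFERRALS input: MaxReferralLevel + null-terminated UTF-16LE path."""
    return struct.pack("<H", max_level) + (dfs_path + "\0").encode("utf-16-le")

def _wstr(buf, off):
    """Read a null-terminated UTF-16LE string without running past the buffer."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le")

def parse_response(buf):
    """Return (path_consumed_bytes, [(dfs_path, network_address, ttl), ...])."""
    if len(buf) < 8:
        raise ValueError("truncated RESP_GET_DFS_REFERRAL header")
    consumed, count, _header_flags = struct.unpack_from("<HHI", buf, 0)
    targets, pos = [], 8
    for _ in range(count):
        if pos + 34 > len(buf):
            raise ValueError("referral entry runs past the buffer")
        ver, size, _stype, flags, ttl, dfs_off, _alt_off, net_off = \
            struct.unpack_from("<HHHHIHHH", buf, pos)
        if ver not in (3, 4) or size < 34 or flags & NAME_LIST_REFERRAL:
            raise ValueError("unsupported referral entry")
        # String offsets are relative to the start of this entry, not the buffer.
        targets.append((_wstr(buf, pos + dfs_off), _wstr(buf, pos + net_off), ttl))
        pos += size
    return consumed, targets

def retarget(request_path, consumed, network_address):
    """Replace the consumed namespace prefix (counted in bytes) with the target."""
    return network_address + request_path.encode("utf-16-le")[consumed:].decode("utf-16-le")

def sample_response():
    """Constructed two-target V4 reply for \\corp.local\\dept, not captured traffic."""
    dfs = "\\corp.local\\dept\0".encode("utf-16-le")
    nets = [f"\\{h}.corp.local\\dept\0".encode("utf-16-le") for h in ("fs01", "fs02")]
    strings_at, body = 8 + 34 * len(nets), b""
    net_at = strings_at + len(dfs)
    for i, net in enumerate(nets):
        start = 8 + 34 * i
        body += struct.pack("<HHHHIHHH16x", 4, 34, 0, 0x4 if i == 0 else 0, 300,
                            strings_at - start, strings_at - start, net_at - start)
        net_at += len(net)
    return struct.pack("<HHI", 32, len(nets), 0x2) + body + dfs + b"".join(nets)
```

Taking `targets[0]` from the parsed list corresponds to the first-entry selection listed under the unhandled cases. The length and version checks are there because the buffer is whatever the answering server returned over IPC$.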

What shipped

DFS referral resolution

  • share/dfs.py: DfsResolution dataclass + dfs_request_via_ipc (IOCTL wire-format) + first_target_unc + resolve_dfs_path (orchestration) + is_path_not_covered
  • share/smb.py: SmbShare.auto_resolve_dfs=True (default), catches PathNotCovered, chases referrals via IPC$, retries against the resolved fileserver. Original target preserved as _original_target.
  • hunt --detect-dfs is now informational-only — auto-resolution runs regardless.

GOAD benchmark harness

For when you stand up GOAD (or any AD lab):

python tools/goad_benchmark.py \
    --ad-domain sevenkingdoms.local --dc 192.168.56.10 \
    -u khal.drogo -p horse \
    --snaffler-tsv ./snaffler_run.tsv \
    --output-dir ./goad_bench_$(date +%Y-%m-%d)

Produces scorecard.md with per-category recall comparison across 19 buckets (GPP cpassword, KeePass, AWS, browser stores, SCCM NAA, etc.) clustering Snaffler's rule labels and ShareSift's rule IDs around shared credential shapes. See docs/goad_benchmark_methodology.md for the lab setup recipe.

Tests

+36 tests (18 DFS resolution + 18 GOAD harness). Full suite: 1391 passed, 29 skipped, 0 failed.

Honest caveats

  • DFS resolution mocked-only — no live-DC validation yet. The first run against a real domain DFS namespace will surface any wire-format edge cases (V4-specific server_type bits, multi-target priority ordering when proximity differs).
  • GOAD benchmark harness pure-function-tested — the actual subprocess.run invocation and TSV-file roundtrip await the lab being up.
  • v0.52 LDAP smoke test still pending — until ShareSift is pointed at a real AD (HTB, GOAD, work), the LDAP + DFS paths are mock-validated only.

What v0.53 doesn't handle

  • Interlink referrals (referral chains across namespaces)
  • Referral caching (every connection re-queries)
  • Sticky target hints (always picks first entry, no failover)
  • Multi-DC LDAP failover

All queued for v0.54+.

See docs/v0p53_results.md for the full sprint writeup.