Skip to content

v0.54.0 — three engagement fixes from HTB smoke tests

Choose a tag to compare

View all tags
@byevincent byevincent released this 11 Jun 19:04
· 5 commits to main since this release
v0.54.0
d2fd7d5

Three real bugs from yesterday's HTB Active + Multimaster smoke tests, all fixed and live-validated where possible.

v0.54.1 — DFS-namespace-root probe (LIVE-VALIDATED)

Surfaced on Multimaster's `\\\dfs` share. Regular SMB2 CREATE on a DFS namespace root returns STATUS_INVALID_PARAMETER (DFS-aware Open required). v0.53's R/W probe was filtering DFS shares out before the walker could touch them.

`SmbShare._probe_access_mask` now treats INVALID_PARAMETER as probe-inconclusive with caller-supplied fallback: read=True (DFS roots ARE walkable), write=False (namespace roots aren't writable). Validated live on `\\10.129.13.28\dfs` — share enters target list with `access: R`.

v0.54.2 — SMB3 encryption auto-fallback

Surfaced on Active.htb (Server 2008 R2, only does SMB 2.0/2.1). Default `--encrypt=True` failed with "SMB encryption is required but the connection does not support it."

`SmbShare._ensure_connected` inspects the negotiated dialect after `Connection.connect()`. Below SMB 3.0 (0x0300) and not `--require-encrypt`: session built with `require_encryption=False`. Legacy Windows targets just work. New `--require-encrypt` flag for opsec engagements where unencrypted is unacceptable.

v0.54.3 — Anonymous SMB via impacket fallback

Surfaced on Active.htb's `Replication` share. smbprotocol+pyspnego rejects empty credentials (`SpnegoError (16): Operation not supported or available`). impacket's null-session login works.

`SmbShare` now lazily constructs an `ImpacketSmbWalker` backend when `auth.anonymous=True`, delegating walk/read_bytes/probe_share_access. Mirrors the smbprotocol contract: sorted deterministic walk, UNC output, byte-cap on reads. Live re-validation pending (Active.htb despawned between fix and re-test).

Tests

+32 tests: 5 DFS-probe + 5 encrypt-fallback + 17 anonymous (split TestAnonymousDispatch + TestImpacketWalker) + 5 v0.35 updates. Full suite: 1418 passed, 29 skipped, 0 failed.

Queued for v0.55

  • DFS-aware Opens for walking INTO namespace roots (smbprotocol `tree.is_dfs_share` flag handling). v0.54.1 lets DFS shares enter the target list; v0.55 lets the walker descend into them. Multimaster's `Development` link still trips this — `_list_directory` on the namespace root needs DFS flags set.
  • GOAD-validated head-to-head benchmark.
Assets 2
Loading