Closed
This plan provides a complete roadmap for porting ShareHound from Python to Go with full feature parity, including:
- Detailed module-by-module porting guide with Go code examples
- Complete node types (NetworkShareHost, NetworkShareSMB, File, Directory, etc.)
- Complete edge types (28 edge kinds for share and NTFS permissions)
- Exact access mask mappings for share-level and NTFS-level permissions
- ShareQL rule engine grammar and implementation guide
- BloodHound OpenGraph JSON output format specification
- 8-phase implementation timeline
- Go dependency recommendations (go-smb2, go-ldap, gokrb5, etc.)
- Risk assessment and testing strategy

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
This commit adds a complete Go implementation of ShareHound:
- pkg/kinds: Node and edge type constants matching Python version
- internal/config: Configuration management with all CLI flags
- internal/credentials: Authentication handling (NTLM, Kerberos, PTH)
- internal/logger: Logging system with task-specific loggers
- internal/utils: Network, DNS, file size, and time utilities
- internal/smb: SMB session management and security descriptor parsing
- internal/sid: SID resolution with caching
- internal/graph: OpenGraph structures for BloodHound integration
- internal/collector: Share and NTFS rights collectors
- internal/rules: ShareQL parser and rule evaluator
- internal/targets: Target loading from files, CLI, and CIDR expansion
- internal/worker: Connection pooling and concurrent processing
- internal/status: Progress tracking and display
- cmd/sharehound: CLI entry point with all flags

Includes Makefile for cross-platform builds and comprehensive README.

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
- Comprehensive README with full documentation of all node/edge types
- Added usage examples, CLI options tables, and Cypher query examples
- Documented ShareQL rule syntax and conditions
- Fixed gofmt formatting in smb package files

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
- Add LDAP client package for Active Directory queries
- Implement GetComputers() to enumerate all AD computer objects
- Implement GetServers() to enumerate Windows Server machines
- Implement GetSubnets() to get subnets from AD Sites and Services
- Update targets loader to use AD enumeration when no explicit targets provided
- Add go-ldap/ldap/v3 dependency

When no --target or --targets-file is specified, ShareHound now automatically queries Active Directory for all computers and servers to scan.

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
Use SearchWithPaging instead of Search to handle Active Directory's default MaxPageSize limit of 1000 results. This allows enumeration of large domains with many computer objects. https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
The semaphore.Acquire() call was passing nil as the context, which causes a panic when the semaphore tries to access the context. Use context.Background() instead. https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
This commit adds three major enhancements:

1. Real SMB2 security descriptor retrieval via SRVSVC RPC
   - New SRVSVC client for share-level security descriptors
   - RPC bind and NetrShareGetInfo operations
   - Proper NDR parsing and security descriptor extraction

2. Comprehensive unit tests for core packages
   - Security descriptor parsing tests
   - SID parsing and well-known SID detection tests
   - ShareQL parser tests for all rule types
   - Evaluator tests for rule evaluation logic

3. Resumable scans with checkpointing
   - New checkpoint package for scan state persistence
   - Periodic and signal-triggered checkpoint saves
   - Resume capability with --resume and --checkpoint flags
   - Graceful shutdown on SIGINT/SIGTERM

Also includes:
- Custom JSON unmarshal for Node to handle kind as string or array
- Helper methods for SID (IsEveryone, IsBuiltinAdministrators, etc.)
- Graph methods for getting and restoring nodes/edges

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
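Both the share-level NetrShareGetInfo reply and an NTFS query deliver a self-relative SECURITY_DESCRIPTOR, and the unit tests listed in this commit cover exactly the parsing that needs. The Go block below is an added example written for this page, not ShareHound's internal/smb or internal/sid code: it parses the header, owner SID and DACL with a bounds check on every offset and size field (a server-controlled AclSize or AceSize must never be trusted), flags the NULL-DACL case, where Windows grants everyone full access, and accumulates the rights a set of SIDs gets by walking the ACEs in order. The sample descriptor is constructed by hand rather than captured from a server; the constants are the standard Windows values.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Standard Windows values: ACE types, the INHERIT_ONLY ACE flag and two SD control bits.
const (
	accessAllowedACE, accessDeniedACE = 0x00, 0x01
	inheritOnlyACE                    = 0x08
	seDaclPresent, seSelfRelative     = 0x0004, 0x8000
)

var le = binary.LittleEndian

type ACE struct {
	Type, Flags byte
	Mask        uint32
	SID         string
}

// NullDACL means no DACL is present or it is NULL; Windows then grants everyone full access.
type SecurityDescriptor struct {
	Owner    string
	NullDACL bool
	DACL     []ACE
}

// parseSID decodes the binary SID at buf[off:] into "S-1-..." form.
func parseSID(buf []byte, off int) (string, error) {
	if off < 0 || off+8 > len(buf) || buf[off] != 1 || off+8+4*int(buf[off+1]) > len(buf) {
		return "", errors.New("sid: truncated or unsupported revision")
	}
	var auth uint64 // 48-bit big-endian identifier authority
	for _, b := range buf[off+2 : off+8] {
		auth = auth<<8 | uint64(b)
	}
	s := fmt.Sprintf("S-1-%d", auth)
	for i := 0; i < int(buf[off+1]); i++ {
		s += fmt.Sprintf("-%d", le.Uint32(buf[off+8+4*i:]))
	}
	return s, nil
}

// parseACL walks the ACL at buf[off:], checking every AceSize against AclSize, and keeps the
// plain allow/deny ACEs (object ACEs have a different layout and are skipped here).
func parseACL(buf []byte, off int) ([]ACE, error) {
	if off < 0 || off+8 > len(buf) || off+int(le.Uint16(buf[off+2:])) > len(buf) {
		return nil, errors.New("acl: truncated or AclSize exceeds buffer")
	}
	end, count, pos := off+int(le.Uint16(buf[off+2:])), int(le.Uint16(buf[off+4:])), off+8
	var aces []ACE
	for i := 0; i < count; i++ {
		if pos+4 > end || int(le.Uint16(buf[pos+2:])) < 8 || pos+int(le.Uint16(buf[pos+2:])) > end {
			return nil, errors.New("ace: truncated or bad AceSize")
		}
		size := int(le.Uint16(buf[pos+2:]))
		if t := buf[pos]; t == accessAllowedACE || t == accessDeniedACE {
			sid, err := parseSID(buf[:pos+size], pos+8)
			if err != nil {
				return nil, err
			}
			aces = append(aces, ACE{Type: t, Flags: buf[pos+1], Mask: le.Uint32(buf[pos+4:]), SID: sid})
		}
		pos += size
	}
	return aces, nil
}

// ParseSecurityDescriptor parses a self-relative SECURITY_DESCRIPTOR: header, owner SID, DACL.
func ParseSecurityDescriptor(buf []byte) (*SecurityDescriptor, error) {
	if len(buf) < 20 || buf[0] != 1 || le.Uint16(buf[2:])&seSelfRelative == 0 {
		return nil, errors.New("sd: too short, unsupported revision or not self-relative")
	}
	sd, err := &SecurityDescriptor{}, error(nil)
	if o := int(le.Uint32(buf[4:])); o != 0 {
		if sd.Owner, err = parseSID(buf, o); err != nil {
			return nil, err
		}
	}
	if o := int(le.Uint32(buf[16:])); le.Uint16(buf[2:])&seDaclPresent == 0 || o == 0 {
		sd.NullDACL = true
	} else if sd.DACL, err = parseACL(buf, o); err != nil {
		return nil, err
	}
	return sd, nil
}

// GrantedMask accumulates the access bits a token holding the given SIDs gets, in ACE order:
// bits denied by an earlier deny ACE are never added back by a later allow ACE.
func GrantedMask(sd *SecurityDescriptor, token map[string]bool) uint32 {
	if sd.NullDACL {
		return 0xFFFFFFFF
	}
	var granted, denied uint32
	for _, ace := range sd.DACL {
		if ace.Flags&inheritOnlyACE != 0 || !token[ace.SID] {
			continue
		}
		if ace.Type == accessDeniedACE {
			denied |= ace.Mask
		} else {
			granted |= ace.Mask &^ denied
		}
	}
	return granted
}

// SampleDescriptor is a constructed (not captured) self-relative SD: owner BUILTIN\Administrators,
// DACL = Everyone read+execute (0x001200A9) followed by Administrators FILE_ALL_ACCESS (0x001F01FF).
func SampleDescriptor() []byte {
	b, err := hex.DecodeString(
		"01000480" + "14000000" + "00000000" + "00000000" + "24000000" + // rev, control, owner@20, no group/SACL, DACL@36
			"0102000000000005" + "20000000" + "20020000" + // owner S-1-5-32-544
			"02003400" + "02000000" + // ACL: revision 2, AclSize 52, 2 ACEs
			"00001400" + "a9001200" + "0101000000000001" + "00000000" + // allow, size 20, mask, S-1-1-0
			"00001800" + "ff011f00" + "0102000000000005" + "20000000" + "20020000") // allow, size 24, mask, S-1-5-32-544
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	sd, err := ParseSecurityDescriptor(SampleDescriptor())
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner=%s aces=%d everyone=0x%08X\n", sd.Owner, len(sd.DACL), GrantedMask(sd, map[string]bool{"S-1-1-0": true}))
}
```

The bounds checks are the part worth copying: a malicious or buggy server controls every offset and size in the descriptor, so each one is validated against the buffer before it is dereferenced, and a truncated buffer is reported instead of read past its end.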
Changes made to match https://bloodhound.specterops.io/opengraph/schema:

1. Output structure changed from {data, edges} to:
   - {metadata: {source_kind}, graph: {nodes, edges}}
2. Node changes:
   - "kind" field renamed to "kinds" (always an array per schema)
   - UnmarshalJSON handles both "kind" and "kinds" for compatibility
3. Edge changes:
   - "start" and "end" changed from strings to objects with "id" field
   - Added support for match_by and kind filters on endpoints
   - EdgeEndpoint type for structured start/end references
   - UnmarshalJSON handles both object and string formats
4. Tests added for schema compliance:
   - Node marshal/unmarshal tests
   - Edge marshal/unmarshal tests
   - Full OpenGraph output format verification

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
Critical bug fix:
- Directories were not being added to the graph - only files were
- Added ogc.AddPathToGraph() call for directories when rules allow processing
- This should significantly increase output size for share traversal

NTFS security descriptors:
- Updated GetFileSecurityDescriptor to not error, return nil gracefully
- Added security_query.go with SMB2 constants for future implementation
- Documented that go-smb2 library doesn't expose SMB2 QUERY_INFO for security descriptors, limiting NTFS permission collection
- Share-level permissions still work via SRVSVC RPC

Known limitation:
- File/directory NTFS permissions cannot be collected due to go-smb2 not supporting SMB2_0_INFO_SECURITY queries. Options to fix:
  1. Fork go-smb2 to add security descriptor query support
  2. Implement raw SMB2 protocol handling
  3. Use a different SMB library that supports this

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
Switch to medianexapp/go-smb2 fork which has native SecurityInfoRaw() method for querying NTFS security descriptors on files and directories. This enables the Go port to collect file/directory permissions matching the Python version's feature parity.

- Replace hirochachacha/go-smb2 with medianexapp/go-smb2 fork
- Update session.go to use new DialConn API with context
- Simplify smb2_security.go to use native SecurityInfoRaw method
- Remove reflection-based workarounds from security_query.go

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
Add documentation clarifying that nil is returned when security descriptor cannot be retrieved (e.g., access denied), and that directory listing and traversal still work even without READ_CONTROL permission. https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
- Change default depth from 3 to 0 (unlimited) to match Python behavior
  Python version accepts --depth but ignores it, traversing all levels
- Add createdAt and modifiedAt properties to directory and file nodes
- Extract CreationTime from go-smb2 FileStat for accurate timestamps

This fixes the major output size discrepancy between Python (2.99GB) and Go (21MB) versions by ensuring unlimited depth traversal.

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
Add comprehensive integration test suite for SMB functionality:
- TestIntegrationConnect: Basic connection test
- TestIntegrationListShares: Share enumeration test
- TestIntegrationListContents: Directory listing test
- TestIntegrationSecurityDescriptor: NTFS permission retrieval test
- TestIntegrationDirectoryTraversal: Recursive traversal test
- TestIntegrationShareSecurityDescriptor: SRVSVC RPC test
- BenchmarkListContents: Performance benchmark

Tests require environment variables: SMB_TEST_HOST, SMB_TEST_USER, SMB_TEST_PASSWORD
Optional: SMB_TEST_DOMAIN, SMB_TEST_SHARE

Run with: go test -v ./internal/smb -run TestIntegration

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
- Add streaming JSON export to handle large graphs without loading all in memory
- Auto-detect .gz extension and apply gzip compression
- Change default output to opengraph.json.gz for automatic compression
- Use buffered I/O for better write performance
- Add test verifying gzip compression (achieves ~92% size reduction)

This fixes "not enough space on disk" errors when exporting large graphs with millions of edges by significantly reducing output file size.

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
- Replace gzip with ZIP archive format for better compatibility
- ZIP streams directly from memory during export
- Default output changed to opengraph.zip
- Contains single JSON file inside the archive
- Test shows 90% compression ratio

ZIP format requested for broader tool compatibility.

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
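One way a streaming export into a single-entry ZIP can be built, as an added example rather than ShareHound's own exporter: nodes and edges are pulled one at a time and encoded straight into a deflated entry, so memory use does not grow with the graph, and the reader side checks that the archive holds exactly one JSON document and reports the compression achieved. The entry name, the source_kind value and the Contains edge kind are assumptions; the node and edge data are constructed.

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// Next pulls the next element to write; ok=false ends the sequence. Backing it with a channel
// or a walk over collector results means the full node/edge set never has to sit in memory.
type Next func() (v interface{}, ok bool)

// StreamGraphZip writes {"metadata":{"source_kind":...},"graph":{"nodes":[...],"edges":[...]}}
// element by element into a single deflated entry of a ZIP archive on w.
func StreamGraphZip(w io.Writer, sourceKind, entryName string, nodes, edges Next) error {
	zw := zip.NewWriter(w)
	entry, err := zw.CreateHeader(&zip.FileHeader{Name: entryName, Method: zip.Deflate})
	if err != nil {
		return err
	}
	bw := bufio.NewWriterSize(entry, 1<<20)
	enc := json.NewEncoder(bw)
	writeArray := func(next Next) error {
		for i := 0; ; i++ {
			v, ok := next()
			if !ok {
				return nil
			}
			if i > 0 {
				bw.WriteByte(',')
			}
			if err := enc.Encode(v); err != nil { // Encode appends "\n", which is legal JSON whitespace
				return err
			}
		}
	}
	sk, err := json.Marshal(sourceKind)
	if err != nil {
		return err
	}
	fmt.Fprintf(bw, `{"metadata":{"source_kind":%s},"graph":{"nodes":[`, sk)
	if err := writeArray(nodes); err != nil {
		return err
	}
	bw.WriteString(`],"edges":[`)
	if err := writeArray(edges); err != nil {
		return err
	}
	bw.WriteString("]}}\n")
	if err := bw.Flush(); err != nil { // bufio reports any write error that occurred along the way
		return err
	}
	return zw.Close() // writes the central directory; without it readers see a corrupt archive
}

// ZipStats is what ReadGraphZip reports about an archive.
type ZipStats struct {
	Entry                    string
	Compressed, Uncompressed uint64
	Nodes, Edges             int
}

// ReadGraphZip opens the archive, insists on exactly one entry, and decodes it to count nodes
// and edges; the sizes come from the central directory.
func ReadGraphZip(r io.ReaderAt, size int64) (*ZipStats, error) {
	zr, err := zip.NewReader(r, size)
	if err != nil {
		return nil, err
	}
	if len(zr.File) != 1 {
		return nil, fmt.Errorf("expected one entry, found %d", len(zr.File))
	}
	f := zr.File[0]
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	var doc struct {
		Graph struct{ Nodes, Edges []json.RawMessage } `json:"graph"`
	}
	if err := json.NewDecoder(rc).Decode(&doc); err != nil {
		return nil, err
	}
	return &ZipStats{Entry: f.Name, Compressed: f.CompressedSize64, Uncompressed: f.UncompressedSize64,
		Nodes: len(doc.Graph.Nodes), Edges: len(doc.Graph.Edges)}, nil
}

// Constructed sample data (not collector output): n File nodes and n edges from one share to them.
func SampleNodes(n int) Next {
	i := 0
	return func() (interface{}, bool) {
		if i++; i > n {
			return nil, false
		}
		return map[string]interface{}{"id": fmt.Sprintf("file-%d", i), "kinds": []string{"File"},
			"properties": map[string]string{"path": fmt.Sprintf(`\\fileserver\public\docs\report-%d.docx`, i)}}, true
	}
}

func SampleEdges(n int) Next {
	i := 0
	return func() (interface{}, bool) {
		if i++; i > n {
			return nil, false
		}
		return map[string]interface{}{"kind": "Contains", "start": map[string]string{"value": "share-1"},
			"end": map[string]string{"value": fmt.Sprintf("file-%d", i)}}, true
	}
}

func main() {
	var buf bytes.Buffer
	if err := StreamGraphZip(&buf, "ShareHound", "opengraph.json", SampleNodes(1000), SampleEdges(1000)); err != nil {
		panic(err)
	}
	st, err := ReadGraphZip(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *st)
}
```

The ZIP writer itself streams: because sizes are unknown up front it writes a data descriptor after the entry and fixes the sizes in the central directory at Close, which is why an export interrupted before Close leaves an unreadable file.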
- Document ZIP compression for large outputs (~90% size reduction)
- Update default depth to 0 (unlimited) to match Python behavior
- Add checkpoint/resume documentation for resumable scans
- Add integration test documentation and usage
- Update go-smb2 dependency to medianexapp fork with NTFS support
- Add go-ldap to dependencies list
- Include examples for checkpoint and resume functionality

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
BloodHound OpenGraph schema requires edge endpoints to have a 'value' property, not 'id'. Updated EdgeEndpoint struct and marshaling/unmarshaling to comply with the schema while maintaining backward compatibility for reading legacy formats.

https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
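Putting the two schema commits together (kinds always an array; endpoints as objects keyed by value; the older kind, bare-string and id forms still readable), here is an added Go example, not the project's internal/graph package, of types whose output is always in the schema form while their input accepts every legacy shape. The edge kind HostsShare and the source_kind value ShareHound are assumptions, and the legacy input document is constructed to hit each compatibility path.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Node carries "kinds" as an array on output, as the OpenGraph schema requires.
type Node struct {
	ID         string                 `json:"id"`
	Kinds      []string               `json:"kinds"`
	Properties map[string]interface{} `json:"properties,omitempty"`
}

// UnmarshalJSON also accepts the pre-schema "kind" field, whether a string or an array.
func (n *Node) UnmarshalJSON(data []byte) error {
	var raw struct {
		ID         string                 `json:"id"`
		Kind       json.RawMessage        `json:"kind"`
		Kinds      []string               `json:"kinds"`
		Properties map[string]interface{} `json:"properties"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	n.ID, n.Kinds, n.Properties = raw.ID, raw.Kinds, raw.Properties
	if len(n.Kinds) == 0 && len(raw.Kind) > 0 && string(raw.Kind) != "null" {
		var one string
		if json.Unmarshal(raw.Kind, &one) == nil {
			n.Kinds = []string{one}
		} else if err := json.Unmarshal(raw.Kind, &n.Kinds); err != nil {
			return fmt.Errorf("node %q: kind is neither a string nor an array", raw.ID)
		}
	}
	if len(n.Kinds) == 0 {
		return fmt.Errorf("node %q: no kinds", raw.ID)
	}
	return nil
}

// EdgeEndpoint names a node by "value"; match_by and kind optionally narrow the lookup.
type EdgeEndpoint struct {
	Value   string `json:"value"`
	MatchBy string `json:"match_by,omitempty"`
	Kind    string `json:"kind,omitempty"`
}

// UnmarshalJSON accepts a bare string, the schema object {"value": ...} and the legacy {"id": ...}.
func (e *EdgeEndpoint) UnmarshalJSON(data []byte) error {
	if json.Unmarshal(data, &e.Value) == nil {
		return nil
	}
	var obj struct {
		Value   string `json:"value"`
		ID      string `json:"id"`
		MatchBy string `json:"match_by"`
		Kind    string `json:"kind"`
	}
	if err := json.Unmarshal(data, &obj); err != nil {
		return err
	}
	e.Value, e.MatchBy, e.Kind = obj.Value, obj.MatchBy, obj.Kind
	if e.Value == "" {
		e.Value = obj.ID
	}
	if e.Value == "" {
		return fmt.Errorf("edge endpoint has neither value nor id")
	}
	return nil
}

type Edge struct {
	Kind       string                 `json:"kind"`
	Start      EdgeEndpoint           `json:"start"`
	End        EdgeEndpoint           `json:"end"`
	Properties map[string]interface{} `json:"properties,omitempty"`
}

type Metadata struct {
	SourceKind string `json:"source_kind"`
}

type GraphBody struct {
	Nodes []Node `json:"nodes"`
	Edges []Edge `json:"edges"`
}

// OpenGraph is the {metadata, graph} document layout.
type OpenGraph struct {
	Metadata Metadata  `json:"metadata"`
	Graph    GraphBody `json:"graph"`
}

// ImportJSON reads the schema layout or the legacy top-level {data, edges}; sourceKind is used
// when the input carries no metadata.
func ImportJSON(data []byte, sourceKind string) (*OpenGraph, error) {
	var raw struct {
		Metadata Metadata   `json:"metadata"`
		Graph    *GraphBody `json:"graph"`
		Data     []Node     `json:"data"`
		Edges    []Edge     `json:"edges"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	g := &OpenGraph{Metadata: raw.Metadata, Graph: GraphBody{Nodes: raw.Data, Edges: raw.Edges}}
	if raw.Graph != nil {
		g.Graph = *raw.Graph
	}
	if g.Metadata.SourceKind == "" {
		g.Metadata.SourceKind = sourceKind
	}
	return g, nil
}

// ExportJSON always emits the schema form: "kinds" arrays and {"value"} endpoints.
func ExportJSON(g *OpenGraph) ([]byte, error) { return json.Marshal(g) }

// LegacyInput is a constructed pre-schema document exercising every compatibility path.
const LegacyInput = `{"data":[{"id":"host-1","kind":"NetworkShareHost"},` +
	`{"id":"share-1","kind":["NetworkShareSMB"],"properties":{"name":"Public"}}],` +
	`"edges":[{"kind":"HostsShare","start":"host-1","end":{"id":"share-1"}}]}`

func main() {
	g, err := ImportJSON([]byte(LegacyInput), "ShareHound")
	if err != nil {
		panic(err)
	}
	out, err := ExportJSON(g)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Compatibility lives only on the read side: whatever shape came in, marshaling goes through the struct tags, so a legacy file re-exported through these types comes out with kinds arrays and value endpoints and never leaks a kind string or an id endpoint back into the output.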
Ignore compiled sharehound binary and bin directory. https://claude.ai/code/session_01UpqzZj746HrwJMPUPTJkiC
Author: not ready yet
No description provided.