SnaffCon / Snaffler

a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 ( Twitter: @/mikeloss and @/sh3r4_hax )
GNU General Public License v3.0

Permission Checking and rules for it #101

Open cmprmsd opened 1 year ago

cmprmsd commented 1 year ago

Hey l0ss!

I think we forgot to open a new issue for the permission checks discussed in https://github.com/SnaffCon/Snaffler/issues/84. I just noticed that the permissions are still hardcoded and thought it may be worth a shot to get this done.

You mentioned a better way that you worked on in group3r. I'll have a look at it if I find some spare time.

For the future it would make sense to have rules to identify e.g. write access to folders like Microsoft's autostart folder, in order to place some evil stuff in it during engagements. We could also brainstorm on some other folders that might be critical, like wwwroot or /var/www.

Have a great weekend!

l0ss commented 1 year ago

Yeah Group3r has the better method in it - it's still imperfect but it's as good as it's going to get without a bunch of noisy NetLocalGroupEnum stuff.

Off the top of my head, writable things that should be considered interesting:

- Webroots like those you mentioned above
- Any executable file type or xml or inf file in the SYSVOL Policies dir
- All kinds of stuff in the user's homedir - it would be good to write these rules so they can properly identify cases where they're remapping the user's desktop etc to a share, as this seems to be pretty common.

l0ss commented 1 year ago

ok so the aclcrimes branch should have the ability to semi-accurately get the R/W/M status of a file if you wanna take that for a spin. If that's all working properly it shouldn't be too hard to make it possible to write rules for it too.
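How the R/W/M verdict described above can be derived from a file's DACL, and why it is only "semi-accurate" when the group SIDs in the token are incomplete (the NetLocalGroupEnum point from the earlier comment), as an added example in Python. This is not Snaffler's code: the mask constants are the documented Win32 / .NET FileSystemRights values, and every SID and ACE is constructed for the demo.

```python
# Added illustration, not Snaffler's code: derive the R/W/M verdict for one file from
# its DACL and the SIDs in a token. Mask constants are the documented Win32 / .NET
# FileSystemRights values; every SID and ACE below is constructed for the demo.
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE = 0x120089, 0x120116, 0x1200A0
FILE_ALL_ACCESS, FILE_WRITE_DATA = 0x1F01FF, 0x2
# .NET FileSystemRights.Read / .Write / .Modify: the three letters of the verdict
RIGHTS = {"R": 0x20089, "W": 0x116, "M": 0x301BF}

def map_generic(mask):
    """Expand GENERIC_* bits into file-specific rights, as the kernel does at check time."""
    for generic, specific in ((GENERIC_READ, FILE_GENERIC_READ), (GENERIC_WRITE, FILE_GENERIC_WRITE),
                              (GENERIC_EXECUTE, FILE_GENERIC_EXECUTE), (GENERIC_ALL, FILE_ALL_ACCESS)):
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask & 0x0FFFFFFF

def effective_rights(dacl, token_sids):
    """Walk the DACL in order; per bit, the first matching ACE (deny or allow) wins.
    Only ACEs whose SID is in token_sids count, so a token missing group SIDs (no
    NetLocalGroupEnum to fill them in) under-reports rights rather than over-reporting."""
    granted = denied = 0
    for allow, sid, mask in dacl:          # ACE = (is_allow, trustee SID, access mask)
        if sid not in token_sids:
            continue
        mask = map_generic(mask)
        if allow:
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

def rwm(dacl, token_sids):
    # One letter per FileSystemRights set fully contained in the effective mask
    eff = effective_rights(dacl, token_sids)
    return "".join(letter for letter, bits in RIGHTS.items() if eff & bits == bits)

# Constructed DACL for a share folder, in canonical order (explicit deny first).
AUTH_USERS, ADMINS = "S-1-5-11", "S-1-5-32-544"
DOMAIN_USERS, ALICE, BOB = "S-1-5-21-0-0-0-513", "S-1-5-21-0-0-0-1105", "S-1-5-21-0-0-0-1106"
SHARE_DACL = [
    (False, BOB, FILE_WRITE_DATA),                      # bob explicitly denied writing
    (True, ADMINS, FILE_ALL_ACCESS),
    (True, DOMAIN_USERS, RIGHTS["M"]),                  # Modify for Domain Users
    (True, AUTH_USERS, GENERIC_READ | GENERIC_EXECUTE),
]

if __name__ == "__main__":
    print(rwm(SHARE_DACL, {ALICE, AUTH_USERS, DOMAIN_USERS}))  # RWM: full group list known
    print(rwm(SHARE_DACL, {ALICE, AUTH_USERS}))               # R: Domain Users membership unknown
    print(rwm(SHARE_DACL, {BOB, AUTH_USERS, DOMAIN_USERS}))   # R: the deny ACE strips W and M
```

The second call is the "semi-accurate" case: the same user scores only R when the scanner does not know she is in Domain Users, so a missing group enumeration shows up as under-reported write access, never as a false W.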

l0ss commented 1 year ago

@cmprmsd reminder to please test the aclcrimes branch out.

cmprmsd commented 1 year ago

Nooooooo! I l0ss't track of this issue!

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

func main() {
	// Seed the generator so a different excuse comes out on each run
	rand.Seed(time.Now().Unix())

	excuses := []string{
		"I have a lot of work to do for my job.",
		"I have a lot of errands to run.",
		"I have a lot of family responsibilities.",
		"I'm in the middle of a big project for school.",
		"I'm training for a marathon.",
		"I have a lot of social commitments.",
		"I have a lot of appointments to attend.",
		"I'm trying to catch up on sleep.",
	}

	// Pick one excuse at random and print it
	fmt.Println(excuses[rand.Intn(len(excuses))])
}
```

I'll check it out asap! Thanks for implementing this functionality! I'll also share some additional rules 🍀

cmprmsd commented 1 year ago

Did a quick run in a DetectionLab. On local drives it seems to randomly display R W (M) or just R. I could not find a clear pattern.

On network drives e.g. the DC only R was shown. I might have issues with using a local user vagrant right from the initial lab setup that has local admin rights everywhere. Will retry with a domain user tomorrow.

cmprmsd commented 1 year ago

Just did this right away ^^ Observations with a domain user (administrative):