SnaffCon / Snaffler

a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 ( Twitter: @/mikeloss and @/sh3r4_hax )
GNU General Public License v3.0

Latest Release not finding relevant files or content? #135

Closed ville87 closed 12 months ago

ville87 commented 12 months ago

I used Snaffler today (latest release, version 1.0.135) to test something and realized that it doesn't find anything on a target share... For testing purposes, I created an SMB share on a server, added some test files (including the testfiles from the Snaffler repository in snafflertest/bait/winsxs and snafflertest/dir) and ran Snaffler as follows:

PS C:\_Data\excluded> .\Snaffler.exe -i \\server1.lab.local\DataShare01 -s -o C:\_Data\excluded\snaffout.log -v trace
 .::::::.:::.    :::.  :::.    .-:::::'.-:::::':::    .,:::::: :::::::..
;;;`    ``;;;;,  `;;;  ;;`;;   ;;;'''' ;;;'''' ;;;    ;;;;'''' ;;;;``;;;;
'[==/[[[[, [[[[[. '[[ ,[[ '[[, [[[,,== [[[,,== [[[     [[cccc   [[[,/[[['
  '''    $ $$$ 'Y$c$$c$$$cc$$$c`$$$'`` `$$$'`` $$'     $$""   $$$$$$c
 88b    dP 888    Y88 888   888,888     888   o88oo,.__888oo,__ 888b '88bo,
  'YMmMY'  MMM     YM YMM   ''` 'MM,    'MM,  ''''YUMMM''''YUMMMMMMM   'W'
                         by l0ss and Sh3r4 - github.com/SnaffCon/Snaffler

\\server1.lab.local\DataShare01

[LAB\jdoe@client1] 2023-11-08 08:11:22Z [Info] Parsing args...
[LAB\jdoe@client1] 2023-11-08 08:11:22Z [Degub] Logging to file at C:\_Data\excluded\snaffout.log
[LAB\jdoe@client1] 2023-11-08 08:11:22Z [Degub] Requested verbosity level: trace
[LAB\jdoe@client1] 2023-11-08 08:11:22Z [Degub] Enabled logging to stdout.
[LAB\jdoe@client1] 2023-11-08 08:11:22Z [Degub] Disabled finding shares.
[LAB\jdoe@client1] 2023-11-08 08:11:22Z [Degub] Target path is \\server1.lab.local\DataShare01
[LAB\jdoe@client1] 2023-11-08 08:11:23Z [Info] Parsed args successfully.
[LAB\jdoe@client1] 2023-11-08 08:11:23Z [Degub] Set verbosity level to trace.
[LAB\jdoe@client1] 2023-11-08 08:11:23Z [Info] Creating a TreeWalker task for
[LAB\jdoe@client1] 2023-11-08 08:11:23Z [Info] Created all TreeWalker tasks.
[LAB\jdoe@client1] 2023-11-08 08:16:23Z [Info] Status Update:
ShareFinder Tasks Completed: 0
ShareFinder Tasks Remaining: 0
ShareFinder Tasks Running: 0
TreeWalker Tasks Completed: 0
TreeWalker Tasks Remaining: 1
TreeWalker Tasks Running: 1
FileScanner Tasks Completed: 0
FileScanner Tasks Remaining: 0
FileScanner Tasks Running: 0
74.6MB RAM in use.

ShareScanner queue finished, rebalancing workload.
Insufficient FileScanner queue size, rebalancing workload.
Max ShareFinder Threads: 0
Max TreeWalker Threads: 21
Max FileScanner Threads: 39
Been Snafflin' for 00:05:00.0321450 and we ain't done yet...

[LAB\jdoe@client1] 2023-11-08 08:16:23Z [Info] Status Update:
ShareFinder Tasks Completed: 0
ShareFinder Tasks Remaining: 0
ShareFinder Tasks Running: 0
TreeWalker Tasks Completed: 1
TreeWalker Tasks Remaining: 0
TreeWalker Tasks Running: 0
FileScanner Tasks Completed: 0
FileScanner Tasks Remaining: 0
FileScanner Tasks Running: 0
74.6MB RAM in use.

Insufficient FileScanner queue size, rebalancing workload.
Max ShareFinder Threads: 0
Max TreeWalker Threads: 22
Max FileScanner Threads: 38
Been Snafflin' for 00:05:00.0341542 and we ain't done yet...

[LAB\jdoe@client1] 2023-11-08 08:16:23Z [Info] Finished at 11/8/2023 8:16:23 AM
[LAB\jdoe@client1] 2023-11-08 08:16:23Z [Info] Snafflin' took 00:05:00.0341542
Snaffler out.
I snaffled 'til the snafflin was done.

The following PowerShell command and output shows that it should indeed find something relevant:

PS C:\Users\jdoe> whoami
lab\jdoe
PS C:\Users\jdoe> Get-ChildItem -Recurse -Filter "*.xml" -Path \\server1.lab.local\DataShare01

    Directory: \\server1.lab.local\DataShare01\cvelistV5-main\cvelistV5-main\cves\2010\5xxx

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         11/8/2023   5:50 AM           2353 unattend.xml

    Directory: \\server1.lab.local\DataShare01\cvelistV5-main\cvelistV5-main\cves\2015\6xxx

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/18/2023   6:36 AM              0 credentials.xml
-a----         9/18/2023   6:36 AM              0 filezilla.xml

[ ... ]
PS C:\Users\jdoe> hostname
client1

Am I missing something here or is it not working as expected?

l0ss commented 12 months ago

Can you please retest with the full snafflertest folder? That 'bait' folder is full of things that snaffler should not be interested in, but I'm interested to see that it didn't trigger on the 'credentials.xml' or 'filezilla.xml' files.

FWIW I just ran a local test on the snafflertest folder and it seemed to find those files just fine.

Btw please run with -v trace if possible.

l0ss commented 12 months ago

I also notice that your output log says

[LAB\jdoe@client1] 2023-11-08 08:11:23Z [Info] Creating a TreeWalker task for

with nothing else on the line, where it should have the path that you passed with the -i argument. Any chance you have something weird going on with your arguments/CLI?

ville87 commented 12 months ago

I retested, this time also from a cmd.exe instead of within powershell.exe but same result. I also put the path into double quotes for testing's sake:

C:\_Data\excluded>snaffler2.exe -i "\\server1.lab.local\DataShare01" -s -o "C:\_Data\excluded\snaffout2.log" -v trace
 .::::::.:::.    :::.  :::.    .-:::::'.-:::::':::    .,:::::: :::::::..
;;;`    ``;;;;,  `;;;  ;;`;;   ;;;'''' ;;;'''' ;;;    ;;;;'''' ;;;;``;;;;
'[==/[[[[, [[[[[. '[[ ,[[ '[[, [[[,,== [[[,,== [[[     [[cccc   [[[,/[[['
  '''    $ $$$ 'Y$c$$c$$$cc$$$c`$$$'`` `$$$'`` $$'     $$""   $$$$$$c
 88b    dP 888    Y88 888   888,888     888   o88oo,.__888oo,__ 888b '88bo,
  'YMmMY'  MMM     YM YMM   ''` 'MM,    'MM,  ''''YUMMM''''YUMMMMMMM   'W'
                         by l0ss and Sh3r4 - github.com/SnaffCon/Snaffler

\\server1.lab.local\DataShare01

[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Info] Parsing args...
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Degub] Logging to file at C:\_Data\excluded\snaffout2.log
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Degub] Requested verbosity level: trace
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Degub] Enabled logging to stdout.
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Degub] Disabled finding shares.
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Degub] Target path is \\server1.lab.local\DataShare01
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Info] Parsed args successfully.
[LAB\jdoe@client1] 2023-11-08 12:03:04Z [Degub] Set verbosity level to trace.
[LAB\jdoe@client1] 2023-11-08 12:03:05Z [Info] Creating a TreeWalker task for
[LAB\jdoe@client1] 2023-11-08 12:03:05Z [Info] Created all TreeWalker tasks.
[LAB\jdoe@client1] 2023-11-08 12:08:05Z [Info] Status Update:
ShareFinder Tasks Completed: 0
ShareFinder Tasks Remaining: 0
ShareFinder Tasks Running: 0
TreeWalker Tasks Completed: 0
TreeWalker Tasks Remaining: 1
TreeWalker Tasks Running: 1
FileScanner Tasks Completed: 0
FileScanner Tasks Remaining: 0
FileScanner Tasks Running: 0
74.3MB RAM in use.

ShareScanner queue finished, rebalancing workload.
Insufficient FileScanner queue size, rebalancing workload.
Max ShareFinder Threads: 0
Max TreeWalker Threads: 21
Max FileScanner Threads: 39
Been Snafflin' for 00:05:00.0250300 and we ain't done yet...

[LAB\jdoe@client1] 2023-11-08 12:08:05Z [Info] Status Update:
ShareFinder Tasks Completed: 0
ShareFinder Tasks Remaining: 0
ShareFinder Tasks Running: 0
TreeWalker Tasks Completed: 1
TreeWalker Tasks Remaining: 0
TreeWalker Tasks Running: 0
FileScanner Tasks Completed: 0
FileScanner Tasks Remaining: 0
FileScanner Tasks Running: 0
74.3MB RAM in use.

Insufficient FileScanner queue size, rebalancing workload.
Max ShareFinder Threads: 0
Max TreeWalker Threads: 22
Max FileScanner Threads: 38
Been Snafflin' for 00:05:00.0400389 and we ain't done yet...

[LAB\jdoe@client1] 2023-11-08 12:08:05Z [Info] Finished at 11/8/2023 12:08:05 PM
[LAB\jdoe@client1] 2023-11-08 12:08:05Z [Info] Snafflin' took 00:05:00.0400389
Snaffler out.
I snaffled 'til the snafflin was done.

Proof that the files are there:

C:\_Data\excluded>dir \\server1\DataShare01\cvelistV5-main\cvelistV5-main\cves\2012\10xxx\snafflertest\
 Volume in drive \\server1\DataShare01 is Windows
 Volume Serial Number is B04B-F532

 Directory of \\server1\DataShare01\cvelistV5-main\cvelistV5-main\cves\2012\10xxx\snafflertest

11/08/2023  12:06 PM    <DIR>          .
11/08/2023  12:06 PM    <DIR>          ..
09/17/2023  11:36 PM                 0 .agilekeychain
09/17/2023  11:36 PM                 0 .bashrc
09/17/2023  11:36 PM                 0 .bash_history
09/17/2023  11:36 PM                 0 .dbeaver-data-sources.xml
09/17/2023  11:36 PM                 0 .dockercfg
09/17/2023  11:36 PM                 0 .env
09/17/2023  11:36 PM                 0 .exports
09/17/2023  11:36 PM                 0 .extra
09/17/2023  11:36 PM                 0 .functions
11/08/2023  12:06 PM    <DIR>          .gem
09/17/2023  11:36 PM                 0 .git-credentials
09/17/2023  11:36 PM                 0 .gitconfig
09/17/2023  11:36 PM                 0 .htpasswd
09/17/2023  11:36 PM                 0 .irb_history
09/17/2023  11:36 PM                 0 .keychain
09/17/2023  11:36 PM                 0 .mysql_history
09/17/2023  11:36 PM                 0 .netrc
09/17/2023  11:36 PM                 0 .npmrc
09/17/2023  11:36 PM                 0 .pgpass
09/17/2023  11:36 PM                 0 .profile
09/17/2023  11:36 PM                 0 .psql_history
11/08/2023  12:06 PM    <DIR>          .purple
09/17/2023  11:36 PM                 0 .s3vfg
09/17/2023  11:36 PM                 0 .secret_token.rb
09/17/2023  11:36 PM                 0 .sh_history
09/17/2023  11:36 PM                 0 .tugboat
09/17/2023  11:36 PM                 0 .zshrc
09/17/2023  11:36 PM                 0 .zsh_history
09/17/2023  11:36 PM                 0 admins.rdp
09/17/2023  11:36 PM                 0 bad.psafe3
11/08/2023  12:06 PM    <DIR>          bait
[...]
ville87 commented 12 months ago

Copying the snafflertest folder locally and rerunning the command against the local path just works fine:

C:\_Data\excluded>snaffler2.exe -i c:\_Data\excluded -s -o snaffout4.log -v trace
 .::::::.:::.    :::.  :::.    .-:::::'.-:::::':::    .,:::::: :::::::..
;;;`    ``;;;;,  `;;;  ;;`;;   ;;;'''' ;;;'''' ;;;    ;;;;'''' ;;;;``;;;;
'[==/[[[[, [[[[[. '[[ ,[[ '[[, [[[,,== [[[,,== [[[     [[cccc   [[[,/[[['
  '''    $ $$$ 'Y$c$$c$$$cc$$$c`$$$'`` `$$$'`` $$'     $$""   $$$$$$c
 88b    dP 888    Y88 888   888,888     888   o88oo,.__888oo,__ 888b '88bo,
  'YMmMY'  MMM     YM YMM   ''` 'MM,    'MM,  ''''YUMMM''''YUMMMMMMM   'W'
                         by l0ss and Sh3r4 - github.com/SnaffCon/Snaffler

c:\_Data\excluded
c:\_Data
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Info] Parsing args...
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Degub] Logging to file at snaffout4.log
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Degub] Requested verbosity level: trace
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Degub] Enabled logging to stdout.
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Degub] Disabled finding shares.
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Degub] Target path is c:\_Data\excluded
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Info] Parsed args successfully.
[LAB\jdoe@client1] 2023-11-08 12:14:49Z [Degub] Set verbosity level to trace.
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [Info] Creating a TreeWalker task for c:\_Data
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [Info] Created all TreeWalker tasks.
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [Trace] Skipped scanning on c:\_Data\excluded\snafflertest\bait\winsxs due to Discard rule match.
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [Trace] Skipped scanning on c:\_Data\excluded\snaffler\Snaffler-master\snafflertest\bait\winsxs due to Discard rule match.
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Black}<KeepPassMgrsByExtension|R|^\.agilekeychain$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.agilekeychain) .agilekeychain
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Green}<KeepShellRcFilesByName|R|^\.bashrc$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.bashrc) .bashrc
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Green}<KeepShellHistoryByName|R|^\.bash_history$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.bash_history) .bash_history
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Red}<KeepDbMgtConfigByName|R|^\.dbeaver-data-sources\.xml$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.dbeaver-data-sources.xml) .dbeaver-data-sources.xml
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Green}<KeepShellRcFilesByName|R|^\.env$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.env) .env
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Green}<KeepShellRcFilesByName|R|^\.exports$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.exports) .exports
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Green}<KeepShellRcFilesByName|R|^\.extra$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.extra) .extra
[LAB\jdoe@client1] 2023-11-08 12:14:50Z [File] {Green}<KeepShellRcFilesByName|R|^\.functions$|0B|2023-09-17 23:36:28Z>(c:\_Data\excluded\snafflertest\.functions) .functions
[...]
l0ss commented 12 months ago

OK now that I've had a chance to test, I can confirm that there's something squirrelly happening with the -i argument.

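The two logs above differ in one telling way: the local run prints `c:\_Data\excluded` followed by `c:\_Data` and then "Creating a TreeWalker task for c:\_Data" (the parent of the target), while the UNC run prints the share path followed by an empty line and an empty "Creating a TreeWalker task for". The following PowerShell snippet is an added example, not Snaffler's own code, and the link to Snaffler is an editor's hypothesis that the page does not confirm: it only shows what the .NET path APIs (Snaffler is a .NET tool) return for the two targets from the issue, and it touches nothing on the network.

```powershell
# Added example (editor's hypothesis, not Snaffler's code): compare what the
# .NET path APIs report for the two -i targets used in the issue above.
# The server name and local path are taken from the issue; no share is opened.
$targets = @(
    '\\server1.lab.local\DataShare01',  # UNC share root, as passed with -i
    'c:\_Data\excluded'                 # local directory, as passed with -i
)

foreach ($t in $targets) {
    # Path.GetDirectoryName returns $null when the path is itself a root.
    # For a UNC path the root is \\server\share, so a bare share name has no
    # parent, whereas a local directory yields its parent (c:\_Data here).
    $parent = [System.IO.Path]::GetDirectoryName($t)
    $root   = [System.IO.Path]::GetPathRoot($t)
    $isRoot = [string]::IsNullOrEmpty($parent)

    [pscustomobject]@{
        Target      = $t
        PathRoot    = $root
        Parent      = if ($isRoot) { '<null>' } else { $parent }
        IsShareRoot = $isRoot
    }
}
```

Run as-is from any PowerShell session; no share access is needed. If the tool were deriving its walk root from the target's parent directory, a bare share root would produce exactly the empty TreeWalker line seen in the UNC runs, and the local run's `c:\_Data` line, but that is an inference from the logs, not something the maintainer states here.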
ville87 commented 12 months ago

Thank you for fixing! 👍 😊