4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -62,6 +62,8 @@ The key incantations are:

`-a` Skips file enumeration, just gives you a list of listable shares on the target hosts.

`-g` Skips file enumeration, just gives you a list of shares and folders on the target hosts. (combine with `-w `for the most useful results)

`-u` Makes Snaffler pull a list of account names from AD, choose the ones that look most-interesting, and then use them in a search rule.

`-d` Domain to search for computers to search for shares on to search for files in. Easy.
Expand All @@ -80,6 +82,8 @@ The key incantations are:

`-p` Path to a directory full of .toml formatted rules. Snaffler will load all of these in place of the default ruleset.

`-w` Log everything (currently just logs directories walked but not marked for snaffling)

## What does any of this log output mean?

Hopefully this annotated example will help:
21 changes: 20 additions & 1 deletion SnaffCore/Classifiers/DirClassifier.cs
@@ -1,4 +1,7 @@
using SnaffCore.Concurrency;
using System.IO;
using SnaffCore.Classifiers.EffectiveAccess;
using SnaffCore.Concurrency;
using static SnaffCore.Config.Options;

namespace SnaffCore.Classifiers
{
Expand All @@ -20,6 +23,11 @@ public DirResult ClassifyDir(string dir)
Triage = ClassifierRule.Triage,
ScanDir = true,
};

DirectoryInfo dirInfo = new DirectoryInfo(dir);
EffectivePermissions effPerms = new EffectivePermissions(MyOptions.CurrentUser);
dirResult.RwStatus = effPerms.CanRw(dirInfo);

// check if it matches
TextClassifier textClassifier = new TextClassifier(ClassifierRule);
TextResult textResult = textClassifier.TextMatch(dir);
Expand All @@ -30,6 +38,10 @@ public DirResult ClassifyDir(string dir)
{
case MatchAction.Discard:
dirResult.ScanDir = false;
if (MyOptions.LogEverything)
{
Mq.DirResult(dirResult);
}
return dirResult;
case MatchAction.Snaffle:
dirResult.Triage = ClassifierRule.Triage;
Expand All @@ -40,6 +52,12 @@ public DirResult ClassifyDir(string dir)
return null;
}
}

if (MyOptions.LogEverything)
{
Mq.DirResult(dirResult);
}

return dirResult;
}
}
Expand All @@ -48,6 +66,7 @@ public class DirResult
{
public bool ScanDir { get; set; }
public string DirPath { get; set; }
public RwStatus RwStatus { get; set; }
public Triage Triage { get; set; }
}
}
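Review bot: The new `effPerms.CanRw(dirInfo)` call in ClassifyDir is unguarded, and `CanRw(DirectoryInfo)` in EffectiveAccess.cs calls `GetAccessControl()` outside its own try block, so a directory whose security descriptor cannot be read will presumably throw out of ClassifyDir instead of yielding a result. The same applies to the FileResult constructor, to ClassifyShare, and to ShareFinder.GetComputerShares, where this commit also removes the earlier `catch (System.UnauthorizedAccessException e)`. I would handle it once inside the two CanRw overloads, for example `try { acl = dirInfo.GetAccessControl().GetAccessRules(true, true, typeof(NTAccount)); } catch (UnauthorizedAccessException) { return new RwStatus(); }`, and decide whether IOException deserves the same treatment. The lookup also runs before the Discard match, so every directory pays for an ACL read even when `LogEverything` is off and the value may go unused. Parts of ClassifyDir are collapsed on this page, so callers of the returned DirResult are not visible.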
72 changes: 72 additions & 0 deletions SnaffCore/Classifiers/EffectiveAccess.cs
@@ -1,5 +1,10 @@


using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

namespace SnaffCore.Classifiers.EffectiveAccess
{
public class RwStatus
Expand All @@ -9,4 +14,71 @@ public class RwStatus
public bool CanModify { get; set; }
}

public class EffectivePermissions
{
private readonly string _username;

public EffectivePermissions(string username)
{
_username = username;
}

public RwStatus CanRw(AuthorizationRuleCollection acl)
{
RwStatus rwStatus = new RwStatus();

try
{
foreach (FileSystemAccessRule rule in acl)
{
if (rule.IdentityReference.Value.Equals(_username, StringComparison.OrdinalIgnoreCase))
{
if (((rule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read) ||
((rule.FileSystemRights & FileSystemRights.ReadAndExecute) == FileSystemRights.ReadAndExecute) ||
((rule.FileSystemRights & FileSystemRights.ReadData) == FileSystemRights.ReadData) ||
((rule.FileSystemRights & FileSystemRights.ListDirectory) == FileSystemRights.ListDirectory))
{
rwStatus.CanRead = true;
}
if (((rule.FileSystemRights & FileSystemRights.Write) == FileSystemRights.Write) ||
((rule.FileSystemRights & FileSystemRights.Modify) == FileSystemRights.Modify) ||
((rule.FileSystemRights & FileSystemRights.FullControl) == FileSystemRights.FullControl) ||
((rule.FileSystemRights & FileSystemRights.TakeOwnership) == FileSystemRights.TakeOwnership) ||
((rule.FileSystemRights & FileSystemRights.ChangePermissions) == FileSystemRights.ChangePermissions) ||
((rule.FileSystemRights & FileSystemRights.AppendData) == FileSystemRights.AppendData) ||
((rule.FileSystemRights & FileSystemRights.WriteData) == FileSystemRights.WriteData) ||
((rule.FileSystemRights & FileSystemRights.CreateFiles) == FileSystemRights.CreateFiles) ||
((rule.FileSystemRights & FileSystemRights.CreateDirectories) == FileSystemRights.CreateDirectories))
{
rwStatus.CanWrite = true;
}
if (((rule.FileSystemRights & FileSystemRights.Modify) == FileSystemRights.Modify) ||
((rule.FileSystemRights & FileSystemRights.FullControl) == FileSystemRights.FullControl) ||
((rule.FileSystemRights & FileSystemRights.TakeOwnership) == FileSystemRights.TakeOwnership) ||
((rule.FileSystemRights & FileSystemRights.ChangePermissions) == FileSystemRights.ChangePermissions))
{
rwStatus.CanModify = true;
}
}
}
}
catch (UnauthorizedAccessException) { }

return rwStatus;
}

public RwStatus CanRw(FileInfo fileInfo)
{
FileSecurity fileSecurity = fileInfo.GetAccessControl();
AuthorizationRuleCollection acl = fileSecurity.GetAccessRules(true, true, typeof(NTAccount));
return CanRw(acl);
}

public RwStatus CanRw(DirectoryInfo dirInfo)
{
DirectorySecurity dirSecurity = dirInfo.GetAccessControl();
AuthorizationRuleCollection acl = dirSecurity.GetAccessRules(true, true, typeof(NTAccount));
return CanRw(acl);
}
}
}
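Review bot: `CanRw(AuthorizationRuleCollection)` counts only rules whose `IdentityReference.Value` equals `_username`, so rights granted through a group the account belongs to are never seen, and it never checks `rule.AccessControlType`, so a Deny entry naming the user sets CanRead/CanWrite/CanModify to true. The result is therefore not an effective-permissions answer despite the class name, yet FileResult, DirResult and ShareResult now all take their RwStatus from it and ShareFinder raises triage to Yellow on it. At minimum skip non-Allow rules with `if (rule.AccessControlType != AccessControlType.Allow) continue;` and add a summary comment on the class stating that only entries naming the account directly are evaluated. A real answer would need to compare against the identity's group SIDs as well. The empty `catch (UnauthorizedAccessException) { }` around the loop hides failures and probably never fires, because the call that can fail, `GetAccessControl()`, sits in the two overloads below it.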
68 changes: 2 additions & 66 deletions SnaffCore/Classifiers/FileResult.cs
Expand Up @@ -14,19 +14,8 @@ public class FileResult

public FileResult(FileInfo fileInfo)
{
//EffectivePermissions effPerms = new EffectivePermissions(MyOptions.CurrentUser);

// get an aggressively simplified version of the file's ACL
//this.RwStatus = effPerms.CanRw(fileInfo);
try
{
File.OpenRead(fileInfo.FullName);
this.RwStatus = new RwStatus() { CanRead = true, CanModify = false, CanWrite = false };
}
catch (Exception e)
{
this.RwStatus = new RwStatus() { CanModify = false, CanRead = false, CanWrite = false };
}
EffectivePermissions effPerms = new EffectivePermissions(MyOptions.CurrentUser);
this.RwStatus = effPerms.CanRw(fileInfo);

// nasty debug
this.FileInfo = fileInfo;
Expand Down Expand Up @@ -56,58 +45,5 @@ public void SnaffleFile(FileInfo fileInfo, string snafflePath)
Directory.CreateDirectory(snaffleDirPath);
File.Copy(sourcePath, (Path.Combine(snafflePath, cleanedPath)), true);
}

/*
public static EffectivePermissions.RwStatus CanRw(FileInfo fileInfo)
{
BlockingMq Mq = BlockingMq.GetMq();

try
{
EffectivePermissions.RwStatus rwStatus = new EffectivePermissions.RwStatus { CanWrite = false, CanRead = false, CanModify = false };
EffectivePermissions effPerms = new EffectivePermissions();
string dir = fileInfo.DirectoryName;

// we hard code this otherwise it tries to do some madness where it uses RPC with a share server to check file access, then fails if you're not admin on that host.
string hostname = "localhost";

string whoami = WindowsIdentity.GetCurrent().Name;

string[] accessStrings = effPerms.GetEffectivePermissions(fileInfo, whoami);

string[] readRights = new string[] { "Read", "ReadAndExecute", "ReadData", "ListDirectory" };
string[] writeRights = new string[] { "Write", "Modify", "FullControl", "TakeOwnership", "ChangePermissions", "AppendData", "WriteData", "CreateFiles", "CreateDirectories" };
string[] modifyRights = new string[] { "Modify", "FullControl", "TakeOwnership", "ChangePermissions" };

foreach (string access in accessStrings)
{
if (access == "FullControl")
{
rwStatus.CanModify = true;
rwStatus.CanRead = true;
rwStatus.CanWrite = true;
}
if (readRights.Contains(access)){
rwStatus.CanRead = true;
}
if (writeRights.Contains(access))
{
rwStatus.CanWrite = true;
}
if (modifyRights.Contains(access))
{
rwStatus.CanModify = true;
}
}

return rwStatus;
}
catch (Exception e)
{
Mq.Error(e.ToString());
return new EffectivePermissions.RwStatus { CanWrite = false, CanRead = false }; ;
}
}
*/
}
}
16 changes: 11 additions & 5 deletions SnaffCore/Classifiers/ShareClassifier.cs
@@ -1,4 +1,5 @@
using SnaffCore.Concurrency;
using SnaffCore.Classifiers.EffectiveAccess;
using SnaffCore.Concurrency;
using System;
using System.IO;
using static SnaffCore.Config.Options;
Expand Down Expand Up @@ -32,11 +33,18 @@ public bool ClassifyShare(string share)
// in this context snaffle means 'send a report up the queue, and scan the share further'
if (IsShareReadable(share))
{
// is this supposed to be here?
DirectoryInfo shareInfo = new DirectoryInfo(share);

EffectivePermissions effPerms = new EffectivePermissions(MyOptions.CurrentUser);
RwStatus rwStatus = effPerms.CanRw(shareInfo);

ShareResult shareResult = new ShareResult()
{
Triage = ClassifierRule.Triage,
Listable = true,
SharePath = share
SharePath = share,
RwStatus = rwStatus
};
Mq.ShareResult(shareResult);
}
Expand Down Expand Up @@ -76,9 +84,7 @@ public class ShareResult
public string SharePath { get; set; }
public string ShareComment { get; set; }
public bool Listable { get; set; }
public bool RootWritable { get; set; }
public bool RootReadable { get; set; }
public bool RootModifyable { get; set; }
public RwStatus RwStatus { get; set; }
public Triage Triage { get; set; } = Triage.Gray;
}
}
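Review bot: The added comment `// is this supposed to be here?` in ClassifyShare records an open question instead of answering it, so the next reader cannot tell whether the ACL lookup below it is intended. ShareFinder.GetComputerShares in this same commit also fills `shareResult.RwStatus` for the share root through its own EffectivePermissions instance, so if both paths run for one share (not visible here) the ACL is read and reported twice. Decide which of the two owns the lookup, then replace the comment with something like `// Read the share root's ACL so the report carries read/write/modify status.`. ClassifyShare's body starts and ends outside the lines shown.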
2 changes: 2 additions & 0 deletions SnaffCore/Config/Options.cs
Expand Up @@ -23,6 +23,8 @@ public partial class Options
public bool ScanSysvol { get; set; } = true;
public bool ScanNetlogon { get; set; } = true;
public bool ScanFoundShares { get; set; } = true;
public bool ScanFoundFiles { get; set; } = true;
public bool LogEverything { get; set; } = false;
public int InterestLevel { get; set; } = 0;
public bool DfsOnly { get; set; } = false;
public bool DfsShareDiscovery { get; set; } = false;
28 changes: 8 additions & 20 deletions SnaffCore/ShareFind/ShareFinder.cs
Expand Up @@ -19,7 +19,7 @@ public class ShareFinder
private BlockingMq Mq { get; set; }
private BlockingStaticTaskScheduler TreeTaskScheduler { get; set; }
private TreeWalker TreeWalker { get; set; }
//private EffectivePermissions effectivePermissions { get; set; } = new EffectivePermissions(MyOptions.CurrentUser);
private EffectivePermissions EffectivePermissions { get; set; } = new EffectivePermissions(MyOptions.CurrentUser);

public ShareFinder()
{
Expand Down Expand Up @@ -94,7 +94,8 @@ internal void GetComputerShares(string computer)
{
Listable = true,
SharePath = shareName,
ShareComment = hostShareInfo.shi1_remark.ToString()
ShareComment = hostShareInfo.shi1_remark.ToString(),
RwStatus = new RwStatus()
};

// Try to find this computer+share in the list of DFS targets
Expand Down Expand Up @@ -159,26 +160,13 @@ internal void GetComputerShares(string computer)
// Share is readable, report as green (the old default/min of the Triage enum )
shareResult.Triage = Triage.Green;

try
{
DirectoryInfo dirInfo = new DirectoryInfo(shareResult.SharePath);

//EffectivePermissions.RwStatus rwStatus = effectivePermissions.CanRw(dirInfo);

shareResult.RootModifyable = false;
shareResult.RootWritable = false;
shareResult.RootReadable = true;
DirectoryInfo dirInfo = new DirectoryInfo(shareResult.SharePath);
RwStatus rwStatus = EffectivePermissions.CanRw(dirInfo);
shareResult.RwStatus = rwStatus;

/*
if (rwStatus.CanWrite || rwStatus.CanModify)
{
triage = Triage.Yellow;
}
*/
}
catch (System.UnauthorizedAccessException e)
if (rwStatus.CanWrite || rwStatus.CanModify)
{
Mq.Error("Failed to get permissions on " + shareResult.SharePath);
shareResult.Triage = Triage.Yellow;
}

if (MyOptions.ScanFoundShares)