Merge pull request #1540 from HackTricks-wiki/update_ShareHound__An_OpenGraph_Collector_for_Network_Sha_20251030_182759

ShareHound An OpenGraph Collector for Network Shares

Author: carlospolop

src/network-services-pentesting/pentesting-smb/README.md

@@ -365,6 +365,74 @@ Specially interesting from shares are the files called **`Registry.xml`** as the
 > You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**. Also, don’t trust automated share listings: even if a share looks read-only, the underlying NTFS ACLs may allow writes. Always test with smbclient by uploading a small file to `\\<dc>\\SYSVOL\\<domain>\\scripts\\`.
 > If writable, you can [poison logon scripts for RCE at user logon](../../windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md#sysvolnetlogon-logon-script-poisoning).
 
+### ShareHound – OpenGraph collector for SMB shares (BloodHound)
+
+[ShareHound](https://github.com/p0dalirius/sharehound) discovers domain SMB shares, traverses them, extracts ACLs, and emits an OpenGraph JSON file for BloodHound CE/Enterprise.
+
+- Baseline collection:
+  1) LDAP: enumerate computer objects, read `dNSHostName`
+  2) DNS: resolve each host
+  3) SMB: list shares on reachable hosts
+  4) Crawl shares (BFS/DFS), enumerate files/folders, capture permissions
+
+ShareQL-driven traversal
+- [ShareQL](https://github.com/p0dalirius/shareql) is a first-match-wins DSL to allow/deny traversal by host/share/path and set per-rule max depth. Focus on interesting shares and cap recursion.
+
+Example ShareQL rules
+```text
+# Only crawl shares with name containing "backup", up to depth 2
+allow host * share * path * depth 0
+allow host * share *backup* path * depth 2
+deny  host * share * path *
+```
+
+Usage
+```bash
+sharehound -ai "10.0.100.201" -au "user" -ap "Test123!" -ns "10.0.100.201" \
+  -rf "rules/skip_common_shares.shareql" -rf "rules/max_depth_2.shareql"
+```
+- Provide AD creds via `-ad`/`-au`/`-ap` (or use `-ad` with `-au`/`-ap`). Use `-r`/`-rf` for inline rules or files.
+- Output: JSON OpenGraph; import in BloodHound to query hosts/shares/files and effective rights.
+- Tip: Limit max depth to 1–2 unless your filters are very restrictive.
+
+BloodHound attack-surface queries
+- Principals with write-like access on shares
+```cypher
+MATCH x=(p)-[r:CanWriteDacl|CanWriteOwner|CanDsWriteProperty|CanDsWriteExtendedProperties]->(s:NetworkShareSMB)
+RETURN x
+```
+
+- Principals with FULL_CONTROL on shares
+<details>
+<summary>Cypher: principals with FULL_CONTROL on shares</summary>
+
+```cypher
+MATCH (p:Principal)-[r]->(s:NetworkShareSMB)
+WHERE (p)-[:CanDelete]->(s)
+  AND (p)-[:CanDsControlAccess]->(s)
+  AND (p)-[:CanDsCreateChild]->(s)
+  AND (p)-[:CanDsDeleteChild]->(s)
+  AND (p)-[:CanDsDeleteTree]->(s)
+  AND (p)-[:CanDsListContents]->(s)
+  AND (p)-[:CanDsListObject]->(s)
+  AND (p)-[:CanDsReadProperty]->(s)
+  AND (p)-[:CanDsWriteExtendedProperties]->(s)
+  AND (p)-[:CanDsWriteProperty]->(s)
+  AND (p)-[:CanReadControl]->(s)
+  AND (p)-[:CanWriteDacl]->(s)
+  AND (p)-[:CanWriteOwner]->(s)
+RETURN p,r,s
+```
+
+</details>
+
+- Hunt sensitive files by extension (e.g., VMDKs)
+```cypher
+MATCH p=(h:NetworkShareHost)-[:HasNetworkShare]->(s:NetworkShareSMB)-[:Contains*0..]->(f:File)
+WHERE toLower(f.extension) = toLower(".vmdk")
+RETURN p
+```
+
 ## Read Registry
 
 You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:
@@ -618,6 +686,7 @@ Entry_6:
 
 - [NetExec (CME) wiki – Kerberos usage](https://www.netexec.wiki/)
 - [Pentesting Kerberos (88) – client setup and troubleshooting](../pentesting-kerberos-88/README.md)
-- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
+- [ShareHound (collector)](https://github.com/p0dalirius/sharehound)
+- [ShareQL (DSL)](https://github.com/p0dalirius/shareql)
 
 {{#include ../../banners/hacktricks-training.md}}