Skip to content

feat: add --shares-depth flag for subdirectory write permission checking#1188

Closed
sup3rDav3 wants to merge 2 commits intoPennyw0rth:mainfrom
sup3rDav3:fix/smb-shares-depth
Closed

feat: add --shares-depth flag for subdirectory write permission checking#1188
sup3rDav3 wants to merge 2 commits intoPennyw0rth:mainfrom
sup3rDav3:fix/smb-shares-depth

Conversation

@sup3rDav3
Copy link
Copy Markdown

@sup3rDav3 sup3rDav3 commented Apr 6, 2026

Description

Fixes #1186: Write permissions were only checked on top-level share directories, not subdirectories. A writable subdirectory (e.g. SYSVOL\scripts) would not be detected even if the user had write access to it.

Adds a new --shares-depth argument that recursively checks subdirectories for write access up to the specified depth. Default is 0 (root only) so existing behavior is completely unchanged.

This PR was developed with the assistance of Claude (Anthropic) via claude.ai. Claude assisted with the implementation approach, and ruff linting fixes. All code was reviewed and tested by the author against a live Windows Server 2022 domain controller.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)
  • This PR was created with the assistance of AI (Claude via claude.ai — see description above)

Setup guide for the review

Environment:

  • Kali Linux (attacker machine)
  • Python 3.13
  • NetExec installed via poetry in dev mode

Target:

  • Windows Server 2022 domain controller
  • Domain: ad.local
  • Test user: lowpriv (standard domain user with READ on SYSVOL root, WRITE on SYSVOL\ad.local\scripts)

Reproduce the bug (before fix):
nxc smb TARGET -u lowpriv -p PASS --shares
Result: SYSVOL shows READ only — writable scripts folder not detected

Test the fix:
nxc smb TARGET -u lowpriv -p PASS --shares --shares-depth 2
Result: SYSVOL shows READ,WRITE (ad.local\scripts)

Other usage:
nxc smb TARGET -u USER -p PASS --shares --shares-depth 1
nxc smb TARGET -u USER -p PASS --shares write --shares-depth 2
nxc smb TARGET -u USER -p PASS --shares --no-write-check --shares-depth 2

Screenshots (if appropriate):

image

Checklist:

  • I have ran Ruff against my changes
  • I have added or updated the tests/e2e_commands.txt file if necessary
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

sup3rDav3 added 2 commits April 5, 2026 23:27
@sup3rDav3
feat: add --shares-depth flag for subdirectory write permission checking
275d782 
- Adds --shares-depth argument to SMB protocol (default: 0, root only)
- When depth > 0, recursively checks subdirectories for write access
- Only runs subdir check when root write check fails (no performance impact by default)
- Reports writable subdirectories inline e.g. READ,WRITE (ad.local\scripts)
- Respects --no-write-check flag
- Compatible with --shares write filter
- Fixes: write permissions were only checked on top-level share directories
- Tested against Windows Server 2022 - detected writable SYSVOL\scripts subdir

Closes Pennyw0rth#1186
@sup3rDav3
test: add shares-depth to e2e test commands
c685981
@NeffIsBack
Copy link
Copy Markdown
Member

NeffIsBack commented Apr 6, 2026

All code was reviewed and tested by the author against a live Windows Server 2022 domain controller.

Either you have not reviewed the code (and changes) or I am really curious why you have introduced +1300 lines of formatting changes.

@sup3rDav3
Copy link
Copy Markdown
Author

sup3rDav3 commented Apr 6, 2026

All code was reviewed and tested by the author against a live Windows Server 2022 domain controller.

Either you have not reviewed the code (and changes) or I am really curious why you have introduced +1300 lines of formatting changes.

I'm not quite sure what happened TBH. Got PRs semi-mixed up, IDE got squirrelley (tabs vs. spaces formatting issues). The fix was really only 20-25 new lines. Feel free to delete this mess and so I can refine my process. Thanks.

@NeffIsBack
Copy link
Copy Markdown
Member

NeffIsBack commented Apr 6, 2026

All code was reviewed and tested by the author against a live Windows Server 2022 domain controller.

Either you have not reviewed the code (and changes) or I am really curious why you have introduced +1300 lines of formatting changes.

I'm not quite sure what happened TBH. Got PRs semi-mixed up, IDE got squirrelley (tabs vs. spaces formatting issues). The fix was really only 20-25 new lines. Feel free to delete this mess and so I can refine my process. Thanks.

Okay, then I will close this for now. If #1138 is validated that it properly works and integrated, we should probably go for a similar solution, because this one here would result in hundreds or thousands of folders to be written.

@NeffIsBack NeffIsBack closed this Apr 6, 2026
@NeffIsBack NeffIsBack mentioned this pull request Apr 6, 2026
Closed
14 tasks
@sup3rDav3
Copy link
Copy Markdown
Author

sup3rDav3 commented Apr 14, 2026

All code was reviewed and tested by the author against a live Windows Server 2022 domain controller.

Either you have not reviewed the code (and changes) or I am really curious why you have introduced +1300 lines of formatting changes.

I'm not quite sure what happened TBH. Got PRs semi-mixed up, IDE got squirrelley (tabs vs. spaces formatting issues). The fix was really only 20-25 new lines. Feel free to delete this mess and so I can refine my process. Thanks.

Okay, then I will close this for now. If #1138 is validated that it properly works and integrated, we should probably go for a similar solution, because this one here would result in hundreds or thousands of folders to be written.

Fair enough, sorry for the confusion and thanks for your time. Back to #1176 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@Marshall-Hallenbeck Marshall-Hallenbeck Awaiting requested review from Marshall-Hallenbeck Marshall-Hallenbeck is a code owner

@NeffIsBack NeffIsBack Awaiting requested review from NeffIsBack NeffIsBack is a code owner

@mpgn mpgn Awaiting requested review from mpgn mpgn is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SMB Write permissions for subdirectories

2 participants

@sup3rDav3 @NeffIsBack