Skip to content

p0dalirius/ShareHound

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

90 Commits
Go
Go
 
 
Python
Python
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

ShareHound: Mapping rights of network shares using BloodHound OpenGraph

A tool to map the access rights of network shares into BloodHound OpenGraphs.
Get BloodHound Enterprise Get BloodHound Community

Read the associated blog post: https://specterops.io/blog/2025/10/30/sharehound-an-opengraph-collector-for-network-shares/

Two implementations

This repository contains two implementations of ShareHound. They share the same goal — producing BloodHound OpenGraph JSON from SMB share permissions — but differ in language, runtime, and feature set. Pick whichever fits your workflow.

Implementation Path Author Best for
Python Python/ Remi Gascou (@podalirius_) @ SpecterOps The reference implementation; easy to extend and script
Go Go/ Javier Azofra @ Siemens Healthineers Large-scale scans (60,000+ hosts), checkpointing, static binaries

Each subdirectory has its own README with full installation, usage, and configuration details:

Features (common to both)

  • Map network shares of a domain and their rights in BloodHound OpenGraph format
  • Highly customizable rule matching via the ShareQL language
  • Multithreaded discovery of shares (Breadth First Search)
  • NTLM, Kerberos, and pass-the-hash authentication
  • CIDR range and target file support

Additional features in the Go implementation

  • ZIP-compressed streaming output (handles millions of edges)
  • Resumable scans via checkpoint files
  • --effective-access-only mode to drastically reduce graph size on large environments
  • Cross-platform static builds (Linux, Windows, macOS)

Quick start Cypher queries

Once you've imported the OpenGraph into BloodHound, these queries cover the most common needs. For more, see the per-implementation READMEs.

Find principals with Full Control access to a share

 
MATCH (p)-[r]->(s:NetworkShareSMB)
WHERE (p)-[:CanDelete]->(s)
  AND (p)-[:CanDsControlAccess]->(s)
  AND (p)-[:CanDsCreateChild]->(s)
  AND (p)-[:CanDsDeleteChild]->(s)
  AND (p)-[:CanDsDeleteTree]->(s)
  AND (p)-[:CanDsListContents]->(s)
  AND (p)-[:CanDsListObject]->(s)
  AND (p)-[:CanDsReadProperty]->(s)
  AND (p)-[:CanDsWriteExtendedProperties]->(s)
  AND (p)-[:CanDsWriteProperty]->(s)
  AND (p)-[:CanReadControl]->(s)
  AND (p)-[:CanWriteDacl]->(s)
  AND (p)-[:CanWriteOwner]->(s)
RETURN p,r,s

Find principals with Write access to a share

 
MATCH x=(p)-[r:CanWriteDacl|CanWriteOwner|CanDsWriteProperty|CanDsWriteExtendedProperties]->(s:NetworkShareSMB)
RETURN x

Find files by name (case insensitive)

 
MATCH p=(h:NetworkShareHost)-[:HasNetworkShare]->(s:NetworkShareSMB)-[:Contains*0..]->(f:File)
WHERE toLower(f.name) = toLower("flag.txt")
RETURN p

Find files by extension (case insensitive)

 
MATCH p=(h:NetworkShareHost)-[:HasNetworkShare]->(s:NetworkShareSMB)-[:Contains*0..]->(f:File)
WHERE toLower(f.extension) = toLower(".vmdk")
RETURN p

Find files a principal can effectively read (Go only)

CanEffectiveRead / CanEffectiveWrite / CanEffectiveExecute edges are emitted by the Go implementation when the same SID has matching rights at both the share and NTFS levels — i.e. the real access granted over SMB.

MATCH p=(principal)-[:CanEffectiveRead]->(f:File)
RETURN p

Credits

Contributing

Pull requests are welcome for either implementation. Open an issue if you want to discuss a new feature first.

About

A python tool to map the access rights of network shares into a BloodHound OpenGraphs easily

specterops.io/blog/2025/10/30/sharehound-an-opengraph-collector-for-network-shares/

Topics

network bloodhound shares opengraph sharehound

Resources

Readme
Activity

Stars

292 stars

Watchers

3 watching

Forks

22 forks
Report repository

Releases 3

1.0.2: Fixed Kerberos authentication Latest
Nov 20, 2025
+ 2 releases

Packages

 
 
 

Contributors

Languages