Closed jbfuzier closed 1 year ago
Sorry, this issue is related to the new BloodHound CE.
This seems to still be an issue in BH 4.3.1 (for posterity I am running it on Kali and using the bloodhound-python ingestor).
In the node graph, many green user nodes show the SID instead of the account name, and the "Node Info" tab does not contain the data from the JSON file. In fact, when you click on a user node which does have info correctly populated, any of the incomplete "SID" nodes you click on after this will show the previous user node's info. Likely some sort of caching issues, because old values aren't erased?
For example, I click on a green node labeled John@Domain.com, and then if I go and click on a user node labeled SID-1-5-21-###, in the Node Info tab, it will still show John@Domain.com, along with John's SID and other information. This is very confusing.
If I grep the JSON user file I uploaded to bloodhound for SID-1-5-21-### all of the proper data is there. It's just not being loaded into Neo properly, or maybe BH GUI isn't reading from Neo properly.
I'm not sure why this issue is closed. From comments above it doesn't look like it was addressed last year. Can we leave this open since it is an ongoing bug? Or, if this is being tracked in another issue can we link to that issue here before closing please?
Silly me. This repo is getting archived soon. I will try installing Bloodhound CE from the repo linked in the readme.
Hello,
Describe the bug
We have a 730 MB users JSON generated by SharpHound 2.0.0. In the file, the information related to the user is populated.
Example (redacted):
{"Properties":{"domain":"XXXX.XXXX.NET","name":"USERXXXX@XXXX.XXXX.NET","distinguishedname":"CN=USERXXXX,DC=XXXX,DC=XXXX,DC=NET","domainsid":"S-1-5-21-XXXXXXXXXXXXXXXXXXXXXXXXXXX","highvalue":false,"samaccountname":"USERXXXX","description":null,"whencreated":1037706616,"sensitive":false,"dontreqpreauth":false,"passwordnotreqd":false,"unconstraineddelegation":false,"pwdneverexpires":false,"enabled":true,"trustedtoauth":false,"lastlogon":1692544133,"lastlogontimestamp":1692377878,"pwdlastset":1685978889,"serviceprincipalnames":[],"hasspn":false,"displayname":"USERXXXX","email":"USERXXXX@email.com","title":"USERXXXX","homedirectory":null,"userpassword":null,"unixpassword":null,"unicodepassword":null,"sfupassword":null,"logonscript":null,"admincount":false,"sidhistory":[]},"AllowedToDelegate":[],"PrimaryGroupSID":"S-1-5-21-XXXXXXX-XXXXXXXXXXXXXXXXXX","HasSIDHistory":[],"SPNTargets":[],"Aces":[{"PrincipalSID":"S-1-5-21-XXXXXXXXXXXXXXXXXX","PrincipalType":"User","RightName":"Owns","IsInherited":false},{"PrincipalSID":"XXXX.XXXX.NET-S-1-5-32-548","PrincipalType":"Group","RightName":"GenericAll","IsInherited":false},{"PrincipalSID":"S-1-5-21-XXXXXX-XXXXX-XXXXX-XXXX","PrincipalType":"Group","RightName":"GenericAll","IsInherited":false}],"ObjectIdentifier":"S-1-5-21-XXXXXXXXXXXXXXXXXXXXXXX","IsDeleted":false,"IsACLProtected":false,"ContainedBy":null}
Screenshots
Screenshot showing the issue (the user exists in the AD, the SID is resolvable and attributes such as samaccountname are available in the user JSON file)
On the same BloodHound install, with the same SharpHound flags, acquired from the same PC with the same account but for a different domain, we got the expected result:
Data quality shows a coherent number of users:
Ingestion appears as complete:
BUT after some time it changes to:
Ingestion logs:
Thanks
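One way to check whether a node shown only as a SID has a named record in the collected users file, which separates a collection gap from an ingest or display problem (an added example, not part of the original issue or of BloodHound's code). The `data` / `meta.count` wrapper around the records, the `triage` function and the sample SIDs are assumptions and constructed values.

```python
import json

# Constructed sample in the shape of the record quoted in the issue; the
# {"data": [...], "meta": {"count": N}} wrapper is an assumed file layout.
SAMPLE = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1104",
         "Properties": {"name": "ALICE@EXAMPLE.NET", "samaccountname": "ALICE"}},
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1105",
         "Properties": {"name": None, "samaccountname": "BOB"}},
        {"ObjectIdentifier": "S-1-5-21-1111-2222-3333-1106",
         "Properties": {"name": "CAROL@EXAMPLE.NET", "samaccountname": "CAROL"}},
    ],
    "meta": {"type": "users", "count": 4},
})


def triage(users_json, unresolved_sids):
    """Classify each SID the GUI shows without a name against the collected file."""
    doc = json.loads(users_json)
    records = doc.get("data", [])
    by_sid = {}
    for rec in records:
        # Compare SIDs case-insensitively so a casing difference is not a miss.
        sid = str(rec.get("ObjectIdentifier", "")).upper()
        if sid:
            by_sid[sid] = rec.get("Properties") or {}
    verdicts = {}
    for sid in unresolved_sids:
        props = by_sid.get(sid.upper())
        if props is None:
            verdicts[sid] = "absent from file"            # collection gap
        elif not props.get("name"):
            verdicts[sid] = "record has no name"          # collection gap
        else:
            verdicts[sid] = "named in file: " + props["name"]  # ingest/display side
    # A declared count that differs from the records found points to a truncated file.
    declared = doc.get("meta", {}).get("count")
    return verdicts, {"declared": declared, "found": len(records),
                      "count_matches": declared == len(records)}


if __name__ == "__main__":
    verdicts, counts = triage(SAMPLE, ["S-1-5-21-1111-2222-3333-1104",
                                       "S-1-5-21-1111-2222-3333-1105",
                                       "S-1-5-21-1111-2222-3333-9999"])
    for sid, verdict in verdicts.items():
        print(sid, "->", verdict)
    print(counts)
```

`json.loads` holds the whole document in memory, so a file of the size reported here needs a host with enough RAM or a streaming parser in its place.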