Closed cnotin closed 6 years ago
In a production domain we observed a crash due to a null pointer exception during the stealth enumeration for groups. The issue is around https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L152
We have a computer object without a dnshostname property, so dnshostname is null in https://github.com/BloodHoundAD/SharpHound/blob/f164a3b11bb4b892c286cb70d8e65184bfcf1fd0/Sharphound2/Extensions.cs#L95 Therefore the code falls back to trying to DNS resolve the computer, with its FQDN and shortname. However this computer doesn't resolve. So it returns null https://github.com/BloodHoundAD/SharpHound/blob/f164a3b11bb4b892c286cb70d8e65184bfcf1fd0/Sharphound2/Extensions.cs#L114
dnshostname
(I don't know how this situation happened in this domain... But I bet other domains could have the same case).
Then the null resolvedEntry https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L152 is passed to GroupHelpers.ProcessAdObject
resolvedEntry
GroupHelpers.ProcessAdObject
And it crashes with a NPE at line: https://github.com/BloodHoundAD/SharpHound/blob/e781f3f4a9e46fd7b2cfa0eefe1ee1ee5f096e8d/Sharphound2/Enumeration/GroupHelpers.cs#L32
I think this issue isn't present in the default collection method (non-stealth) because there is a check for null https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L448
In a production domain we observed a crash due to a null pointer exception during the stealth enumeration for groups. The issue is around https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L152
We have a computer object without a dnshostname property, so
dnshostnameis null in https://github.com/BloodHoundAD/SharpHound/blob/f164a3b11bb4b892c286cb70d8e65184bfcf1fd0/Sharphound2/Extensions.cs#L95 Therefore the code falls back to trying to DNS resolve the computer, with its FQDN and shortname. However this computer doesn't resolve. So it returns null https://github.com/BloodHoundAD/SharpHound/blob/f164a3b11bb4b892c286cb70d8e65184bfcf1fd0/Sharphound2/Extensions.cs#L114(I don't know how this situation happened in this domain... But I bet other domains could have the same case).
Then the null
resolvedEntryhttps://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L152 is passed toGroupHelpers.ProcessAdObjectAnd it crashes with a NPE at line: https://github.com/BloodHoundAD/SharpHound/blob/e781f3f4a9e46fd7b2cfa0eefe1ee1ee5f096e8d/Sharphound2/Enumeration/GroupHelpers.cs#L32
I think this issue isn't present in the default collection method (non-stealth) because there is a check for null https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L448