CasperGN / ActiveDirectoryEnumeration

Enumerate AD through LDAP with a collection of helpfull scripts being bundled
MIT License

RecursionError: maximum recursion depth exceeded #22

Closed kalidor closed 4 years ago

kalidor commented 4 years ago

Describe the bug

Playing with the Cascade machine on hackthebox, I wanted to try your tools. PS: I rooted the box.

To Reproduce

./activeDirectoryEnum.py -u arksvc@cascade.local -o outputfile --no-creds 10.10.10.182
[huge amount of repeated errors]
Traceback (most recent call last):
  File "./activeDirectoryEnum.py", line 799, in <module>
    enumAD = EnumAD(args.dc, args.secure, file_to_write, args.smb, args.bloodhound, args.kerberos_preauth, args.spn, args.user)
  File "./activeDirectoryEnum.py", line 75, in __init__
    self.runWithoutCreds()
  File "./activeDirectoryEnum.py", line 122, in runWithoutCreds
    self.search()
  File "./activeDirectoryEnum.py", line 177, in search
    self.conn.search(self.dc_string[:-1], '(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))', attributes=self.ldapProps, search_scope=SUBTREE)
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/core/connection.py", line 782, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 139, in post_send_search
    responses, result = self.get_response(message_id)
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 352, in get_response
    ref_response, ref_result = self.do_operation_on_referral(self._outstanding[message_id], responses[-2]['referrals'])
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 762, in do_operation_on_referral
    referral_connection.search(selected_referral['base'] or request['base'],
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/core/connection.py", line 782, in search
    response = self.post_send_search(self.send('searchRequest', request, controls))
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/strategy/sync.py", line 139, in post_send_search
    responses, result = self.get_response(message_id)
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 352, in get_response
    ref_response, ref_result = self.do_operation_on_referral(self._outstanding[message_id], responses[-2]['referrals'])
  File "/home/m1/.local/lib/python3.8/site-packages/ldap3/strategy/base.py", line 762, in do_operation_on_referral
    referral_connection.search(selected_referral['base'] or request['base'],

The output file is not created, so I don't really know where it's crashing...

Expected behavior

Some output, and no error :-)

CasperGN commented 4 years ago

Hi!

Thanks for the submission. Could you try replacing the IP with cascade.local, as well as adding the machine and domain to your hosts file (since there is no zone to query for DNS), and rerun? Another note to add is that when running with --no-creds the -u flag is not required. Eventually check out https://github.com/CasperGN/ActiveDirectoryEnumeration/pull/15 which is practically tested on cascade.

Cheers! / C

CasperGN commented 4 years ago

Added as bug either way as this exception should be caught.

CasperGN commented 4 years ago

Note to self: Possible catch of this issue can be the regex for domain name validation:

$ grep "domainRE" activeDirectoryEnum.py 
    domainRE = re.compile(r'^((?:[a-zA-Z0-9-.]+)?(?:[a-zA-Z0-9-.]+)?[a-zA-Z0-9-]+\.[a-zA-Z]+)$')

The removal of 0-9 and - from the last match group ensures that IPs in the dc argument would trigger a fail and exit.

@kalidor The issue comes from Python's protection against stack overflow (from what I've gathered at least), as there are recursive functions (most likely in the ldap calls) that try to exceed 1000. The problem is that it (the code) is not aware of which domain to query LDAP objects from, regardless of binding successfully on the DC's IP. A quick test with:

$ echo "10.10.10.182 cascade.local" >> /etc/hosts; ./activeDirectoryEnum.py cascade.local --no-creds -o cascade.local
[ INFO ] Attempting to get objects without credentials
[ OK ] Bound to LDAP server: cascade.local
[ OK ] Got all Computer objects
[ OK ] Got all Person objects
[ OK ] Got all Group objects
[ OK ] Got all SPN objects
[ OK ] Got all ACL objects
[ OK ] Got all GPO objects
[ OK ] Got all Domains
[ OK ] Got all OUs
[ OK ] Got all deleted users
[ INFO ] Searching for juicy info in deleted users
[ INFO ] Found possible password in properties
[ INFO ] Attempting to determine if it is a password
[ INFO ] User: "<redacted>" with: "<redacted>" was not cleartext
...

Can you see if this also works for you?

Cheers! / C
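The two fixes discussed in this thread, an argument check using the domainRE quoted above so an IP address fails fast with a clear message, and catching the RecursionError that ldap3's referral chasing raises, as an added stand-alone example (not the project's code; the names `classify_dc_target`, `require_domain_target`, `guarded_search` and `EnumerationError` are hypothetical):

```python
import ipaddress
import re
from typing import Any, Callable

# Regex quoted from the issue (activeDirectoryEnum.py's domainRE). The final
# label must be alphabetic, so a dotted-quad IP such as 10.10.10.182 cannot match.
DOMAIN_RE = re.compile(r'^((?:[a-zA-Z0-9-.]+)?(?:[a-zA-Z0-9-.]+)?[a-zA-Z0-9-]+\.[a-zA-Z]+)$')


class EnumerationError(Exception):
    """Tool-level error raised instead of letting a low-level exception escape."""


def classify_dc_target(value: str) -> str:
    """Return 'ip', 'domain' or 'invalid' for the dc argument (hypothetical helper)."""
    try:
        ipaddress.ip_address(value)   # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(value) else "invalid"


def require_domain_target(value: str) -> str:
    """Fail fast with an actionable message when the target is not a domain name."""
    kind = classify_dc_target(value)
    if kind == "domain":
        return value
    if kind == "ip":
        raise EnumerationError(
            f"{value!r} is an IP address; pass the domain name (e.g. cascade.local) "
            "and map it to this IP in /etc/hosts so searches use the right base DN")
    raise EnumerationError(f"{value!r} is not a valid domain name")


def guarded_search(search: Callable[..., Any], *args: Any, **kwargs: Any) -> Any:
    """Run an LDAP search callable and convert RecursionError into EnumerationError."""
    try:
        return search(*args, **kwargs)
    except RecursionError as exc:
        raise EnumerationError(
            "LDAP search hit the recursion limit while chasing referrals; "
            "check that the dc argument is the domain name, not an IP") from exc
```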

CasperGN commented 4 years ago

Ref. PR: https://github.com/CasperGN/ActiveDirectoryEnumeration/pull/23

kalidor commented 4 years ago

As you suggested, using cascade.local instead of IP works like a charm.