Mazars-Tech / AD_Miner

AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses
GNU General Public License v3.0

Bug - Split objects into types #126

Closed TH3xACE closed 2 months ago

TH3xACE commented 4 months ago

[144/145] [+]From cache : Paths between two global admins belonging to different tenants - 0 objects
[145/145] [+]From cache : Paths between tenants admin and domain admins - 0 objects
[+]Requests finished !
[+]Computing domains objects
[+]Generate paths to objects that can GPLink GPOs on OUs
[+]Split objects into types...
Traceback (most recent call last):
  File "/workspace/ctools/AD_Tools/AD_Miner/.venv/bin/AD-miner", line 6, in <module>
    sys.exit(main())
  File "/workspace/ctools/AD_Tools/AD_Miner/ad_miner/main.py", line 182, in main
    domains = Domains(arguments, neo4j)
  File "/workspace/ctools/AD_Tools/AD_Miner/ad_miner/sources/modules/domains.py", line 243, in __init__
    self.generatePathToDa()
  File "/workspace/ctools/AD_Tools/AD_Miner/ad_miner/sources/modules/domains.py", line 666, in generatePathToDa
    self.ou_to_domain_admin[path.nodes[-1].domain].append(path)
KeyError: 'ADTEST.ROOT.NET'

jmbesnard commented 4 months ago

Thanks for sharing this issue. Could you please tell us whether you are using BH legacy or BH CE to ingest the data?

Also, were the data generated by Sharphound or Rusthound or bloodhound.py ?

Do your data contain on-prem and/or Azure ?

Could you please also run the following cypher (either using cypher-shell or from the neo4j web interface - NOT from the BH cypher prompt):

MATCH (d:Domain) WITH collect(d.domain) AS doms MATCH (n) WHERE NOT n.domain IN doms RETURN n.name

and tell us if this returns anything.

Thanks
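The KeyError in the first comment and the consistency query above hinge on the same invariant: every node's `domain` property must match the `domain` of some `Domain` node, because the path-grouping dictionary is keyed by known domains only. The following is an added example, not code from AD_Miner or from anyone in this thread, that models that invariant on a small constructed node set: `orphan_nodes` is a Python equivalent of the cypher above, `group_paths_strict` reproduces the failing dictionary lookup, and `group_paths_tolerant` shows a defensive variant that records unrecognised domains instead of aborting the whole run. The `Node` class, the node names and the casing mismatch used to create the orphan are all constructed for illustration and are not taken from the reporters' data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """Minimal stand-in for a BloodHound graph node (constructed, not AD_Miner's type)."""
    name: str
    labels: frozenset
    domain: str


# Constructed sample graph: one Domain node, its Domain Admins group, one user,
# plus a group and a user whose `domain` property has no matching Domain node
# (here the only difference is casing). This is the kind of inconsistency the
# cypher in the thread is meant to surface; whether a given collector produces
# it is an assumption for this example, not a finding from the issue.
NODES = [
    Node("ADTEST.ROOT.NET", frozenset({"Domain"}), "ADTEST.ROOT.NET"),
    Node("DOMAIN ADMINS@ADTEST.ROOT.NET", frozenset({"Group"}), "ADTEST.ROOT.NET"),
    Node("ALICE@ADTEST.ROOT.NET", frozenset({"User"}), "ADTEST.ROOT.NET"),
    Node("DOMAIN ADMINS@adtest.root.net", frozenset({"Group"}), "adtest.root.net"),
    Node("BOB@adtest.root.net", frozenset({"User"}), "adtest.root.net"),
]

# Constructed paths: each is a node sequence whose last element is the target.
PATHS = [
    [NODES[2], NODES[1]],  # ALICE -> DOMAIN ADMINS, endpoint in a known domain
    [NODES[4], NODES[3]],  # BOB -> group in the orphan domain
]


def known_domains(nodes):
    """Equivalent of `MATCH (d:Domain) WITH collect(d.domain) AS doms`."""
    return {n.domain for n in nodes if "Domain" in n.labels}


def orphan_nodes(nodes):
    """Equivalent of `MATCH (n) WHERE NOT n.domain IN doms RETURN n.name`:
    names of nodes whose domain property matches no Domain node."""
    doms = known_domains(nodes)
    return sorted(n.name for n in nodes if n.domain not in doms)


def group_paths_strict(paths, domains):
    """Mirrors the failing pattern: buckets exist only for known domains, so a
    path ending in any other domain raises KeyError."""
    ou_to_da = {d: [] for d in domains}
    for path in paths:
        ou_to_da[path[-1].domain].append(path)
    return ou_to_da


def missing_domain(paths, domains):
    """Return the first endpoint domain that has no bucket, or None if consistent."""
    try:
        group_paths_strict(paths, domains)
    except KeyError as exc:
        return exc.args[0]
    return None


def group_paths_tolerant(paths, domains):
    """Hardened grouping: unknown endpoint domains are collected separately so
    the report still completes and the inconsistency is visible to the user."""
    ou_to_da = {d: [] for d in domains}
    unknown = defaultdict(list)
    for path in paths:
        bucket = ou_to_da.get(path[-1].domain)
        if bucket is None:
            unknown[path[-1].domain].append(path)
        else:
            bucket.append(path)
    return ou_to_da, dict(unknown)


if __name__ == "__main__":
    doms = known_domains(NODES)
    print("orphan nodes:", orphan_nodes(NODES))
    print("strict grouping fails on:", missing_domain(PATHS, doms))
    grouped, unknown = group_paths_tolerant(PATHS, doms)
    print("grouped:", {d: len(p) for d, p in grouped.items()})
    print("unknown domains:", {d: len(p) for d, p in unknown.items()})
```

Running the script on the constructed data reports the two orphan nodes, shows the strict grouping failing on the lower-case domain, and shows the tolerant grouping completing with that domain set aside. Running the real cypher against a database that produced the traceback is the equivalent check: an empty result means the endpoint domain reached the dictionary by some other route, which is the situation the reporters describe.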

TH3xACE commented 4 months ago

The tool seems amazing... and I'm looking forward to being able to test it fully.

Returned nothing with the cypher: MATCH (d:Domain) WITH collect(d.domain) AS doms MATCH (n) WHERE NOT n.domain IN doms RETURN n.name

Thanks for the rapid response :)

jmbesnard commented 4 months ago

We are observing different issues with data coming from rusthound. Would it be possible for you to collect with sharphound or even dirkjan's script? That's not going to fix the bug of course but would at least give us some clues if rusthound's involvement in this issue is confirmed. Also feel free to join our discord server (as we might answer in a faster fashion). Thanks

TH3xACE commented 4 months ago

Thank you, I will join the discord. I have used a dump not made with rusthound and it works fine. I guess the issue is with rusthound. Do you know what the issue is? How does it work on BH if the data collected has some issues? I guess it is a known issue with data collected with Rusthound?

cmprmsd commented 3 months ago

Any updates on this issue? I'm having the same problem :dagger: Oh, I see there is https://github.com/Mazars-Tech/AD_Miner/pull/125

TH3xACE commented 3 months ago

The issue seems to be related to the collected data when using rusthound. Using another collector seems to work. The issue/bug is not fixed, but this is a workaround, although identifying the issue and correcting it would be great.

@jmbesnard if you perform two collections from the same environment using SharpHound and RustHound, wouldn't comparing the two collections (JSON) help identify the issue, and could AD-Miner be altered to take care of some malformed JSON or similar when collecting with RH?

TH3xACE commented 3 months ago

@cmprmsd did https://github.com/Mazars-Tech/AD_Miner/pull/125 help fix the issue?? Does it work now with RH??

cmprmsd commented 3 months ago

I cloned the repo, ran poetry install and poetry shell, and confirmed with `which ad-miner` that it is using the venv, but it seems the error persists.

cmprmsd commented 3 months ago

[+]Requests finished !
[+]Computing domains objects
[+]Generate paths to objects that can GPLink GPOs on OUs
[+]Split objects into types...
Traceback (most recent call last):
  File "adminer/AD_Miner/.venv/bin/AD-miner", line 6, in <module>
    sys.exit(main())
             ^^^^^^
  File "adminer/AD_Miner/ad_miner/__main__.py", line 182, in main
    domains = Domains(arguments, neo4j)
              ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "adminer/AD_Miner/ad_miner/sources/modules/domains.py", line 243, in __init__
    self.generatePathToDa()
  File "adminer/AD_Miner/ad_miner/sources/modules/domains.py", line 666, in generatePathToDa
    self.ou_to_domain_admin[path.nodes[-1].domain].append(path)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'a.b.LOCAL.INT'

jmbesnard commented 3 months ago

The change was pushed into main and does not appear in the release. A new release will be issued in a few minutes. Once that is done, could you please retry and let us know? Thanks

cmprmsd commented 3 months ago

@jmbesnard Thanks, but isn't this what I do when I clone the repo and run the poetry commands from above?

jmbesnard commented 3 months ago

True, I misread the comment. @TH3xACE I did try that and could not reproduce the problem unfortunately.

jmbesnard commented 3 months ago

@cmprmsd also feel free to join us on Discord, as it may be easier to further discuss the issue.

jmbesnard commented 2 months ago

Not receiving any updates on this issue so closing it.