MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

Get-ADReplAccount : The input is shorter than the minimum length. #172

Closed: m4xx75 closed this 6 months ago

m4xx75 commented 9 months ago

Hello,

When I try to run Test-PasswordQuality, I systematically encounter this error message after a few minutes: Get-ADReplAccount : The input is shorter than the minimum length.

I tried with and without a dictionary file; the result is always the same. My account is a member of "Domain Admins". I am using DSInternals v4.12.

Thanks.

MichaelGrafnetter commented 9 months ago

Hello @m4xx75 , would you please be able to share the exception stack trace?

m4xx75 commented 9 months ago

Hello @MichaelGrafnetter

Thank you for the feedback, and sorry for my late reply (I was on vacation). Here is the trace of the error:

Get-ADReplAccount : The input is shorter than the minimum length.
Parameter name: blob
Actual value was 0.
At C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1:11 char:11
+ $result = Get-ADReplAccount -All -Server "dc.domain.local" -NamingCon ...
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADReplAccount], ArgumentOutOfRangeException
    + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,DSInternals.PowerShell.Commands.GetADReplAccountCommand

Resolve-Error:

PSMessageDetails      : 
Exception             : System.ArgumentOutOfRangeException: The input is shorter than the minimum length.
                        Parameter name: blob
                        Actual value was 0.
                           at DSInternals.Common.Validator.AssertMinLength(Byte[] data, Int32 minLength, String paramName)
                           at DSInternals.Common.Cryptography.CngSoftwareProviderTransportBlob..ctor(Byte[] blob)
                           at DSInternals.Common.Data.RoamedCredential..ctor(Byte[] blob, String accountName, SecurityIdentifier accountSid)
                           at DSInternals.Common.Data.DSAccount.LoadRoamedCredentials(DirectoryObject dsObject)
                           at DSInternals.Common.Data.DSAccount..ctor(DirectoryObject dsObject, String netBIOSDomainName, DirectorySecretDecryptor pek)
                           at DSInternals.Replication.DirectoryReplicationClient.<GetAccounts>d__17.MoveNext()
                           at DSInternals.PowerShell.Commands.GetADReplAccountCommand.ReturnAllAccounts()
                           at System.Management.Automation.CommandProcessor.ProcessRecord()
TargetObject          : 
CategoryInfo          : NotSpecified: (:) [Get-ADReplAccount], ArgumentOutOfRangeException
FullyQualifiedErrorId : System.ArgumentOutOfRangeException,DSInternals.PowerShell.Commands.GetADReplAccountCommand
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1: line 11
PipelineIterationInfo : {}

MyCommand             : Get-ADReplAccount
BoundParameters       : {}
UnboundArguments      : {}
ScriptLineNumber      : 11
OffsetInLine          : 11
HistoryId             : 2
ScriptName            : C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1
Line                  : $result = Get-ADReplAccount -All -Server "dc.domain.local" -NamingContext "DC=domain,DC=local" | Test-PasswordQuality # -WeakPasswordHashesSortedFile D:\pwnedpasswords_ntlm.txt
PositionMessage       : At C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1:11 char:11
                        + $result = Get-ADReplAccount -All -Server "dc.domain.local" -NamingCon ...
                        +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot          : C:\Users\$env:USERNAME\Desktop
PSCommandPath         : C:\Users\$env:USERNAME\Desktop\Test-PasswordQuality.ps1
InvocationName        : Get-ADReplAccount
PipelineLength        : 0
PipelinePosition      : 0
ExpectingInput        : False
CommandOrigin         : Internal
DisplayScriptPosition : 


Message        : The input is shorter than the minimum length.
                 Parameter name: blob
                 Actual value was 0.
ActualValue    : 0
ParamName      : blob
Data           : {}
InnerException : 
TargetSite     : Void AssertMinLength(Byte[], Int32, System.String)
StackTrace     :    at DSInternals.Common.Validator.AssertMinLength(Byte[] data, Int32 minLength, String paramName)
                    at DSInternals.Common.Cryptography.CngSoftwareProviderTransportBlob..ctor(Byte[] blob)
                    at DSInternals.Common.Data.RoamedCredential..ctor(Byte[] blob, String accountName, SecurityIdentifier accountSid)
                    at DSInternals.Common.Data.DSAccount.LoadRoamedCredentials(DirectoryObject dsObject)
                    at DSInternals.Common.Data.DSAccount..ctor(DirectoryObject dsObject, String netBIOSDomainName, DirectorySecretDecryptor pek)
                    at DSInternals.Replication.DirectoryReplicationClient.<GetAccounts>d__17.MoveNext()
                    at DSInternals.PowerShell.Commands.GetADReplAccountCommand.ReturnAllAccounts()
                    at System.Management.Automation.CommandProcessor.ProcessRecord()
HelpLink       : 
Source         : DSInternals.Common
HResult        : -2146233086

Don't hesitate to ask if you need more information. Thanks.

MichaelGrafnetter commented 9 months ago

@m4xx75 Thanks for the info. There is apparently an empty CNG private key file stored in the ms-PKI-AccountCredentials attribute of one of the user accounts. I will need to update my code to deal with this non-standard situation.

m4xx75 commented 9 months ago

Hello @MichaelGrafnetter ,

Thank you for this feedback. Actually, I have a number of accounts with this attribute empty.

Do you have any idea when you'll be able to update your tool?

Thanks.

MichaelGrafnetter commented 9 months ago

Can't promise any specific date. The problem is not an empty attribute, that would be absolutely OK. But your DB contains private keys of length 0, which is definitely strange and I haven't seen that before. Unfortunately, Microsoft's implementation of DPAPI is undocumented, which makes it harder to catch all the possible scenarios in my test lab.

m4xx75 commented 9 months ago

Okay @MichaelGrafnetter , thank you for this clarification.

By any chance, could you tell me how to detect these accounts with a PowerShell command?

I looked around and came across your article "#CQLabs – Extracting Roamed Private Keys from Active Directory by Michael Grafnetter", but I couldn't find a cmdlet on the internet that allows me to do this.

The goal would be to correct these accounts in order to work around the problem that I am encountering.

Thanks.
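The maintainer's diagnosis above is that one or more user objects carry a zero-length private-key blob inside ms-PKI-AccountCredentials (an empty attribute would be fine; a present value with zero bytes is what Get-ADReplAccount choked on), and the follow-up question is how to find those accounts. The script below is an added example written for this page; it is not code from DSInternals or from anyone in this thread. It assumes the RSAT ActiveDirectory module is available, that the caller can read ms-PKI-AccountCredentials, and that the module returns this DN-Binary attribute in its standard string form `B:<number of hex digits>:<hex bytes>:<DN>`. The function name Find-EmptyRoamedCredential is invented for the example; the server name dc.domain.local and the naming context DC=domain,DC=local are the values from the error trace above.

```powershell
# Added example (not DSInternals project code): list user accounts whose
# ms-PKI-AccountCredentials attribute holds a zero-length roamed credential blob.
# Assumptions: RSAT ActiveDirectory module installed; read access to the attribute;
# DN-Binary values come back as "B:<hexDigitCount>:<hexBytes>:<DN>" strings.
Import-Module ActiveDirectory

function Find-EmptyRoamedCredential {
    [CmdletBinding()]
    param(
        # Hypothetical defaults for the example; override to match your forest.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        [string] $Server
    )

    $attr = 'ms-PKI-AccountCredentials'
    $getParams = @{
        # Only objects that have at least one value; empty attributes are not the problem.
        LDAPFilter = "($attr=*)"
        SearchBase = $SearchBase
        Properties = $attr
    }
    if ($Server) { $getParams['Server'] = $Server }

    foreach ($user in (Get-ADUser @getParams)) {
        foreach ($value in $user.$attr) {
            # DN-Binary syntax: B:<count of hex digits>:<hex-encoded bytes>:<distinguished name>
            if ($value -match '^B:(\d+):([0-9A-Fa-f]*):(.*)$') {
                $hexDigits  = [int]$Matches[1]
                $byteLength = [int]($Matches[2].Length / 2)
                [pscustomobject]@{
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                    BlobBytes         = $byteLength
                    # A declared length of 0 or an empty hex payload is the zero-length
                    # blob that triggered "Actual value was 0" in the stack trace.
                    IsEmpty           = ($hexDigits -eq 0 -or $byteLength -eq 0)
                    ValueDN           = $Matches[3]
                }
            }
            else {
                # Anything that is not DN-Binary at all is also worth a look.
                Write-Warning "$($user.SamAccountName): unparseable value '$value'"
            }
        }
    }
}

# Report only the accounts that would make a pre-4.14 Get-ADReplAccount abort.
Find-EmptyRoamedCredential -Server 'dc.domain.local' -SearchBase 'DC=domain,DC=local' |
    Where-Object IsEmpty |
    Select-Object SamAccountName, DistinguishedName, BlobBytes, ValueDN |
    Format-Table -AutoSize
```

The check deliberately reads the attribute over LDAP with the ActiveDirectory module rather than through DSInternals replication, because the replication path is the one that raises the exception. Treat any clean-up of the flagged values (for example with Set-ADUser -Remove on the exact value string, tested first with -WhatIf) as a destructive change: the values are the users' roamed credentials, so confirm that the affected accounts have no working key stored in them before deleting anything.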

m4xx75 commented 8 months ago

Hello @MichaelGrafnetter, do you have any news? Thanks.

MichaelGrafnetter commented 6 months ago

@m4xx75 The issue should be resolved in DSInternals 4.14, which is more tolerant to malformed roamed credentials.