Open imhasin opened 7 months ago
An interesting development:
I tried bloodhound-python to collect data and that is also failing. This could mean the problem is on the box's side.
└──╼ $bloodhound-python -d rebound.htb -c all -u ldap_monitor -p '1GR8t@$$4u' -ns 10.129.229.114 --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
Traceback (most recent call last):
File "/home/imhasin/.bp/bin/bloodhound-python", line 8, in <module>
sys.exit(main())
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/__init__.py", line 343, in main
bloodhound.run(collect=collect,
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/__init__.py", line 81, in run
membership_enum.enumerate_memberships(timestamp=timestamp, fileNamePrefix=fileNamePrefix)
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py", line 843, in enumerate_memberships
self.enumerate_users(timestamp, fileNamePrefix)
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py", line 183, in enumerate_users
'ObjectType': ADUtils.resolve_ad_entry(
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/ad/utils.py", line 278, in resolve_ad_entry
account = ADUtils.get_entry_property(entry, 'sAMAccountName', '')
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/ad/utils.py", line 362, in get_entry_property
value = entry['attributes'][prop]
TypeError: 'NoneType' object is not subscriptable
Here's the error trying bloodhound-python.
I had the same error yesterday while running bloodhound against the DC02 (WINTERFELL) of the GOAD lab, but not against DC01 or DC03, i will try to dig into it, but maybe its related to bloodhound itself
As this is also applicable to the bloodhound-python project could you also open up an issue on dirk-jan's repository?
As this is also applicable to the bloodhound-python project could you also open up an issue on dirk-jan's repository?
Sure, I will. Thanks for taking the time!
Describe the bug While using the ldap module of nxc with kerberos, the mentioned error occurs. I tried it:
--kdcHost
flagFirst I was trying the bloodhound module and it failed in the step of getting a TGT. So I thought maybe that's where the bug is, so I got the TGT myself with impacket toolkit and exported it in the KRB5CCNAME and then tried using the
use-kcache
flag to use the cached TGT but the same error occured again.Note: This box requires you to use kerberos with ldap module. Maybe this info will help somehow.
To Reproduce Steps to reproduce the behavior i.e.: Command:
netexec ldap dc01 -u 'ldap_monitor' -p '1GR8t@$$4u' --bloodhound -k -ns 10.129.229.114 --collection ALL --kdcHost dc01
Resulted in:This same error occurs using the following command after getting and exporting the TGT myself.
netexec ldap dc01 -u 'ldap_monitor' -p '1GR8t@$$4u' --bloodhound -k -ns 10.129.229.114 --collection ALL --use-kcache --kdcHost dc01
Expected behavior The commands should go and grab TGT and then do the collection and zip them.
NetExec info