dirkjanm / BloodHound.py

A Python based ingestor for BloodHound
MIT License

TypeError: 'NoneType' object has no attribute 'extend' - Occurs trying to authenticate to LDAPS #167

Open imhasin opened 5 months ago

imhasin commented 5 months ago

Describe the bug

Running bloodhound-python against one of the servers with the regular command, I faced the issue. I tried:

  1. using fqdn, just the host name, the IP
  2. made sure time is synced

To Reproduce

The following commands were used and both of the times same error occurs.

bloodhound-python -d rebound.htb -c all -u ldap_monitor -p '1GR8t@$$4u' -ns 10.129.229.114 --zip

bloodhound-python -u 'ldap_monitor' -p '1GR8t@$$4u' --dns-tcp -d rebound.htb -c all --zip -ns 10.129.229.114

Resulted in:

INFO: Found AD domain: rebound.htb
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
ERROR: Failure to authenticate with LDAP! Error 80090346: LdapErr: DSID-0C090726, comment: AcceptSecurityContext error, data 80090346, v4563
Traceback (most recent call last):
  File "/usr/local/bin/bloodhound-python", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/__init__.py", line 297, in main
    bloodhound.run(collect=collect,
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/__init__.py", line 73, in run
    self.pdc.prefetch_info('objectprops' in collect, 'acl' in collect)
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/ad/domain.py", line 393, in prefetch_info
    self.get_objecttype()
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/ad/domain.py", line 225, in get_objecttype
    sresult = self.ldap.extend.standard.paged_search(self.ldap.server.info.other['schemaNamingContext'][0],
AttributeError: 'NoneType' object has no attribute 'extend'

bloodhound-python Info:

  1. It's set up using pip3 install bloodhound
  2. I tried setting it up in a Python virtual environment, but same issue.
  3. OS: ParrotOS, pwnbox from HackTheBox

imhasin commented 5 months ago

I have a similar issue running bloodhound collection using netexec. Here's the issue I opened there. https://github.com/Pennyw0rth/NetExec/issues/243#issue-2220199048

NeffIsBack commented 5 months ago

I am running into a similar issue (besides the weird "Could not find Global Catalog in this domain" that I need to fix somehow): [image] [image]

EDIT: Now that I am looking at the error again, it might be different though. Gonna try to get to the root cause later.

NeffIsBack commented 5 months ago

Oh your stacktrace is different from the one you posted on NetExec: https://github.com/Pennyw0rth/NetExec/issues/243#issue-2220199048 https://github.com/Pennyw0rth/NetExec/issues/243#issuecomment-2031722146

The ones there have the exact same stacktrace as mine.

dirkjanm commented 5 months ago

The issue from the first post is triggered because likely both signing and channel binding are enforced, which is currently not supported by BloodHound.py. As a result, the authentication fails, and a stacktrace is triggered further in the code.
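
As an added example (not BloodHound.py's own code, and contacting no directory), here is the LDAP-then-LDAPS fallback dirkjanm describes, written so that a rejected LDAPS bind raises a descriptive error instead of leaving the connection object as None and crashing later in paged_search. FakeDomainController, BindResult and the bind messages are constructed stand-ins for an ldap3 bind. The error code 80090346 quoted in the first post's log is SEC_E_BAD_BINDINGS, the code a domain controller returns when it requires LDAP channel binding and the client supplied no channel binding token:

```python
# Added example, not BloodHound.py code: an LDAP -> LDAPS fallback that fails
# loudly when both binds are rejected, instead of leaving the connection object
# as None and crashing later in paged_search with
# "'NoneType' object has no attribute 'extend'".
#
# FakeDomainController, BindResult and the bind messages are constructed
# stand-ins for an ldap3 bind; nothing here contacts a real directory.
from dataclasses import dataclass


# Value from the issue's error line: "AcceptSecurityContext error, data 80090346".
# 0x80090346 is SEC_E_BAD_BINDINGS: the DC requires an LDAP channel binding token
# and the client did not supply one.
SEC_E_BAD_BINDINGS = "80090346"

# LDAP result code 8 (strongerAuthRequired): the DC requires signing and the
# client attempted an unsigned bind. This is the condition behind the tool's
# "LDAP Authentication is refused because LDAP signing is enabled" warning.
STRONGER_AUTH_REQUIRED = "strongerAuthRequired"


@dataclass
class BindResult:
    ok: bool
    transport: str   # "ldap" or "ldaps"
    message: str


class LdapBindError(RuntimeError):
    """Neither plain LDAP nor LDAPS could authenticate; carries a diagnosis."""


class FakeDomainController:
    """Constructed stand-in for a DC's LDAP hardening policy (not a real server)."""

    def __init__(self, require_signing=False, require_channel_binding=False):
        self.require_signing = require_signing
        self.require_channel_binding = require_channel_binding

    def bind_ldap(self) -> BindResult:
        if self.require_signing:
            return BindResult(False, "ldap", STRONGER_AUTH_REQUIRED)
        return BindResult(True, "ldap", "bound")

    def bind_ldaps(self) -> BindResult:
        # A client that cannot present a channel binding token is refused here.
        if self.require_channel_binding:
            return BindResult(False, "ldaps",
                              "Error 80090346: LdapErr: DSID-0C090726, comment: "
                              "AcceptSecurityContext error, data 80090346, v4563")
        return BindResult(True, "ldaps", "bound")


def diagnose(message: str) -> str:
    """Map a bind error string to the server policy that most likely produced it."""
    if STRONGER_AUTH_REQUIRED in message:
        return "ldap_signing_required"
    if SEC_E_BAD_BINDINGS in message:
        return "channel_binding_required"
    return "other"


def connect_with_fallback(dc: FakeDomainController) -> BindResult:
    """Bind over LDAP; on a signing refusal retry over LDAPS.

    Returns a successful BindResult or raises LdapBindError. It never returns
    None, so callers cannot reach a paged_search on a missing connection.
    """
    first = dc.bind_ldap()
    if first.ok:
        return first
    if diagnose(first.message) != "ldap_signing_required":
        raise LdapBindError(f"LDAP bind failed ({diagnose(first.message)}): {first.message}")

    second = dc.bind_ldaps()
    if second.ok:
        return second
    reason = diagnose(second.message)
    hint = ""
    if reason == "channel_binding_required":
        hint = (" The DC enforces both LDAP signing and channel binding; this "
                "client cannot satisfy the channel binding requirement.")
    raise LdapBindError(f"LDAPS bind failed ({reason}): {second.message}.{hint}")


def describe_outcome(dc: FakeDomainController) -> str:
    """One-line summary for the demo below; the exception becomes a readable string."""
    try:
        result = connect_with_fallback(dc)
        return f"connected over {result.transport}"
    except LdapBindError as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    # Three constructed policies: default, signing only (matches the run where the
    # warning is printed and collection still succeeds), signing plus channel binding.
    for label, dc in [
        ("negotiate signing, no binding", FakeDomainController()),
        ("signing required", FakeDomainController(require_signing=True)),
        ("signing + channel binding required",
         FakeDomainController(require_signing=True, require_channel_binding=True)),
    ]:
        print(f"{label}: {describe_outcome(dc)}")
```

The point of the guard is the last branch: with the real tool, the LDAPS bind failure was logged but execution continued, so `self.ldap` was None by the time `get_objecttype` ran. Raising at the bind site keeps the error next to its cause, and the `diagnose` mapping tells the operator which DC policy produced it.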

NeffIsBack commented 5 months ago

Hi, the combination of signing and channel binding isn't supported with NTLM auth in netexec as well (turned them on for the sake of demonstration): [image]

I also checked the settings and these are currently on negotiate signing and don't enforce binding: [image]

NeffIsBack commented 5 months ago

Also user enumeration looks like it's working: [image]

imhasin commented 5 months ago

This is a link to a writeup on the same box in the same step using bloodhound-python. It works for some reason.

oxdf@hacky$ bloodhound-python -d rebound.htb -c all -u oorend -p '1GR8t@$$4u' -ns 10.10.11.231 --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: gmsa.rebound.htb
INFO: Querying computer: dc01.rebound.htb
INFO: Skipping enumeration for gmsa.rebound.htb since it could not be resolved.
INFO: Done in 00M 22S
INFO: Compressing output into 20240317211834_bloodhound.zip

And this is a video walkthrough of using netexec bloodhound module. It also works fine there.

CSpanias commented 5 months ago

If you go further down in 0xdf's walkthrough (linked directly above), it seems that it is something to do with the -c all method. If you change that, it works as expected.


@NeffIsBack the same goes when executing it through NetExec!