dirkjanm / BloodHound.py

A Python based ingestor for BloodHound
MIT License

Retrieving trust forest data #176

Open n3rada opened 4 months ago

n3rada commented 4 months ago

In an environment where DMZDC01.HOME.COM has a trust relationship like this:

dn: CN=dev.com,CN=System,DC=home,DC=com
cn: dev.com
securityIdentifier: S-1-5-21-1135011135-3178090508-3151492220
name: dev.com
trustDirection: bidirectional
trustPartner: dev.com
trustType: Windows domain running Active Directory
trustAttributes: FOREST_TRANSITIVE
flatName: DEV

It is possible to retrieve all dev.com data from the dc01 while running SharpHound:

sliver (LOVELY_HONESTY) > execute-assembly /home/kali/backpack/winaries/SharpHound-v1.1.1/SharpHound.exe '-c all,LoggedOn,GPOLocalGroup -d comply.com -v 1'
2024-04-28T09:21:44.4238613-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-04-28T09:21:44.5332372-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-04-28T09:21:44.5488628-07:00|INFORMATION|Initializing SharpHound at 9:21 AM on 4/28/2024
2024-04-28T09:21:44.8270927-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for dev.com : rdc02.dev.com
2024-04-28T09:21:44.9962054-07:00|INFORMATION|Loaded cache with stats: 116 ID to type mappings.
 118 name to SID mappings.
 0 machine sid mappings.
 5 sid to domain mappings.
 0 global catalog mappings.
2024-04-28T09:21:44.9962054-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-04-28T09:21:45.0587119-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for home.com : dmzdc01.home.com
2024-04-28T09:21:45.2099560-07:00|INFORMATION|Beginning LDAP search for dev.com
2024-04-28T09:21:45.2461661-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-04-28T09:21:45.2461661-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-04-28T09:21:45.2712512-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:45.2712512-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 4256AFBB-54AE-4C54-989B-CC602C85C08D: top, container
2024-04-28T09:21:45.2712512-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 4256AFBB-54AE-4C54-989B-CC602C85C08D: Container
2024-04-28T09:21:45.2788286-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:45.2788286-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 5382E506-20CC-4B00-96E8-4A680DAA98CA: top, container
2024-04-28T09:21:45.2788286-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 5382E506-20CC-4B00-96E8-4A680DAA98CA: Container
2024-04-28T09:21:45.7961899-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:45.7961899-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 040A1EBF-BED0-43C4-B339-43429FF9E931: top, container
2024-04-28T09:21:45.7961899-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 040A1EBF-BED0-43C4-B339-43429FF9E931: Container
2024-04-28T09:21:46.8162026-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:46.8162026-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 8F6E5AE9-8AA1-4ECA-80E5-1B8144EB30C8: top, container
2024-04-28T09:21:46.8162026-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 8F6E5AE9-8AA1-4ECA-80E5-1B8144EB30C8: Container
2024-04-28T09:21:47.3188991-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:47.3188991-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 9FB8A3B4-D9AD-49F8-BB83-610E545DA6E0: top, container
2024-04-28T09:21:47.3188991-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 9FB8A3B4-D9AD-49F8-BB83-610E545DA6E0: Container
2024-04-28T09:21:48.3063014-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:48.3063014-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 03F343C3-618E-4864-90F6-42DFAC63D4AF: top, container
2024-04-28T09:21:48.3063014-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 03F343C3-618E-4864-90F6-42DFAC63D4AF: Container
2024-04-28T09:21:49.3096264-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:49.3096264-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 850FB158-F1D0-4530-8ADE-7CF5454CDD8E: top, container
2024-04-28T09:21:49.3096264-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 850FB158-F1D0-4530-8ADE-7CF5454CDD8E: Container
2024-04-28T09:21:50.2972502-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:50.2972502-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 3CA382AB-EFAE-4D67-978C-A03F0AF6A972: top, container
2024-04-28T09:21:50.2972502-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 3CA382AB-EFAE-4D67-978C-A03F0AF6A972: Container
2024-04-28T09:21:51.3003128-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:51.3003128-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 0AD49009-FBB2-4E99-ACE8-B518A5DA0856: top, container, rpcContainer
2024-04-28T09:21:51.3003128-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 0AD49009-FBB2-4E99-ACE8-B518A5DA0856: Container
2024-04-28T09:21:51.8190313-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:51.8190313-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 3DB637EE-A74D-4E80-8AF2-B37039BEFF8B: top, container
2024-04-28T09:21:51.8190313-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 3DB637EE-A74D-4E80-8AF2-B37039BEFF8B: Container
2024-04-28T09:21:52.8067612-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:52.8067612-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for AA13F528-794C-479E-A7B6-D4390B5CE6D4: top, container
2024-04-28T09:21:52.8067612-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for AA13F528-794C-479E-A7B6-D4390B5CE6D4: Container
2024-04-28T09:21:53.8099255-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:53.8099255-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 5E7D650B-3DC3-4A16-89E6-C78FA9204D73: top, container, groupPolicyContainer
2024-04-28T09:21:53.8099255-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 5E7D650B-3DC3-4A16-89E6-C78FA9204D73: GPO
2024-04-28T09:21:53.8299817-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:53.8299817-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 53E2013D-6DBC-4AB1-9D9A-BDA92432C3D8: top, container, groupPolicyContainer
2024-04-28T09:21:53.8299817-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 53E2013D-6DBC-4AB1-9D9A-BDA92432C3D8: GPO
2024-04-28T09:21:53.8311220-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:53.8311220-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for AC4BCD10-8C71-453A-8824-4EEB28FF140E: top, container
2024-04-28T09:21:53.8311220-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for AC4BCD10-8C71-453A-8824-4EEB28FF140E: Container
2024-04-28T09:21:54.8013366-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:54.8013366-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 013E881A-0E09-4188-953F-F78CBF4A1C2F: top, container
2024-04-28T09:21:54.8013366-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 013E881A-0E09-4188-953F-F78CBF4A1C2F: Container
2024-04-28T09:21:55.3044308-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:55.3044308-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 08DA2244-B415-496F-82CD-5DAB8C7F944B: top, container
2024-04-28T09:21:55.3044308-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 08DA2244-B415-496F-82CD-5DAB8C7F944B: Container
2024-04-28T09:21:56.3079220-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:56.3079220-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for C71D8C5F-04C8-4C9C-AA66-11912A5E6D1F: top, container
2024-04-28T09:21:56.3079220-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for C71D8C5F-04C8-4C9C-AA66-11912A5E6D1F: Container
2024-04-28T09:21:57.3112956-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:57.3112956-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 11C95A66-997D-4FCD-BEFD-F06FEEC2648D: top, container
2024-04-28T09:21:57.3112956-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 11C95A66-997D-4FCD-BEFD-F06FEEC2648D: Container
2024-04-28T09:21:58.2988763-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:58.2988763-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 484416FB-E895-4707-8C98-8B1AAD570422: top, container
2024-04-28T09:21:58.2988763-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 484416FB-E895-4707-8C98-8B1AAD570422: Container
2024-04-28T09:21:59.3020219-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:59.3020219-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 57024E69-420F-4FA6-92ED-EE82F213BC67: top, container
2024-04-28T09:21:59.3020219-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 57024E69-420F-4FA6-92ED-EE82F213BC67: Container
2024-04-28T09:21:59.8050886-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:21:59.8050886-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for F7BD7E4E-89AE-4C7F-98C7-F247FC9DAEFF: top, container
2024-04-28T09:21:59.8050886-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for F7BD7E4E-89AE-4C7F-98C7-F247FC9DAEFF: Container
2024-04-28T09:22:00.8085852-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:00.8085852-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 6A14D697-A21B-435E-99DD-1E8FEC289EF6: top, container
2024-04-28T09:22:00.8085852-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 6A14D697-A21B-435E-99DD-1E8FEC289EF6: Container
2024-04-28T09:22:01.7966196-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:01.7966196-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 2FEE540A-1DC5-416B-AD89-1808DB4A46FF: top, container, msImaging-PSPs
2024-04-28T09:22:01.7966196-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 2FEE540A-1DC5-416B-AD89-1808DB4A46FF: Container
2024-04-28T09:22:15.8086213-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 45 MB RAM
2024-04-28T09:22:21.8110147-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:22.8132657-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:29.3190030-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib ACLProc]Owner is null for DNSADMINS@dev.COM
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3211661-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Group
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib ACLProc]Owner is null for DNSUPDATEPROXY@dev.COM
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned User
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned User
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned User
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for S-1-5-21-1135011135-3178090508-3151492220-1104: top, person, organizationalPerson, user
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for S-1-5-21-1135011135-3178090508-3151492220-1104: Base
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for S-1-5-21-1135011135-3178090508-3151492220-1105: top, person, organizationalPerson, user
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for S-1-5-21-1135011135-3178090508-3151492220-1105: Base
2024-04-28T09:22:30.3528236-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned User
2024-04-28T09:22:30.3684458-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Computer
2024-04-28T09:22:30.3840717-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.3840717-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 6A62EA2F-A1B2-4FC3-883E-E88FBAD2B8CE: top, organizationalUnit
2024-04-28T09:22:30.3840717-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 6A62EA2F-A1B2-4FC3-883E-E88FBAD2B8CE: OU
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 211A9CE4-AB13-4693-8F1E-0E147B49A648: top, organizationalUnit
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 211A9CE4-AB13-4693-8F1E-0E147B49A648: OU
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for S-1-5-21-1135011135-3178090508-3151492220: top, domain, domainDNS
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for S-1-5-21-1135011135-3178090508-3151492220: Domain
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 56 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 51 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 53 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 26 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 31 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 36 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 20 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 11 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 49 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 24 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 39 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 50 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 12 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 25 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 13 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 19 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 15 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 18 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 16 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 27 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.4778182-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 547B369F-267C-4BBE-B986-ED49B30770BE: top, organizationalUnit
2024-04-28T09:22:30.4778182-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 547B369F-267C-4BBE-B986-ED49B30770BE: OU
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 52 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 40 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 54 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 17 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 41 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 21 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 22 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 23 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 29 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 30 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 32 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 33 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 34 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 35 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 37 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 38 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 48 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 42 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 43 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 44 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 45 completed
2024-04-28T09:22:30.3996953-07:00|DEBUG|Consumer task on thread 46 completed
2024-04-28T09:22:30.4309442-07:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-04-28T09:22:30.4788974-07:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for F86CA649-3278-4DF3-A752-4EDE79446944: top, organizationalUnit
2024-04-28T09:22:30.4788974-07:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for F86CA649-3278-4DF3-A752-4EDE79446944: OU
2024-04-28T09:22:30.4309442-07:00|DEBUG|Consumer task on thread 47 completed
2024-04-28T09:22:30.4794076-07:00|DEBUG|Consumer task on thread 28 completed
2024-04-28T09:22:30.4794076-07:00|DEBUG|Consumer task on thread 8 completed
2024-04-28T09:22:30.4794076-07:00|DEBUG|Consumer task on thread 4 completed
2024-04-28T09:22:30.4828717-07:00|DEBUG|Consumer task on thread 14 completed
2024-04-28T09:22:30.4828717-07:00|DEBUG|Consumer task on thread 9 completed
2024-04-28T09:22:30.4853092-07:00|DEBUG|[CommonLib CompSessions]NetSessionEnum failed on RDC02.dev.COM: ERROR_ACCESS_DENIED
2024-04-28T09:22:30.4931632-07:00|DEBUG|Consumer task on thread 55 completed
2024-04-28T09:22:30.5413931-07:00|DEBUG|Consumer task on thread 6 completed
2024-04-28T09:22:30.5413931-07:00|INFORMATION|Consumers finished, closing output channel
2024-04-28T09:22:30.5717691-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-04-28T09:22:30.8065334-07:00|INFORMATION|Status: 94 objects finished (+94 2.088889)/s -- Using 49 MB RAM
2024-04-28T09:22:30.8065334-07:00|INFORMATION|Enumeration finished in 00:00:45.5871616
2024-04-28T09:22:30.8534113-07:00|INFORMATION|Saving cache with stats: 116 ID to type mappings.
 118 name to SID mappings.
 0 machine sid mappings.
 5 sid to domain mappings.
 0 global catalog mappings.
2024-04-28T09:22:30.8534113-07:00|INFORMATION|SharpHound Enumeration Completed at 9:22 AM on 4/28/2024! Happy Graphing!

But with bloodhound-python it fails:

bloodhound-python -u 'Administrator' --hashes ':289136c329f3e42331048a0465b2290a' -ns '172.16.186.168' -c "all,LoggedOn" -d 'dev.com' --zip --dns-tcp -v
DEBUG: Authentication: NT hash
DEBUG: Resolved collection methods: rdp, objectprops, acl, session, container, loggedon, trusts, psremote, group, localadmin, dcom
DEBUG: Using DNS to retrieve domain information
DEBUG: Querying domain controller information from DNS
DEBUG: Using domain hint: dev.com
INFO: Found AD domain: dev.com
DEBUG: Found primary DC: rdc02.dev.com
DEBUG: Found Global Catalog server: rdc02.dev.com
DEBUG: Found Global Catalog server: cdc07.ops.dev.com
DEBUG: Found KDC for enumeration domain: rdc02.dev.com
INFO: Getting TGT for user
DEBUG: Trying to connect to KDC at rdc02.dev.com:88
DEBUG: Traceback (most recent call last):
  File "/home/kali/git/public/BloodHound.py/.venv/lib/python3.11/site-packages/impacket/krb5/kerberosv5.py", line 61, in sendReceive
    af, socktype, proto, canonname, sa = socket.getaddrinfo(targetHost, port, 0, socket.SOCK_STREAM)[0]
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/git/public/BloodHound.py/bloodhound/ad/authentication.py", line 273, in get_tgt
    tgt, cipher, _, session_key = getKerberosTGT(
                                  ^^^^^^^^^^^^^^^
  File "/home/kali/git/public/BloodHound.py/.venv/lib/python3.11/site-packages/impacket/krb5/kerberosv5.py", line 185, in getKerberosTGT
    r = sendReceive(message, domain, kdcHost)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/public/BloodHound.py/.venv/lib/python3.11/site-packages/impacket/krb5/kerberosv5.py", line 65, in sendReceive
    raise socket.error("Connection error (%s:%s)" % (targetHost, port), e)
OSError: [Errno Connection error (rdc02.dev.com:88)] [Errno -2] Name or service not known

WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (rdc02.dev.com:88)] [Errno -2] Name or service not known
DEBUG: Using LDAP server: rdc02.dev.com
DEBUG: Using base DN: DC=dev,DC=com
DEBUG: Using kerberos KDC: rdc02.dev.com
DEBUG: Using kerberos realm: dev.COM
INFO: Connecting to LDAP server: rdc02.dev.com
DEBUG: Using protocol ldap
DEBUG: Authenticating to LDAP server with NTLM
ERROR: Failure to authenticate with LDAP! Error 8009030C: LdapErr: DSID-0C0906C2, comment: AcceptSecurityContext error, data 52e, v4563
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/kali/git/public/BloodHound.py/bloodhound/__init__.py", line 343, in main
    bloodhound.run(collect=collect,
  File "/home/kali/git/public/BloodHound.py/bloodhound/__init__.py", line 78, in run
    self.pdc.prefetch_info('objectprops' in collect, 'acl' in collect, cache_computers=do_computer_enum)
  File "/home/kali/git/public/BloodHound.py/bloodhound/ad/domain.py", line 572, in prefetch_info
    self.get_objecttype()
  File "/home/kali/git/public/BloodHound.py/bloodhound/ad/domain.py", line 261, in get_objecttype
    self.ldap_connect()
  File "/home/kali/git/public/BloodHound.py/bloodhound/ad/domain.py", line 72, in ldap_connect
    ldap = self.ad.auth.getLDAPConnection(hostname=self.hostname, ip=ip,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/public/BloodHound.py/bloodhound/ad/authentication.py", line 175, in getLDAPConnection
    raise CollectionException(
bloodhound.ad.utils.CollectionException: Could not authenticate to LDAP. Check your credentials and LDAP server requirements.

Using klist after SharpHound execution shows the tickets that were created:

C:\Users\Administrator\Documents>klist

Current LogonId is 0:0x68bf1

Cached Tickets: (6)

#0>     Client: pete @ home.com
        Server: krbtgt/dev.com @ home.com
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 4/28/2024 9:36:32 (local)
        End Time:   4/28/2024 19:35:42 (local)
        Renew Time: 5/5/2024 9:35:42 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called: DMZDC01

#1>     Client: pete @ home.com
        Server: krbtgt/home.com @ home.com
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 4/28/2024 9:35:42 (local)
        End Time:   4/28/2024 19:35:42 (local)
        Renew Time: 5/5/2024 9:35:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DMZDC01

#2>     Client: pete @ home.com
        Server: HOST/RDC02.dev.com @ dev.com
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 4/28/2024 9:36:32 (local)
        End Time:   4/28/2024 19:35:42 (local)
        Renew Time: 5/5/2024 9:35:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called: rdc02.dev.com

#3>     Client: pete @ home.com
        Server: cifs/RDC02.dev.com @ dev.com
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 4/28/2024 9:36:32 (local)
        End Time:   4/28/2024 19:35:42 (local)
        Renew Time: 5/5/2024 9:35:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called: rdc02.dev.com

#4>     Client: pete @ home.com
        Server: ldap/rdc02.dev.com @ dev.com
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 4/28/2024 9:35:42 (local)
        End Time:   4/28/2024 19:35:42 (local)
        Renew Time: 5/5/2024 9:35:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called: rdc02.dev.com

#5>     Client: pete @ home.com
        Server: ldap/rdc02.dev.com/dev.com @ dev.com
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 4/28/2024 9:35:42 (local)
        End Time:   4/28/2024 19:35:42 (local)
        Renew Time: 5/5/2024 9:35:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION
        Kdc Called: rdc02.dev.com

Maybe bloodhound.py needs to forge the same tickets.
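As an added illustration (not code from BloodHound.py or from the issue author), the block below decodes the raw integer values that a trustedDomain object actually carries in LDAP into the labels shown in the dump above, and derives the two properties a defender checks first on a trust: transitivity and whether SID filtering applies. It also shows the principal/realm split that the NTLM fall-back depends on. Flag bit values follow MS-ADTS; the SID-filtering derivation follows Microsoft's documented defaults for forest, external and intra-forest trusts and is an assumption on my part, not BloodHound.py's own logic; the sample entries are constructed, with only the dev.com SID taken from the issue.

```python
from dataclasses import dataclass

# trustDirection values (MS-ADTS).
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustType values (MS-ADTS); label for 2 matches the dump in the issue.
TRUST_TYPE = {
    1: "Windows NT domain (downlevel)",
    2: "Windows domain running Active Directory",
    3: "MIT Kerberos realm",
    4: "DCE",
}

# trustAttributes bit flags (MS-ADTS).
TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
}


@dataclass
class Trust:
    partner: str
    sid: str
    direction: str
    trust_type: str
    attributes: list
    transitive: bool
    sid_filtering: bool


def decode_trust(entry: dict) -> Trust:
    """Turn raw LDAP trustedDomain values (ints) into labelled properties."""
    attrs = int(entry["trustAttributes"])
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if attrs & bit]
    unknown = attrs & ~sum(TRUST_ATTRIBUTES)  # bits not covered by the table
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")

    within_forest = bool(attrs & 0x020)
    forest_transitive = bool(attrs & 0x008)

    # Intra-forest and forest trusts are transitive; otherwise look at NON_TRANSITIVE.
    transitive = within_forest or forest_transitive or not (attrs & 0x001)

    # Assumption (Microsoft defaults, not BloodHound.py logic): SID filtering is off
    # inside a forest, on for forest trusts unless TREAT_AS_EXTERNAL, and on for
    # external trusts only when QUARANTINED_DOMAIN is set.
    if within_forest:
        sid_filtering = False
    elif forest_transitive:
        sid_filtering = not (attrs & 0x040)
    else:
        sid_filtering = bool(attrs & 0x004)

    return Trust(
        partner=entry["trustPartner"],
        sid=entry["securityIdentifier"],
        direction=TRUST_DIRECTION.get(int(entry["trustDirection"]), "unknown"),
        trust_type=TRUST_TYPE.get(int(entry["trustType"]), "unknown"),
        attributes=names,
        transitive=transitive,
        sid_filtering=sid_filtering,
    )


def split_principal(username: str, enumeration_domain: str) -> tuple:
    """Realm used for the TGT: an explicit @realm wins, else the enumeration domain.

    A home.com account given as a bare name would be tried against dev.com, where
    no such account exists (LDAP data 52e is a logon failure)."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm
    return username, enumeration_domain


# Constructed sample: the forest trust from the issue, as raw LDAP integers.
SAMPLE_FOREST_TRUST = {
    "trustPartner": "dev.com",
    "securityIdentifier": "S-1-5-21-1135011135-3178090508-3151492220",
    "trustDirection": 3,
    "trustAttributes": 0x008,
    "trustType": 2,
}

# Constructed sample: an inbound external trust with SID filtering (quarantine) on.
SAMPLE_EXTERNAL_TRUST = {
    "trustPartner": "partner.example",
    "securityIdentifier": "S-1-5-21-1-2-3",
    "trustDirection": 1,
    "trustAttributes": 0x004,
    "trustType": 2,
}

if __name__ == "__main__":
    for sample in (SAMPLE_FOREST_TRUST, SAMPLE_EXTERNAL_TRUST):
        print(decode_trust(sample))
    print(split_principal("Administrator", "dev.com"))
    print(split_principal("Administrator@home.com", "dev.com"))
```

Running it prints the decoded forest trust with direction "bidirectional" and attributes ["FOREST_TRANSITIVE"], exactly the labels in the dump, and shows that the bare username resolves to the dev.com realm while Administrator@home.com resolves to home.com.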

n3rada commented 4 months ago

I have found something. I need to put the first DC in my /etc/resolv.conf as the name server and add @home.com to the username, and it will work. That solves the problem:

nslookup rdc02.dev.com 172.16.186.168
Server:         172.16.186.168
Address:        172.16.186.168#53

Non-authoritative answer:
Name:   rdc02.dev.com
Address: 172.16.186.160