dirkjanm / BloodHound.py

A Python based ingestor for BloodHound
MIT License

Kerberos ticket ccache authentication not working #185

Open smokeintheshell opened 5 months ago

smokeintheshell commented 5 months ago

Attempting to use Kerberos with a ccache and -k -no-pass appears to not be working. After reading #141 I updated my BloodHound.py to 1.7.2 and reattempted using an obtained ticket but got the same errors:

KRB5CCNAME=<user>.ccache proxychains bloodhound-python -d <target domain> --zip -c All --dns-tcp -ns <DC IP> -dc <DC FQDN> -gc <DC FQDN> -k -no-pass
Traceback (most recent call last):
  File "/home/jkl/.local/bin/bloodhound-python", line 8, in <module>
    sys.exit(main())
  File "/home/jkl/.local/pipx/venvs/bloodhound/lib/python3.10/site-packages/bloodhound/__init__.py", line 297, in main
    auth = ADAuthentication(username=args.username, password=args.password, domain=args.domain, auth_method=args.auth_method)
  File "/home/jkl/.local/pipx/venvs/bloodhound/lib/python3.10/site-packages/bloodhound/ad/authentication.py", line 55, in __init__
    if '@' in self.username:
TypeError: argument of type 'NoneType' is not iterable

It looks like when specifying -k -no-pass and providing a ccache in KRB5CCNAME, bloodhound-python isn't using the ticket. If I then specify -u <UPN>, I get prompted for a password despite using -no-pass:

proxychains -q -f ./prox.conf bloodhound-python -d <target domain> --zip -c All --dns-tcp -ns <DC IP> -dc <DC FQDN> -gc <DC FQDN> -k -no-pass -u '<UPN>'
Password: 

gatariee commented 2 months ago

Hey, I'm also having this issue; have you found a solution? @smokeintheshell

isfahany commented 2 weeks ago

Happened to me with the exact version. Any update? @gatariee @smokeintheshell

gatariee commented 2 weeks ago

> Happened to me with the exact version. Any update? @gatariee @smokeintheshell

I couldn't get bloodhound.py to work. A workaround would be to use netexec's bloodhound collector modules instead of bloodhound.py; this has proven more consistent for me.

smokeintheshell commented 2 weeks ago

No update for this on my side specifically with bloodhound-python. Workarounds I've used are tunneling a Windows box and using SharpHound with an injected ticket, and using nxc as @gatariee mentioned. It's been a hot minute since I looked into this, but out of curiosity @isfahany are you using a TGT or a ST for the LDAP service on the DC?
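
The traceback in the opening post is raised by `'@' in self.username` while `username` is `None`, which is what happens when `-u` is omitted. The following is an added example, not BloodHound.py's code or its fix: it shows one way to guard that check by reading the default principal from a v3/v4 ccache. `read_default_principal`, `resolve_identity`, `build_sample_ccache` and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

def read_default_principal(data: bytes):
    """Return (name components, realm) of the default principal in a v3/v4 ccache."""
    if len(data) < 2 or data[0] != 5 or data[1] not in (3, 4):
        raise ValueError("unsupported ccache version")
    pos = 2
    try:
        if data[1] == 4:  # v4 adds a length-prefixed header of tagged fields
            (hdr_len,) = struct.unpack_from(">H", data, pos)
            pos += 2 + hdr_len
        _name_type, count = struct.unpack_from(">II", data, pos)
        pos += 8
        fields = []
        for _ in range(count + 1):  # realm first, then each name component
            (n,) = struct.unpack_from(">I", data, pos)
            if pos + 4 + n > len(data):
                raise ValueError("truncated ccache")
            fields.append(data[pos + 4:pos + 4 + n].decode("utf-8"))
            pos += 4 + n
    except struct.error as exc:
        raise ValueError("truncated ccache") from exc
    return fields[1:], fields[0]

def resolve_identity(username, domain, ccache_bytes=None):
    """Hypothetical helper: return (user, realm) without assuming -u was given."""
    if username is None:
        if ccache_bytes is None:
            raise ValueError("no username and no ccache to read a principal from")
        components, realm = read_default_principal(ccache_bytes)
        return "/".join(components), realm
    if "@" in username:  # UPN form: split into user and realm
        user, realm = username.rsplit("@", 1)
        return user, realm
    return username, domain

def build_sample_ccache(user, realm):
    """Constructed v4 ccache prefix: header plus default principal, no tickets."""
    def counted(text):
        raw = text.encode("utf-8")
        return struct.pack(">I", len(raw)) + raw
    header = struct.pack(">HH", 1, 8) + bytes(8)  # tag 1 (time offset), 8 bytes
    return (b"\x05\x04" + struct.pack(">H", len(header)) + header
            + struct.pack(">II", 1, 1) + counted(realm) + counted(user))

SAMPLE = build_sample_ccache("jdoe", "CORP.EXAMPLE")  # constructed, not a real ticket
```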