lkarlslund / Adalanche

Active Directory ACL Visualizer and Explorer - who's really Domain Admin? (Commercial versions available from NetSection)
https://www.netsection.com
GNU Affero General Public License v3.0
1.65k stars 156 forks

Collection on DC without username/password #18

Closed asekhar closed 2 years ago

asekhar commented 2 years ago

It will be great to have an option equivalent to "SharpHound.exe --CollectionMethods All,GPOLocalGroup" that allows collecting data from a domain controller as local system rather than having to specify a username/password.

lkarlslund commented 2 years ago

I'm not sure what you're asking, adalanche can already do this?

If you run "adalanche collect activedirectory" directly on a DC, it should work just as if you were doing it remotely.

You can force localhost by using --server=127.0.0.1

If you want to force local GPO paths, use --gpopath="C:\Windows\SYSVOL\sysvol\domain.local\Policies" but the logic in adalanche would disable ACL analysis for GPO files then (that's the way it's done at the moment)

asekhar commented 2 years ago

When I run it as system with the options specified, I get the following error:

LDAP Result Code 200 "Network Error": write tcp 10.128.0.8:56458->10.128.0.8:636: wsasend: An existing connection was forcibly closed by the remote host.

lkarlslund commented 2 years ago

Try --port=389 --tlsmode=NoTLS, you probably don't have working CA infrastructure?

asekhar commented 2 years ago

That worked. Thanks.

ll3N1GmAll commented 2 years ago

I too am getting the same error. Using adalanche.exe --port=398 --tlsmode=NoTLS throws errors about --port and --tlsmode being "unknown flags". --help provides no insight about these proposed options.

ll3N1GmAll commented 2 years ago

Using this worked: adalanche.exe collect activedirectory --port=398 --tlsmode=NoTLS

asekhar commented 1 year ago

The latest release does not seem to work using this command. I am trying to run it as localsystem as:

adalanche collect activedirectory -port=389 --tlsmode=NoTLS

but get the following error:

11:19:07.131  INFORMA  Adalanche Open Source v2023.5.3 (commit aa4c038), (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
11:19:07.216  WARNING  Problem connecting to DC 127.0.0.1: The specified target is unknown or unreachable
11:19:07.216   ERROR   All DCs failed login attempts