nicocha30 / ligolo-ng

An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.
GNU General Public License v3.0

macOS issues DCE/RPC connection failed #86

Closed MelForze closed 1 month ago

MelForze commented 2 months ago

Hi, I'm having a problem. I have been using ligolo on macOS to probe into a domain (GOAD), and when scanning, for example with bloodhound-python, I get errors:

bloodhound-python -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -c ALL,LoggedOn -ns 192.168.56.11 --zip -gc north.sevenkingdoms.local
INFO: Found AD domain: north.sevenkingdoms.local
INFO: Obtaining TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domain
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server GC: north.sevenkingdoms.local
INFO: Connection to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 17 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trust
INFO: Start listing computers with 10 workers
INFO: Computer query: castelblack.north.sevenkingdoms.local
INFO: Computer query: winterfell.north.sevenkingdoms.local
WARNING: DCE/RPC connection failed: NETBIOS connection to remote host failed.
WARNING: DCE/RPC connection failed: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: NETBIOS connection to remote host has timed out.
WARNING: Connection could not be established: ncacn_np:192.168.56.11[\PIPE\wkssvc].
WARNING: DCE/RPC connection failed: NETBIOS connection to the remote host has timed out.
WARNING: Connection failed: ncacn_np:192.168.56.22[\PIPE\wkssvc]
WARNING: DCE/RPC connection failed: NETBIOS connection to remote host terminated on timer.
WARNING: DCE/RPC connection failed: The NETBIOS connection to the remote host has timed out.
WARNING: DCE/RPC connection could not be established: NETBIOS connection to the remote host has timed out.
WARNING: The DCE/RPC connection could not be established: The NETBIOS connection to the remote host has timed out.
INFO: Executed in 00M 46S
INFO: Compressed the results into 20240707204014_bloodhound.zip

But if I do the same thing from a Linux system, everything works fine.

bloodhound-python -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -c ALL,LoggedOn -ns 192.168.56.11 --zip -gc north.sevenkingdoms.local
INFO: Found AD domain: north.sevenkingdoms.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to GC LDAP server: north.sevenkingdoms.local
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 17 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: castelblack.north.sevenkingdoms.local
INFO: Querying computer: winterfell.north.sevenkingdoms.local
INFO: User with SID S-1-5-21-2652435097-3910646357-3314173649-1113 is logged in on castelblack.north.sevenkingdoms.local
INFO: User with SID S-1-5-21-2652435097-3910646357-3314173649-1121 is logged in on castelblack.north.sevenkingdoms.local
INFO: User with SID S-1-5-21-2652435097-3910646357-3314173649-1113 is logged in on winterfell.north.sevenkingdoms.local
INFO: Done in 00M 48S
INFO: Compressing output into 20240707210046_bloodhound.zip

I also noticed that this behavior is affected by /etc/hosts. When it has entries and when it doesn't. I don't have any other input.

nicocha30 commented 1 month ago

I also noticed that this behavior is affected by /etc/hosts. When it has entries and when it doesn't. I don't have any other input.

It is very possible that the errors are due to a DNS resolution problem. Try changing the DNS server of your machine to the DNS server of the agent through Ligolo-ng.
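
One way to test the DNS hypothesis above is to compare what the OS resolver (which also reads /etc/hosts) returns for each host with what the domain DNS server answers directly. This is an added example, not part of the original thread or of ligolo-ng; the host names and the 192.168.56.11 server are the values shown in the issue, and it assumes that server is reachable over UDP/53 through the tunnel.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    # DNS header (recursion desired, one question) + QNAME + QTYPE=A, QCLASS=IN
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    # Step past a name; a byte with the top two bits set starts a 2-byte pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    # Return the IPv4 addresses in the answer section, ignoring CNAMEs etc.
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def ask_server(name, server, timeout=3.0):
    # Query one DNS server over UDP, bypassing the OS resolver (assumes it is reachable via the tunnel).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return sorted(parse_a_records(s.recv(4096)))

def ask_system(name):
    # What the OS resolver (including /etc/hosts) returns for the same name.
    try:
        infos = socket.getaddrinfo(name, 445, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for host in ("winterfell.north.sevenkingdoms.local", "castelblack.north.sevenkingdoms.local"):
        system, dns = ask_system(host), ask_server(host, "192.168.56.11")
        print(host, "system:", system, "dns:", dns, "OK" if system == dns else "MISMATCH")
```

A `MISMATCH` or an empty `system` list means the tool is resolving the computer names differently from the domain DNS server; a timeout raised by `ask_server` means the DNS server itself is not reachable over UDP through the tunnel.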

MelForze commented 1 month ago

I also noticed that this behavior is affected by /etc/hosts. When it has entries and when it doesn't. I don't have any other input.

It is very possible that the errors are due to a DNS resolution problem. Try changing the DNS server of your machine to the DNS server of the agent through Ligolo-ng.

Hmm, that might work. I'll test it soon and let you know.