Skip to content

Issue gathering bloodhound data when passing a ticket #363

Description

@taskhostw0

Describe the bug
When running bloodhound with netexec, it seems to try to pass ntlm authentication, and fails.

To Reproduce
Steps to reproduce the behavior i.e.:
Command: nxc ldap LUSDC.lustrous.vl --use-kcache -d lustrous.vl --bloodhound -c all --dns-server $IP --dns-timeout 10
Resulted in:

> nxc ldap LUSDC.lustrous.vl --use-kcache -d lustrous.vl --bloodhound -c all --dns-server 10.10.133.165 --dns-timeout 10
SMB         10.10.133.165   445    LUSDC            [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
LDAP        10.10.133.165   389    LUSDC            [+] lustrous.vl\svc_db from ccache
LDAP        10.10.133.165   389    LUSDC            Resolved collection methods: trusts, group, dcom, container, objectprops, rdp, psremote, localadmin, session, acl
LDAP        10.10.133.165   389    LUSDC            Using kerberos auth from ccache
[08:53:43] ERROR    Exception while calling proto_flow() on target LUSDC.lustrous.vl: NTLM needs               connection.py:168
                    domain\username and a password
                    ╭────────────────────────── Traceback (most recent call last) ───────────────────────────╮
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:163 │
                    │ in __init__                                                                            │
                    │                                                                                        │
                    │   160 │   │   self.logger.info(f"Socket info: host={self.host}, hostname={self.hostnam │
                    │       kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local                        │
                    │       ipv6={self.is_link_local_ipv6}")                                                 │
                    │   161 │   │                                                                            │
                    │   162 │   │   try:                                                                     │
                    │ ❱ 163 │   │   │   self.proto_flow()                                                    │
                    │   164 │   │   except Exception as e:                                                   │
                    │   165 │   │   │   if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):                     │
                    │   166 │   │   │   │   self.logger.error(f"Exception while calling proto_flow() on targ │
                    │       {target}: {e}")                                                                  │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:230 │
                    │ in proto_flow                                                                          │
                    │                                                                                        │
                    │   227 │   │   │   │   │   self.call_modules()                                          │
                    │   228 │   │   │   │   else:                                                            │
                    │   229 │   │   │   │   │   self.logger.debug("Calling command arguments")               │
                    │ ❱ 230 │   │   │   │   │   self.call_cmd_args()                                         │
                    │   231 │                                                                                │
                    │   232 │   def call_cmd_args(self):                                                     │
                    │   233 │   │   """Calls all the methods specified by the command line arguments         │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:251 │
                    │ in call_cmd_args                                                                       │
                    │                                                                                        │
                    │   248 │   │   for attr, value in vars(self.args).items():                              │
                    │   249 │   │   │   if hasattr(self, attr) and callable(getattr(self, attr)) and value i │
                    │       False and value is not None:                                                     │
                    │   250 │   │   │   │   self.logger.debug(f"Calling {attr}()")                           │
                    │ ❱ 251 │   │   │   │   getattr(self, attr)()                                            │
                    │   252 │                                                                                │
                    │   253 │   def call_modules(self):                                                      │
                    │   254 │   │   """Calls modules and performs various actions based on the module's attr │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap.py │
                    │ :1427 in bloodhound                                                                    │
                    │                                                                                        │
                    │   1424 │   │   bloodhound = BloodHound(ad, self.hostname, self.host, self.port)        │
                    │   1425 │   │   bloodhound.connect()                                                    │
                    │   1426 │   │                                                                           │
                    │ ❱ 1427 │   │   bloodhound.run(                                                         │
                    │   1428 │   │   │   collect=collect,                                                    │
                    │   1429 │   │   │   num_workers=10,                                                     │
                    │   1430 │   │   │   disable_pooling=False,                                              │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap/bl │
                    │ oodhound.py:68 in run                                                                  │
                    │                                                                                        │
                    │    65 │   │                                                                            │
                    │    66 │   │   if "group" in collect or "objectprops" in collect or "acl" in collect:   │
                    │    67 │   │   │   # Fetch domains for later, computers if needed                       │
                    │ ❱  68 │   │   │   self.pdc.prefetch_info(                                              │
                    │    69 │   │   │   │   "objectprops" in collect,                                        │
                    │    70 │   │   │   │   "acl" in collect,                                                │
                    │    71 │   │   │   │   cache_computers=do_computer_enum,                                │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/domain. │
                    │ py:572 in prefetch_info                                                                │
                    │                                                                                        │
                    │   569 │   │   return entries                                                           │
                    │   570 │                                                                                │
                    │   571 │   def prefetch_info(self, props=False, acls=False, cache_computers=False):     │
                    │ ❱ 572 │   │   self.get_objecttype()                                                    │
                    │   573 │   │   self.get_domains(acl=acls)                                               │
                    │   574 │   │   self.get_forest_domains()                                                │
                    │   575 │   │   if cache_computers:                                                      │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/domain. │
                    │ py:261 in get_objecttype                                                               │
                    │                                                                                        │
                    │   258 │   │   self.objecttype_guid_map = dict()                                        │
                    │   259 │   │                                                                            │
                    │   260 │   │   if self.ldap is None:                                                    │
                    │ ❱ 261 │   │   │   self.ldap_connect()                                                  │
                    │   262 │   │                                                                            │
                    │   263 │   │   sresult =                                                                │
                    │       self.ldap.extend.standard.paged_search(self.ldap.server.info.other['schemaNaming │
                    │       ][0],                                                                            │
                    │   264 │   │   │   │   │   │   │   │   │   │   │   │   │   │    '(objectClass=*)',      │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/domain. │
                    │ py:72 in ldap_connect                                                                  │
                    │                                                                                        │
                    │    69 │   │   for r in q:                                                              │
                    │    70 │   │   │   ip = r.address                                                       │
                    │    71 │   │                                                                            │
                    │ ❱  72 │   │   ldap = self.ad.auth.getLDAPConnection(hostname=self.hostname, ip=ip,     │
                    │    73 │   │   │   │   │   │   │   │   │   │   │     baseDN=self.ad.baseDN, protocol=pr │
                    │    74 │   │   if resolver:                                                             │
                    │    75 │   │   │   self.resolverldap = ldap                                             │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/authent │
                    │ ication.py:115 in getLDAPConnection                                                    │
                    │                                                                                        │
                    │   112 │   │   if not bound:                                                            │
                    │   113 │   │   │   conn = Connection(server, user=ldaplogin, auto_referrals=False,      │
                    │       password=ldappass, authentication=NTLM)                                          │
                    │   114 │   │   │   logging.debug('Authenticating to LDAP server with NTLM')             │
                    │ ❱ 115 │   │   │   bound = conn.bind()                                                  │
                    │   116 │   │                                                                            │
                    │   117 │   │   if not bound:                                                            │
                    │   118 │   │   │   result = conn.result                                                 │
                    │                                                                                        │
                    │ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/ldap3/core/connection │
                    │ .py:635 in bind                                                                        │
                    │                                                                                        │
                    │    632 │   │   │   │   │   │   self.last_error = 'NTLM needs domain\\username and a pa │
                    │    633 │   │   │   │   │   │   if log_enabled(ERROR):                                  │
                    │    634 │   │   │   │   │   │   │   log(ERROR, '%s for <%s>', self.last_error, self)    │
                    │ ❱  635 │   │   │   │   │   │   raise LDAPUnknownAuthenticationMethodError(self.last_er │
                    │    636 │   │   │   │   else:                                                           │
                    │    637 │   │   │   │   │   self.last_error = 'unknown authentication method'           │
                    │    638 │   │   │   │   │   if log_enabled(ERROR):                                      │
                    ╰────────────────────────────────────────────────────────────────────────────────────────╯
                    LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password
Traceback (most recent call last):
...

Expected behavior
Expected behavior should be similar as to running with a user/pass, or user/hash

➜  lustrous nxc ldap LUSDC.lustrous.vl -u $USER -H $HASH -d lustrous.vl --bloodhound -c all --dns-server $IP --dns-timeout 10
SMB         10.10.133.165   445    LUSDC            [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
LDAP        10.10.133.165   389    LUSDC            [+] lustrous.vl\svc_db:e9e4f101deca969c1b531486554e8400
LDAP        10.10.133.165   389    LUSDC            Resolved collection methods: container, objectprops, localadmin, trusts, acl, session, rdp, dcom, psremote, group
LDAP        10.10.133.165   389    LUSDC            Done in 00M 24S
LDAP        10.10.133.165   389    LUSDC            Compressing output into /home/kali/.nxc/logs/LUSDC_10.10.133.165_2024-07-02_091146_bloodhound.zip

Screenshots
If applicable, add screenshots to help explain your problem.
this image shows using the ticket to get share data, and without - confirming the validity of the ticket
image
this image shows detail about the ticket:
image
this image shows the command execution failing, and the start of the traceback above:
image

NetExec info

  • OS: kali
  • Version of nxc: 1.2.0 - ItsAlwaysDNS - 669a55f
  • Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue
    pipx
    prior to opening this ticket, I ran: pipx install git+https://github.com/Pennyw0rth/NetExec --force

Additional context
No other context, but just wanted to mention how incredibly useful this tool is and I appreciate any help.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions