Describe the bug
When running bloodhound with netexec, it seems to try to pass ntlm authentication, and fails.
To Reproduce
Steps to reproduce the behavior i.e.:
Command: nxc ldap LUSDC.lustrous.vl --use-kcache -d lustrous.vl --bloodhound -c all --dns-server $IP --dns-timeout 10
Resulted in:
> nxc ldap LUSDC.lustrous.vl --use-kcache -d lustrous.vl --bloodhound -c all --dns-server 10.10.133.165 --dns-timeout 10
SMB 10.10.133.165 445 LUSDC [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
LDAP 10.10.133.165 389 LUSDC [+] lustrous.vl\svc_db from ccache
LDAP 10.10.133.165 389 LUSDC Resolved collection methods: trusts, group, dcom, container, objectprops, rdp, psremote, localadmin, session, acl
LDAP 10.10.133.165 389 LUSDC Using kerberos auth from ccache
[08:53:43] ERROR Exception while calling proto_flow() on target LUSDC.lustrous.vl: NTLM needs connection.py:168
domain\username and a password
╭────────────────────────── Traceback (most recent call last) ───────────────────────────╮
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:163 │
│ in __init__ │
│ │
│ 160 │ │ self.logger.info(f"Socket info: host={self.host}, hostname={self.hostnam │
│ kerberos={self.kerberos}, ipv6={self.is_ipv6}, link-local │
│ ipv6={self.is_link_local_ipv6}") │
│ 161 │ │ │
│ 162 │ │ try: │
│ ❱ 163 │ │ │ self.proto_flow() │
│ 164 │ │ except Exception as e: │
│ 165 │ │ │ if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e): │
│ 166 │ │ │ │ self.logger.error(f"Exception while calling proto_flow() on targ │
│ {target}: {e}") │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:230 │
│ in proto_flow │
│ │
│ 227 │ │ │ │ │ self.call_modules() │
│ 228 │ │ │ │ else: │
│ 229 │ │ │ │ │ self.logger.debug("Calling command arguments") │
│ ❱ 230 │ │ │ │ │ self.call_cmd_args() │
│ 231 │ │
│ 232 │ def call_cmd_args(self): │
│ 233 │ │ """Calls all the methods specified by the command line arguments │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:251 │
│ in call_cmd_args │
│ │
│ 248 │ │ for attr, value in vars(self.args).items(): │
│ 249 │ │ │ if hasattr(self, attr) and callable(getattr(self, attr)) and value i │
│ False and value is not None: │
│ 250 │ │ │ │ self.logger.debug(f"Calling {attr}()") │
│ ❱ 251 │ │ │ │ getattr(self, attr)() │
│ 252 │ │
│ 253 │ def call_modules(self): │
│ 254 │ │ """Calls modules and performs various actions based on the module's attr │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap.py │
│ :1427 in bloodhound │
│ │
│ 1424 │ │ bloodhound = BloodHound(ad, self.hostname, self.host, self.port) │
│ 1425 │ │ bloodhound.connect() │
│ 1426 │ │ │
│ ❱ 1427 │ │ bloodhound.run( │
│ 1428 │ │ │ collect=collect, │
│ 1429 │ │ │ num_workers=10, │
│ 1430 │ │ │ disable_pooling=False, │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap/bl │
│ oodhound.py:68 in run │
│ │
│ 65 │ │ │
│ 66 │ │ if "group" in collect or "objectprops" in collect or "acl" in collect: │
│ 67 │ │ │ # Fetch domains for later, computers if needed │
│ ❱ 68 │ │ │ self.pdc.prefetch_info( │
│ 69 │ │ │ │ "objectprops" in collect, │
│ 70 │ │ │ │ "acl" in collect, │
│ 71 │ │ │ │ cache_computers=do_computer_enum, │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/domain. │
│ py:572 in prefetch_info │
│ │
│ 569 │ │ return entries │
│ 570 │ │
│ 571 │ def prefetch_info(self, props=False, acls=False, cache_computers=False): │
│ ❱ 572 │ │ self.get_objecttype() │
│ 573 │ │ self.get_domains(acl=acls) │
│ 574 │ │ self.get_forest_domains() │
│ 575 │ │ if cache_computers: │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/domain. │
│ py:261 in get_objecttype │
│ │
│ 258 │ │ self.objecttype_guid_map = dict() │
│ 259 │ │ │
│ 260 │ │ if self.ldap is None: │
│ ❱ 261 │ │ │ self.ldap_connect() │
│ 262 │ │ │
│ 263 │ │ sresult = │
│ self.ldap.extend.standard.paged_search(self.ldap.server.info.other['schemaNaming │
│ ][0], │
│ 264 │ │ │ │ │ │ │ │ │ │ │ │ │ │ '(objectClass=*)', │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/domain. │
│ py:72 in ldap_connect │
│ │
│ 69 │ │ for r in q: │
│ 70 │ │ │ ip = r.address │
│ 71 │ │ │
│ ❱ 72 │ │ ldap = self.ad.auth.getLDAPConnection(hostname=self.hostname, ip=ip, │
│ 73 │ │ │ │ │ │ │ │ │ │ │ baseDN=self.ad.baseDN, protocol=pr │
│ 74 │ │ if resolver: │
│ 75 │ │ │ self.resolverldap = ldap │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/authent │
│ ication.py:115 in getLDAPConnection │
│ │
│ 112 │ │ if not bound: │
│ 113 │ │ │ conn = Connection(server, user=ldaplogin, auto_referrals=False, │
│ password=ldappass, authentication=NTLM) │
│ 114 │ │ │ logging.debug('Authenticating to LDAP server with NTLM') │
│ ❱ 115 │ │ │ bound = conn.bind() │
│ 116 │ │ │
│ 117 │ │ if not bound: │
│ 118 │ │ │ result = conn.result │
│ │
│ /home/kali/.local/pipx/venvs/netexec/lib/python3.9/site-packages/ldap3/core/connection │
│ .py:635 in bind │
│ │
│ 632 │ │ │ │ │ │ self.last_error = 'NTLM needs domain\\username and a pa │
│ 633 │ │ │ │ │ │ if log_enabled(ERROR): │
│ 634 │ │ │ │ │ │ │ log(ERROR, '%s for <%s>', self.last_error, self) │
│ ❱ 635 │ │ │ │ │ │ raise LDAPUnknownAuthenticationMethodError(self.last_er │
│ 636 │ │ │ │ else: │
│ 637 │ │ │ │ │ self.last_error = 'unknown authentication method' │
│ 638 │ │ │ │ │ if log_enabled(ERROR): │
╰────────────────────────────────────────────────────────────────────────────────────────╯
LDAPUnknownAuthenticationMethodError: NTLM needs domain\username and a password
Traceback (most recent call last):
...
Expected behavior
Expected behavior should be similar as to running with a user/pass, or user/hash
➜ lustrous nxc ldap LUSDC.lustrous.vl -u $USER -H $HASH -d lustrous.vl --bloodhound -c all --dns-server $IP --dns-timeout 10
SMB 10.10.133.165 445 LUSDC [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
LDAP 10.10.133.165 389 LUSDC [+] lustrous.vl\svc_db:e9e4f101deca969c1b531486554e8400
LDAP 10.10.133.165 389 LUSDC Resolved collection methods: container, objectprops, localadmin, trusts, acl, session, rdp, dcom, psremote, group
LDAP 10.10.133.165 389 LUSDC Done in 00M 24S
LDAP 10.10.133.165 389 LUSDC Compressing output into /home/kali/.nxc/logs/LUSDC_10.10.133.165_2024-07-02_091146_bloodhound.zip
Screenshots
If applicable, add screenshots to help explain your problem.
this image shows using the ticket to get share data, and without - confirming the validity of the ticket

this image shows detail about the ticket:

this image shows the command execution failing, and the start of the traceback above:

NetExec info
- OS: kali
- Version of nxc: 1.2.0 - ItsAlwaysDNS - 669a55f
- Installed from: apt/github/pip/docker/...? Please try with latest release before openning an issue
pipx
prior to opening this ticket, I ran: pipx install git+https://github.com/Pennyw0rth/NetExec --force
Additional context
No other context, but just wanted to mention how incredibly useful this tool is and I appreciate any help.
Describe the bug
When running bloodhound with netexec, it seems to try to pass ntlm authentication, and fails.
To Reproduce
Steps to reproduce the behavior i.e.:
Command:
nxc ldap LUSDC.lustrous.vl --use-kcache -d lustrous.vl --bloodhound -c all --dns-server $IP --dns-timeout 10Resulted in:
Expected behavior
Expected behavior should be similar as to running with a user/pass, or user/hash
Screenshots



If applicable, add screenshots to help explain your problem.
this image shows using the ticket to get share data, and without - confirming the validity of the ticket
this image shows detail about the ticket:
this image shows the command execution failing, and the start of the traceback above:
NetExec info
pipx
prior to opening this ticket, I ran: pipx install git+https://github.com/Pennyw0rth/NetExec --force
Additional context
No other context, but just wanted to mention how incredibly useful this tool is and I appreciate any help.