Missing results in sharphound group collection compared to bloodhound #20
Comments
|
Can you validate the missing groups and make sure they exist? We've made lots of changes to sharphound that make group collection different. Can you get an idea of what the missing groups are as well? |
|
Commands used for collection : BloodHound_Old.ps1 :
SharpHound.exe:
|
|
You can't use the -d and -s flag at the same time. Just use -s for sharphound |
|
Do you think the -d & -s could cause such issue ? I noticed the issue first, because with sharphound, the group that is holding my domain admins has no user in it. I just doubled check with When looking inside the diff, I do not see anything obvious, it seems pretty random, there are users, groups, computers missing. Nothing special about those. |
|
Theres no functional difference between sharphound enumeration and the old bloodhound enumeration as far as pulling down groups, and I've never seen a discrepancy that large before. It's also basically impossible to debug this issue remotely. If you can find the reason for the discrepancy, let me know. I'll leave this issue open for now. |
|
As a side note, are the missing users/computers from a specific domain? Or your current domain? Or a mix of all of them |
|
From my current domain. |
|
Does it compile with visual studio express ? |
|
I compile using Visual Studio 2017 Community |
|
I have a similar issue due to LocalGroup function where the result generated by SharpHound is missing some members. For example: Two domain groups as a member of a local administrators group. SharpHound returns one group and BloodHound both. What I‘m noticing is, that the scope of the missing group is ‚DomainLocal‘ whereas the scope of the other group is ‚Global‘. |
|
Just to make sure I am understanding properly this : is in charge of getting the list of member in a given group (identified by its DN : entry) ? |
|
Thats correct. However, we don't look at group objects directly, we look at user/computer/group objects and resolve the memberof property |
|
thanks, I will keep digging |
|
Are you sure it is not this : which gets a list of all users, computers & groups and then : resolves which groups those users,computers&groups are members of ? |
|
The first line gets all the items. The second item is in charge of actually processing the group membership information. |
|
I just pushed a bunch of changes to group collection. Why dont you give them a try and see if it works properly now. Applies to you as well @dschaudel. |
|
On second thought, give me a bit more time to fix some more bugs |
|
Alright...fixed some more stuff...here you go |
|
Solved my issue! Thank you! |
|
Unfortunatly still the same... I did some digging, the ldap query bellow does not returns everything it should. I added some logging of the items returned by this query, across several runs, all results start the same, but there are a few thousands more or less results at the end of the file. My guess is that there is some kind of timeout in the ldap query (around 30mn it seems), and that in those 30mn we do not have the time to fetch all the results needed. |
|
Bloodhound used DirectorySearcher, sharphound SearchRequest, is there a reason for the switch ? |
|
|
We switched because the Protocols API is faster, has less overhead, and allows us to support encryption properly. If you think its a timeout problem, why not try doing each domain individually? |
|
Heres another build you can try. I upped the LdapConnection timeout to 60 seconds from the default 30, and took out a possible bad check in the paging |
|
The timeout is not a client side timeout, it is someting set on the server side (see quoted msdn doc). The idea is to split the huge ldap query into smaller one so that no query reaches the server timeout (around 30mn it seems). Firstly, I do a ldap query to fetch all OUs (|(objectClass=builtinDomain)(objectClass=organizationalUnit)) (I am not sure if users & group can be in another class of object ?). For each OU, I do a ldap query with a seachScope of OneLevel and the OU's dn as adsPath. It is likely slower, but it allows to handle very large domains. It would also be good if we are able to get the number of results before iterating in order to check that at the end the number of iteration is equal to the number of expected results (that would allow to catch the error I had before the workaround). I can share my changes with you if you want, but right now the code is too ugly ! |
|
As far as I know, theres no way to get the number of objects without actually enumerating all the objects. If this is a server side timeout, then why is the original BloodHound.ps1 working fine? It should be subject to the same timeout. |
|
Also, are you on the BloodHound Slack channel? Its much easier to figure this out there |
|
I think I understand why the old BloodHound.ps1 doesn't have this problem, since the query is split between collection methods. I guess we might have to go back to seperate ldap queries for each collection method if all else fails... |
|
I am running some tests, I will get more results tomorrow but at first
sight it seems that directorysearcher behaves correctly and returns all
expected results. Too soon to say for certain, I will double check that
tomorrow.
Le mar. 13 mars 2018 à 19:55, Rohan Vazarkar <notifications@github.com> a
écrit :
… I think I understand why the old BloodHound.ps1 doesn't have this problem,
since the query is split between collection methods. I guess we might have
to go back to seperate ldap queries for each collection method if all else
fails...
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<BloodHoundAD/SharpHound#20 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEeKMFBRE4ecKajp57WmIKT3Q5cVFk6rks5teBYkgaJpZM4Si7NV>
.
|
|
Here is the result of my tests, every scenarios runned 3 times to be sure. This represent the number of results returned by the ldap query :
Small variations are likely due to the "life" of the directory which is as you can see quite large.
What we can conclude from that, is that SearchRequest is somehow not reliable when dealing with very large directories. DirectorySearcher seems reliable, this is what is also used in bloodhound ps1, so that explains why bloodhound had no issue getting accurate results. Howerver it has quite a large memory & speed overhead. |
|
Did you configure DirectorySearcher in any way? Set any particular properties? |
|
@jbfuzier could you try this build and see if its giving you a timeout error properly? |
|
I will try the new build. Nothing special with Directory searcher config, I just did the same as in bloodhoundold.ps1. |
|
It raises an explicit message about the timeout : (~given up on operation because client wait time has been exceeded)
|
|
Interestingly, that indicates its a client timeout, not a server timeout. I wonder if something is getting hung up in processing thats causing issues |
|
Nice finding ! What is weird is that is does not always stop at the same result & also not exactly at the same time. |
|
@jbfuzier if you don't mind running again, can you try this new build. I upped the client timeout to 5 minutes, which is an absurd number in the context of LDAP. If it runs into the same issue, I'll re-investigate, but if we can avoid re-architecting the ldap search, I'm sure going to try. Thanks for being so helpful too, I appreciate it. |
|
Interestingly, the build you ran before had an ldap timeout double the regular, and it got an extra 150k objects compared to the first run, so this definitely looks like a client side issue |
|
Well done ! |
|
Sure did. So looks like we've fixed the issue! Hooray! Thanks a lot for your help!
…On Fri, Mar 16, 2018, 7:50 AM jbfuzier ***@***.***> wrote:
Well done !
The number of result is in the same range as with the old collector.
Did you keep the client timeout detection in this build ?
Waiting for enumeration threads to finish
Status: 845257 objects enumerated (+6257 179,4601/s --- Using 487 MB RAM )
Waiting for writer thread to finish
Finished enumeration for corp.mydomain.net in 01:18:30.7954386
0 hosts failed ping. 0 hosts timedout.
Removed 4111261 duplicate lines from .\group_membership.csv
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<BloodHoundAD/SharpHound#20 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFdJfohC6GP4irXskH35qXMSI7k7FqfRks5te6cZgaJpZM4Si7NV>
.
|
|
Thanks for your time. Just for the record, here is the last messages exchanged with the non working version :
(Don't know what to make of that...) |
|
Just LDAP terminating the connection, not too worried. I've committed these changes to master already. Again, thanks a lot for your patience |
Hi,
I am seeing some huge differences between group collection from bloodhound.ps1 & sharphound.exe.
Both were runned on the same domain from the same PC with the same account, results are consistent accross several runs.
After normalizing the data & diffing here is the verdict :
I do not see any pattern on what's missing in sharphound :(
Using commit 3355c35 (03/05/18) :
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/BloodHound_Old.ps1
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.exe
The text was updated successfully, but these errors were encountered: