I am trying to run the following: Sharphound.exe -d abc.xyz --domaincontroller 10.x.x.x -c DCOnly --ldapusername [email protected] --ldappassword mypassword

But the server where I ran the executable is in ghi.jkl.mno.mydomain

I get the error as below,

Creating schema map for domain abc.xyz using path CN=Schema, CN=Configuration, DC=jkl, DC=mno, DC=mydomain

I understand that it is still picks up only the DC of the server from where sharphound is running and not checking for the remote DC. I don't have a trust relationship between abc.xyz and ghi.jkl.mno.mydomain.

Hi! Recently I used SharpHound v2.0.0 to collect data. However, when I attempted to upload the ZIP file into BloodHound, it stays at 0% forever. Only _computers.json faces this issue. The rest of the JSON files are fine. If I use back the older version of SharpHound such as v1.1.0, it works fine.

On the README, the --collectallproperties flag claims to "Collect all LDAP properties from objects"; however, this does not actually appear to be the case.

Test Scenario:

• Create a new user in Active Directory.
• Configure this user's homePhone and manager properties within AD
• Run .\SharpHound.exe --CollectAllProperties

Result:
When viewing the TIMESTAMP_users.json file, the JSON object for this new user does not contain the details for the properties set above.

The option to collect all LDAP properties for each object appears to have been introduced in 2020 in the SharpHound3 repository. In my limited testing though, builds from this time/repo were also failing to collect the two aforementioned fields.

Tools such as SysInternals' ADExplorer and @p0dalirius' ldap2json are good examples of projects that are successfully dumping out the details of all LDAP properties.

Use Case: Often times these additional attributes will contain pieces of data relevant to understanding the target's environment, the value of a particular user, etc. Additionally, collecting these attributes would help make the tool more feature-complete for defenders wishing to use BloodHound to create a complete picture of their AD environment.

Using the latest version of Sharphound + Bloodhound GUI I've noticed that importing new session loop data removes owned flags from User objects (and potentially computer objects too).

The session data is correctly imported without errors but after the import I have to manually re-add the owned flags. At the same time custom attributes added to objects from neo4j are fine and are not impacted. Let me know if there is something I can pull from logs to help with triaging.

After uploading the pre-built SharpHound.ps1 script to an Azure Cloud Shell session, attempting to run it generates the following error:

PS /home/terry> . .\SharpHound.ps1
PS /home/terry> Invoke-BloodHound -CollectionMethod all                                                                                              MethodInvocationException: /home/terry/SharpHound.ps1:638
Line |
 638 |      $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "Load" with "1" argument(s): "Bad IL format."
InvalidOperation: /home/terry/SharpHound.ps1:641
Line |
 641 |      $Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("At …
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.
InvalidOperation: /home/terry/SharpHound.ps1:642
Line |
 642 |      $Assembly.GetType("Sharphound.Program").GetMethod("InvokeSharpHou …
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.

The reason for using SharpHound powershell rather than the AzureHound binary is that the later requires authentication to execute (even in Cloud Shell), but I'm unsure if that's the case for SharpHound?

Hello!
I'm using bloodhound-python to dump from various DCs, two of them work fine but the third one gives me this error:
Tried to match the server's time, no luck.
I couldn't find anything useful online.
Any idea why this is happening? Thanks!

Hi,
It's possible to used it without ldap flags.?!
Thanks

Hi!

The license for this repository is currently missing.
Would you be able to add a license?

Hey,

While working on a lab, I came across a strange issue,

A compromised user doesn't have the CanRDP edge using the latest collector,
I know people have seen this edge month ago, do you know what can be wrong ?

In execution right, everything is at 0 but the user is able to RDP.

Context of execution: user domain
Commandline: .\SharpHound.exe --CollectionMethods all,gpolocalgroup

If you have any idea how to troubleshoot this don't hesitate,

Thanks

I ran into an issue where I specified an output directory (it exists), but for some reason when sharphound ran, it gave an "Illegal Characters in Path" error and died. Rohan said to file a bug and thinks it relates to the following code:

`public string ResolveFileName(string filename, string extension, bool addTimestamp)
{
var finalFilename = filename;
if (!filename.EndsWith(extension))
finalFilename = $"{filename}.{extension}";

        if (extension is "json" or "zip" && Flags.RandomizeFilenames)
            finalFilename = $"{Path.GetRandomFileName()}";

        if (addTimestamp) finalFilename = $"{CurrentLoopTime}_{finalFilename}";

        if (OutputPrefix != null) finalFilename = $"{OutputPrefix}_{finalFilename}";

        var finalPath = Path.Combine(OutputDirectory, finalFilename);

        return finalPath;
    }`

Hello,

Does SharpHound.ps1 attempt to log into workstations when querying AD?

Thanks

I have an issue with data collection from an active directory that actually has 200k accounts. The collection of data is running for long time (more than 3 days), though I used the the flag -c DCOnly. Is there any additonal flag that I can use to collect the data faster?

After running sharphound command in various ways using ps1 and exe extension on windows to gather information. The gather is mostly not proper. Looking at the below 2 screenshots it can be observed that even after trying several times to run sharp hound in various ways. I failed to receive expected data.

Figure 1# Expected Output

Figure 2# Getting this Output even after various tries. (Only got once the expected output by luck.)

If we take a look closely the complete jeffadmin path is missing and this can be really a big flaw.
I'm am using all the latest versions and even tried with 4.3.0 but still no luck.

Please fix this ASAP.

SharpHound is documented as having a command line option called skipregistryloggedon.

However, looking in the code, this option does not actually do anything. The value is obtained here, but doesn't seem to be referenced anywhere else in the SharpHound/SharpHoundCommon repositories.

Given that the default behavior has been to use registry session collection, might consider remove this command line option.

Running with session collection method consistently errors out. Following is an example of output.

2022-02-11T13:01:52.5051256-06:00|INFORMATION|Consumers finished, closing output channel
2022-02-11T13:01:52.6260499-06:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at Sharphound.Writers.JsonDataWriter1.<FlushWriter>d__9.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.Runtime.OutputWriter.<FlushWriters>d__18.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.Runtime.OutputWriter.<StartWriter>d__17.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.Runtime.CollectionTask.<StartCollection>d__10.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.SharpLinks.<AwaitBaseRunCompletion>d__6.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.Program.<>c__DisplayClass0_0.<<Main>b__1>d.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at CommandLine.ParserResultExtensions.<WithParsedAsync>d__201.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Sharphound.Program.

Hello,

I think there is a problem with the latest version of SharpHound 1.0.3. Some queries are impossible in BH and there is a big difference between SharHound 1.03 / BloodHound 4.1 and SharpHound.ps1 / Bloodhound 4.0.3 (cf. screenshots).

FYI, all tests are performed with the same user on the same machine and I used the same query : Shortest Path To Here on DC04.

SharpHound 1.0.3 + BloodHound 4.1.0

20220530053518_BloodHound.zip

SharpHound.ps1 + BloodHound 4..0.3

20220530060550_BloodHound.zip

Bloodhound.py + Bloodhound 4.1.0

20220530114827_bloodhound.zip

Thank you.

This is about Bloodhound version 5.0.0, which hasn't been released yet.

When running SharpHound it does not always complete. Perhaps something in the formatting of the object or similar prevents the collector from completing, not sure where to continue debugging as the iIssue will persist across multiple runs, but then go away after a day or two. The below is a short snipper from the logs of how its gets stuck.

2023-06-13T11:14:21.1899097+02:00|INFORMATION|Status: 40641 objects finished (+0 2.383217)/s -- Using 197 MB RAM
2023-06-13T11:14:51.2089165+02:00|INFORMATION|Status: 40641 objects finished (+0 2.379032)/s -- Using 197 MB RAM
2023-06-13T11:15:21.2265545+02:00|INFORMATION|Status: 40641 objects finished (+0 2.374861)/s -- Using 197 MB RAM
2023-06-13T11:15:51.2484637+02:00|INFORMATION|Status: 40641 objects finished (+0 2.370705)/s -- Using 197 MB RAM
2023-06-13T11:16:21.2634082+02:00|INFORMATION|Status: 40641 objects finished (+0 2.366564)/s -- Using 197 MB RAM
2023-06-13T11:16:51.2739820+02:00|INFORMATION|Status: 40641 objects finished (+0 2.362437)/s -- Using 197 MB RAM
2023-06-13T11:17:21.2826521+02:00|INFORMATION|Status: 40641 objects finished (+0 2.358324)/s -- Using 197 MB RAM
2023-06-13T11:17:51.3035011+02:00|INFORMATION|Status: 40641 objects finished (+0 2.354226)/s -- Using 197 MB RAM
2023-06-13T11:18:21.3104761+02:00|INFORMATION|Status: 40641 objects finished (+0 2.350142)/s -- Using 197 MB RAM
2023-06-13T11:18:51.3152642+02:00|INFORMATION|Status: 40641 objects finished (+0 2.346072)/s -- Using 197 MB RAM
2023-06-13T11:19:21.3350742+02:00|INFORMATION|Status: 40641 objects finished (+0 2.341881)/s -- Using 197 MB RAM
2023-06-13T11:19:51.3454471+02:00|INFORMATION|Status: 40641 objects finished (+0 2.337839)/s -- Using 197 MB RAM
2023-06-13T11:20:21.3646640+02:00|INFORMATION|Status: 40641 objects finished (+0 2.333812)/s -- Using 197 MB RAM
2023-06-13T11:20:51.3725154+02:00|INFORMATION|Status: 40641 objects finished (+0 2.329798)/s -- Using 197 MB RAM
2023-06-13T11:21:21.3881302+02:00|INFORMATION|Status: 40641 objects finished (+0 2.325798)/s -- Using 197 MB RAM
2023-06-13T11:21:51.4066873+02:00|INFORMATION|Status: 40641 objects finished (+0 2.321812)/s -- Using 197 MB RAM

I am not sure if I missing something, but it seems that the user name value is not a true representation of what is in AD and that the value is derived from the distinguishedName and/or sAMAccountName account and domain name.

SharpHound.exe --collectionmethods All,GPOLocalGroup --domain TestDom.corp --prettyprint --collectallproperties

As can be seen above the name assigned is "[email protected]", but this is not anywhere in the AD and should ideally be the value of the UPN "[email protected]".

So the tl;dr is should the user name not be the userPrincipalName (UPN) as this is more representative of what is in AD?

I've noticed that the latest version of SharpHound (2.3.3) appears to not find delegation correctly for BHCE. I've gathered this with data within GOAD and noticed that some of the edges I've seen in the past are no longer there. I've validated that these permissions do exist in the domain still and were not removed from GOAD.

Specifically, I've noticed the AllowedToDelegate edge is missing from users, as well as the Unconstrained Delegation setting.

Additionally, I've been able to gather these edges from the latest version of BloodHound.py (bloodhound-ce branch) which properly shows the delegation.

The images below focus specifically on the user sansa.stark, the user jon.snow is missing the AllowedToDelegate edge as well.

SharpHound.exe (v2.3.3) Collection

The user sansa.stark is marked without Unconstrained Delegation

findDelegation.py Results

The user sansa.stark is labeled with Unconstrained Delegation

BloodHound.py Collection

The user sansa.stark is properly marked with Unconstrained Delegation

Is this a known issue or some other type of deployment issue? Are there any known workarounds for this issue?

I've attached copies of the data collection here as well. Please let me know if you need more data, screenshots, or samples - I would be happy to gather them! Thanks!

NORTH_20240410083414_BloodHound-2.3.3.zip

ce_branch_bloodhoundpy_north_20240411011008_bloodhound.zip

https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/Options.cs

I have validated with "net view" that I am able to see resources on the target domain. However, SharpHound.exe is reporting that the LDAP connection test if failing:

<DATE_TIME>|ERROR|LDAP Connection Test Failed. Check if you're in a domain context!

Hi,

we run SharpHound and it times out after 3000 sometimes 4000 users. We tried the latest two releases and also the rolling release, same behaviour:

2022-04-22T10:20:40.8650782+02:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 2022-04-22T10:20:40.8790787+02:00|INFORMATION|Initializing SharpHound at 10:20 AM on 4/22/2022 2022-04-22T10:20:41.4651864+02:00|INFORMATION|Loaded cache with stats: 2759 ID to type mappings. 2714 name to SID mappings. 0 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings. 2022-04-22T10:20:41.4731854+02:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 2022-04-22T10:20:41.8938564+02:00|INFORMATION|Beginning LDAP search for domain.local 2022-04-22T10:21:19.4294650+02:00|INFORMATION|Status: 180 objects finished (+180 4.864865)/s -- Using 195 MB RAM 2022-04-22T10:21:50.6994925+02:00|INFORMATION|Status: 2378 objects finished (+2198 34.97059)/s -- Using 226 MB RAM 2022-04-22T10:22:19.9352352+02:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 81. (null). The LDAP server is unavailable.. Filter: (objectsid=\01\05\00\00\00\00\00\05\15\00\00\00\79\11\FE\21\56\64\FC\24\0F\44\89\1D\F3\55\02\00). Domain: domain.local System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable. at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__33.MoveNext() in D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\LDAPUtils.cs:line 833 2022-04-22T10:22:19.9352352+02:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 81. (null). The LDAP server is unavailable.. Filter: (samaccountname=INNKDI210D$). Domain: domain.local System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__33.MoveNext() in D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\LDAPUtils.cs:line 833 2022-04-22T10:22:19.9352352+02:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 81. (null). The LDAP server is unavailable.. Filter: (objectsid=\01\05\00\00\00\00\00\05\15\00\00\00\79\11\FE\21\56\64\FC\24\0F\44\89\1D\5A\1B\02\00). Domain: domain.local System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)

Thanks

As captioned, beacon was dead upon execution of latest version 1.1.0. Old versions work perfectly.

Cobalt strike 4.6.1 is in use, 1MB limit has been changed for execute-assembly

May I know anything I need to do to run it properly? Thanks!

Hello,

I'm trying to run Sharphound to collect data for Neo4j database but am running into some trouble. Everytime I run Sharphound (Either the .exe or .ps1) I encounter the errors below:

2023-01-05T10:28:56.0830263-06:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 81. (null). The LDAP server is unavailable.. Filter: (&(samaccounttype=REDACTED)(samaccountname=REDACTED)). Domain: (null) System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable. at System.DirectoryServices.Protocols.LdapConnection.Connect() at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__33.MoveNext() 2023-01-05T10:28:56.2370976-06:00|INFORMATION|Producer has finished, closing LDAP channel 2023-01-05T10:28:56.2401740-06:00|INFORMATION|LDAP channel closed, waiting for consumers 2023-01-05T10:29:02.7019920-06:00|INFORMATION|Status: REDACTED objects finished (+4340 144.6667)/s -- Using 73 MB RAM 2023-01-05T10:29:17.1756469-06:00|WARNING|[CommonLib LDAPUtils]LDAP Exception in Loop: 52. (null). The LDAP server returned an unknown error.. Filter: (&(samaccounttype=REDACTED)(samaccountname=REDACTED)). Domain: (null) System.DirectoryServices.Protocols.LdapException: The LDAP server returned an unknown error. at System.DirectoryServices.Protocols.LdapConnection.Connect() at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__33.MoveNext() 2023-01-05T10:29:32.7066748-06:00|INFORMATION|Status: REDACTED objects finished (+0 72.33334)/s -- Using 73 MB RAM

It ends up generating about 20 of these error messages before exiting. I found another issue open on the Bloodhound Github #510. In this thread rvazarkar said it was a non issue. However, my .json output is still not importing. Saying that the data is from an incompatible collector. I ensured that both my Bloodhound and Sharphound version matched (version 4.2). I also attempted to standardize the .json file according to the .json documentation here and attempted to fix the data at the end of the file manually.

The command I used to run is here:

.\sharphound.exe -c Default -d REDACTED --ldapusername REDACTED --ldappassword REDACTED --secureldap --throttle 200 --stealth --outputdirectory C:\Temp\Bloodhound_output --> I have also just tried the .exe and .ps1 with no command line arguments and similar errors occurred. This is from a domain joined computer and is on ethernet.

File Fix Example below:
"Status":null,"Aces":[],"ObjectIdentifier":"REDACTED","IsDele --> The .json output file is cut off at the end.

I attempted to fix this by removing the last entry until the next 'Properties' and adding a }]} --> this looked similar to the documentation.

Regardless, I am needing some help figuring out where I am going wrong. I can't find any fix on Github and have combed the documentation thoroughly. Any help would be greatly appreciated. If you need more information let me know. I'll do my best to provide redacted error output.

Adding the "--collectallproperties" tag to get additional all LDAP information does not appear to collect anything additional.

The below image shows a comparison of a collection run with (left) and without (right) the "--collectallproperties" tag.

Full commands that was run:
SharpHound.exe --collectionmethods All,GPOLocalGroup --domain TestDom.corp --prettyprint
SharpHound.exe --collectionmethods All,GPOLocalGroup --domain TestDom.corp --prettyprint --collectallproperties

Hello, when trying to build for master, the following stacktrace occurs (only the relevant bits):

nd.AssemblyInfo.cs /warnaserror+:NU1605
C:\builder\SharpHound\src\Sharphound.cs(130,34): warning CS0168: The variable 'e' is declared but never used [C:\builder\SharpHound\Sharphound.csproj]
C:\builder\SharpHound\src\Runtime\ObjectProcessors.cs(41,89): error CS1739: The best overload for 'ComputerSessionProcessor' does not have a parameter named 'doLocalAdminSessionEnum' [C:\builder\SharpHound\Sharphound.csproj]
  CompilerServer: server - server processed compilation - b4b18880-9e52-4df7-8cc6-f9874b0d4069
Done Building Project "C:\builder\SharpHound\Sharphound.csproj" (default targets) -- FAILED.
Done Building Project "C:\builder\SharpHound\Sharphound.sln" (default targets) -- FAILED.
Build FAILED.
"C:\builder\SharpHound\Sharphound.sln" (default target) (1) ->
"C:\builder\SharpHound\Sharphound.csproj" (default target) (2) ->
(CoreCompile target) -> 
  C:\builder\SharpHound\src\Sharphound.cs(130,34): warning CS0168: The variable 'e' is declared but never used [C:\builder\SharpHound\Sharphound.csproj]
"C:\builder\SharpHound\Sharphound.sln" (default target) (1) ->
"C:\builder\SharpHound\Sharphound.csproj" (default target) (2) ->
(CoreCompile target) -> 
  C:\builder\SharpHound\src\Runtime\ObjectProcessors.cs(41,89): error CS1739: The best overload for 'ComputerSessionProcessor' does not have a parameter named 'doLocalAdminSessionEnum' [C:\builder\SharpHound\Sharphound.csproj]
    1 Warning(s)
    1 Error(s)
Time Elapsed 00:00:02.96

Is there an easy way to work around this ?

Cheers,
ArnCo

I have attempted the dconly option with multiple versions of sharphound, including the rolling version.

All of them give the error below.

I can ping and access the LDAP ports from the test system to all the DCs in the environment.

Any suggestions?

SharpHound.exe -c dconly -v 1
2022-03-31T07:30:48.5208302-05:00|INFORMATION|Resolved Collection Methods: Group, GPOLocalGroup, Trusts, ACL, Container, ObjectProps
2022-03-31T07:30:48.5208302-05:00|INFORMATION|Initializing SharpHound at 7:30 AM on 3/31/2022
2022-03-31T07:30:52.1616336-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:30:55.1617935-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:30:58.1150560-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:01.0683299-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:04.0216137-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:06.9748498-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:09.9788528-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:10.0059206-05:00|DEBUG|[CommonLib LDAPUtils]Unable to find usable domain controller for redacted
2022-03-31T07:31:10.0215640-05:00|ERROR|Unable to connect to LDAP, verify your credentials

I am getting an interesting error with the newest version of Sharphound. This does not happen on older versions.

My Command line is:
SharpHound.exe -c DCOnly -d corp.stigs.local --memcache

Here is the error I am getting:

2022-03-04T19:54:07.5687182-05:00|ERROR|error in consumer System.NullReferenceException: Object reference not set to an instance of an object. at SharpHoundCommonLib.Processors.GPOLocalGroupProcessor.<ProcessGPOXmlFile>d__13.MoveNext() at System.Collections.Generic.List1..ctor(IEnumerable1 collection) at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source) at SharpHoundCommonLib.Processors.GPOLocalGroupProcessor.<ReadGPOLocalGroups>d__10.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.Runtime.ObjectProcessors.<ProcessOUObject>d__21.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Sharphound.Runtime.ObjectProcessors.<ProcessObject>d__15.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at Sharphound.Runtime.LDAPConsumer.<ConsumeSearchResults>d__0.MoveNext()

Sharphound does finish and this is not a show stopper.

Hello,

Just wondered if I could get some clarification from somebody more in the know than myself. I've recently been working with Domain Trusts and have a similar issue to: dirkjanm/BloodHound.py#84 (comment)

When looking for domain trusts in Bloodhound, I was not seeing anything. I know they exist as I've enumerated trusts using another tool but when loading Sharphound data into Bloodhound the trusts are not displayed.

I came across the issue linked above whereby Bloodhound.py was using int values to identify trust directions and types. This was confirmed as a bug and fixed.

I appear to be having the same issues with Sharphound. The data is displayed as an integer, when bloodhound is looking for a string, see below:

{ "TargetDomainSid": "redacted", "TargetDomainName": "redacted", "IsTransitive": true, "SidFilteringEnabled": false, "TrustDirection": 1, "TrustType": 4 }

When the above is loaded into Bloodhound, the trusts are not displayed. If I manually modify this with the correct string as shown below, Bloodhound displays the trust:

{ "TargetDomainSid": "redacted", "TargetDomainName": "redacted", "IsTransitive": true, "SidFilteringEnabled": false, "TrustDirection": "Inbound", "TrustType": "Forest" }

Is this also a bug in Sharphound, or is there something I'm missing here?

./sharphound.exe -d domain --ldapusername redacted --ldappassword -redacted

2023-10-30T18:48:32.7077262-07:00|WARNING|[CommonLib LDAPUtils]Failed to setup LDAP Query Filter
SharpHoundCommonLib.Exceptions.LDAPQueryException: Error creating LDAP connection: GetDomain call failed for REDACTED
at SharpHoundCommonLib.LDAPUtils.d__51.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SharpHoundCommonLib.LDAPUtils.SetupLDAPQueryFilter(String ldapFilter, SearchScope scope, String[] props, Boolean includeAcl, String domainName, Boolean showDeleted, String adsPath, Boolean globalCatalog, Boolean skipCache)

does anyone also encounter this issue? I'm trying to run it and it keeps on showing multiple warnings in different domains and endpoints. I wonder if this also affects the results because when I try to upload the _computer.json it stucks at 0% forever.

Objective: To avoid having the password appear in the command line, as that is logged by EDR tools.

Using these parameters the timing execution is not affected.

SharpHound does not account for Item Level Targetting when collecting local group membership collection from GPOs linked to OUs,

Group Policy Preference in a GPO can add groups or users into local administrators group only if the host has a matching NETBIOS name or member of an AD group.

I know it will be impossible for SharpHound to account for some item level targeting options such as WMI, but I believe ones that are likely used for managing local groups can, such as hostname, OU and security group membership.

Item level targeting details:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v=ws.11)

hi,

would be great to have the name of the domain (or forest) in the filename, e.g. not just

20240125120250_BloodHound.zip

but
20240125120250_BloodHound_corpdomain.zip

to have a better overview if running it on multiple domains on the same box. don't know if that breaks some toolchains but those changes would also be small.

regards
arnim

I am not able to see any information within the GUI when I run the exe for SharpHound. I am getting a LDAPUtils error. Not sure what I am doing wrong here.

C:\BloodHound-master\Collectors>SharpHound.exe
2022-10-04T14:12:46.1607153-04:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-10-04T14:12:46.4526949-04:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-10-04T14:12:46.5907875-04:00|INFORMATION|Initializing SharpHound at 2:12 PM on 10/4/2022
2022-10-04T14:12:47.2694541-04:00|INFORMATION|Loaded cache with stats: 1676 ID to type mappings.
1703 name to SID mappings.
2 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2022-10-04T14:12:47.2851464-04:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-10-04T14:12:50.0546130-04:00|INFORMATION|Beginning LDAP search for (Domain Name)
2022-10-04T14:12:51.2285422-04:00|WARNING|[CommonLib LDAPUtils]Error getting forest, ENTDC sid is likely incorrect
2022-10-04T14:13:20.5612937-04:00|INFORMATION|Status: 28 objects finished (+28 0.9333333)/s -- Using 75 MB RAM
2022-10-04T14:13:22.5268360-04:00|INFORMATION|Producer has finished, closing LDAP channel
2022-10-04T14:13:22.5450233-04:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-10-04T14:13:50.5691061-04:00|INFORMATION|Status: 1572 objects finished (+1544 26.2)/s -- Using 112 MB RAM
2022-10-04T14:14:20.5765643-04:00|INFORMATION|Status: 1572 objects finished (+0 17.46667)/s -- Using 111 MB RAM
2022-10-04T14:14:50.5789122-04:00|INFORMATION|Status: 1572 objects finished (+0 13.1)/s -- Using 111 MB RAM
2022-10-04T14:15:02.3067222-04:00|INFORMATION|Consumers finished, closing output channel
2022-10-04T14:15:20.5797691-04:00|INFORMATION|Status: 1573 objects finished (+1 10.48667)/s -- Using 111 MB RAM
2022-10-04T14:15:50.5890055-04:00|INFORMATION|Status: 1573 objects finished (+1 8.738889)/s -- Using 65 MB RAM
2022-10-04T14:16:20.6042959-04:00|INFORMATION|Status: 1573 objects finished (+1 7.490476)/s -- Using 65 MB RAM
2022-10-04T14:16:50.6171137-04:00|INFORMATION|Status: 1573 objects finished (+1 6.554167)/s -- Using 65 MB RAM
2022-10-04T14:17:20.6213105-04:00|INFORMATION|Status: 1573 objects finished (+1 5.825926)/s -- Using 65 MB RAM
2022-10-04T14:17:50.6357360-04:00|INFORMATION|Status: 1573 objects finished (+1 5.243333)/s -- Using 65 MB RAM
2022-10-04T14:18:20.6363538-04:00|INFORMATION|Status: 1573 objects finished (+1 4.766667)/s -- Using 65 MB RAM
2022-10-04T14:18:50.6501391-04:00|INFORMATION|Status: 1573 objects finished (+1 4.369444)/s -- Using 65 MB RAM
2022-10-04T14:19:20.6622993-04:00|INFORMATION|Status: 1573 objects finished (+1 4.033333)/s -- Using 65 MB RAM
2022-10-04T14:19:50.6755601-04:00|INFORMATION|Status: 1573 objects finished (+1 3.745238)/s -- Using 65 MB RAM
2022-10-04T14:20:20.6760826-04:00|INFORMATION|Status: 1573 objects finished (+1 3.495556)/s -- Using 66 MB RAM
Closing writers
2022-10-04T14:20:29.4441393-04:00|INFORMATION|Output channel closed, waiting for output task to complete
2022-10-04T14:20:29.5233383-04:00|INFORMATION|Status: 1589 objects finished (+16 3.461874)/s -- Using 66 MB RAM
2022-10-04T14:20:29.5233383-04:00|INFORMATION|Enumeration finished in 00:07:39.4917317
2022-10-04T14:20:29.7464177-04:00|INFORMATION|Saving cache with stats: 1676 ID to type mappings.
1703 name to SID mappings.
2 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2022-10-04T14:20:29.7626413-04:00|INFORMATION|SharpHound Enumeration Completed at 2:20 PM on 10/4/2022! Happy Graphing!

There is a bug in the "memcache" option. No matter specified or not .bin file is written to disk.

Tested with version 1.0.2

I used this as collection method -c All,GPOLocalGroup,SPNTargets,LoggedOn, I have a user here which has WriteSPN on 2 computers, but for some reason sharphound does not find this.

Saw this as a closed issue, having trouble with it today using both the compiled SharpHound and the one packaged with Bloodhound

Hi,

I get the same error as in #15 when using the collection method "all" or GPOLocalGroups.
This seems to me that the collection method all does execute the GPOLocalGroups collection which it should not if I understand the picture here correctly https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html

Regards
Alex

GPOLocalGroup.txt
All.txt

Is there a way to make it work ?

Hi,

I figured out, that some users will be declared as a group, these objects also have three labels.

labels(s)[0] = 'Group'
labels(s)[1] = 'User'
labels(s)[2] = 'Base'

instead of

labels(s)[0] = 'User'
labels(s)[1] = 'Base'

try this in your lab e.g. with the following query:

match (s) where labels(s)[0] = 'Group' return s.name,s.lastlogontimestamp, labels(s)[0],labels(s)[1],labels(s)[2] order by s.lastlogontimestamp

but BH5 CE shows the object, as a correct type.

This is a bug in Sharphound 2.4.1?

TIA

• Holger

Description:

I executed SharpHound.exe (Version 2.0.0) on a none-domain-joined machine and provided the target domain, domain controller and ldap credentials via arguments. I expected that all required login attempts to collect the data would use as account name <provided_domain>\<provided_username>. However, when data was collected for trusted domains, the logins were performed using <trusted_domain>\<provided_username>. Since the same user account name existed in the other trusted domains (but with different passwords), this increased the "incorrect login attempts" count. After several executions this lead to a lockout of the user account in all trusted domains.
I'm unsure if this behavior is intended and that I just called SharpHound the wrong way, but I was expecting that all logins would be performed with the ldap username with the provided domain name. Or do I need to also specify the domain with the ldap username argument?

Steps to Reproduce:

1. Create a network with two domains (DomainA.NET and DomainB.NET and create a trust relationship between them) with the same username in both domains but with different passwords.
   In my case I tested it with a domain administrator account, e.g.: "DomainA.NET\DomainAdmin" with password "Password1" and "DomainB.NET\DomainAdmin" with password "Password2"

2. Create a Windows Client (in my case it was Windows 10 system which was not domain joined) and execute the following command on the system:

SharpHound.exe --CollectionMethods All,GPOLocalGroup,SPNTargets,LoggedOn --collectallproperties --memcache --Domain DomainA.NET --domaincontroller DC01.DomainA.NET --ldapusername DomainAdmin --ldappassword Password1

3. Execute the command multiple times until the configured account lockout treshhold is reached. => "DomainB.NET\DomainAdmin" will get locked because SharpHound will attempt to perform a login as LDAP user "DomainAdmin" also in DomainB because of the trust relationship, however, this user has as password "Password2" and not "Password1".

Expected Behavior:

I expected that all logins would be performed as "DomainA.NET\DomainAdmin" user, even when querying data from "DomainB.NET". Actually, I also assumed that no connections to DC01.DomainB.NET would be established and that no logins with accounts in DomainB would be attempted.
I expected that the "--Domain" and "--ldapusername" flags are combined to form the final username which is used to perform the login and not that a login as "DomainB.NET\DomainAdmin" is attempted at all.

Actual Behavior:

A login as "DomainB.NET\DomainAdmin" is attempted which can lead to an account lockout after multiple executions.

Environment Information:

BloodHound: -

Collector: 2.0.0