
sharphound2's People

Contributors

cnotin, crypt0-m3lon, dirkjanm, eranzim, ihamburglar, jonas2k, joncave, morphly, paalbra, rvazarkar


sharphound2's Issues

NPE in GroupHelpers.ProcessAdObject due to missing dnshostname and unresolvable host

In a production domain we observed a crash due to a null pointer exception during the stealth enumeration for groups.
The issue is around https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L152

We have a computer object without a dnshostname property, so dnshostname is null in https://github.com/BloodHoundAD/SharpHound/blob/f164a3b11bb4b892c286cb70d8e65184bfcf1fd0/Sharphound2/Extensions.cs#L95
Therefore the code falls back to trying to DNS resolve the computer, with its FQDN and shortname. However this computer doesn't resolve. So it returns null https://github.com/BloodHoundAD/SharpHound/blob/f164a3b11bb4b892c286cb70d8e65184bfcf1fd0/Sharphound2/Extensions.cs#L114

(I don't know how this situation happened in this domain... But I bet other domains could have the same case).

Then the null resolvedEntry https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L152 is passed to GroupHelpers.ProcessAdObject

And it crashes with a NPE at line: https://github.com/BloodHoundAD/SharpHound/blob/e781f3f4a9e46fd7b2cfa0eefe1ee1ee5f096e8d/Sharphound2/Enumeration/GroupHelpers.cs#L32

I think this issue isn't present in the default collection method (non-stealth) because there is a check for null https://github.com/BloodHoundAD/SharpHound/blob/91700a7bca5b5afa28cd724936bdff45eed19c53/Sharphound2/Enumeration/EnumerationRunner.cs#L448

ComputerFile, no output to CSV?

Thank you for making this great tool. I really appreciate it.

I am looking to enumerate just a subset of the computers in a domain. I found the 'ComputerFile' parameter in Sharphound.ps1 and tried that.

Unfortunately, it did not save any output to CSV format when I used the CSVFolder parameter. Sharphound does successfully enumerate the hosts, because I see data in the Bloodhound.bin file. The only problem is that no csv file appears to be created.

Am I doing something wrong?

This is my command (after loading the Sharphound.ps1 script):

Invoke-BloodHound -CollectionMethod LoggedOn -ComputerFile computers.txt -CSVFolder 'C:\Data'

My computers.txt file contains the following:

hostname1
hostname2

Thank you!

local_admins.csv does not import

After running sharphound.exe and trying to import the .csv files, I get a failure on the local_admins.csv. I compared it to the BloodHound PowerShell .csv, and it appears it is missing the header row. I added the header, and the file imported without issue.

SharpHound Unhandled Exception

Running latest build, and with default + verbose

Unhandled Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: key
   at System.Collections.Concurrent.ConcurrentDictionary`2.TryGetValue(TKey key, TValue& value)
   at Sharphound2.DnsManager.HostExistsDns(String host, String& name)
   at Sharphound2.Extensions.ResolveAdEntry(SearchResultEntry result)
   at Sharphound2.Enumeration.LocalAdminHelpers.<GetGpoAdmins>d__13.MoveNext()
   at Sharphound2.Enumeration.EnumerationRunner.StartStealthEnumeration()
   at Sharphound2.Sharphound.Main(String[] args)

Unhandled security context exception in forest search

Forest lookup in SharpHound v2.1.0 fails when querying from a non-domain workstation. The native PowerShell module Get-ADForest works fine and finds all four domains from the forest when pointed to the same server, so the problem should not be in credentials, although the error message claims so.

cmd> runas /netonly /user:domain\user "powershell -executionpolicy bypass"

PS ...\BloodHound-master\Ingestors\DebugBuilds> .\SharpHound.exe --Domain "my.domain" --CollectionMethod "DCOnly" --SearchForest

Unhandled Exception: System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Current security context is not associated with an Active Directory domain or forest.
at System.DirectoryServices.ActiveDirectory.DirectoryContext.GetLoggedOnDomain()
at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
at System.DirectoryServices.ActiveDirectory.DirectoryContext.isRootDomain()
at System.DirectoryServices.ActiveDirectory.Forest.GetForest(DirectoryContext context)
at Sharphound2.Utils.GetForestDomains() in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Utils.cs:line 804
at Sharphound2.Utils.CreateDomainList() in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Utils.cs:line 788
at Sharphound2.Utils..ctor(Options cli) in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Utils.cs:line 70
at Sharphound2.Utils.CreateInstance(Options cli) in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Utils.cs:line 44
at Sharphound2.Sharphound.Main(String[] args) in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Sharphound.cs:line 494

PS> get-adforest -Server my.domain

..
DomainNamingMaster : dc.my.domain
Domains : {my.domain, other.my.domain, other.foo, other.bar}
ForestMode : Windows2008R2Forest
GlobalCatalogs : {dc.my.domain, ...}
Name : my.domain
..

Running powershell 5.1 in windows 10.

Unhandled Exception: System.MissingMethodException

I run SharpHound.exe with the option -c All from metasploit meterpreter on Windows 2003 server and the following error occurs.
Can anyone help solve this issue?
Unhandled Exception: System.MissingMethodException: Method not found: 'Boolean System.Threading.WaitHandle.WaitOne(System.TimeSpan)'.
at Sharphound2.Utils.DoPing(String hostname, Int32 port)
at Sharphound2.Utils.GetUsableDomainControllers()
at Sharphound2.Sharphound.Main(String[] args)

Can't connect to LDAP

Hello,

I am trying to connect to my Active Directory server from a remote client. I am using the following options:

Invoke-BloodHound -CollectionMethod All -Domain example.com -Credential $credential -DomainController fqdn.example.com -Verbose

Where $credential was created in two possible ways:

  • $credential = New-Object System.Management.Automation.PSCredential($username,$password)
  • $credential = Get-Credential

In any case, I can't connect to the LDAP service of my Active Directory:

Unable to contact domain example.com
LDAP connection test failed, probably can't contact domain

The domain name can be resolved properly and I verified that the ports (389 and 636) are opened and reachable.

I can't connect to LDAP either authenticated or anonymously.

What is going wrong?

No computer object acls

Hi, first of all thank you for this amazing project.
One point: If a user has e.g. ResetPassword rights on a domain controller object, wouldn't this be a privilege escalation vulnerability because of the DCSync privilege of a domain controller object?
The same with an Exchange server object, because this object can manipulate ACEs of the domain root.
At the moment you just care about computer object ACLs if they have LAPS installed.
Or am I wrong? Thank you!

Missing results in sharphound group collection compared to bloodhound

Hi,

I am seeing some huge differences between group collection from bloodhound.ps1 & sharphound.exe.
Both were run on the same domain from the same PC with the same account; results are consistent across several runs.

After normalizing the data & diffing here is the verdict :

2833179 lines in sharphound
4363527 lines in bloodhound
2831326 lines in both
**1532201 lines missing in sharphound**
1853 lines missing in bloodhound

I do not see any pattern on what's missing in sharphound :(

Using commit 3355c35 (03/05/18) :
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/BloodHound_Old.ps1
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.exe

Sharphound never completes

I'm doubtful this is an "issue" with the ingestor, I just can't figure out a solution for the current environment. I've tried multiple variations, from specifying OU, domain and DC; increasing threads; different collection modes; increasing verbosity just to get some insight; and it runs with a repetitive "status nnn objects enumerated" message, which seems to indicate it's working! I've let it run for more than 72 hours for a single OU (recognizing that isn't terribly descriptive). If I hit Ctrl+C, I get a "waiting for cleanup" message, followed by status messages that also never seem to end (waited several hours). For the environment in question, my only successfully completed runs were limited to collection of groups and trusts. Any ideas/suggestions are much appreciated!

Sharphound returning incomplete results for Localgroup

I'm getting partial results back when running sharphound vs bloodhound (and what is actually in the Administrators group). With the old PowerShell script I get all users in the Administrators group, but with sharphound I only get a subset of that. Here are the commands I'm running.

Bloodhound
PS > Invoke-BloodHound -CollectionMethod LocalGroup -ComputerName \'**removed**\' -CSVFolder C:\Data\ -CSVPrefix "bloodhound"

Sharphound:
SharpHound.exe --SkipPing -c LocalGroup --ComputerFile host.txt --CSVFolder C:\Data --SVPrefix sharphound

The one thing I did notice is that for sharphound all of the objects returned are in the same domain, but objects for other domains under the same parent are not returned. The bloodhound ps1 did return the objects for other domains without issue.

Sharphound starts enumeration then quits

I am running SharpHound as a standard domain user. In the past, we were able to run BloodHound with no issues. I am using the default collection and running it with -verbose. We will get an initial run of 862 objects and it never increases from there; all the output continues to show is below:

Initializing BloodHound at 11:40 AM on 2/7/2019
Resolved Collection Methods to Group, LocalGroup, Session, Trusts
Starting Enumeration for [redacted]
Status: 862 objects enumerated (+862 28.73333/s --- Using 90 MB RAM )
Status: 862 objects enumerated (+0 14.36667/s --- Using 90 MB RAM )
Status: 862 objects enumerated (+0 9.577778/s --- Using 47 MB RAM )

I have tried with multiple different options and flags and I cannot seem to get it to work.

System.NullReferenceException in Sharphound2.Utils.ResolveHost(String hostName)

Hi,

I am having an unhandled exception while running the session collection. It occurs on different PCs.

Here is the stack trace :

Exception non gérée : System.AggregateException: AggregateException_ctor_DefaultMessage ---> System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet.
à Sharphound2.Utils.ResolveHost(String hostName)
à Sharphound2.Enumeration.SessionHelpers.d__8.MoveNext()
à Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.b__0()
à System.Threading.Tasks.Task.InnerInvoke()
à System.Threading.Tasks.Task.Execute()
--- Fin de la trace de la pile d'exception interne ---
à System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
à System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout)
à System.Threading.Tasks.Task.WaitAll(Task[] tasks)
à Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
à Sharphound2.Sharphound.Main(String[] args)
---> (Inner Exception #0) System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet.
à Sharphound2.Utils.ResolveHost(String hostName)
à Sharphound2.Enumeration.SessionHelpers.d__8.MoveNext()
à Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.b__0()
à System.Threading.Tasks.Task.InnerInvoke()
à System.Threading.Tasks.Task.Execute()<---

---> (Inner Exception #1) System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet.
à Sharphound2.Utils.ResolveHost(String hostName)
à Sharphound2.Enumeration.SessionHelpers.d__8.MoveNext()
à Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.b__0()
à System.Threading.Tasks.Task.InnerInvoke()
à System.Threading.Tasks.Task.Execute()<---

With this build https://github.com/BloodHoundAD/SharpHound/files/1816599/Sharphound.zip (the last one from issue #20 ).

Stealthmode misbehaving

`C:\Users\test\Desktop>SharpHound.exe --stealth
Initializing BloodHound at 10:48 AM on 3/27/2019
Note: All stealth options are single threaded
Note: You specified Stealth and LocalGroup which is equivalent to GPOLocalGroup
Resolved Collection Methods to Group, GPOLocalGroup, Session, Trusts, RDP, DCOM
Starting Stealth Enumeration for Domain.com

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at Sharphound2.Enumeration.TrustHelpers.DoTrustEnumeration(ResolvedEntry resolved, Domain& obj)
at Sharphound2.Enumeration.EnumerationRunner.StartStealthEnumeration()
at Sharphound2.Sharphound.Main(String[] args)

C:\Users\test\Desktop>`

DomainController option does not seem to work. Need to request specific DC ip.

Hello guys,

While I was trying to explicitly specify the IP of the domain controller with the following command (SharpHound.ps1), I was thinking that the root DSE would be directly requested from the LDAP service on this DC IP:

Invoke-BloodHound -DomainController 10.10.10.10
Initializing BloodHound at 23:58 on 01/08/2019
Unable to contact domain. Try from a domain context!

Unfortunately, I captured the traffic and I still found the SRV-type DNS requests used to discover the DC (_ldap._tcp.dc._msdcs). The fact is that my IP is never contacted. For example, during an engagement, how are you doing if you are doing a port redirection on a pivot machine?

On wireshark no ip dest 10.10.10.10 appears (10.10.10.10 is up, etc ...).

I'm working on a Microsoft Windows 10 Pro machine with the master branch of BloodHound.

Thanks in advance,

SharpHound can hang when using GPOLocalGroup due to bad regex in LocalGroupHelpers.cs

When using the GPOLocalGroup collection method Sharphound threads can hang due to some GPOs having a lowercase "S" in the SID in the GptTmpl.inf file.

The following fixes the issue and is consistent with the previous regex's in the file using 'IgnoreCase':-

paul@kali2017-1:~/tools/SharpHound/Sharphound2/Enumeration$ diff LocalGroupHelpers.cs LocalGroupHelpers.cs.orig
29c29
<         private static readonly Regex ExtractRid = new Regex(@"S-1-5-32-([0-9]{3})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
---
>         private static readonly Regex ExtractRid = new Regex(@"S-1-5-32-([0-9]{3})", RegexOptions.Compiled);
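
Review bot: the diff was taken with the modified file first and LocalGroupHelpers.cs.orig second, so line 29 reads backwards: the "<" line carrying RegexOptions.IgnoreCase is the proposed version and the ">" line is the current one. Regenerating it from .orig to the modified file, ideally as a unified diff, would give a patch that applies directly. The pattern itself is also open on the right: ([0-9]{3}) captures the first three digits of any longer digit run after S-1-5-32-, so if only three-digit RIDs are intended, a trailing boundary after the group would make that explicit.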

SharpHound returns prematurely on segmented networks

Hello there,

I've noticed a couple of caveats to CollectionMethod selection on highly secured/segmented networks. No SharpHound output can be provided here, only a brief description of my findings after playing around.

Network: A big domain, of dozen of domain controllers, subdomains, trusts, tens of thousands of AD objects. Enumeration over VPN, LDAP. From a local admin authenticated session.

  1. Since the network is basically cutting out ICMP traffic, there is no way to gather up SMB Sessions, which I guess makes methods like: Session, ComputerOnly, LoggedOn, SessionLoop fail. SharpHound after a couple of tries yielded me around 500-1500 objects, always failing around that 1500 mark. No explanatory message in -Verbose. Informed me that 0 hosts failed ping, 0 hosts timedout. SharpHound finishes in 00:01:30.
  2. I've tried playing with --SkipPing and ping timeout - nothing changed in the output
  3. Specifying manually the following methods: --CollectionMethod Group,RDP,LocalGroup,DCOM,Trusts,ACL,Container,ObjectProps - resulted in 1500 objects as well.
  4. Running --SkipPing --CollectionMethod Default in turn, rapidly yielded 26237 objects enumerated, but then got severely slowed down to +11-121 of increment per one line of status (30 seconds I suppose).
  5. Playing with --DomainController had no reflection on the results.

So there is definitely a corner case about CollectionMethod setup, when ICMP is filtered-out, the network is well segmented. Due to the nature of project where I've tested this Ingestor, I don't think I will be able to help in debugging it further, sorry for that.

Syntax change from LocalAdmin to LocalGroup

In Sharphound.cs, the LocalAdmin option (now replaced by "LocalGroup"?) is still in the default options (and in the version of the PS script being distributed with Bloodhound).

[OptionArray('c', "CollectionMethod", DefaultValue = new[] {"Default"}, HelpText = "Collection Method (Group, **LocalAdmin**, GPOLocalGroup,

-f / -p flags not working

Very minor issue. SharpHound help (-?) suggests that I can use -f to specify a CSV Folder path to store CSV files. Additionally it specifies that I can use -p to specify a CSV Prefix.

If I run the following command, the help is displayed, suggesting there is a syntax error:
sharphound.exe -d domain.name -f c:\output\path

However the following command does work:
sharphound.exe -d domain.name --CSVFolder c:\output\path

This is the same issue with -p and --CSVPrefix flags.

Sharphound potential denial of service due to unoptimized LDAP query

I have created BloodHoundAD/SharpHound#40 with a fix for a potential DoS attack in bigger environments with large AD databases.

The query triggered by Util.cs Line 261 "entry = DoSearch($"(securityidentifier={dSid})", SearchScope.Subtree, new[] { "cn" }, useGc: true)" will iterate through every object for the whole directory partition. What's even worse is that there is no negative caching, meaning that the query will be fired up multiple times even if it did not return any results.

Using SharpHound on a computer that did not join the domain

I have multiple valid domain user credentials, but no access to a domain joined computer.

Now I'm trying to run SharpHound on a Windows VM (that did not join the domain), but BloodHound does not allow me to specify the credential (the only options are for Neo4j REST APIs).

Any ideas?

Unhandled Exception when using the CollectionMethods Group,ObjectProps

Used Version: BloodHound 2.0.5
OS: Win10

When calling SharpHound with the following command I get an unhandled exception:

& .\SharpHound.exe --CollectionMethod Group,ObjectProps

SharpHound.exe : 
Au caractère C:\Users\tgien\Desktop\\BloodHound\BloodHound-win32-x64\resources\app\Ingestors\StartSharpHoundDebug.ps1:1 : 1
+ & .\SharpHound.exe --CollectionMethod Group,ObjectProps
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Unhandled Exception:
 
System.AggregateException: AggregateException_ctor_DefaultMessage ---> System.ArgumentNullException: Value cannot be null.
Parameter name: String
   at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)
   at System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info)
   at Sharphound2.Enumeration.ObjectPropertyHelpers.GetProps(SearchResultEntry entry, ResolvedEntry resolved, Domain& obj)
   at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass19_0.<StartRunner>b__0()
   at System.Threading.Tasks.Task.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout)
   at System.Threading.Tasks.Task.WaitAll(Task[] tasks)
   at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
   at Sharphound2.Sharphound.Main(String[] args)
---> (Inner Exception #0) System.ArgumentNullException: Value cannot be null.
Parameter name: String
   at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)
   at System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info)
   at Sharphound2.Enumeration.ObjectPropertyHelpers.GetProps(SearchResultEntry entry, ResolvedEntry resolved, Domain& obj)
   at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass19_0.<StartRunner>b__0()
   at System.Threading.Tasks.Task.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()<---

Crash caused when specifying folder path for CSVFolder

You can cause SharpHound to crash with 'illegal characters' if the folder paths contain a trailing backslash for example:

sharphound.exe -d [domain] --CSVFolder "C:\new folder"
works

sharphound.exe -d [domain] --CSVFolder "C:\new folder\"
causes a crash

The following crash occurs:

Unhandled Exception: System.ArgumentException: Illegal characters in path.
at System.IO.Path.CheckInvalidPathChars(String path)
at System.IO.Path.Combine(String path1, String path2)
at Sharphound2.Cache..ctor(Options opts)
at Sharphound2.Cache.CreateInstance(Options opts)
at Sharphound2.Sharphound.Main(String[] args)

Here is a process dump of the crash for analysis:
https://www.dropbox.com/s/8ruboe3hadsvhty/SharpHound.exe_171204_114455.dmp?dl=1

UPDATE: If you escape the last backslash it doesn't crash. For example:

sharphound.exe -d [domain] --CSVFolder "C:\new folder\\"
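
Why the trailing backslash matters, as an added Python example (not part of the original issue or of SharpHound's code): it models the documented Microsoft C runtime quoting rules, under which a backslash directly before a double quote escapes the quote. It assumes SharpHound's Main receives its arguments split by those rules; the domain name and function names are constructed for illustration.

```python
# Characters .NET Framework rejects in a path (Path.GetInvalidPathChars):
# double quote, <, >, | and the control characters 0-31.
INVALID_PATH_CHARS = set('"<>|') | {chr(c) for c in range(32)}


def split_windows_args(cmdline):
    """Split a command line using the documented MSVC runtime rules:
    - whitespace separates arguments unless inside double quotes
    - 2n backslashes + '"'   -> n backslashes, and the quote toggles quoting
    - 2n+1 backslashes + '"' -> n backslashes, and a literal '"'
    - backslashes not followed by '"' are kept literally
    """
    args, cur = [], []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')          # escaped quote stays in the value
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)     # plain backslashes, e.g. C:\dir
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def illegal_chars(value):
    """Return the characters in value that would fail a path validity check."""
    return sorted(set(value) & INVALID_PATH_CHARS)


def analyse(cmdline):
    """Return (folder value as the program sees it, illegal characters in it)."""
    argv = split_windows_args(cmdline)
    folder = argv[argv.index("--CSVFolder") + 1]
    return folder, illegal_chars(folder)


# Constructed command lines mirroring the three cases in the issue.
CASES = {
    "no trailing backslash":
        r'sharphound.exe -d corp.example --CSVFolder "C:\new folder"',
    "trailing backslash":
        r'sharphound.exe -d corp.example --CSVFolder "C:\new folder\"',
    "escaped trailing backslash":
        r'sharphound.exe -d corp.example --CSVFolder "C:\new folder\\"',
}

if __name__ == "__main__":
    for label, line in CASES.items():
        folder, bad = analyse(line)
        print(f"{label:28} -> {folder!r:22} illegal: {bad}")
```

In the middle case the value that reaches the path check ends in a literal double quote, which matches the "Illegal characters in path" exception in the stack trace; trimming a trailing quote or validating the folder argument before combining paths avoids the crash.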

Sharphound denial of service due to inefficient LDAP query in LocalGroupHelpers.cs

https://github.com/BloodHoundAD/SharpHound/blob/master/Sharphound2/Enumeration/LocalGroupHelpers.cs#L748 in a small AD environment will not produce a noticeable impact, but in larger enterprise environments this will generate hugely inefficient LDAP queries that will consume CPU resources and ultimately result in a denial of service on the target server. A better method would be to utilise GPMgmt.GPM (RSAT GPMC tools) which will provide near instant results. I do not have a C# example for you as I am not a C# coder. But I have a PowerShell example.

# GUID of the GPO whose links should be resolved (placeholder value)
$GPOGUID = "11111111-2222-3333-4444-555555555555"
# Group Policy Management COM interface (installed with the RSAT GPMC tools)
$gpm = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
# Bind to the current user's DNS domain through the PDC emulator
$GPODomain = $gpm.GetDomain($env:USERDNSDOMAIN,$null,$constants.UsePDC)
# Look up the GPO object by its ID
$gpmSearchCriteria = $gpm.CreateSearchCriteria()
$gpmSearchCriteria.Add($constants.SearchPropertyGPOID,$constants.SearchOpEquals,"{$($GPOGUID)}")
$GPO = $GPODomain.SearchGPOs($gpmSearchCriteria) | Select-Object -First 1
# Find every scope of management (SOM) that links this GPO
$gpmSearchCriteria = $gpm.CreateSearchCriteria()
$gpmSearchCriteria.Add($constants.SearchPropertySOMLinks,$constants.SearchOpContains,$GPO)
$somlist = $GPODomain.SearchSOMs($gpmSearchCriteria)
$somlist

Below is a side by side of the difference between the 2 methods in a test environment. GPMgmt.GPM vs. LDAP is almost 100x quicker. In larger environments the time taken and impact from the inefficient LDAP query will be exponentially worse.

somlist-vs-ldap

GPOs with multiple owners

Hi,

We noticed that BloodHound gives an incorrect output; it shows that multiple users own 1 policy, which is not possible.

The following tool is used: https://www.microfocus.com/en-us/products/netiq-group-policy-administrator/overview and might be causing some issues.

PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-GPO -Name "Default Domain Controllers Policy" 

DisplayName      : Default Domain Controllers Policy
DomainName       : xxxxxxxxx
Owner            : XXX\FUNCTIONAL_ACCOUNT
Id               : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 20/04/2002 10:46:22 AM
ModificationTime : 13/12/2018 11:03:36 AM
UserVersion      : AD Version: 10, SysVol Version: 10
ComputerVersion  : AD Version: 179, SysVol Version: 179
WmiFilter        : 

Huge memory usage when -Stealth option is used

Hi,

I am running the latest release of Invoke-BloodHound ingestor and I am experiencing a huge memory usage in my test environment.

PS C:\Users\Public\phra> Invoke-BloodHound -CollectionMethod All -Stealth -StatusInterval 60000 -ExcludeDc
Initializing BloodHound at 11:51 on 9-4-2019
Note: All stealth options are single threaded
Note: You specified Stealth and LocalGroup which is equivalent to GPOLocalGroup
Resolved Collection Methods to Group, GPOLocalGroup, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM
Starting Stealth Enumeration for contoso.com
Status: 55 objects enumerated (+55 0,9166667/s --- Using 169 MB RAM )
Status: 55 objects enumerated (+0 0,4365079/s --- Using 280 MB RAM )
Status: 112 objects enumerated (+57 0,6021506/s --- Using 164 MB RAM )
Status: 2374 objects enumerated (+2262 9,650407/s --- Using 361 MB RAM )
Status: 5490 objects enumerated (+3115 17,94118/s --- Using 658 MB RAM )
Status: 8500 objects enumerated (+3010 23,22404/s --- Using 874 MB RAM )
Status: 11050 objects enumerated (+2550 25,93897/s --- Using 1104 MB RAM )
Status: 14000 objects enumerated (+2950 28,80659/s --- Using 1389 MB RAM )
Status: 17302 objects enumerated (+3302 31,68864/s --- Using 1667 MB RAM )
Status: 20733 objects enumerated (+3431 34,21287/s --- Using 1950 MB RAM )
Status: 24226 objects enumerated (+3493 36,37537/s --- Using 2261 MB RAM )
Status: 27710 objects enumerated (+3483 38,16805/s --- Using 2554 MB RAM )
Status: 30661 objects enumerated (+2951 39,00891/s --- Using 2733 MB RAM )
Status: 33259 objects enumerated (+2598 39,31324/s --- Using 2958 MB RAM )
Status: 36000 objects enumerated (+2741 39,7351/s --- Using 3248 MB RAM )
Status: 38706 objects enumerated (+2706 40,06832/s --- Using 3405 MB RAM )
Status: 40568 objects enumerated (+1862 39,53996/s --- Using 3600 MB RAM )
Status: 43144 objects enumerated (+2576 39,72744/s --- Using 3835 MB RAM )
Status: 46205 objects enumerated (+3061 40,3185/s --- Using 4064 MB RAM )
Status: 49500 objects enumerated (+3295 41,04478/s --- Using 4268 MB RAM )
Status: 52307 objects enumerated (+2807 41,31675/s --- Using 4570 MB RAM )
Status: 55437 objects enumerated (+3130 41,80769/s --- Using 4773 MB RAM )
Status: 58375 objects enumerated (+2937 42,1176/s --- Using 4971 MB RAM )
Status: 61177 objects enumerated (+2802 42,30775/s --- Using 5215 MB RAM )
Status: 64167 objects enumerated (+2989 42,60757/s --- Using 5475 MB RAM )
Status: 67000 objects enumerated (+2833 42,78416/s --- Using 5641 MB RAM )
Status: 69500 objects enumerated (+2500 42,71666/s --- Using 5882 MB RAM )
Status: 72389 objects enumerated (+2889 42,9099/s --- Using 6112 MB RAM )
Doing stealth session enumeration
Status: 72806 objects enumerated (+417 42,90277/s --- Using 6168 MB RAM )
Finished stealth enumeration for contoso.com in 00:28:17.3126623
0 hosts failed ping. 0 hosts timedout.

SessionLoop Ctrl+C makes session.json file unrecognized

Hi!

Faced problem, where I had to stop loop after some 20+h (with Ctrl+C). This gave me ~30MB sessions.json file, which BloodHound refused to load in, throwing error: "Unrecognized file".

Problem is due to file truncation (wasn't added necessary JSON closing symbols as well as meta tree). I was able to recover file format by parsing this file in python. If anyone faced the same problem, here's the algorithm:

  1. Add trailing brackets to file contents: ']}'
  2. Parse as json (jsondict = json.loads(file_contents))
  3. Count sessions (len(jsondict['sessions']))
  4. Remove trailing '}', add meta tree (,"meta":{"count":,"type":"sessions"}})

After that BloodHound takes the collected data.

It would be nice to implement exception catching logic during SessionLoop, so if Ctrl+C happens, SharpHound performs necessary formatting by itself.

P.S.
Thanks for your work! Beautiful tool!
You're pushing industry in correct direction!

Dmitry
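
The recovery steps from the issue above, as an added Python example (not part of the original post or of SharpHound). It goes one step further than the post by also dropping a final record that was cut off mid-write; the function name and the record fields in the sample data are constructed.

```python
import json


def repair_sessions_json(text):
    """Rebuild a truncated sessions file.

    Expects text that starts like {"sessions":[ {...},{...}  and may stop
    anywhere after that. Returns (repaired_json_text, record_count).
    """
    start = text.find("[")
    if start == -1 or '"sessions"' not in text[:start]:
        raise ValueError("input does not look like a sessions file")

    decoder = json.JSONDecoder()
    records = []
    pos, end = start + 1, len(text)
    while True:
        # Skip separators between array elements.
        while pos < end and text[pos] in " \t\r\n,":
            pos += 1
        # Stop at end of input or at an array close that did get written.
        if pos >= end or text[pos] == "]":
            break
        try:
            # raw_decode parses exactly one JSON value starting at pos and
            # returns the index just past it.
            record, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            # Incomplete trailing record from the interrupted write: drop it.
            break
        records.append(record)

    # Re-emit with the closing brackets and the meta tree described in the
    # issue: "meta":{"count":<n>,"type":"sessions"}
    repaired = {
        "sessions": records,
        "meta": {"count": len(records), "type": "sessions"},
    }
    return json.dumps(repaired), len(records)


# Constructed sample data; field names are illustrative only.
CLEAN_CUT = (
    '{"sessions":['
    '{"UserName":"ALICE@CORP.EXAMPLE","ComputerName":"WS01.CORP.EXAMPLE","Weight":1},'
    '{"UserName":"BOB@CORP.EXAMPLE","ComputerName":"WS02.CORP.EXAMPLE","Weight":1}'
)
MID_RECORD_CUT = CLEAN_CUT + ',{"UserName":"CAROL@CORP.EXAMPLE","Compu'

if __name__ == "__main__":
    for name, sample in (("clean cut", CLEAN_CUT), ("mid-record cut", MID_RECORD_CUT)):
        fixed, count = repair_sessions_json(sample)
        print(f"{name}: recovered {count} records, {len(fixed)} bytes")
```

For a file in the tens of megabytes this still loads everything into memory once, which matches the approach in the post.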

Issue pulling rights from AD

My system is a part of the domain and when running sharphound to map out structure I do not see RDP privileges. The following is the syntax that I use along with the message that is shown after running it.
\SharpHound.exe -d domain.org
Initializing BloodHound at 12:07 PM on 9/25/2019
LDAP connection test failed, probably can't contact domain

Any suggestions would be greatly appreciated.

Any reason you used RawSecurityDescriptor and not ActiveDirectorySecurity ?

When reading your source code, I found out you were using RawSecurityDescriptor which is a little difficult to use.
Is there any reason you used this class instead of ActiveDirectorySecurity?

Indeed, you can get it through:
SearchResult.GetDirectoryEntry().ObjectSecurity

As an alternative, you can use:
ActiveDirectorySecurity sd = new ActiveDirectorySecurity();
sd.SetSecurityDescriptorBinaryForm(binaryData);

Vincent

Exception

When I open a powershell session (enter-pssession) to a remote system and execute SharpHound on the remote system it hangs for a few minutes before returning the below exception. Otherwise, if I run it locally on my machine it works fine. Same network.

Initializing BloodHound at 11:08 AM on 9/22/2017
Starting enumeration for xxxxxxxx
.\SharpHound.exe :
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Unhandled Exception:
System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at Sharphound2.Utils.GetDomainSid(String domainName)
at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
at Sharphound2.Sharphound.Main(String[] args)

Sharphound doesn't enumerate anything

PS C:\BloodHound\Ingestors> .\SharpHound.exe
Initializing BloodHound at 12:21 PM on 10/18/2017
Starting Default enumeration for example.net
Status: 0 objects enumerated (+0 0/s --- Using 53 MB RAM )
Status: 0 objects enumerated (+0 0/s --- Using 32 MB RAM )
Finished enumeration for example.net in 00:01:00.8284660
0 hosts failed ping. 0 hosts timedout.

The only file that gets generated is a 131 byte BloodHound.bin file. The old ingestor worked. What is going wrong?

SessionLoop error System.Console.get_KeyAvailable()

OS:
Windows 2008 R2 Enterprise

Build:
Public Release SharpHound 2.1 Mar 14,2019, 5:25PM GMT-5

AV:
No

Software:
CS 3.13 beacon 32 bits

Command line:
shell SharpHound.exe -c SessionLoop --MaxLoopTime 2h --LoopDelay 600

[*] Tasked beacon to run: SharpHound.exe -c SessionLoop --MaxLoopTime 2h --LoopDelay 600
[+] host called home, sent: 93 bytes
[+] received output:
Initializing BloodHound at 11:02 on 02/04/2019

Session Loop mode specified. Looping will end on 02/04/2019 at 13:02
Looping will start after any other collection methods
Resolved Collection Methods to SessionLoop
Starting Enumeration for testing.local
Status: 1318 objects enumerated (+1318 Infinito/s --- Using 60 MB RAM )
Finished enumeration for testing.local in 00:00:00.4436419
0 hosts failed ping. 0 hosts timedout.
Starting Session Loop Mode.
Status: 472 objects enumerated (+422 8,137931/s --- Using 86 MB RAM
Status: 1318 objects enumerated (+1 5,293173/s --- Using 54 MB RAM )
Finished enumeration for testing.local in 00:04:09.8017908
X hosts failed ping. X hosts timedout.

Unhandled Exception: System.InvalidOperationException: Cannot see if a key has been pressed when either application does not have a console or when console input has been redirected from a file. Try Console.In.Peek.

at System.Console.get_KeyAvailable()

at Sharphound2.Enumeration.EnumerationRunner.StartSessionLoopEnumeration()

at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()

at Sharphound2.Sharphound.Main(String[] args)

Command Line Used:
execute-assembly /root/SharpHound.exe -c SessionLoop --MaxLoopTime 2h --LoopDelay 600

....................
....................
Status: 1318 objects enumerated (+1 5,293173/s --- Using 54 MB RAM )
Finished enumeration for testing.local in 00:04:09.8017908
X hosts failed ping. X hosts timedout.
[-] Invoke_3 on EntryPoint failed.

I think the error is something with this

https://github.com/BloodHoundAD/SharpHound/blob/master/Sharphound2/Enumeration/EnumerationRunner.cs#L461

or maybe this

https://github.com/BloodHoundAD/SharpHound/blob/master/Sharphound2/Enumeration/EnumerationRunner.cs#L567

Sharphound -> Unhandled Exception: The specified domain does not exist or cannot be contacted.

Not sure - maybe a linked domain (with trust) doesn't exist or respond? Sharphound was executed with defaults (i.e.: no args).


Status: 21310 objects enumerated (+230 20.23742/s --- Using 70 MB RAM )
Status: 21612 objects enumerated (+302 19.95568/s --- Using 68 MB RAM )
Status: 22024 objects enumerated (+412 19.78796/s --- Using 69 MB RAM )
Status: 22043 objects enumerated (+19 19.28521/s --- Using 55 MB RAM )
Status: 22043 objects enumerated (+0 18.79199/s --- Using 55 MB RAM )
Status: 22043 objects enumerated (+0 18.32336/s --- Using 49 MB RAM )
Status: 22043 objects enumerated (+0 17.87753/s --- Using 49 MB RAM )
Status: 22043 objects enumerated (+0 17.45289/s --- Using 49 MB RAM )
Status: 22044 objects enumerated (+1 17.04872/s --- Using 48 MB RAM )
Status: 22044 objects enumerated (+0 16.66213/s --- Using 45 MB RAM )

Unhandled Exception: System.AggregateException: AggregateException_ctor_DefaultMessage ---> System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Sharphound2.Utils.GetDomain(String domainName)
at Sharphound2.Utils.ResolveHost(String hostName)
at Sharphound2.Enumeration.SessionHelpers.d__8.MoveNext()
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks)
at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
at Sharphound2.Sharphound.Main(String[] args)
---> (Inner Exception #0) System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Sharphound2.Utils.GetDomain(String domainName)
at Sharphound2.Utils.ResolveHost(String hostName)
at Sharphound2.Enumeration.SessionHelpers.d__8.MoveNext()
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()<---

---> (Inner Exception #1) System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Sharphound2.Utils.GetDomain(String domainName)
at Sharphound2.Utils.ResolveHost(String hostName)
at Sharphound2.Enumeration.SessionHelpers.d__8.MoveNext()
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()<---

ForeignSecurityPrincipals not collected

I have encountered the following issue:
Having a user from a foreign Domain (doesn't matter if same/foreign Forest) in a security group, SharpHound does not collect that user and write it into the .json file, thus not showing up in the database.

To be precise, my case looks like this:
I have Forest A with domain1.com and subdomain sub.domain1.com
And Forest B with domain2.com.
There's a 2-way trust configured between both Forests.
User john from domain2.com is member of the Administrators group in sub.domain1.com.

SharpHound does not collect any information about user john being in the Administrators group.
Running Sharphound with --debug -c Group --LdapFilter "(distinguishedname=CN=Administrators,CN=Builtin,DC=sub,DC=domain1,DC=com)" shows that SharpHound is actually fetching the information ("Creating SecurityIdentifier from SID" and next resolving the foreign domain), but does not write it into the .json.

According to BlueCookieMonster from Slack, ForeignSecurityPrincipal collection is only working if it's done in a user context from the parent domain.

Feature request: Make host-unique randomized cache file names

Hi,

According to my field experience, the default artifact's name raises an immediate alert from various EDR/HIPS agents, like FireEye HX. I'd like to propose a way to generate a host-dependent unique name, that would be for instance generated from a tuple of ($Env:Hostname, $Env:Username, $Env:Userdnsdomain). Such a tuple could then be fed to some kind of hashing/mangling function that would create a randomized cache file, effectively bypassing simple artifact-based HIPS rules.

CacheFile - Filename for the Sharphound cache. (Default: BloodHound.bin)

SharpHound should continue run on exception

Just tested SharpHound on a large domain, super large.

And SharpHound just quit upon System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException exception?

Perhaps it should continue to run

Complete output:

Status: 178 objects enumerated (+178 4.810811/s --- Using 72 MB RAM )
Status: 7172 objects enumerated (+6993 107.0448/s --- Using 109 MB RAM )
Status: 26169 objects enumerated (+18997 269.7835/s --- Using 88 MB RAM )
Status: 75899 objects enumerated (+49730 597.6299/s --- Using 126 MB RAM )
Status: 114979 objects enumerated (+39079 732.3503/s --- Using 172 MB RAM )
Status: 169889 objects enumerated (+54905 908.4973/s --- Using 226 MB RAM )
Status: 170844 objects enumerated (+955 787.2996/s --- Using 221 MB RAM )
Status: 170955 objects enumerated (+111 692.1255/s --- Using 221 MB RAM )
Status: 171235 objects enumerated (+280 618.1769/s --- Using 221 MB RAM )
Status: 172495 objects enumerated (+1260 561.873/s --- Using 226 MB RAM )
Status: 178632 objects enumerated (+6137 530.0653/s --- Using 231 MB RAM )
Status: 178632 objects enumerated (+0 486.7357/s --- Using 230 MB RAM )
Status: 180088 objects enumerated (+1456 453.6222/s --- Using 226 MB RAM )
Status: 180089 objects enumerated (+1 421.7541/s --- Using 224 MB RAM )
Status: 180089 objects enumerated (+0 394.0678/s --- Using 225 MB RAM )
Status: 180089 objects enumerated (+0 369.7926/s --- Using 224 MB RAM )
Status: 180089 objects enumerated (+0 348.3346/s --- Using 224 MB RAM )
Status: 180089 objects enumerated (+0 329.2303/s --- Using 224 MB RAM )
Status: 180091 objects enumerated (+2 312.1161/s --- Using 222 MB RAM )
Status: 180092 objects enumerated (+1 296.6919/s --- Using 221 MB RAM )
Status: 180092 objects enumerated (+0 282.719/s --- Using 222 MB RAM )
Status: 180092 objects enumerated (+0 270.003/s --- Using 221 MB RAM )
Status: 180092 objects enumerated (+0 258.3816/s --- Using 221 MB RAM )
Status: 180093 objects enumerated (+1 247.7208/s --- Using 220 MB RAM )
Status: 180093 objects enumerated (+0 237.9036/s --- Using 220 MB RAM )
Status: 180094 objects enumerated (+1 228.5457/s --- Using 219 MB RAM )
Status: 180094 objects enumerated (+0 220.1638/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 212.375/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 205.1185/s --- Using 72 MB RAM )
Status: 180094 objects enumerated (+0 198.3414/s --- Using 72 MB RAM )
Status: 180094 objects enumerated (+0 191.9979/s --- Using 72 MB RAM )
Status: 180094 objects enumerated (+0 186.0475/s --- Using 72 MB RAM )
Status: 180094 objects enumerated (+0 180.4549/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 175.1887/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 170.2212/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 165.5276/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 161.0859/s --- Using 73 MB RAM )
Status: 180094 objects enumerated (+0 156.8763/s --- Using 74 MB RAM )
Status: 180094 objects enumerated (+0 152.8811/s --- Using 74 MB RAM )
Status: 180094 objects enumerated (+0 149.0844/s --- Using 74 MB RAM )
Status: 180094 objects enumerated (+0 145.4717/s --- Using 74 MB RAM )
Status: 180094 objects enumerated (+0 142.03/s --- Using 74 MB RAM )

未处理的异常:  System.AggregateException: AggregateException_ctor_DefaultMessage
 ---> System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundExce
ption: 指定的域不存在,或无法与之取得联系。
   在 System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext
 context)
   在 Sharphound2.Utils.GetDomain(String domainName)
   在 Sharphound2.Utils.ResolveHost(String hostName)
   在 Sharphound2.Enumeration.SessionHelpers.<GetNetSessions>d__8.MoveNext()
   在 Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.<StartRunn
er>b__0()
   在 System.Threading.Tasks.Task.InnerInvoke()
   在 System.Threading.Tasks.Task.Execute()
   --- 内部异常堆栈跟踪的结尾 ---
   在 System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeou
t, CancellationToken cancellationToken)
   在 System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeou
t)
   在 System.Threading.Tasks.Task.WaitAll(Task[] tasks)
   在 Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
   在 Sharphound2.Sharphound.Main(String[] args)
---> (Inner Exception #0) System.DirectoryServices.ActiveDirectory.ActiveDirecto
ryObjectNotFoundException: 指定的域不存在,或无法与之取得联系。
   在 System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext
 context)
   在 Sharphound2.Utils.GetDomain(String domainName)
   在 Sharphound2.Utils.ResolveHost(String hostName)
   在 Sharphound2.Enumeration.SessionHelpers.<GetNetSessions>d__8.MoveNext()
   在 Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass14_0.<StartRunn
er>b__0()
   在 System.Threading.Tasks.Task.InnerInvoke()
   在 System.Threading.Tasks.Task.Execute()<---

CollectionMethod Objectprops crashes

When I try to collect ObjectProps the binary crashes. All other methods are working fine. I tried it under Windows 10, Windows Server 2012 R2 and Windows Server 2016. I get the same result on all systems.

PS C:\tmp> .\SharpHound.exe -c Objectprops --Verbose
Initializing BloodHound at 15:42 on 20.10.2017
Starting ObjectProps enumeration for example.com
Waiting for enumeration threads to finish
Status: 27 objects enumerated (+27 +unendlich/s --- Using 29 MB RAM )
Waiting for writer thread to finish

Unhandled Exception: System.AggregateException: AggregateException_ctor_DefaultMessage ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Sharphound2.OutputObjects.UserProp.StringToCsvCell(String str)
at Sharphound2.OutputObjects.UserProp.ToCsv()
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass16_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.Wait()
at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
at Sharphound2.Sharphound.Main(String[] args)
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
at Sharphound2.OutputObjects.UserProp.StringToCsvCell(String str)
at Sharphound2.OutputObjects.UserProp.ToCsv()
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass16_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()<---

Amaze all your friends with this small optimization

With a few code changes you can probably get your Group enumeration to go about 20x faster:

Finished enumeration for XXX.COM in 00:02:20.2612317

vs

Finished enumeration for XXX.COM in 00:00:05.3291053

Not sure about other queries - probably won't be as affected but will bring some additional speed gains.

At the moment you are recycling your LdapConnection for each query. Due to the way group membership is performed you are spinning up a new LdapConnection per group (in my domain that was only a small amount of groups, in large domains it can be tens of thousands+). Each LdapConnection has to do the whole Krb handshake on top of the ldap connection so it takes forever.

I just assigned conn to a local variable in Utils, made sure GetLdapConnection returned this value if it wasn't null, and stripped the using blocks around conn (in 3 places afaik). I haven't submitted a pull request as it was dirty, but it's something I would recommend looking into.

Edit: I am running from non-domain joined /netonly command prompt - maybe if you are domain joined the Krb ticket is recycled? so the delay isn't quite as big. Unsure - haven't tested :)

Edit2: You probably want some exception/error checking if that LdapConnection gets destroyed at any point.

Why doesn't SharpHound stop?

Status: 52786 objects enumerated (+0 18.12706/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2550s
Status: 52786 objects enumerated (+0 17.94222/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2580s
Status: 52786 objects enumerated (+0 17.7611/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2610s
Status: 52786 objects enumerated (+0 17.58361/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2640s
Status: 52786 objects enumerated (+0 17.40963/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2670s
Status: 52786 objects enumerated (+0 17.23906/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2700s
Status: 52786 objects enumerated (+0 17.0718/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2730s
Status: 52786 objects enumerated (+0 16.90775/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2760s
Status: 52786 objects enumerated (+0 16.74683/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2790s
Status: 52786 objects enumerated (+0 16.58894/s --- Using 59 MB RAM )
Still processing computer - hahah.edu.edu: 2820s
Status: 52786 objects enumerated (+0 16.434/s --- Using 59 MB RAM )

Always hangs on a computer? What happened?

Feature request: create output files for all requested options, even if it's empty

Situation: I'm doing a ComputerOnly collection which includes Session collection. Therefore, I expect to get a ..._sessions.json file in the output zip.
Observed: the "sessions" file is missing. The reason being that no session was found so the file was not created.
Expected: since I've asked SharpHound to perform sessions collection, I expected to get a sessions file, even if it's just empty.

I understand why it's that way, but it makes one wonder if it's a bug or normal.

Expert Info (Warning/Malformed): BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected

I seem to run in a loop if I use sharphound (any version, any syntax).

Doesn't really matter which syntax I use, I always get the LDAPMessage when I sniff the LDAP traffic with Wireshark:

Expert Info (Warning/Malformed): BER Error: Sequence expected but class:UNIVERSAL(0) primitive tag:5 was unexpected

SharpHound.exe --debug -v
Debug Mode activated!
Initializing BloodHound at 2:18 PM on 4/4/2019
Found usable Domain Controller for somedomain.net : ADSERVER.somedomain.net
Resolved Collection Methods to Group, LocalAdmin, Session, Trusts, RDP, DCOM
Starting Enumeration for csmglobal.net
Debug: Creating connection
Debug: Getting search request
Debug: Creating page control
Debug: Starting loop

After the loop I see several minutes of timeout and after this very limited LDAP traffic.

Sharphound ignores inherited "Reset password"-access when applied via OU to "Descendant User objects"

Sharphound.exe: 80F8EDE906A1237FBE6DA83591A66C0A1EA75B0EF1D8CCDDCD67C3BA1498057C (latest)

This works and is written to the csv:
Access: Write all properties
Applies to: this object and all descendant objects

Access: "Reset password".
Applies to: this object only

The following permissions are ignored and not written to the csv:

Access: "Reset password"
Applies to: Descendant User objects

The same seems to apply to situations where the permissions are set to apply to "Descendant Computer objects".
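For anyone auditing delegated password-reset rights, the following added example (not SharpHound's code and not from the reporter) models the "Applies to" cases listed in this report and resolves which trustees can reset passwords at a given depth below the OU. The trustee names and sample ACEs are constructed, and class matching is simplified to a single class GUID per target object.

```python
from dataclasses import dataclass
from typing import List, Optional

# ACE header flags (MS-DTYP)
CONTAINER_INHERIT_ACE = 0x02      # ACE is copied to child objects
NO_PROPAGATE_INHERIT_ACE = 0x04   # ...but only to direct children
INHERIT_ONLY_ACE = 0x08           # ACE is not effective on the object that holds it

# Directory access rights
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # extended rights

# Schema GUIDs: the extended right and the object classes used as InheritedObjectType
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"


@dataclass(frozen=True)
class Ace:
    """One allow ACE as it is stored on the OU (hypothetical container type)."""
    trustee: str
    mask: int
    flags: int
    object_type: Optional[str] = None            # which right/property
    inherited_object_type: Optional[str] = None  # which class of descendant


def grants_reset_password(ace: Ace) -> bool:
    """Control-access ACE naming Reset Password, or all extended rights."""
    if not ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        return False
    return ace.object_type is None or ace.object_type.lower() == RESET_PASSWORD


def effective_on(ace: Ace, depth: int, target_class: str) -> bool:
    """depth 0 is the OU itself, 1 a direct child, 2 a grandchild, and so on.

    Simplification (assumption): the target is matched on one class GUID only.
    """
    if depth == 0:
        return not ace.flags & INHERIT_ONLY_ACE
    if not ace.flags & CONTAINER_INHERIT_ACE:
        return False
    if depth > 1 and ace.flags & NO_PROPAGATE_INHERIT_ACE:
        return False
    iot = ace.inherited_object_type
    return iot is None or iot.lower() == target_class.lower()


def reset_password_trustees(aces: List[Ace], depth: int, target_class: str) -> List[str]:
    """Trustees whose OU-level ACE lets them reset the target's password."""
    return sorted({a.trustee for a in aces
                   if grants_reset_password(a) and effective_on(a, depth, target_class)})


# Constructed sample: the delegation cases from the report, all set on one OU.
DESCENDANTS_ONLY = CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE
SAMPLE_OU_ACES = [
    # "Write all properties", this object and all descendant objects
    Ace("prop-writer", ADS_RIGHT_DS_WRITE_PROP, CONTAINER_INHERIT_ACE),
    # "Reset password", this object only
    Ace("helpdesk-a", ADS_RIGHT_DS_CONTROL_ACCESS, 0, RESET_PASSWORD),
    # "Reset password", Descendant User objects
    Ace("helpdesk-b", ADS_RIGHT_DS_CONTROL_ACCESS, DESCENDANTS_ONLY,
        RESET_PASSWORD, USER_CLASS),
    # "Reset password", Descendant Computer objects
    Ace("helpdesk-c", ADS_RIGHT_DS_CONTROL_ACCESS, DESCENDANTS_ONLY,
        RESET_PASSWORD, COMPUTER_CLASS),
]

if __name__ == "__main__":
    for cls, name in ((USER_CLASS, "user"), (COMPUTER_CLASS, "computer")):
        print(name, reset_password_trustees(SAMPLE_OU_ACES, 2, cls))
```

An ACL audit that only reads ACEs without an InheritedObjectType, or only those effective on the OU itself, would miss helpdesk-b and helpdesk-c in this sample.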

Sharphound crash

When rerunning sharphound against the same domain a 2nd time:

Unhandled Exception: System.AggregateException: AggregateException_ctor_DefaultMessage ---> System.ArgumentException: Item has already been added. Key in dictionary: 'rootdomainnamingcontext' Key being added: 'rootdomainnamingcontext'
at System.Collections.Hashtable.Insert(Object key, Object nvalue, Boolean add)
at System.Collections.Hashtable.SyncHashtable.Add(Object key, Object value)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at System.DirectoryServices.ActiveDirectory.Domain.get_Forest()
at Sharphound2.Utils.GetForest(String domain)
at Sharphound2.Enumeration.AclHelpers.GetObjectAces(SearchResultEntry entry, ResolvedEntry resolved, Gpo& g)
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass19_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks)
at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration()
at Sharphound2.Sharphound.Main(String[] args)
---> (Inner Exception #0) System.ArgumentException: Item has already been added. Key in dictionary: 'rootdomainnamingcontext' Key being added: 'rootdomainnamingcontext'
at System.Collections.Hashtable.Insert(Object key, Object nvalue, Boolean add)
at System.Collections.Hashtable.SyncHashtable.Add(Object key, Object value)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at System.DirectoryServices.ActiveDirectory.Domain.get_Forest()
at Sharphound2.Utils.GetForest(String domain)
at Sharphound2.Enumeration.AclHelpers.GetObjectAces(SearchResultEntry entry, ResolvedEntry resolved, Gpo& g)
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass19_0.b__0()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()<---

Unhandled Exception: AggregateException_ctor_DefaultMessage

Some part of the Default collection methods crash for a rather large domain. I started the collection on a non-domain workstation by using runas. Collecting just the Groups works.
Running sharphound version 2.1.0.

.\SharpHound.exe --Domain "my.domain" --Verbose --StatusInterval 10000

...
Status: 175701 objects enumerated (+1703 81.41844/s --- Using 229 MB RAM )
Status: 181865 objects enumerated (+6164 83.88607/s --- Using 238 MB RAM )
Status: 186061 objects enumerated (+4195 85.42746/s --- Using 275 MB RAM )
Waiting for enumeration threads to finish
Status: 187378 objects enumerated (+1317 85.63894/s --- Using 224 MB RAM )
Status: 187378 objects enumerated (+0 85.24932/s --- Using 224 MB RAM )
Status: 187378 objects enumerated (+0 84.86323/s --- Using 223 MB RAM )
Status: 187378 objects enumerated (+0 84.48061/s --- Using 223 MB RAM )
Status: 187378 objects enumerated (+0 84.10143/s --- Using 223 MB RAM )
Status: 187378 objects enumerated (+0 83.72565/s --- Using 223 MB RAM )
Status: 187378 objects enumerated (+0 83.3532/s --- Using 223 MB RAM )

Unhandled Exception: System.AggregateException: AggregateException_ctor_DefaultMessage ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Sharphound2.Enumeration.TrustHelpers.DoTrustEnumeration(ResolvedEntry resolved, Domain& obj) in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Enumeration\TrustHelpers.cs:line 97
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass22_0.b__0() in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Enumeration\EnumerationRunner.cs:line 1183
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks, Int32 millisecondsTimeout)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks)
at Sharphound2.Enumeration.EnumerationRunner.StartEnumeration() in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Enumeration\EnumerationRunner.cs:line 657
at Sharphound2.Sharphound.Main(String[] args) in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Sharphound.cs:line 701
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
at Sharphound2.Enumeration.TrustHelpers.DoTrustEnumeration(ResolvedEntry resolved, Domain& obj) in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Enumeration\TrustHelpers.cs:line 97
at Sharphound2.Enumeration.EnumerationRunner.<>c__DisplayClass22_0.b__0() in C:\Users\rvazarkar\documents\visual studio 2017\Projects\Sharphound2\Sharphound2\Enumeration\EnumerationRunner.cs:line 1183
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()<---
