TypeError: 'NoneType' object has no attribute 'extend' - Occurs trying to authenticate to LDAPS #167

Open
imhasin opened this issue Apr 2, 2024 · 8 comments

imhasin commented Apr 2, 2024

Describe the bug
Running bloodhound-python against one of the servers with the regular command, I faced the issue. I tried:

  1. using fqdn, just the host name, the IP
  2. made sure time is synced

To Reproduce

The following commands were used, and both times the same error occurs.

bloodhound-python -d rebound.htb -c all -u ldap_monitor -p '1GR8t@$$4u' -ns 10.129.229.114 --zip
bloodhound-python -u 'ldap_monitor' -p '1GR8t@$$4u' --dns-tcp -d rebound.htb -c all --zip -ns 10.129.229.114

Resulted in:

INFO: Found AD domain: rebound.htb
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
ERROR: Failure to authenticate with LDAP! Error 80090346: LdapErr: DSID-0C090726, comment: AcceptSecurityContext error, data 80090346, v4563
Traceback (most recent call last):
  File "/usr/local/bin/bloodhound-python", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/__init__.py", line 297, in main
    bloodhound.run(collect=collect,
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/__init__.py", line 73, in run
    self.pdc.prefetch_info('objectprops' in collect, 'acl' in collect)
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/ad/domain.py", line 393, in prefetch_info
    self.get_objecttype()
  File "/usr/local/lib/python3.9/dist-packages/bloodhound/ad/domain.py", line 225, in get_objecttype
    sresult = self.ldap.extend.standard.paged_search(self.ldap.server.info.other['schemaNamingContext'][0],
AttributeError: 'NoneType' object has no attribute 'extend'

bloodhound-python Info:

  1. It's set up using pip3 install bloodhound
  2. I tried setting it up in a Python virtual environment but got the same issue.
  3. OS: ParrotOS, pwnbox from HackTheBox

imhasin commented Apr 2, 2024

I have a similar issue running bloodhound collection using netexec. Here's the issue I opened there. Pennyw0rth/NetExec#243 (comment)

NeffIsBack commented Apr 2, 2024

I am running into a similar issue (besides the weird "Could not find Global Catalog in this domain" that I need to fix somehow):
image
image

EDIT: Now that I am looking at the error again it might be different though. Gonna try to get to the root cause later.

@NeffIsBack

Oh your stacktrace is different from the one you posted on NetExec:
Pennyw0rth/NetExec#243 (comment)
Pennyw0rth/NetExec#243 (comment)

The ones there have the exact same stacktrace as mine

Owner

dirkjanm commented Apr 3, 2024

The issue from the first post is triggered because likely both signing and channel binding are enforced, which is currently not supported by BloodHound.py. As a result, the authentication fails, and a stacktrace is triggered further in the code.
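
An added example, not part of the issue thread or of BloodHound.py's code: a small parser for the `LdapErr` line in the first post's output that maps its `data` field to a cause. `80090346` is `SEC_E_BAD_BINDINGS`, the SSPI channel binding failure; the function name, the code table and the second sample line are this example's own.

```python
import re

# Sub-status values found in the "data" field of AD LdapErr bind failures.
DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
    "80090346": "SEC_E_BAD_BINDINGS: channel binding token missing or incorrect",
}

LDAPERR = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)"
)

# Error line as it appears in the first post of this issue.
SAMPLE_FROM_ISSUE = (
    "ERROR: Failure to authenticate with LDAP! Error 80090346: LdapErr: "
    "DSID-0C090726, comment: AcceptSecurityContext error, data 80090346, v4563"
)
# Constructed sample (not from the issue): a plain wrong-password bind failure.
SAMPLE_CONSTRUCTED = (
    "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, "
    "data 52e, v2580"
)


def explain_ldaperr(line):
    """Return the parsed fields plus a meaning, or None if no LdapErr is present."""
    m = LDAPERR.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["data"] = info["data"].lower()
    info["meaning"] = DATA_CODES.get(info["data"], "unknown sub-status")
    # True means the server rejected the bind over channel binding, not credentials.
    info["channel_binding"] = info["data"] == "80090346"
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_ISSUE, SAMPLE_CONSTRUCTED):
        print(explain_ldaperr(sample))
```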

@NeffIsBack

Hi, the combination of signing and channel binding isn't supported with NTLM auth in netexec as well (turned them on for the sake of demonstration):
image

I also checked the settings and these are currently on negotiate signing and don't enforce binding:
image

@NeffIsBack

Also, user enumeration looks like it's working:
image

imhasin commented Apr 4, 2024

This is a link to a writeup on the same box in the same step using bloodhound-python. It works for some reason.

oxdf@hacky$ bloodhound-python -d rebound.htb -c all -u oorend -p '1GR8t@$$4u' -ns 10.10.11.231 --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: gmsa.rebound.htb
INFO: Querying computer: dc01.rebound.htb
INFO: Skipping enumeration for gmsa.rebound.htb since it could not be resolved.
INFO: Done in 00M 22S
INFO: Compressing output into 20240317211834_bloodhound.zip

And this is a video walkthrough of using netexec bloodhound module. It also works fine there.

@CSpanias

If you go further down on 0xdf's walkthrough (link directly above), it seems that it is something to do with the -c all method. If you change that it works as expected.

@NeffIsBack the same goes when executing it through NetExec!
