Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exception while calling proto_flow() on target dc01: 'NoneType' object is not subscriptable #243

Open
imhasin opened this issue Apr 2, 2024 · 4 comments
Open

Exception while calling proto_flow() on target dc01: 'NoneType' object is not subscriptable #243

imhasin opened this issue Apr 2, 2024 · 4 comments
Labels
bug Something isn't working dependencies Pull requests that update a dependency file

Comments

@imhasin
Copy link

imhasin commented Apr 2, 2024
edited
Loading

Describe the bug
While using the ldap module of nxc with kerberos, the mentioned error occurs. I tried it:

  1. with and without --kdcHost flag
  2. using fqdn, just the host name, the IP
  3. made sure time is synced

First I was trying the bloodhound module and it failed in the step of getting a TGT. So I thought maybe that's where the bug is, so I got the TGT myself with impacket toolkit and exported it in the KRB5CCNAME and then tried using the use-kcache flag to use the cached TGT but the same error occured again.

Note: This box requires you to use kerberos with ldap module. Maybe this info will help somehow.

To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec ldap dc01 -u 'ldap_monitor' -p '1GR8t@$$4u' --bloodhound -k -ns 10.129.229.114 --collection ALL --kdcHost dc01
Resulted in:

SMB         dc01            445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)                                
LDAPS       dc01            636    DC01             [+] rebound.htb\ldap_monitor                                                                                                              
LDAPS       dc01            636    DC01             Resolved collection methods: dcom, session, psremote, acl, trusts, localadmin, rdp, objectprops, group, container                         
LDAPS       dc01            636    DC01             Using kerberos auth without ccache, getting TGT                                                                                           
[18:48:57] ERROR    Exception while calling proto_flow() on target dc01: 'NoneType' object is not subscriptable                                                              connection.py:127
                    ╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:122 in __init__                                                │                  
                    │                                                                                                                                                      │                  
                    │   119 │   │   │   sleep(value)                                                                                                                       │                  
                    │   120 │   │                                                                                                                                          │                  
                    │   121 │   │   try:                                                                                                                                   │                  
                    │ ❱ 122 │   │   │   self.proto_flow()                                                                                                                  │                  
                    │   123 │   │   except Exception as e:                                                                                                                 │                  
                    │   124 │   │   │   if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e):                                                                                   │                  
                    │   125 │   │   │   │   self.logger.error(f"Exception while calling proto_flow() on target                                                             │                  
                    │       {self.host}: {e}")                                                                                                                             │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:180 in proto_flow                                              │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:201 in call_cmd_args                                           │                  
                    │                                                                                                                                                      │                  
                    │   198 │   │   for attr, value in vars(self.args).items():                                                                                            │                  
                    │   199 │   │   │   if hasattr(self, attr) and callable(getattr(self, attr)) and value is not                                                          │                  
                    │       False and value is not None:                                                                                                                   │                  
                    │   200 │   │   │   │   self.logger.debug(f"Calling {attr}()")                                                                                         │                  
                    │ ❱ 201 │   │   │   │   getattr(self, attr)()                                                                                                          │                  
                    │   202 │                                                                                                                                              │                  
                    │   203 │   def call_modules(self):                                                                                                                    │                  
                    │   204 │   │   """Calls modules and performs various actions based on the module's attributes.                                                        │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap.py:1387 in bloodhound                                         │                  
                    │                                                                                                                                                      │                  
                    │   1384 │   │   bloodhound = BloodHound(ad, self.hostname, self.host, self.port)                                                                      │                  
                    │   1385 │   │   bloodhound.connect()                                                                                                                  │                  
                    │   1386 │   │                                                                                                                                         │                  
                    │ ❱ 1387 │   │   bloodhound.run(                                                                                                                       │                  
                    │   1388 │   │   │   collect=collect,                                                                                                                  │                  
                    │   1389 │   │   │   num_workers=10,                                                                                                                   │                  
                    │   1390 │   │   │   disable_pooling=False,                                                                                                            │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap/bloodhound.py:75 in run                                       │                  
                    │                                                                                                                                                      │         [20/1913]
                    │    72 │   │   │   )                                                                                                                                  │                  
                    │    73 │   │   │   # Initialize enumerator                                                                                                            │                  
                    │    74 │   │   │   membership_enum = MembershipEnumerator(self.ad, self.pdc, collect,                                                                 │                  
                    │       disable_pooling)                                                                                                                               │                  
                    │ ❱  75 │   │   │   membership_enum.enumerate_memberships(timestamp=timestamp,                                                                         │                  
                    │       fileNamePrefix=fileNamePrefix)                                                                                                                 │                  
                    │    76 │   │   elif "container" in collect:                                                                                                           │                  
                    │    77 │   │   │   # Fetch domains for later, computers if needed                                                                                     │                  
                    │    78 │   │   │   self.pdc.prefetch_info(                                                                                                            │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py:843 in enumerate_memberships               │                  
                    │                                                                                                                                                      │                  
                    │   840 │   │   """                                                                                                                                    │                  
                    │   841 │   │   Run appropriate enumeration tasks                                                                                                      │                  
                    │   842 │   │   """                                                                                                                                    │                  
                    │ ❱ 843 │   │   self.enumerate_users(timestamp, fileNamePrefix)                                                                                        │                  
                    │   844 │   │   self.enumerate_groups(timestamp, fileNamePrefix)                                                                                       │                  
                    │   845 │   │   if 'container' in self.collect:                                                                                                        │                  
                    │   846 │   │   │   self.do_container_collection(timestamp, fileNamePrefix)                                                                            │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py:183 in enumerate_users                     │                  
                    │                                                                                                                                                      │                  
                    │   180 │   │   │   │   │   │   │   object_sid =                                                                                                       │                  
                    │       self.addomain.computersidcache.get(target.lower())                                                                                             │                  
                    │   181 │   │   │   │   │   │   │   user['AllowedToDelegate'].append({                                                                                 │                  
                    │   182 │   │   │   │   │   │   │   │   'ObjectIdentifier': object_sid,                                                                                │                  
                    │ ❱ 183 │   │   │   │   │   │   │   │   'ObjectType': ADUtils.resolve_ad_entry(                                                                        │                  
                    │   184 │   │   │   │   │   │   │   │   │   self.addomain.objectresolver.resolve_sid(object_sid)                                                       │                  
                    │   185 │   │   │   │   │   │   │   │   )['type'],                                                                                                     │                  
                    │   186 │   │   │   │   │   │   │   })                                                                                                                 │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/utils.py:278 in resolve_ad_entry                                   │                  
                    │                                                                                                                                                      │                  
                    │   275 │   │   dn = ''                                                                                                                                │                  
                    │   276 │   │   domain = ''                                                                                                                            │                  
                    │   277 │   │                                                                                                                                          │                  
                    │ ❱ 278 │   │   account = ADUtils.get_entry_property(entry, 'sAMAccountName', '')                                                                      │                  
                    │   279 │   │   dn = ADUtils.get_entry_property(entry, 'distinguishedName', '')                                                                        │                  
                    │   280 │   │   if dn != '':                                                                                                                           │                  
                    │   281 │   │   │   domain = ADUtils.ldap2domain(dn)                                                                                                   │                  
                    │                                                                                                                                                      │                  
                    │ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/utils.py:362 in get_entry_property                                 │                  
                    │                                                                                                                                                      │                  
                    │   359 │   │   │   if raw:                                                                                                                            │                  
                    │   360 │   │   │   │   value = entry['raw_attributes'][prop]                                                                                          │                  
                    │   361 │   │   │   else:                                                                                                                              │                  
                    │ ❱ 362 │   │   │   │   value = entry['attributes'][prop]                                                                                              │                  
                    │   363 │   │   # Doesn't exist                                                                                                                        │                  
                    │   364 │   │   except KeyError:                                                                                                                       │                  
                    │   365 │   │   │   return default                                                                                                                     │                  
                    ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯                  
                    TypeError: 'NoneType' object is not subscriptable

This same error occurs using the following command after getting and exporting the TGT myself.
netexec ldap dc01 -u 'ldap_monitor' -p '1GR8t@$$4u' --bloodhound -k -ns 10.129.229.114 --collection ALL --use-kcache --kdcHost dc01

Expected behavior
The commands should go and grab TGT and then do the collection and zip them.

NetExec info

  • netexec installed using pipx
  • OS: ParrotOS, the pwnbox from HackTheBox
@imhasin
Copy link
Author

imhasin commented Apr 2, 2024

An interesting development:

I tried bloodhound-python to collect data and that is also failing. This could mean the problem is on the box's side.

└──╼ $bloodhound-python -d rebound.htb -c all -u ldap_monitor -p '1GR8t@$$4u' -ns 10.129.229.114 --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
Traceback (most recent call last):
  File "/home/imhasin/.bp/bin/bloodhound-python", line 8, in <module>
    sys.exit(main())
  File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/__init__.py", line 343, in main
    bloodhound.run(collect=collect,
  File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/__init__.py", line 81, in run
    membership_enum.enumerate_memberships(timestamp=timestamp, fileNamePrefix=fileNamePrefix)
  File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py", line 843, in enumerate_memberships
    self.enumerate_users(timestamp, fileNamePrefix)
  File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py", line 183, in enumerate_users
    'ObjectType': ADUtils.resolve_ad_entry(
  File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/ad/utils.py", line 278, in resolve_ad_entry
    account = ADUtils.get_entry_property(entry, 'sAMAccountName', '')
  File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/ad/utils.py", line 362, in get_entry_property
    value = entry['attributes'][prop]
TypeError: 'NoneType' object is not subscriptable

Here's the error trying bloodhound-python.

@NeffIsBack
Copy link
Contributor

I had the same error yesterday while running bloodhound against the DC02 (WINTERFELL) of the GOAD lab, but not against DC01 or DC03, i will try to dig into it, but maybe its related to bloodhound itself

@NeffIsBack NeffIsBack added the bug Something isn't working label Apr 2, 2024
@NeffIsBack
Copy link
Contributor

As this is also applicable to the bloodhound-python project could you also open up an issue on dirk-jan's repository?

@imhasin
Copy link
Author

imhasin commented Apr 2, 2024

As this is also applicable to the bloodhound-python project could you also open up an issue on dirk-jan's repository?

Sure, I will. Thanks for taking the time!

@imhasin imhasin mentioned this issue Apr 2, 2024
Open
@NeffIsBack NeffIsBack added the dependencies Pull requests that update a dependency file label Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@NeffIsBack @imhasin