Pennyw0rth
Exception while calling proto_flow() on target dc01: 'NoneType' object is not subscriptable
Describe the bug While using the ldap module of nxc with kerberos, the mentioned error occurs. I tried it:
- with and without
--kdcHostflag - using fqdn, just the host name, the IP
- made sure time is synced
First I was trying the bloodhound module and it failed in the step of getting a TGT. So I thought maybe that's where the bug is, so I got the TGT myself with impacket toolkit and exported it in the KRB5CCNAME and then tried using the use-kcache flag to use the cached TGT but the same error occured again.
Note: This box requires you to use kerberos with ldap module. Maybe this info will help somehow.
To Reproduce
Steps to reproduce the behavior i.e.:
Command: netexec ldap dc01 -u 'ldap_monitor' -p '1GR8t@$$4u' --bloodhound -k -ns 10.129.229.114 --collection ALL --kdcHost dc01
Resulted in:
SMB dc01 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAPS dc01 636 DC01 [+] rebound.htb\ldap_monitor
LDAPS dc01 636 DC01 Resolved collection methods: dcom, session, psremote, acl, trusts, localadmin, rdp, objectprops, group, container
LDAPS dc01 636 DC01 Using kerberos auth without ccache, getting TGT
[18:48:57] ERROR Exception while calling proto_flow() on target dc01: 'NoneType' object is not subscriptable connection.py:127
╭───────────────────────────────────────────────────────── Traceback (most recent call last) ──────────────────────────────────────────────────────────╮
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:122 in __init__ │
│ │
│ 119 │ │ │ sleep(value) │
│ 120 │ │ │
│ 121 │ │ try: │
│ ❱ 122 │ │ │ self.proto_flow() │
│ 123 │ │ except Exception as e: │
│ 124 │ │ │ if "ERROR_DEPENDENT_SERVICES_RUNNING" in str(e): │
│ 125 │ │ │ │ self.logger.error(f"Exception while calling proto_flow() on target │
│ {self.host}: {e}") │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:180 in proto_flow │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/connection.py:201 in call_cmd_args │
│ │
│ 198 │ │ for attr, value in vars(self.args).items(): │
│ 199 │ │ │ if hasattr(self, attr) and callable(getattr(self, attr)) and value is not │
│ False and value is not None: │
│ 200 │ │ │ │ self.logger.debug(f"Calling {attr}()") │
│ ❱ 201 │ │ │ │ getattr(self, attr)() │
│ 202 │ │
│ 203 │ def call_modules(self): │
│ 204 │ │ """Calls modules and performs various actions based on the module's attributes. │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap.py:1387 in bloodhound │
│ │
│ 1384 │ │ bloodhound = BloodHound(ad, self.hostname, self.host, self.port) │
│ 1385 │ │ bloodhound.connect() │
│ 1386 │ │ │
│ ❱ 1387 │ │ bloodhound.run( │
│ 1388 │ │ │ collect=collect, │
│ 1389 │ │ │ num_workers=10, │
│ 1390 │ │ │ disable_pooling=False, │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/nxc/protocols/ldap/bloodhound.py:75 in run │
│ │ [20/1913]
│ 72 │ │ │ ) │
│ 73 │ │ │ # Initialize enumerator │
│ 74 │ │ │ membership_enum = MembershipEnumerator(self.ad, self.pdc, collect, │
│ disable_pooling) │
│ ❱ 75 │ │ │ membership_enum.enumerate_memberships(timestamp=timestamp, │
│ fileNamePrefix=fileNamePrefix) │
│ 76 │ │ elif "container" in collect: │
│ 77 │ │ │ # Fetch domains for later, computers if needed │
│ 78 │ │ │ self.pdc.prefetch_info( │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py:843 in enumerate_memberships │
│ │
│ 840 │ │ """ │
│ 841 │ │ Run appropriate enumeration tasks │
│ 842 │ │ """ │
│ ❱ 843 │ │ self.enumerate_users(timestamp, fileNamePrefix) │
│ 844 │ │ self.enumerate_groups(timestamp, fileNamePrefix) │
│ 845 │ │ if 'container' in self.collect: │
│ 846 │ │ │ self.do_container_collection(timestamp, fileNamePrefix) │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py:183 in enumerate_users │
│ │
│ 180 │ │ │ │ │ │ │ object_sid = │
│ self.addomain.computersidcache.get(target.lower()) │
│ 181 │ │ │ │ │ │ │ user['AllowedToDelegate'].append({ │
│ 182 │ │ │ │ │ │ │ │ 'ObjectIdentifier': object_sid, │
│ ❱ 183 │ │ │ │ │ │ │ │ 'ObjectType': ADUtils.resolve_ad_entry( │
│ 184 │ │ │ │ │ │ │ │ │ self.addomain.objectresolver.resolve_sid(object_sid) │
│ 185 │ │ │ │ │ │ │ │ )['type'], │
│ 186 │ │ │ │ │ │ │ }) │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/utils.py:278 in resolve_ad_entry │
│ │
│ 275 │ │ dn = '' │
│ 276 │ │ domain = '' │
│ 277 │ │ │
│ ❱ 278 │ │ account = ADUtils.get_entry_property(entry, 'sAMAccountName', '') │
│ 279 │ │ dn = ADUtils.get_entry_property(entry, 'distinguishedName', '') │
│ 280 │ │ if dn != '': │
│ 281 │ │ │ domain = ADUtils.ldap2domain(dn) │
│ │
│ /home/imhasin/.local/pipx/venvs/netexec/lib/python3.9/site-packages/bloodhound/ad/utils.py:362 in get_entry_property │
│ │
│ 359 │ │ │ if raw: │
│ 360 │ │ │ │ value = entry['raw_attributes'][prop] │
│ 361 │ │ │ else: │
│ ❱ 362 │ │ │ │ value = entry['attributes'][prop] │
│ 363 │ │ # Doesn't exist │
│ 364 │ │ except KeyError: │
│ 365 │ │ │ return default │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
TypeError: 'NoneType' object is not subscriptable
This same error occurs using the following command after getting and exporting the TGT myself.
netexec ldap dc01 -u 'ldap_monitor' -p '1GR8t@$$4u' --bloodhound -k -ns 10.129.229.114 --collection ALL --use-kcache --kdcHost dc01
Expected behavior The commands should go and grab TGT and then do the collection and zip them.
NetExec info
- netexec installed using pipx
- OS: ParrotOS, the pwnbox from HackTheBox
An interesting development:
I tried bloodhound-python to collect data and that is also failing. This could mean the problem is on the box's side.
└──╼ $bloodhound-python -d rebound.htb -c all -u ldap_monitor -p '1GR8t@$$4u' -ns 10.129.229.114 --zip
INFO: Found AD domain: rebound.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
Traceback (most recent call last):
File "/home/imhasin/.bp/bin/bloodhound-python", line 8, in <module>
sys.exit(main())
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/__init__.py", line 343, in main
bloodhound.run(collect=collect,
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/__init__.py", line 81, in run
membership_enum.enumerate_memberships(timestamp=timestamp, fileNamePrefix=fileNamePrefix)
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py", line 843, in enumerate_memberships
self.enumerate_users(timestamp, fileNamePrefix)
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/enumeration/memberships.py", line 183, in enumerate_users
'ObjectType': ADUtils.resolve_ad_entry(
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/ad/utils.py", line 278, in resolve_ad_entry
account = ADUtils.get_entry_property(entry, 'sAMAccountName', '')
File "/home/imhasin/.bp/lib/python3.9/site-packages/bloodhound/ad/utils.py", line 362, in get_entry_property
value = entry['attributes'][prop]
TypeError: 'NoneType' object is not subscriptable
Here's the error trying bloodhound-python.
I had the same error yesterday while running bloodhound against the DC02 (WINTERFELL) of the GOAD lab, but not against DC01 or DC03, i will try to dig into it, but maybe its related to bloodhound itself
As this is also applicable to the bloodhound-python project could you also open up an issue on dirk-jan's repository?
As this is also applicable to the bloodhound-python project could you also open up an issue on dirk-jan's repository?
Sure, I will. Thanks for taking the time!