NH-RED-TEAM / RustHound

Active Directory data collector for BloodHound written in Rust. 🦀

Crashing when parsing group

shorefall opened this issue · comments

Love this tool
Any idea why it would crash multiple times when parsing groups?

Hello @shorefall,

Thanks!
Could you please copy/paste all the "panicked" lines?
I think I need to modify the Rust code to remove the unwrap() function.

Sure thing here it is:
[2022-12-12T11:17:33Z DEBUG rusthound::json::parser::bh_41] Parse group: CN=GUESTS,CN=BUILTIN,DC=x,DC=x thread 'main' panicked at 'called Result::unwrap() on an Err value: Error(Error { input: [140, 59,2......., 2, 0, 0], code: Switch })', src/enums/acl.rs:78:64 note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

Hope you can use that :)
Regular bloodhound.py isn't letting me authenticate for some reason so I would really appreciate if you got this to work.

Could you please run RustHound again with -vv for Trace output and with RUST_BACKTRACE set to 1.

export RUST_BACKTRACE=1 ; rusthound -d x.x (....) -vv

And could you please send me the 5 lines before the crash?

I would like to know if it crashes all the time on the same group?

Thanks!

Yes it crashes on the same group each time.

[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] SID for this ACE: domain-S-1-5-32-554
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] TYPE: 0x00
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] ACE MASK for ACETYPE 0x00: 4
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] SID for this ACE: domain-S-1-5-32-544
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] TYPE: 0x00
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] ACE MASK for ACETYPE 0x00: 983485
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] RESULT: [Object {"RightName": String("Owns"), "IsInherited": Bool(false), "PrincipalSID": String("S-1-5-21-114038840-737157106-355810188-512"), "PrincipalType": String("Base")}, Object {"RightName": String("GenericWrite"), "IsInherited": Bool(false), "PrincipalSID": String("S-1-5-21-114038840-737157106-355810188-553"), "PrincipalType": String("")}, Object {"RightName": String("WriteOwner"), "IsInherited": Bool(false), "PrincipalSID": String("S-1-5-21-114038840-737157106-355810188-553"), "PrincipalType": String("")}, Object {"RightName": String("WriteDacl"), "IsInherited": Bool(false), "PrincipalSID": String("S-1-5-21-114038840-737157106-355810188-553"), "PrincipalType": String("")}, Object {"RightName": String("GenericAll"), "IsInherited": Bool(true), "PrincipalSID": String("S-1-5-21-114038840-737157106-355810188-519"), "PrincipalType": String("")}, Object {"RightName": String("GenericWrite"), "IsInherited": Bool(true), "PrincipalSID": String("domain-S-1-5-32-544"), "PrincipalType": String("")}, Object {"RightName": String("WriteOwner"), "IsInherited": Bool(true), "PrincipalSID": String("domain-S-1-5-32-544"), "PrincipalType": String("")}, Object {"RightName": String("WriteDacl"), "IsInherited": Bool(true), "PrincipalSID": String("domain-S-1-5-32-544"), "PrincipalType": String("")}]
⠐ Parsing LDAP objects: 0% [2022-12-12T11:55:06Z DEBUG rusthound::json::parser::bh_41] Parse group: CN=GUESTS,CN=BUILTIN,DC=x,DC=x
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] SECURITY-DESCRIPTOR: SecurityDescriptor { revision: 1, sbz1: 0, control: 35844, offset_owner: 25352, offset_group: 25368, offset_sacl: 0, offset_dacl: 20 }
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] OWNER-SID: "domain-S-1-5-32-544"
[2022-12-12T11:55:06Z TRACE rusthound::enums::acl] GROUP-SID: "domain-S-1-5-32-544"
thread 'main' panicked at 'called Result::unwrap() on an Err value: Error(Error { input: [140,

end of output:
e: Switch })', src/enums/acl.rs:78:64
stack backtrace:
0: rust_begin_unwind
at /rustc/bdb07a8ec8e77aa10fb84fae1d4ff71c21180bb4/library/std/src/panicking.rs:575:5
1: core::panicking::panic_fmt
at /rustc/bdb07a8ec8e77aa10fb84fae1d4ff71c21180bb4/library/core/src/panicking.rs:64:14
2: core::result::unwrap_failed
at /rustc/bdb07a8ec8e77aa10fb84fae1d4ff71c21180bb4/library/core/src/result.rs:1791:5
3: rusthound::enums::acl::parse_ntsecuritydescriptor
4: rusthound::json::parser::bh_41::parse_group
5: rusthound::json::parser::parse_result_type
6: tokio::runtime::park::CachedParkThread::block_on
7: tokio::runtime::runtime::Runtime::block_on
8: rusthound::main
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.

And full backtrace:


Thanks for the information.

I don't understand why the security descriptor doesn't want to be parsed for your GUESTS group.
I took note and removed the unwrap(), replacing it with errors.

These will surely be more verbose.
The execution should not crash anymore, but the objects that hit the error will not have their ACL.

Could you please do a test again?

cd RustHound
git pull
cargo b
target/debug/rusthound -d x.x -u username -p password -v -o /tmp/output

And if possible, could you please check the "Aces" value for the "GUESTS" group in "/tmp/output/x-x_groups.json"?

Thanks.
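As an added example (not RustHound's own code), this is what the non-panicking path the maintainer describes can look like: a bounds-checked parser for the DACL of a self-relative security descriptor that returns Result, plus a caller that logs the error and emits the group with an empty Aces list instead of crashing. The byte layout follows MS-DTYP; the type and function names and the sample blob are my own assumptions.

```rust
// Added example, not RustHound's own code: a bounds-checked walk over a self-relative SECURITY_DESCRIPTOR's
// DACL (layout per MS-DTYP) that returns Result so a caller can skip the ACL instead of panicking. Names are mine.
#[derive(Debug, PartialEq)]
pub enum SdError { Short(&'static str), BadRevision(u8), BadOffset(usize) }
#[derive(Debug, PartialEq)]
pub struct Ace { pub ace_type: u8, pub flags: u8, pub mask: Option<u32>, pub sid: Option<String> }
// Every read goes through these so a truncated blob yields Err, never an index panic.
fn u8_at(b: &[u8], i: usize) -> Result<u8, SdError> { b.get(i).copied().ok_or(SdError::Short("u8")) }
fn u16_at(b: &[u8], i: usize) -> Result<u16, SdError> { b.get(i..i + 2).map(|s| u16::from_le_bytes([s[0], s[1]])).ok_or(SdError::Short("u16")) }
fn u32_at(b: &[u8], i: usize) -> Result<u32, SdError> { b.get(i..i + 4).map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]])).ok_or(SdError::Short("u32")) }
// Render a binary SID as "S-<rev>-<authority>-<sub>...".
fn sid_at(b: &[u8], i: usize) -> Result<String, SdError> {
    let (rev, n) = (u8_at(b, i)?, u8_at(b, i + 1)? as usize);
    let auth = b.get(i + 2..i + 8).ok_or(SdError::Short("sid"))?.iter().fold(0u64, |a, &x| (a << 8) | x as u64);
    let mut s = format!("S-{rev}-{auth}");
    for k in 0..n { s.push_str(&format!("-{}", u32_at(b, i + 8 + 4 * k)?)); }
    Ok(s)
}
// Parse the SD header, locate the DACL and walk its ACEs. Types other than ACCESS_ALLOWED (0x00) /
// ACCESS_DENIED (0x01) are kept with mask/sid = None and skipped by AceSize, not treated as fatal.
pub fn parse_dacl(blob: &[u8]) -> Result<Vec<Ace>, SdError> {
    if blob.len() < 20 { return Err(SdError::Short("header")); }
    if blob[0] != 1 { return Err(SdError::BadRevision(blob[0])); }
    let dacl = u32_at(blob, 16)? as usize;
    if dacl == 0 { return Ok(Vec::new()); } // OffsetDacl == 0: no DACL present
    if dacl + 8 > blob.len() { return Err(SdError::BadOffset(dacl)); }
    let (count, mut pos, mut aces) = (u16_at(blob, dacl + 4)? as usize, dacl + 8, Vec::new());
    for _ in 0..count {
        let (t, f, size) = (u8_at(blob, pos)?, u8_at(blob, pos + 1)?, u16_at(blob, pos + 2)? as usize);
        if size < 4 || pos + size > blob.len() { return Err(SdError::BadOffset(pos)); }
        let (mask, sid) = match t {
            0x00 | 0x01 => (Some(u32_at(blob, pos + 4)?), Some(sid_at(blob, pos + 8)?)),
            _ => (None, None),
        };
        aces.push(Ace { ace_type: t, flags: f, mask, sid });
        pos += size;
    }
    Ok(aces)
}
// What a group parser should do in place of unwrap(): warn and emit the object with empty Aces.
pub fn aces_or_empty(dn: &str, blob: &[u8]) -> Vec<Ace> {
    parse_dacl(blob).unwrap_or_else(|e| { eprintln!("[WARN] {dn}: nTSecurityDescriptor not parsed ({e:?}); Aces left empty"); Vec::new() })
}
// Constructed sample: SD header with the DACL at offset 20, one ACCESS_ALLOWED ACE for S-1-5-32-544
// carrying the mask 983485 from the trace above, then an ACCESS_ALLOWED_OBJECT stub (type 0x05).
pub fn sample_sd() -> Vec<u8> {
    let mut b = vec![1, 0, 0x04, 0x8C, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0];
    b.extend_from_slice(&[4, 0, 44, 0, 2, 0, 0, 0]); // AclRevision 4, AclSize 44, AceCount 2
    b.extend_from_slice(&[0x00, 0x10, 24, 0, 0xBD, 0x01, 0x0F, 0x00, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 0x20, 0x02, 0, 0]);
    b.extend_from_slice(&[0x05, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0]); // skipped via AceSize
    b
}
```

Feeding a truncated copy of the sample blob to aces_or_empty reproduces the fallback: a warning line and a group with no Aces, rather than a panic in the middle of the collection run.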

It worked now thank you so much!!