Could not get domain information via 'lsaquery': timed out
adibdz opened this issue · comments
Hi, I have an issue when I use this tool for test on TryHackMe "Basic Pentesting".
run:
python3 enum4linux-ng.py -R IpAddress
the output:
====================================
| Domain Information via RPC for IpAddress |
====================================
[-] Could not get domain information via 'lsaquery': timed out
Traceback (most recent call last):
File "/myhome/enum4linux-ng.py", line 2708, in <module>
main()
File "/myhome/enum4linux-ng.py", line 2693, in main
enum.run()
File "/myhome/enum4linux-ng.py", line 2183, in run
self.run_modules(modules)
File "/myhome/enum4linux-ng.py", line 2314, in run_modules
self.cycle_params.set_enumerated_input(self.output.as_dict())
File "/myhome/enum4linux-ng.py", line 1498, in set_enumerated_input
if "domain_sid" in enum_input and "NULL SID" not in enum_input["domain_sid"]:
TypeError: argument of type 'NoneType' is not iterable
Meanwhile if I change this :
if "domain_sid" in enum_input and "NULL SID" not in enum_input["domain_sid"]:
to:
if "domain_sid" in enum_input and "NULL SID" not in enum_input:
the error gone, but:
[-] Could not get domain information via 'lsaquery': timed out
still there
Thanks a lot for taking time and reporting this issue. I see the issue for the TypeError and will fix this in a moment.
The second "issue" is not really an issue. You get a timeout because you seemingly did not get an answer in time from the remote system. Could you try increasing the timeout like that:
python3 enum4linux-ng.py -R IpAddress -t 10
@adibdz
Let's double check: Does the latest fix solve the TypeError?
And does using -t help or do you still get the timeout?
Edit:
Hi, I have an issue when I use this tool for test on TryHackMe "Basic Pentesting".
I just tried this machine, it works fine for me. The timeout you get could be from the OpenVPN connection, so try playing with the timeout parameter as mentioned above. Also try reconnecting via OpenVPN. In addition, you could check if this manual command is working for you, which should give you the Domain Name and Domain SID:
rpcclient -U % IpAddress -c lsaquery
Ya using -t 10 fixing the issue. This is the output:
====================================================
| Domain Information via RPC for IpAddress |
====================================================
[+] Domain: WORKGROUP
[+] SID: NULL SID
[+] Host is part of a workgroup (not a domain)
===================================================================
| Users, Groups and Machines on IpAddress via RID Cycling |
===================================================================
[*] Trying to enumerate SIDs
[+] Found 3 SID(s)
[*] Trying SID S-1-22-1
[+] Found user 'Unix User\kay' (RID 1000)
[+] Found user 'Unix User\jan' (RID 1001)
[*] Trying SID S-1-5-21-2853212168-2008227510-3551253869
[+] Found user 'BASIC2\nobody' (RID 501)
[+] Found domain group 'BASIC2\None' (RID 513)
[*] Trying SID S-1-5-32
[+] Found builtin group 'BUILTIN\Administrators' (RID 544)
[+] Found builtin group 'BUILTIN\Users' (RID 545)
[+] Found builtin group 'BUILTIN\Guests' (RID 546)
[+] Found builtin group 'BUILTIN\Power Users' (RID 547)
[+] Found builtin group 'BUILTIN\Account Operators' (RID 548)
[+] Found builtin group 'BUILTIN\Server Operators' (RID 549)
[+] Found builtin group 'BUILTIN\Print Operators' (RID 550)
[+] Found 3 user(s), 8 group(s), 0 machine(s) in total
Completed after 2236.92 seconds
Thanks a lot @cddmp
Glad it works now, though it took a very long time, 2236 seconds are 37 minutes! I assume the round trip time from your location to the TryHackMe server is very long, therefore it takes ages for every request (and the RID cycling needs a lot of requests).
Maybe I have some time in the future to make this multi threaded, this could improve speed for you.
Thanks again for reporting, this helped to fix a bug!