Bloodhound connection issues when multiple dns ip's are resolved #207

Open
shyam0904a opened this issue Jan 15, 2025 · 1 comment · May be fixed by #208

Here I'm trying to gather information from the internal domain, which is accessed through a ligolo tunnel. NetExec and other tools work fine in this setup, but bloodhound python fails to do so.

Here is the sample LDAP connection that I have written to test if it is a library issue, but here it works fine.


Here is the connection with bloodhound python to the same server in a similar env.


Here the connection remains closed, but the sample script that I've used has a connection open:

```python
from ldap3 import Server, Connection, NTLM, ALL

# Target and credentials (placeholders / blank values as in the original post)
ldap_server = 'ldap://{IP}:389'
domain = ''
username = ''
password = ''

# NTLM binds use the DOMAIN\username form
user_ntlm = f"{domain}\\{username}"

print("[DEBUG] LDAP server URL:", ldap_server)
print("[DEBUG] NTLM User:", user_ntlm)
try:
    print("[DEBUG] Creating server object...")
    server = Server(ldap_server, get_info=ALL)  # Use get_info=ALL for full server info

    print("[DEBUG] Server object created:", server)

    print("[DEBUG] Establishing connection with NTLM authentication...")
    # auto_bind=True opens the socket and binds immediately; it raises on failure
    conn = Connection(
        server,
        user=user_ntlm,
        password=password,
        authentication=NTLM,
        auto_bind=True
    )
    print(conn)
    print("[INFO] Successfully connected and bound to the LDAP server!")

    search_base = 'DC=,DC='
    search_filter = '(objectClass=user)'
    attributes = ['cn']

    print(f"[DEBUG] Performing LDAP search in base '{search_base}' with filter '{search_filter}'...")
    conn.search(search_base, search_filter, attributes=attributes)

except Exception as e:
    print("[ERROR] An error occurred during LDAP operation:")
    print(e)

finally:
    # Only unbind if the connection object exists and the bind succeeded
    if 'conn' in locals() and conn.bound:
        print("[DEBUG] Unbinding connection...")
        conn.unbind()
        print("[INFO] Connection unbound.")
```

shyam0904a commented Jan 15, 2025

EDIT: After further debugging, it was noticed that when querying the DC, it is resolving to another internal IP, as it is part of 2 subnets, rather than the specified DC hostname - IP mentioned in the resolv.conf.


This is causing bloodhound to resolve to the second IP, which isn't reachable from the tunnel 1

It would be useful if we can have a -dc-ip feature, which would be used for building up the LDAP connection string.

shyam0904a changed the title from "Bloodhound connection issues when used with ligolo-ng" to "Bloodhound connection issues when multiple dns ip's are resolved" on Jan 15, 2025

shyam0904a linked a pull request on Jan 15, 2025 that will close this issue
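
The situation reported in this issue (a DC hostname resolving to several addresses, only one of which is routable from the client), as an added example that is not part of the original thread, the project's code, or the linked pull request. The function names, the `dc_ip` parameter and the sample addresses are assumptions made for illustration; the resolver and probe are injectable so the selection logic can be checked offline.

```python
import socket

def resolve_all(hostname, port=389):
    """Return every distinct IPv4 address the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs = []
    for *_, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs

def tcp_reachable(ip, port=389, timeout=3.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False

def pick_ldap_target(hostname, dc_ip=None, port=389,
                     resolver=resolve_all, probe=tcp_reachable):
    """Choose the address to put in the LDAP URL for a multi-homed DC.

    dc_ip is a hypothetical operator override modelled on the -dc-ip request
    above; when set, DNS is not consulted at all.
    Returns (ip, report), where report holds (address, reachable) per candidate.
    """
    if dc_ip:
        return dc_ip, [(dc_ip, None)]  # None: taken as given, not probed
    report, chosen = [], None
    for ip in resolver(hostname, port):
        ok = probe(ip, port)
        report.append((ip, ok))  # keep probing so the report shows every record
        if ok and chosen is None:
            chosen = ip
    if chosen is None:
        raise ConnectionError(f"no address for {hostname} answers on {port}: {report}")
    return chosen, report

def ldap_url(ip, port=389):
    """Build the connection string from an IP so ldap3 does no further lookup."""
    return f"ldap://{ip}:{port}"

if __name__ == "__main__":
    # Constructed sample: two A records, only the second routable from here.
    records = lambda host, port: ["198.51.100.10", "192.0.2.10"]
    routable = lambda ip, port: ip == "192.0.2.10"
    ip, report = pick_ldap_target("dc01.corp.example", resolver=records, probe=routable)
    print(report, "->", ldap_url(ip))
```

The per-address report makes it visible when the resolver hands back an address on a subnet the client has no route to, which is the condition the EDIT above describes.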