Sharphound block on object #106

Closed
sca-vminne opened this issue Jul 11, 2024 · 6 comments

@sca-vminne

I ran SharpHound on a domain and it ended up being stuck on object number 492. I have tried the collection methods All and Default but ended up with the same thing. I scanned another domain but didn't encounter the problem.
At first, I tried letting it run for 5 hours but it was still stuck. Then I started debugging (see steps after).
In the end I think I can say it doesn't come from the Active Directory and not from the network. At least from what I could understand.
I'm running Windows 11 and use SharpHound version:

.\SharpHound.exe --version
2024-07-11T12:01:00.7095898+02:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
SharpHound 2.4.1

So I first imported the module with the following:
[Image: Pasted image 20240711100111]

Then, I launched the scan with:

Invoke-BloodHound -Domain domain.com -DomainController 1.1.1.1 -LdapUsername user@domain.com -LdapPassword "password" -CollectionMethods Default -v 0 -OutputDirectory "C:\Output"

And I ended up with:

2024-07-11T10:39:34.0535393+02:00|TRACE|Consumer 14 took 89534.1307 ms to process [email protected]
2024-07-11T10:39:34.1539360+02:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-07-11T10:39:34.1539360+02:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for F4AAF3D3-F4D7-4FF3-8DC5-D93BB65FDD1A: top, container, groupPolicyContainer
2024-07-11T10:39:34.1539360+02:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for F4AAF3D3-F4D7-4FF3-8DC5-D93BB65FDD1A: GPO
2024-07-11T10:39:34.1539360+02:00|TRACE|[CommonLib LDAPUtils]Creating ldap connection for DC with filter (objectclass=*)
2024-07-11T10:39:34.1539360+02:00|TRACE|[CommonLib LDAPUtils]Sending LDAP request for (objectclass=*)
2024-07-11T10:39:34.1669369+02:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-07-11T10:39:34.1669369+02:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 0B3E70C5-C023-45A1-AC51-FFC3F774610A: top, container, groupPolicyContainer
2024-07-11T10:39:34.1669369+02:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 0B3E70C5-C023-45A1-AC51-FFC3F774610A: GPO
2024-07-11T10:39:34.1669369+02:00|TRACE|[CommonLib LDAPUtils]Creating ldap connection for DC with filter (objectclass=*)
2024-07-11T10:39:34.1669369+02:00|TRACE|[CommonLib LDAPUtils]Sending LDAP request for (objectclass=*)
2024-07-11T10:39:34.1799776+02:00|DEBUG|[CommonLib Extensions]GetLabel - SamAccountTypeToType returned Base
2024-07-11T10:39:34.1799776+02:00|DEBUG|[CommonLib Extensions]GetLabel - ObjectClasses for 9E2793EF-1E4C-4C2D-9C2B-A5595E418716: top, container, groupPolicyContainer
2024-07-11T10:39:34.1799776+02:00|DEBUG|[CommonLib Extensions]GetLabel - Final label for 9E2793EF-1E4C-4C2D-9C2B-A5595E418716: GPO
2024-07-11T10:39:34.1809413+02:00|TRACE|Consumer 14 took 104391.5037 ms to process DOMAIN.COM
2024-07-11T10:39:46.2528738+02:00|INFORMATION|Status: 492 objects finished (+133 4.1)/s -- Using 144 MB RAM
2024-07-11T10:40:16.2584710+02:00|INFORMATION|Status: 492 objects finished (+0 3.28)/s -- Using 140 MB RAM
2024-07-11T10:40:46.2677042+02:00|INFORMATION|Status: 492 objects finished (+0 2.733333)/s -- Using 140 MB RAM
2024-07-11T10:41:16.2685980+02:00|INFORMATION|Status: 492 objects finished (+0 2.342857)/s -- Using 140 MB RAM
2024-07-11T10:41:46.2728939+02:00|INFORMATION|Status: 492 objects finished (+0 2.05)/s -- Using 140 MB RAM
2024-07-11T10:42:16.2832434+02:00|INFORMATION|Status: 492 objects finished (+0 1.822222)/s -- Using 140 MB RAM
2024-07-11T10:42:46.2910644+02:00|INFORMATION|Status: 492 objects finished (+0 1.64)/s -- Using 140 MB RAM
2024-07-11T10:43:16.3032454+02:00|INFORMATION|Status: 492 objects finished (+0 1.490909)/s -- Using 140 MB RAM

So I tried to test DNS resolution and the LDAP connection:

  • DNS resolution with: nslookup --> OK
  • Port connection: 389 and 636 --> OK
    Test-NetConnection -ComputerName 1.1.1.1 -Port 389 (or 636)
  • LDAP with the following script --> OK

# Build a credential object for the test account
$username = "[email protected]"
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
$ldapPath = "LDAP://1.1.1.1/DC=domain,DC=com" # I also tried with ldaps connection

try {
    # RefreshCache() forces the bind to the domain root and throws if it is rejected
    $directoryEntry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $credential.UserName, $credential.GetNetworkCredential().Password)
    $directoryEntry.RefreshCache()
    Write-Output "Connection successful"
} catch {
    Write-Output "Connection failed: $_"
}
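
A triage aid for the kind of log shown in this post, added here as an example (it is not part of the issue or of SharpHound): it reads the `Status:` and `Consumer ... took` lines to report when the object counter stopped advancing and which objects were slowest before it did. The line formats come from the log above; the sample lines, the `OBJECT-A` name and both thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log quoted in the issue (OBJECT-A is a made-up name).
SAMPLE_LOG = """\
2024-07-11T10:39:34.0535393+02:00|TRACE|Consumer 14 took 89534.1307 ms to process OBJECT-A
2024-07-11T10:39:34.1809413+02:00|TRACE|Consumer 14 took 104391.5037 ms to process DOMAIN.COM
2024-07-11T10:39:46.2528738+02:00|INFORMATION|Status: 492 objects finished (+133 4.1)/s -- Using 144 MB RAM
2024-07-11T10:40:16.2584710+02:00|INFORMATION|Status: 492 objects finished (+0 3.28)/s -- Using 140 MB RAM
2024-07-11T10:40:46.2677042+02:00|INFORMATION|Status: 492 objects finished (+0 2.733333)/s -- Using 140 MB RAM
2024-07-11T10:41:16.2685980+02:00|INFORMATION|Status: 492 objects finished (+0 2.342857)/s -- Using 140 MB RAM
"""

LINE = re.compile(r"^(\S+?)\|(\w+)\|(.*)$")
STATUS = re.compile(r"Status: (\d+) objects finished \(\+(\d+) ")
CONSUMER = re.compile(r"Consumer \d+ took ([\d.]+) ms to process (.+)$")

def parse_ts(raw):
    # The log prints 7 fractional digits; datetime holds 6, so trim the extra.
    m = re.match(r"(.*\.\d{6})\d*([+-]\d{2}:\d{2})$", raw)
    return datetime.fromisoformat(m.group(1) + m.group(2) if m else raw)

def analyze(log_text, stall_intervals=3, slow_ms=60000.0):
    """Report whether the object counter stalled and which objects were slow."""
    stalled, stall_start, last_count, slow = 0, None, None, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not timestamp|LEVEL|message
        ts, msg = parse_ts(m.group(1)), m.group(3)
        c = CONSUMER.search(msg)
        if c and float(c.group(1)) >= slow_ms:
            slow.append((c.group(2), float(c.group(1))))
        s = STATUS.search(msg)
        if s:
            count, delta = int(s.group(1)), int(s.group(2))
            if delta == 0 and count == last_count:
                stalled += 1  # another status interval with no progress
                stall_start = stall_start or ts
            else:
                stalled, stall_start = 0, None  # progress resumed, reset
            last_count = count
    return {"stalled": stalled >= stall_intervals, "stalled_intervals": stalled,
            "stall_start": stall_start, "last_count": last_count,
            "slow_objects": sorted(slow, key=lambda x: -x[1])}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Attaching the reported stall start and the slowest objects to a bug report gives maintainers the last work items completed before the hang.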

@und3ath

und3ath commented Aug 7, 2024

Same here, hangs indefinitely on certain domain

@rvazarkar
Contributor

We did identify this issue recently; the problem appears to be in session collection. There's an unknown edge case where we send API calls to computers and the API calls hang indefinitely. We'll be introducing a hard timeout on those API calls in an upcoming release to ensure that we deal with this scenario appropriately.

@Flangvik

Also running into this issue currently, any super-dirty patch we can implement ourselves at the current time?

@rvazarkar
Contributor

I'm still trying to track down the cause of this. I added timeouts to all of the computer API calls, but there appears to be another hang in group processing for some reason. I'm away from my computer currently, but I can compile a test build with the computer API timeout fixes and attach it here tomorrow if you want to give it a whirl

@rvazarkar
Contributor

https://github.com/BloodHoundAD/SharpHound/releases/tag/v2.5.6

Give this version a try and see if it works

@und3ath

und3ath commented Sep 17, 2024

> https://github.com/BloodHoundAD/SharpHound/releases/tag/v2.5.6
>
> Give this version a try and see if it works

No more issues with this version. Thanks for the fix!
