DsGetDcNameWrapper Error, retrieving informations for GetDomain() call in SH 2.5.8 #122

Open
mickdec opened this issue Nov 29, 2024 · 2 comments


mickdec commented Nov 29, 2024

Hi,
Sorry in advance if my explanations are not clear, it's my first issue, ever.

When I run SH 2.5.8 on a non-linked domain through LDAPS I get a "GetDomain call failed" at the GetDomainsForEnumeration process.


Even if I specify the PDC as --domaincontroller, it seems that DsGetDcNameWrapper fails because DsGetDcName gets a default null argument for computerName, resulting in DsGetDcName returning error 1355 (0x0000054B).


If I force the computerName parameter for DsGetDcName in DsGetDcNameWrapper, at the GetDomainsForEnumeration step, to be my --domaincontroller PDC argument, the process context becomes valid and SharpHound can continue its enumeration.


The error seems to continue after that: when processing ACEs on each computer, GetDomain() reports "the specified domain didn't exist."
I am now waiting for SH to finish.


mickdec commented Nov 29, 2024

It may be a port problem (RPC 135 and/or Kerberos 88).

DcDiag with the Advertising test, which uses DsGetDcName() too, returns an RPC error in my case.

Ports 135 and 88 are closed between my VM running SharpHound and the PDC.

I am not sure if it's the right explanation for this issue, but if it is the case, "manually" doing an LDAPS request to the DC asking for example for (objectcategory=computer) using System.DirectoryServices through PowerShell works, without ports 135 and 88 open.

Using DsGetDcName(
[in, optional] LPCSTR ComputerName,
[in, optional] LPCSTR DomainName,
[in, optional] GUID *DomainGuid,
[in, optional] LPCSTR SiteName,
[in] ULONG Flags,
[out] PDOMAIN_CONTROLLER_INFOA *DomainControllerInfo
);

with ComputerName as the DC and DomainName as the domain name (mydomain.com) did the job too, without the two ports open as well.
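As an added diagnostic example (not SharpHound's code and not anything the reporter posted), the following PowerShell reproduces the two DsGetDcName calls discussed in this comment and the first one via P/Invoke, once with ComputerName left null as DsGetDcNameWrapper does and once with the --domaincontroller value, and then performs a plain LDAPS bind to the same DC so the "DC locator cannot reach the DC" case can be told apart from "LDAPS itself is fine". The domain and DC names, port 636, the flag set and the function names are assumptions, not values from the issue.

```powershell
# Added diagnostic (not SharpHound's or the reporter's code). Constructed placeholder
# names below; the Win32 error 1355 is the code reported in this issue.

Add-Type -Namespace DcLocator -Name NativeMethods -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct DOMAIN_CONTROLLER_INFO {
    public string DomainControllerName;
    public string DomainControllerAddress;
    public uint   DomainControllerAddressType;
    public Guid   DomainGuid;
    public string DomainName;
    public string DnsForestName;
    public uint   Flags;
    public string DcSiteName;
    public string ClientSiteName;
}

[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int DsGetDcNameW(
    string ComputerName, string DomainName, IntPtr DomainGuid,
    string SiteName, uint Flags, out IntPtr DomainControllerInfo);

[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr Buffer);
'@

function Resolve-DomainController {
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        $ComputerName   # $null reproduces the wrapper's call; a DC name reproduces the workaround
    )
    [uint32]$DS_DIRECTORY_SERVICE_REQUIRED = 0x10
    [uint32]$DS_RETURN_DNS_NAME            = 0x40000000
    # Keep a genuine null for the native call; an empty [string] would not be the same thing
    $target = if ([string]::IsNullOrEmpty($ComputerName)) { $null } else { [string]$ComputerName }
    $buffer = [IntPtr]::Zero
    $rc = [DcLocator.NativeMethods]::DsGetDcNameW(
        $target, $DomainName, [IntPtr]::Zero, $null,
        ($DS_DIRECTORY_SERVICE_REQUIRED -bor $DS_RETURN_DNS_NAME), [ref]$buffer)
    if ($rc -ne 0) {
        # 1355 (0x54B) is ERROR_NO_SUCH_DOMAIN, what the wrapper hit in this issue
        $text = (New-Object System.ComponentModel.Win32Exception([int]$rc)).Message
        return [pscustomobject]@{ ComputerName = $target; Status = 'FAILED'; Win32Error = $rc; Message = $text }
    }
    try {
        $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
            $buffer, [type][DcLocator.NativeMethods+DOMAIN_CONTROLLER_INFO])
        return [pscustomobject]@{ ComputerName = $target; Status = 'OK'
            DomainController = $info.DomainControllerName; Domain = $info.DomainName; Site = $info.DcSiteName }
    } finally {
        [void][DcLocator.NativeMethods]::NetApiBufferFree($buffer)   # buffer is owned by Netlogon
    }
}

function Test-LdapsBind {
    param([Parameter(Mandatory)] [string]$DomainController, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()   # current credentials; Negotiate may fall back to NTLM if no Kerberos ticket can be obtained
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'defaultNamingContext')
        $resp = $conn.SendRequest($req)
        return [pscustomobject]@{ Status = 'OK'; DefaultNamingContext = [string]$resp.Entries[0].Attributes['defaultNamingContext'][0] }
    } catch {
        return [pscustomobject]@{ Status = 'FAILED'; Message = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Constructed placeholders: replace with the real domain and the --domaincontroller value
$domain = 'mydomain.com'
$dc     = 'pdc.mydomain.com'
Resolve-DomainController -DomainName $domain -ComputerName $null | Format-List   # the wrapper's call
Resolve-DomainController -DomainName $domain -ComputerName $dc   | Format-List   # the reporter's workaround
Test-LdapsBind -DomainController $dc | Format-List
```

Run the three calls from the same host the collector runs on: if the null-ComputerName call returns 1355 while the explicit-DC call and the LDAPS bind both succeed, the locator path, not LDAPS, is what the blocked ports are breaking, which is the situation this issue describes.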

rvazarkar (Contributor) commented

DsGetDcName is just one of several checks we do, but I think you're right in that there's no reason not to use a specified domain controller name in the first parameter to DsGetDcName.
