
DCOnly option - unable to find usable domain controller

Open forensic65x opened this issue 2 years ago • 4 comments

I have attempted the dconly option with multiple versions of sharphound, including the rolling version.

All of them give the error below.

I can ping and access the LDAP ports from the test system to all the DCs in the environment.

Any suggestions?

SharpHound.exe -c dconly -v 1
2022-03-31T07:30:48.5208302-05:00|INFORMATION|Resolved Collection Methods: Group, GPOLocalGroup, Trusts, ACL, Container, ObjectProps
2022-03-31T07:30:48.5208302-05:00|INFORMATION|Initializing SharpHound at 7:30 AM on 3/31/2022
2022-03-31T07:30:52.1616336-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:30:55.1617935-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:30:58.1150560-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:01.0683299-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:04.0216137-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:06.9748498-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:09.9788528-05:00|DEBUG|[CommonLib PortScanner]redacted did not respond to ping
2022-03-31T07:31:10.0059206-05:00|DEBUG|[CommonLib LDAPUtils]Unable to find usable domain controller for redacted
2022-03-31T07:31:10.0215640-05:00|ERROR|Unable to connect to LDAP, verify your credentials

forensic65x avatar Mar 31 '22 13:03 forensic65x

I'm not sure what's going on here. The code for checking if a DC is available is pretty straightforward: we use a TCPClient to check if port 389 is open on each DC that's available. For whatever reason, SharpHound is unable to contact any of them. It could be a firewall issue? You could also check on Wireshark/PCAP if you can access it to see what's going on on the wire.

rvazarkar avatar Mar 31 '22 14:03 rvazarkar

I confirmed that there are successful connections on port 389 to each of the domain controllers.

forensic65x avatar Mar 31 '22 16:03 forensic65x

FYI - I just tried a previous version of sharphound.exe on the same system and it successfully ran with the -c DConly -v 1 command line.

sharphound.exe -c DConly -v 1

Initializing SharpHound at 1:42 PM on 3/31/2022

Resolved Collection Methods: Group, Trusts, ACL, ObjectProps, Container, GPOLocalGroup, DCOnly

[+] Creating Schema map for domain REDACTED using path CN=Schema,CN=Configuration,DC=REDACTED,DC=REDACTED
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 31 MB RAM
Status: 22905 objects finished (+22905 763.5)/s -- Using 324 MB RAM
Status: 45809 objects finished (+22904 763.4833)/s -- Using 362 MB RAM
[+] Creating Schema map for domain REDACTED using path CN=Schema,CN=Configuration,DC=REDACTED,DC=REDACTED
[+] Creating Schema map for domain REDACTED using path CN=Schema,CN=Configuration,DC=REDACTED,DC=REDACTED
[+] Creating Schema map for domain REDACTED using path CN=Schema,CN=Configuration,DC=REDACTED,DC=REDACTED
[+] Creating Schema map for domain REDACTED using path CN=Schema,CN=Configuration,DC=REDACTED,DC=REDACTED
Server does not support paging
Server does not support paging
Server does not support paging
Server does not support paging
Status: 68714 objects finished (+22905 763.4889)/s -- Using 324 MB RAM
Status: 76223 objects finished (+7509 777.7857)/s -- Using 200 MB RAM
Enumeration finished in 00:01:38.2887392
Compressing data to .\20220331134220_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 1:44 PM on 3/31/2022! Happy Graphing!

forensic65x avatar Mar 31 '22 18:03 forensic65x

The only solution that I could think of is increasing the timeout. https://github.com/BloodHoundAD/SharpHoundCommon/pull/32

yellow-starburst avatar Jul 08 '22 02:07 yellow-starburst
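
The reachability check rvazarkar describes (a TCP connect to port 389 on each DC) and the timeout question raised in the last comment can be reproduced outside SharpHound to see whether a DC is refusing the connection or just answering slowly. This is an added example, not SharpHound's code and not part of the thread; the function names and the timeout values tried are assumptions.

```python
import socket
import time

LDAP_PORT = 389  # port the maintainer says is checked on each DC


def probe(host, port=LDAP_PORT, timeout=0.5):
    """Attempt one TCP connect; return (state, seconds).

    state is 'open', 'refused', 'timeout' or 'error:<reason>'.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except socket.timeout:
        state = "timeout"   # no answer in time: filtering or a slow path
    except ConnectionRefusedError:
        state = "refused"   # host answered, nothing listening on the port
    except OSError as exc:  # DNS failure, no route to host, ...
        state = "error:" + (exc.strerror or type(exc).__name__)
    return state, time.monotonic() - start


def smallest_working_timeout(host, port=LDAP_PORT,
                             timeouts=(0.1, 0.5, 1.0, 3.0)):
    """Return the first timeout (seconds) at which the port reports open.

    Returns None if it never does; stops early on a definite refusal,
    because a longer timeout cannot change that result.
    The candidate timeouts are assumed values, not SharpHound's.
    """
    for t in timeouts:
        state, _ = probe(host, port, t)
        if state == "open":
            return t
        if state == "refused":
            return None
    return None


if __name__ == "__main__":
    import sys
    for dc in sys.argv[1:]:  # DC host names supplied on the command line
        state, secs = probe(dc, timeout=3.0)
        print(f"{dc}:{LDAP_PORT} {state} after {secs * 1000:.0f} ms, "
              f"smallest working timeout: {smallest_working_timeout(dc)}")
```

A DC that shows `timeout` at the short values but `open` at a longer one points to latency rather than a blocked port, which is the case a larger timeout would address.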