SharpHound icon indicating copy to clipboard operation
SharpHound copied to clipboard
verified publisher icon BloodHoundAD

SharpHound 2.7.2 incomplete domain users enumeration

Open hubert3 opened this issue 3 months ago • 7 comments

Running SharpHound 2.7.2 with -c all or -c dconly only results in 2000-2500 users being enumerated in our environment when there are actually more than 120,000 users that were reliably enumerated with earlier versions.

Earlier version of Sharphound returning a complete set of users:

% jsonpp 20250715194931_users.json | tail
    }
  ],
  "meta": {
    "methods": 6583295,
    "type": "users",
    "count": 146090,
    "version": 6,
    "collectorversion": "2.6.7.0"
  }
}%

Current version:

% jsonpp 20250924134957_users.json | tail
    }
  ],
  "meta": {
    "methods": 15725567,
    "type": "users",
    "count": 2516,
    "version": 6,
    "collectorversion": "2.7.2.0"
  }
}

The number of users returned varies significantly from 2000 or 2500 up to 80,000 and 120,000 on some attempts. It seems possible this was introduced by new timeout code.

hubert3 avatar Sep 24 '25 08:09 hubert3

I’m experiencing the same issue with version 2.7.1.

Fasiru avatar Sep 25 '25 07:09 Fasiru

Looking into this one. v2.7 introduced adapting timeout logics around external system calls like LDAP queries. It's possible that these user queries are especially slow, timing out, and then even defeating the retry logics intended to avoid exactly this scenario.

The boundary between adaptive-timeout-backoff and query retries is pretty fuzzy. These may just be "missing" each other when they need to align ....

Will experiment and return.

definitelynotagoblin avatar Sep 29 '25 21:09 definitelynotagoblin

@definitelynotagoblin thanks, it would be great if this could be fixed as we have to run a limited set of collection methods with v2.6.x to avoid SH never completing in our environment. I can provide a full console output log privately of a SH 2.7.2 run that completes but encounters this incomplete user enum issue.

hubert3 avatar Oct 01 '25 08:10 hubert3

bumping, been running SH for 8 hours and have only collected ~1500 objects out of 100,000+ that older versions could identify in less than 20 seconds in 2.5.7-8

44xo avatar Oct 02 '25 20:10 44xo

Hello, same problem here.

With 2.5.9 => fast enum even on large domain. With 2.7.x => very slow enum (like 15-20 time longer) and sometimes SID are not resolved for all users OR results are incomplete.

onSec-fr avatar Oct 03 '25 13:10 onSec-fr

Hey folks - appreciate the information and the comparisons between versions, it's really helpful information! We're actively digging into these issues and looking for solutions - stay tuned!

StephenHinck avatar Oct 03 '25 16:10 StephenHinck

It seems very likely that - in cases where query time spikes suddenly as may happen when running large User queries - retries are exhausting before our adaptive timeout logic decides to back off its more aggressive strategies.

Because LDAP queries are already gated behind connection tests though, we can be pretty confident that they will get responses back, and we're not getting as much value out of enforcing adaptive timeout cutoffs on these volatile tasks.

The above PR trades the more aggressive adaptive timeout strategy for the old, generous one.

definitelynotagoblin avatar Oct 06 '25 21:10 definitelynotagoblin