Sharphound never completes

Open secure-cake opened this issue 5 years ago • 7 comments

I'm doubtful this is an "issue" with the ingestor, I just can't figure out a solution for the current environment. I've tried multiple variations, from specifying OU, domain and DC; increasing threads; different collection modes; increasing verbosity just to get some insight; and it runs with a repetitive "status nnn objects enumerated" message, which seems to indicate it's working! I've let it run for more than 72 hours for a single OU (recognizing that isn't terribly descriptive). If I hit Ctrl+C, I get a "waiting for cleanup" message, followed by status messages that also never seem to end (waited several hours). For the environment in question, my only successfully completed runs were limited to collection of groups and trusts. Any ideas/suggestions are much appreciated!

secure-cake avatar Apr 24 '19 15:04 secure-cake

Actually, I just ran into this on a domain that I'm on. The issue is actually because if an OU has a large number of objects, it can actually take a long time for SharpHound to process the computer objects inside. I have a fix for this in place that I'll be deploying. If you eliminate the Container collection method, the rest of it should work (in theory).

rvazarkar avatar Apr 24 '19 15:04 rvazarkar

Excellent and thank you!

secure-cake avatar Apr 24 '19 15:04 secure-cake

We have the same issue as described in the first post. Hoping for a fix...

tecxx avatar Jun 03 '19 16:06 tecxx

With the latest source code updates this seems to be fixed now. Thank you!

tecxx avatar Jun 21 '19 07:06 tecxx

Should be closed in https://github.com/BloodHoundAD/SharpHound/commit/c6f43e35e6a4f69cd965582c27d051511e2343b9

jeffmcjunkin avatar Jul 02 '19 16:07 jeffmcjunkin

It's obviously entirely possible that my current working environment is unique, but I pulled the latest BH content from GitHub as of 7/2 and the following command has been running for seven days, with repeated status of "395 objects enumerated" for the duration. Happy to test something else/different and any input is appreciated!

"SharpHound.exe -v -d mydomain.com --domaincontroller mydc1 --ou ou=servers,dc=mydomain,dc=com -c group,localgroup,localadmin,trusts"

Thank you!

Patterson Cake

Haven Information Security, LLC

360.713.2011


secure-cake avatar Jul 09 '19 15:07 secure-cake

Can you run individual collection methods to figure out if one of them in particular is causing the lockup?

rvazarkar avatar Jul 11 '19 14:07 rvazarkar