BloodHound.py

Kerberos ticket ccache authentication not working

Open smokeintheshell opened this issue 1 year ago • 1 comments

Attempting to use Kerberos with a ccache and -k -no-pass appears to not be working. After reading #141 I updated my BloodHound.py to 1.7.2 and reattempted using an obtained ticket but got the same errors:

KRB5CCNAME=<user>.ccache proxychains bloodhound-python -d <target domain> --zip -c All --dns-tcp -ns <DC IP> -dc <DC FQDN> -gc <DC FQDN> -k -no-pass
Traceback (most recent call last):
  File "/home/jkl/.local/bin/bloodhound-python", line 8, in <module>
    sys.exit(main())
  File "/home/jkl/.local/pipx/venvs/bloodhound/lib/python3.10/site-packages/bloodhound/__init__.py", line 297, in main
    auth = ADAuthentication(username=args.username, password=args.password, domain=args.domain, auth_method=args.auth_method)
  File "/home/jkl/.local/pipx/venvs/bloodhound/lib/python3.10/site-packages/bloodhound/ad/authentication.py", line 55, in __init__
    if '@' in self.username:
TypeError: argument of type 'NoneType' is not iterable

It looks like when specifying -k -no-pass and providing a ccache in KRB5CCNAME, bloodhound-python isn't using the ticket. If I then specify -u <UPN>, I get prompted for a password despite using -no-pass:

proxychains -q -f ./prox.conf bloodhound-python -d <target domain> --zip -c All --dns-tcp -ns <DC IP> -dc <DC FQDN> -gc <DC FQDN> -k -no-pass -u '<UPN>'
Password: 

smokeintheshell, May 22 '24 14:05

Hey, I'm also having this issue; have you found a solution? @smokeintheshell

gatariee, Sep 07 '24 09:09

Happened to me with the exact version. Any update? @gatariee @smokeintheshell

isfahany, Oct 31 '24 17:10

> Happened to me with the exact version. any update? @gatariee @smokeintheshell

I couldn't get bloodhound.py to work. A workaround would be to use netexec's bloodhound collector modules instead of bloodhound.py; this has proven more consistent for me.

gatariee, Oct 31 '24 17:10

No update for this on my side specifically with bloodhound-python. Workarounds I've used are tunneling a Windows box and using SharpHound with an injected ticket, and using nxc as @gatariee mentioned. It's been a hot minute since I looked into this, but out of curiosity @isfahany are you using a TGT or a ST for the LDAP service on the DC?

smokeintheshell, Oct 31 '24 17:10

ccache auth now works properly again. Note that you have to explicitly specify a username (which must match the one in your ccache). Only TGTs are supported in the ccache.

dirkjanm, Jan 02 '25 15:01
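
The two requirements in the last comment (the username must match the ccache principal, and the ccache must hold a TGT) can be checked before running the collector. The following is an added example, not code from this thread or from BloodHound.py: `Reader`, `check_ccache` and `sample_ccache` are hypothetical names, `alice` and `CORP.EXAMPLE` are constructed sample values, and the case-insensitive username comparison is an assumption about what "match" means. It handles only ccache file format version 4.

```python
import struct

class Reader:                                # cursor over big-endian ccache bytes
    def __init__(self, blob):
        self.blob, self.pos = blob, 0
    def take(self, n):
        if self.pos + n > len(self.blob):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.blob[self.pos - n:self.pos]
    def num(self, fmt):                      # "H" = uint16, "I" = uint32
        return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):                          # 32-bit length, then that many bytes
        return self.take(self.num("I"))
    def principal(self):                     # name type, count, realm, components
        self.num("I")
        count, realm = self.num("I"), self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)), realm

def check_ccache(blob, username):            # returns a list of problems, empty if none
    r = Reader(blob)
    if r.num("H") != 0x0504:
        raise ValueError("only ccache file format version 4 is handled")
    r.take(r.num("H"))                       # skip header tags
    name, realm = r.principal()              # default principal of the cache
    has_tgt = False
    while r.pos < len(blob):                 # one iteration per stored credential
        r.principal()                        # client
        server, srealm = r.principal()
        r.num("H"); r.data()                 # keyblock: enctype, key
        r.take(16 + 1 + 4)                   # four times, is_skey, ticket flags
        for _ in range(2):                   # address list, then authdata list
            for _ in range(r.num("I")):
                r.num("H"); r.data()
        r.data(); r.data()                   # ticket, second ticket
        has_tgt |= srealm != "X-CACHECONF:" and server.startswith("krbtgt/")
    found = []
    if username.split("@")[0].lower() != name.lower():   # assumed matching rule
        found.append(f"username does not match ccache principal {name}@{realm}")
    if not has_tgt:
        found.append("ccache holds no TGT (krbtgt/...)")
    return found

def _cd(b): return struct.pack(">I", len(b)) + b
def _princ(*parts, realm=b"CORP.EXAMPLE"):
    return struct.pack(">II", 1, len(parts)) + _cd(realm) + b"".join(map(_cd, parts))
def sample_ccache(*server):                  # constructed sample: one credential for alice
    return (struct.pack(">HHHHII", 0x0504, 12, 1, 8, 0, 0) + _princ(b"alice") * 2 + _princ(*server)
            + struct.pack(">H", 18) + _cd(bytes(32)) + bytes(21 + 8) + _cd(b"ticket") + _cd(b""))
```

On a real cache, pass the bytes of the file named by `KRB5CCNAME` and the value given to `-u`; an empty list means both conditions from the comment hold.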