
Feature Request - LDAP JSON Export into BloodHound Format

Open ad0nis opened this issue 5 years ago • 8 comments

Noticed that impacket relay to LDAP was generating information about the domain in multiple formats including JSON - got my hopes up that this would import into BloodHound, and was disappointed to find it was not compatible. Would be super handy if an initial relay to LDAP could immediately be imported into BloodHound.

ad0nis avatar Nov 25 '19 22:11 ad0nis

CCing @dirkjanm :)

asolino avatar Nov 26 '19 15:11 asolino

This is an interesting one! Would having an LDAP socks proxy help running SharpHound on a relayed connection? Or maybe is worth some thought making @dirkjanm's BloodHound.py integrate with ntlmrelayx somehow?

martingalloar avatar Nov 26 '19 19:11 martingalloar

There is one for the old (CSV) format but not yet for the 2.0 format. This request is tracked here: https://github.com/dirkjanm/ldapdomaindump/issues/14 but as very few people seem to use it I'm not sure this is something I will spend time at developing further.

@martingalloar that would be possible but for the LDAP connection BloodHound.py requires at least 2 sockets to LDAP and 1 to the GC as well in multi-domain environments.

The easiest way to go for this right now is with the feature to add a machine account via the relayed connection, which you can use to run bloodhound or other gathering tools.

dirkjanm avatar Nov 26 '19 20:11 dirkjanm

I think it's only not popular because not a lot of people know ntlmrelayx.py dumps domain information when you use LDAP. I was recently in an environment where no user could add a computer account; however, I was able to dump the domain information with ntlmrelayx.py. The passwords were too complex to crack.

I wasn't able to run BloodHound because I didn't have valid creds. I did, however, have a ton of domain information thanks to ntlmrelayx.py dumping it for me. I then had the thought that led me here, to see if it would be possible to just provide an option for BloodHound format etc. I was planning on working on it for myself. Reading @dirkjanm's notes, I'm not sure it's feasible. If it is, I don't mind spending the time to work it out.

sho-luv avatar Jan 11 '21 20:01 sho-luv

So it appears that someone has started making a conversion... Any chance of importing this functionality and outputting in bloodhound-compatible format in addition to the usual outputs?

https://github.com/blurbdust/ldd2bh

ad0nis avatar Oct 26 '21 19:10 ad0nis
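A minimal converter of the kind this comment is asking about, added here as an illustration; it is not ldd2bh's code, nor ldapdomaindump's or impacket's. It assumes the input is shaped like the JSON ldapdomaindump writes (a list of `{"dn": ..., "attributes": {...}}` entries, with attribute values appearing either as scalars or as lists) and emits the BloodHound v4 JSON layout (`data` plus a `meta` block with `type`, `count`, `version`). The CORP.LOCAL users and groups below are constructed sample data. Only users and groups are handled; ACLs, sessions, trusts and computers are out of scope, and DN parsing is naive (no escaped commas).

```python
"""Convert ldapdomaindump-style users/groups JSON into BloodHound v4 JSON (added example)."""
import json

ACCOUNTDISABLE = 0x0002  # userAccountControl flag for a disabled account

# Constructed sample input, shaped like ldapdomaindump's domain_users.json and
# domain_groups.json (assumption: list of {"dn", "attributes"} entries).
USERS_JSON = json.dumps([
    {"dn": "CN=Alice,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["alice"], "objectSid": ["S-1-5-21-1-2-3-1105"],
                    "userAccountControl": [512], "primaryGroupID": [513],
                    "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]}},
    {"dn": "CN=svc_old,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": "svc_old", "objectSid": "S-1-5-21-1-2-3-1201",
                    "userAccountControl": 514, "primaryGroupID": 513}},
])
GROUPS_JSON = json.dumps([
    {"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["Domain Admins"], "objectSid": ["S-1-5-21-1-2-3-512"],
                    "member": ["CN=Alice,CN=Users,DC=corp,DC=local"]}},
    {"dn": "CN=Domain Users,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["Domain Users"], "objectSid": ["S-1-5-21-1-2-3-513"]}},
])


def attr(entry, name, default=None):
    """First value of an attribute, accepting both scalar and list encodings."""
    val = entry.get("attributes", {}).get(name, default)
    if isinstance(val, list):
        return val[0] if val else default
    return val


def attr_list(entry, name):
    """All values of an attribute as a list (missing -> empty list)."""
    val = entry.get("attributes", {}).get(name, [])
    return val if isinstance(val, list) else [val]


def domain_from_dn(dn):
    """Join the DC= components of a DN into an upper-case DNS domain name."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC=")).upper()


def domain_sid(sid):
    """Strip the RID from an object SID to get the domain SID."""
    return sid.rsplit("-", 1)[0]


def wrap(kind, data):
    """BloodHound v4 file envelope: data list plus meta block."""
    return {"data": data, "meta": {"methods": 0, "type": kind, "count": len(data), "version": 4}}


def convert(users_json, groups_json):
    users, groups = json.loads(users_json), json.loads(groups_json)

    # DN -> (SID, object type) so group "member" DNs can be resolved to edges.
    lookup = {u["dn"]: (attr(u, "objectSid"), "User") for u in users}
    lookup.update({g["dn"]: (attr(g, "objectSid"), "Group") for g in groups})

    bh_users = []
    for u in users:
        sid, dom = attr(u, "objectSid"), domain_from_dn(u["dn"])
        uac = int(attr(u, "userAccountControl", 0))
        bh_users.append({
            "ObjectIdentifier": sid,
            "Properties": {"name": f"{attr(u, 'sAMAccountName').upper()}@{dom}", "domain": dom,
                           "domainsid": domain_sid(sid), "distinguishedname": u["dn"].upper(),
                           "enabled": not (uac & ACCOUNTDISABLE)},
            # Primary group membership is not listed in "member"; BloodHound
            # derives that edge from PrimaryGroupSID instead.
            "PrimaryGroupSID": f"{domain_sid(sid)}-{attr(u, 'primaryGroupID', 513)}",
            "Aces": [], "AllowedToDelegate": [], "SPNTargets": [], "HasSIDHistory": [],
            "IsDeleted": False, "IsACLProtected": False,
        })

    bh_groups = []
    for g in groups:
        sid, dom = attr(g, "objectSid"), domain_from_dn(g["dn"])
        members = [{"ObjectIdentifier": lookup[m][0], "ObjectType": lookup[m][1]}
                   for m in attr_list(g, "member") if m in lookup]  # unknown DNs are dropped
        bh_groups.append({
            "ObjectIdentifier": sid,
            "Properties": {"name": f"{attr(g, 'sAMAccountName').upper()}@{dom}", "domain": dom,
                           "domainsid": domain_sid(sid), "distinguishedname": g["dn"].upper()},
            "Members": members, "Aces": [], "IsDeleted": False, "IsACLProtected": False,
        })

    return wrap("users", bh_users), wrap("groups", bh_groups)


if __name__ == "__main__":
    users_out, groups_out = convert(USERS_JSON, GROUPS_JSON)
    for name, doc in (("users.json", users_out), ("groups.json", groups_out)):
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
```

Run it against your own `domain_users.json` and `domain_groups.json` by swapping the constructed constants for the file contents; the two files it writes can be dragged into the BloodHound GUI like any collector output.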

Hello, I think the drawback of using the standard BloodHound ingestor is also its recognition by different HIDS systems. So including the above would be nice to have. Regards


nuschpl avatar Oct 28 '21 12:10 nuschpl

I agree, this would be very useful in situations where you can relay NTLMv2 hashes but don't have creds.

choket avatar Nov 16 '21 10:11 choket

So if I am reading these docs right, it looks like the tools to do this were eventually built...

https://github.com/dirkjanm/ldapdomaindump

Any chance they can be merged back into impacket now, so that a relayed ldap connection can output bloodhound-compatible files automatically?

ad0nis avatar Sep 26 '23 20:09 ad0nis