Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to connect to LDAP, verify your credentials #10

Open
anasbousselham opened this issue Feb 16, 2022 · 34 comments
Open

Unable to connect to LDAP, verify your credentials #10

anasbousselham opened this issue Feb 16, 2022 · 34 comments
Labels
bug Something isn't working

Comments

@anasbousselham
Copy link

Hi,
It's possible to used it without ldap flags.?!
Thanks

@yellow-starburst
Copy link

yes it is possible to be used without ldap flags.
Can you close the ticket now?

@anasbousselham
Copy link
Author

I have this error without any flag!

@rvazarkar
Copy link
Contributor

Are you running this through netonly? Do you have a proper domain authentication?

@x3rz
Copy link

x3rz commented Feb 19, 2022

I have this error without any flag!

Same issue for me without supplying any creds it is showing me that error

@gabemarshall
Copy link

@rvazarkar I'm also experiencing this. I'm running it through netonly and have proper domain auth (Powerview works fine, old versions of Invoke-Bloodhound work).

CleanShot 2022-02-24 at 12 13 47

@lungdart
Copy link

lungdart commented Feb 24, 2022

Same situation here on the HTB forest machine.

image

When I checkout the old version of SharpHound from the bloodhound repo commit 6a95882e0e88c398f97f2a82a956eef5b3b10ae8, the identical command works (But then starts throwing stack traces later on)

I guess I'll keep going back into the commits until I can find a stable version...

@walterone
Copy link

still got the same issue, has anyone found a workaround yet?

@rvazarkar
Copy link
Contributor

rvazarkar commented Feb 28, 2022

        ///     Tests the current LDAP config to ensure its valid by pulling a domain object
        /// </summary>
        /// <returns>True if connection was successful, else false</returns>
        public bool TestLDAPConfig(string domain)
        {
            var filter = new LDAPFilter();
            filter.AddDomains();

            var resDomain = GetDomain(domain)?.Name ?? domain;
            
            var result = QueryLDAP(filter.GetFilter(), SearchScope.Subtree, CommonProperties.ObjectID, resDomain)
                .DefaultIfEmpty(null).FirstOrDefault();

            return result != null;
        }

This is how we test for a valid LDAP connection: we query for domain objects and make sure we can get at least one. For whatever reason, that test is failing and we're getting nothing back. If you run with -v 0 it might give you some more insight as to where the check is failing, you can report back with that information

@walterone
Copy link

The verbose option only shows the TRACE info of the "TestConnection link" in the TestConnection() Function.

./sh.exe -v 0
2022-03-01T01:29:38.8844100-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-01T01:29:38.9000386-08:00|TRACE|Entering initialize link
2022-03-01T01:29:38.9000386-08:00|INFORMATION|Initializing SharpHound at 1:29 AM on 3/1/2022
2022-03-01T01:29:38.9000386-08:00|TRACE|Entering TestConnection link
2022-03-01T01:29:39.0719120-08:00|ERROR|Unable to connect to LDAP, verify your credentials
2022-03-01T01:29:39.0719120-08:00|TRACE|Exiting TestConnection link

Using powershell AD functionality and/or powerview it's possible to retrive objects in the domain.
Also it looks like that the issue is mainly related to the HTB Forest machine, i still have to try in other environments

@rvazarkar
Copy link
Contributor

I beleive I know whats causing this, I'll have a new build soon

@YB1-cyber
Copy link

YB1-cyber commented Mar 4, 2022

@rvazarkar
I joined the "unable to connect to LDAP" club , and also a friend of mine...
so if you can update here , it'll nice

BTW
I wonder:
A) Can you tell why the .ps1 collector had been removed ?
B) Will SharpHound.ps1 support the new format (matching bloodhound 4.1+) when we get it back ?

@rvazarkar
Copy link
Contributor

rvazarkar commented Mar 7, 2022

Should be fixed in v1.0.3. Reopen if the problem is still there

@YB1-cyber it was removed because I ran out of time when doing this release, and yes it will

@chinformer
Copy link

Hey, I can confirm this is still affecting v1.0.3. I've just compiled the -dev 1.0.3 version (x64) no other changes and when supplying --ldapusername and --ldappassword the error is:

2022-03-18T16:18:27.4755485+00:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote

2022-03-18T16:18:27.4876460+00:00|INFORMATION|Initializing sharpyhounds at 16:18 on 18/03/2022

2022-03-18T16:18:27.9424135+00:00|ERROR|Unable to connect to LDAP, verify your credentials

@n0kovo
Copy link

n0kovo commented Apr 16, 2022

+1
Same issue with 1.0.3 (x64)

@chinformer
Copy link

@rvazarkar any update on the potential fix for this? I added the original comment on the 18th March 2022 :). Thank you

@rvazarkar
Copy link
Contributor

Open a new issue, and use -v 0 to get verbose logging so I can see where the issue is happening

@ronemp
Copy link

ronemp commented Jul 6, 2022

Is this issue resolved?

@mc702
Copy link

mc702 commented Aug 15, 2022

C:>SharpHound.exe -c All -v 0
2022-08-15T13:22:29.7881493+08:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-08-15T13:22:29.8979655+08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-08-15T13:22:29.9130347+08:00|TRACE|Entering initialize link
2022-08-15T13:22:29.9130347+08:00|INFORMATION|Initializing SharpHound at 1:22 PM on 8/15/2022
2022-08-15T13:22:29.9130347+08:00|TRACE|Entering TestConnection link
2022-08-15T13:22:48.4446266+08:00|TRACE|[CommonLib LDAPUtils]Creating ldap connection for DC with filter (objectclass=domain)
2022-08-15T13:22:48.4446266+08:00|DEBUG|[CommonLib LDAPUtils]Unable to create ldap connection for domain (null)
2022-08-15T13:22:48.4446266+08:00|TRACE|[CommonLib LDAPUtils]LDAP connection is null for filter (objectclass=domain) and domain (null)
2022-08-15T13:22:48.4446266+08:00|ERROR|Unable to connect to LDAP, verify your credentials
2022-08-15T13:22:48.4446266+08:00|TRACE|Exiting TestConnection link

same here

@Castle1984
Copy link

hmm,same issue
|ERROR|Unable to connect to LDAP, verify your credentials

@asmar-shikhamirli
Copy link

Having the same issue here, has anyone got a solution?

@0nopnop
Copy link

0nopnop commented Dec 16, 2022

@rvazarkar any update on the issue and whether the changes have been made? I commented a while back (in Apr)

@pkyria14
Copy link

pkyria14 commented Jul 7, 2023

Still having the same issue. any updates?

@Trailingslashes
Copy link

@pkyria14, I had to reboot the windows machine to get this command to work.

@ProjectsFromB
Copy link

Anyone have any luck or workarounds?

@BaronSam3di
Copy link

Hi im also getting this error. Specifically

*Evil-WinRM* PS C:\Users\FSmith\Documents> ./Sharphound.exe -c all, gpolocalgroup -v 0
2024-01-31T18:10:30.6811548-08:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-01-31T18:10:30.8217740-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-01-31T18:10:30.8373984-08:00|TRACE|Entering initialize link
2024-01-31T18:10:30.8373984-08:00|INFORMATION|Initializing SharpHound at 6:10 PM on 1/31/2024
2024-01-31T18:10:30.8373984-08:00|TRACE|Entering TestConnection link
2024-01-31T18:10:58.9768518-08:00|TRACE|[CommonLib LDAPUtils]Testing LDAP connection for domain (null)
2024-01-31T18:10:58.9768518-08:00|TRACE|[CommonLib LDAPUtils]Creating ldap connection for DC with filter (objectclass=domain)
2024-01-31T18:10:58.9768518-08:00|DEBUG|[CommonLib LDAPUtils]Unable to create ldap connection for domain (null)
2024-01-31T18:10:58.9768518-08:00|WARNING|[CommonLib LDAPUtils]LDAP connection is null for filter (objectclass=domain) and domain Default Domain
2024-01-31T18:10:58.9768518-08:00|TRACE|[CommonLib LDAPUtils]Result object from LDAP connection test is null
2024-01-31T18:10:58.9768518-08:00|ERROR|Unable to connect to LDAP, verify your credentials
2024-01-31T18:10:58.9768518-08:00|TRACE|Exiting TestConnection link
*Evil-WinRM* PS C:\Users\FSmith\Documents> 

Is this issue a dupe of something or should it be reopened if still unresolved 😌

@JonasBK
Copy link
Collaborator

JonasBK commented Jan 31, 2024

Hi @BaronSam3di,
Try the latest SharpHound version here: https://github.com/BloodHoundAD/SharpHound/releases/latest

@stuartw1
Copy link
Contributor

stuartw1 commented Mar 18, 2024

I had this error message today. My target environment had 389 disabled and 636 open for LDAPS

I used the -SecureLDAP flag, but this didnt work and returned an "unable to connect to LDAP" error until I tried -DisableCertVerification and -DisableSigning, which made it work perfectly. Interestingly I had to provide domain, ldapusername and ldappassword too, with ldapusername set to user.name@internal.example.com rather than INTERNAL\user.name

Perhaps the error message could be expanded - either to include if it is a connection security fault, or to suggest trying flags that drop security validation measures if appropriate. It would be good if the logs contained the port that was being tried also.

@vcap-kali
Copy link

people are asking for workarounds, and I still observe this on HTB Sauna and Forest as of today, WHY is this issue closed then @JonasBK ?!

still getting the "ERROR|Unable to connect to LDAP, verify your credentials"

.\SharpHound.exe --DisableCertVerification --DisableSigning --Domain EGOTISTICAL-BANK.LOCAL --ldapusername svc_loanmgr --ldappassword '...'

@superswan
Copy link

superswan commented Apr 8, 2024

Same issue with SharpHound 2.3.3 and 1.1.1

PS C:\Users\vim\Downloads\sharphound-v2.3.3> .\SharpHound.exe --version
2024-04-07T18:57:38.3685762-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
SharpHound 2.3.3
PS C:\Users\vim\Downloads\sharphound-v2.3.3> .\SharpHound.exe -c localadmin
2024-04-07T18:58:44.0134919-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-04-07T18:58:44.1537624-07:00|INFORMATION|Resolved Collection Methods: LocalAdmin
2024-04-07T18:58:44.1699613-07:00|INFORMATION|Initializing SharpHound at 6:58 PM on 4/7/2024
2024-04-07T18:58:57.9663013-07:00|WARNING|[CommonLib LDAPUtils]Failed to setup LDAP Query Filter: Error creating LDAP connection: GetDomain call failed for
2024-04-07T18:58:57.9663013-07:00|ERROR|Error running SharpHound: Failed to setup LDAP Query Filter
   at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__40.MoveNext()
   at System.Linq.Enumerable.<DefaultIfEmptyIterator>d__93`1.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   at SharpHoundCommonLib.LDAPUtils.TestLDAPConfig(String domain)
   at Sharphound.SharpLinks.TestConnection(IContext context) in D:\a\SharpHound\SharpHound\src\Sharphound.cs:line 148
   at Sharphound.Program.<>c__DisplayClass0_0.<<Main>b__1>d.MoveNext() in D:\a\SharpHound\SharpHound\src\Sharphound.cs:line 532
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at CommandLine.ParserResultExtensions.<WithParsedAsync>d__20`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sharphound.Program.<Main>d__0.MoveNext() in D:\a\SharpHound\SharpHound\src\Sharphound.cs:line 406

It appears to be a permissions issue, above output was ran as local admin user from console session. Runs fine as SYSTEM under remote shell.

@slokie-so slokie-so reopened this Apr 9, 2024
@slokie-so slokie-so added the bug Something isn't working label Apr 9, 2024
@nga1hte
Copy link

nga1hte commented Apr 11, 2024

people are asking for workarounds, and I still observe this on HTB Sauna and Forest as of today, WHY is this issue closed then @JonasBK ?!

still getting the "ERROR|Unable to connect to LDAP, verify your credentials"

.\SharpHound.exe --DisableCertVerification --DisableSigning --Domain EGOTISTICAL-BANK.LOCAL --ldapusername svc_loanmgr --ldappassword '...'

Resetting the machine works for me.

@htinaunglu
Copy link

people are asking for workarounds, and I still observe this on HTB Sauna and Forest as of today, WHY is this issue closed then @JonasBK ?!

still getting the "ERROR|Unable to connect to LDAP, verify your credentials"

.\SharpHound.exe --DisableCertVerification --DisableSigning --Domain EGOTISTICAL-BANK.LOCAL --ldapusername svc_loanmgr --ldappassword '...'

Came here for exact issue

@k0rg
Copy link

k0rg commented Apr 15, 2024

I had this error message today. My target environment had 389 disabled and 636 open for LDAPS

I used the -SecureLDAP flag, but this didnt work and returned an "unable to connect to LDAP" error until I tried -DisableCertVerification and -DisableSigning, which made it work perfectly. Interestingly I had to provide domain, ldapusername and ldappassword too, with ldapusername set to user.name@internal.example.com rather than INTERNAL\user.name

Perhaps the error message could be expanded - either to include if it is a connection security fault, or to suggest trying flags that drop security validation measures if appropriate. It would be good if the logs contained the port that was being tried also.

This is what worked for me: adding the two LDAP flags and changing the username from DOMAIN\username to username@domain.com

@StavrosCaptain
Copy link

StavrosCaptain commented Jul 30, 2024

If you have problem with Sharphound as above, do the following (example from sauna machine in HTB):

a) bloodhound-python -u svc_loanmgr -p '<PASSWORD>' -d EGOTISTICALBANK.LOCAL -ns 10.10.10.175 -c All
b) zip info.zip *.json
c) drag&drop the .zip file in BloodHound

To install bloodhound-python:
sudo apt install bloodhound
sudo pip install bloodhound-python

@PurpleLinux
Copy link

Just a quick note to anyone perusing, if you don't ad the -d <domain> flag, you will also get this error

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests