
Login attempt with wrong domain name with trusted domain can lead to account lockout #62

Open
Qwertyhshsdhsh opened this issue Sep 5, 2023 · 1 comment

@Qwertyhshsdhsh

Description:

I executed SharpHound.exe (Version 2.0.0) on a non-domain-joined machine and provided the target domain, domain controller and LDAP credentials via arguments. I expected that all required login attempts to collect the data would use as account name <provided_domain>\<provided_username>. However, when data was collected for trusted domains, the logins were performed using <trusted_domain>\<provided_username>. Since the same user account name existed in the other trusted domains (but with different passwords), this increased the "incorrect login attempts" count. After several executions this led to a lockout of the user account in all trusted domains.
I'm unsure if this behavior is intended and I just called SharpHound the wrong way, but I was expecting that all logins would be performed with the LDAP username with the provided domain name. Or do I need to also specify the domain with the LDAP username argument?

Steps to Reproduce:

  1. Create a network with two domains (DomainA.NET and DomainB.NET) and create a trust relationship between them, with the same username in both domains but with different passwords.
     In my case I tested it with a domain administrator account, e.g. "DomainA.NET\DomainAdmin" with password "Password1" and "DomainB.NET\DomainAdmin" with password "Password2".

  2. Create a Windows client (in my case it was a Windows 10 system which was not domain joined) and execute the following command on the system:

SharpHound.exe --CollectionMethods All,GPOLocalGroup,SPNTargets,LoggedOn --collectallproperties --memcache --Domain DomainA.NET --domaincontroller DC01.DomainA.NET --ldapusername DomainAdmin --ldappassword Password1

  3. Execute the command multiple times until the configured account lockout threshold is reached. => "DomainB.NET\DomainAdmin" will get locked because SharpHound will attempt to perform a login as LDAP user "DomainAdmin" also in DomainB because of the trust relationship; however, this user has the password "Password2" and not "Password1".

Expected Behavior:

I expected that all logins would be performed as "DomainA.NET\DomainAdmin" user, even when querying data from "DomainB.NET". Actually, I also assumed that no connections to DC01.DomainB.NET would be established and that no logins with accounts in DomainB would be attempted.
I expected that the "--Domain" and "--ldapusername" flags are combined to form the final username which is used to perform the login and not that a login as "DomainB.NET\DomainAdmin" is attempted at all.

Actual Behavior:

A login as "DomainB.NET\DomainAdmin" is attempted which can lead to an account lockout after multiple executions.

Environment Information:

BloodHound: -

Collector: 2.0.0
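From the defender's side, the pattern this report describes leaves a recognisable trace on the domain controllers: one workstation authenticates as a user in DomainA and, within minutes, produces wrong-password failures (4625, status 0xC000006A) for the same user name in DomainB, followed by a 4740 lockout there. The script below is an added example, not code from the SharpHound project or from the reporter; it correlates constructed sample events (field names follow the Windows Security log, but the records themselves are made up) so that a credential reused across a trust shows up before the lockout threshold is hit. The `window`, the dict-based event shape and the hostnames are assumptions of the example.

```python
"""Added example: correlate Windows Security events 4624 / 4625 / 4740 to spot
a single host reusing one credential across trusted domains (lockout risk).
Assumes events are dicts with the field names below and ISO-8601 TimeCreated."""
from collections import defaultdict
from datetime import datetime, timedelta

WRONG_PASSWORD = "0xC000006A"   # 4625 Status: account exists, bad password
UNKNOWN_USER = "0xC0000064"     # 4625 Status: account does not exist

# Constructed sample log (not real telemetry): the scenario from the report.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2023-09-05T10:00:00", "TargetUserName": "DomainAdmin",
     "TargetDomainName": "DOMAINA", "WorkstationName": "WIN10-CLIENT", "Status": None},
    {"EventID": 4625, "TimeCreated": "2023-09-05T10:00:05", "TargetUserName": "DomainAdmin",
     "TargetDomainName": "DOMAINB", "WorkstationName": "WIN10-CLIENT", "Status": WRONG_PASSWORD},
    {"EventID": 4625, "TimeCreated": "2023-09-05T10:06:12", "TargetUserName": "DomainAdmin",
     "TargetDomainName": "DOMAINB", "WorkstationName": "WIN10-CLIENT", "Status": WRONG_PASSWORD},
    {"EventID": 4625, "TimeCreated": "2023-09-05T10:12:40", "TargetUserName": "DomainAdmin",
     "TargetDomainName": "DOMAINB", "WorkstationName": "WIN10-CLIENT", "Status": WRONG_PASSWORD},
    {"EventID": 4740, "TimeCreated": "2023-09-05T10:12:41", "TargetUserName": "DomainAdmin",
     "TargetDomainName": "DOMAINB", "WorkstationName": "WIN10-CLIENT", "Status": None},
    # Noise that must not be flagged: a mistyped service account, an ordinary logon.
    {"EventID": 4625, "TimeCreated": "2023-09-05T10:03:00", "TargetUserName": "svc_backp",
     "TargetDomainName": "DOMAINA", "WorkstationName": "FILESRV01", "Status": UNKNOWN_USER},
    {"EventID": 4624, "TimeCreated": "2023-09-05T10:04:00", "TargetUserName": "jdoe",
     "TargetDomainName": "DOMAINA", "WorkstationName": "LAPTOP-07", "Status": None},
]


def _key(e):
    """Correlation key: the host that sent the credential and the bare user name."""
    return (e["WorkstationName"].upper(), e["TargetUserName"].lower())


def cross_trust_credential_reuse(events, window=timedelta(minutes=30)):
    """Return (workstation, user) pairs that logged on successfully in one domain and,
    within `window` of that success, produced wrong-password failures for the same
    user name in a different domain. 4740 lockouts for that user are attached."""
    successes = defaultdict(list)   # key -> [(time, domain)]
    failures = defaultdict(list)    # key -> [(time, domain)]
    lockouts = defaultdict(set)     # user -> {domain}
    for e in events:
        t = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 4624:
            successes[_key(e)].append((t, e["TargetDomainName"].upper()))
        elif e["EventID"] == 4625 and e["Status"] == WRONG_PASSWORD:
            failures[_key(e)].append((t, e["TargetDomainName"].upper()))
        elif e["EventID"] == 4740:
            lockouts[e["TargetUserName"].lower()].add(e["TargetDomainName"].upper())

    findings = {}
    for key, oks in successes.items():
        ok_domains = {d for _, d in oks}
        counts = defaultdict(int)
        for ft, fd in failures.get(key, []):
            if fd in ok_domains:
                continue   # bad password in the same domain is not cross-trust reuse
            if any(abs(ft - ot) <= window for ot, _ in oks):
                counts[fd] += 1
        if counts:
            findings[key] = {
                "authenticated_in": sorted(ok_domains),
                "failed_in": dict(counts),
                "locked_out": sorted(lockouts.get(key[1], set())),
            }
    return findings


def report(findings):
    """One human-readable line per finding, for a ticket or alert body."""
    lines = []
    for (host, user), f in sorted(findings.items()):
        lines.append(f"{host}: '{user}' authenticated in {','.join(f['authenticated_in'])} "
                     f"but failed with wrong password in {f['failed_in']}; "
                     f"locked out in {f['locked_out'] or 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(cross_trust_credential_reuse(SAMPLE_EVENTS)):
        print(line)
```

Run against the sample, the only finding is WIN10-CLIENT reusing `domainadmin` from DOMAINA against DOMAINB three times before the lockout. Failures in the domain where the same host already authenticated are skipped on purpose, since those are ordinary typos rather than a credential being carried across a trust; raising on the first cross-domain failure rather than on the 4740 gives time to stop the collector before the threshold is reached.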

@rvazarkar
Contributor

I'll have to do some testing to see if you can specify a DOMAIN prefix on a username, like DOMAINA\DomainAdmin. Have you tried that yet?
