fox-it / invoke-aclpwn Goto Github PK

I am receiving the following error below.

Not sure if its related but I am running it from a non-domain member system.

I specified the domain, username and password and it successfully bound to AD.

....
[] Getting schema classes...
[] Found 4729 schema classes
[] Getting extended rights from schema...
[] Found 142 extended rights
[*] Running SharpHound v2.0.0...
Get-SharpHoundACL : [Get-SharpHoundACL] No ACL input available.
At \github\Invoke-ACLPwn\Invoke-ACLPwn.ps1:1724 char:17

• ... InputPath = Get-SharpHoundACL -sharpHoundLocation $sharpHoundLocation ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
  • FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-SharpHoundACL

I am getting the following error even though it completes.

Given its not finding any chains, is this error something I can ignore or is it causing the script not to find any chains?

You cannot call a method on a null-valued expression.
At \Invoke-ACLPwn.ps1:1754 char:60

• ... ere-Object {$_.PrincipalName.ToString().ToLower() -like "$($g.NTAccou ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At \Invoke-ACLPwn.ps1:1754 char:60

• ... ere-Object {$_.PrincipalName.ToString().ToLower() -like "$($g.NTAccou ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At \Invoke-ACLPwn.ps1:1754 char:60

• ... ere-Object {$_.PrincipalName.ToString().ToLower() -like "$($g.NTAccou ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

[] Parsing ACL. This might take a while...
[] No chain found :(

I Get The Following Exception in the parsing process.

[] Found 4882 ACLs
[] Parsing ACL. This might take a while...
[Get-DistinguishedNameForObject] User not found.
In C:\Invoke-ACLPwn-master\Invoke-ACLPwn-master\Invoke-ACLPwn.ps1:144 Zeichen:9

•     throw '[Get-DistinguishedNameForObject] User not found.'
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: ([Get-Distinguis...User not found.:String) [], RuntimeException
  • FullyQualifiedErrorId : [Get-DistinguishedNameForObject] User not found.

Some ideas, how to fix this?

This renders Invoke-ACLPwn useless in its current behavior when used in conjunction with an recent version of SharpHound

Problem

The new functionality allowing the use of Bloodhound 2.0 Json output to be parsed fails silently if sharphound.exe produces Json files larger than 2Mb. ConvertFrom-Json has a hardcoded 2Mb input limit.

Possible Solution

replace the Json parse line 1489:
$tmp = ConvertFrom-Json $content -ErrorAction SilentlyContinue
with:

[void][System.Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")        
$jsonserial= New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer 
$jsonserial.MaxJsonLength  = 67108864 #64Mb
$tmp = $jsonserial.DeserializeObject($content)

Running this tool with a user in the root domain of the forest works as expected. I have experienced the following failures:

• Specifying a user in a child domain
• setting the -domain param to a child domain with a child domain user
  Error:

[Get-AttrForADObject] User not found.
At B:\Invoke-ACLPwn.ps1:109 char:9
+         throw '[Get-AttrForADObject] User not found.'
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: ([Get-AttrForADObject] User not found.:String) [], RuntimeException
    + FullyQualifiedErrorId : [Get-AttrForADObject] User not found.