New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aces missing from Users.json?? - version 2 (BloodhoundCE) #25
Comments
Hi @LarsVonZipper, I'll be analysing this more in detail during the week. Thank you for the information. 👍 |
Thanks @g0h4n I appreciate it. Let me know if I can help in someway. |
Hey @g0h4n, The .CSV files are a bit redacted but hopefully you get the gist. They are the "Aces" component of the same user collected with the older and newer (v2) version of RustHound. Regards |
Thanks for all the additional information, I appreciate it, it should help me! 😄 |
I was unable to reproduce the issue Could you please pass the JSON files into the script and send me the two examples? #!/usr/bin/python3
import json
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('-f', action='store',
metavar='<JSON_filename>',
help='JSON file',
required=True)
parser.add_argument('-V', action='store',
metavar='<v1 or v2>',
help='Version',
required=True)
args = parser.parse_args()
filename = vars(args)['f']
version = vars(args)['V']
print("[?] filename: ",filename)
print("[?] version: ",version)
with open(filename, "r") as f:
datas = json.load(f)
for jsonObj in datas["data"]:
name = jsonObj["Properties"]["name"]
aces = jsonObj["Aces"]
print("[+] Name '"+name+"' parsed")
#print("[?] Aces: ",aces)
with open(name+"_"+version+".json","w") as f2:
f2.write(str(aces))
f2.close
print("[+] File '"+name+"_"+version+".json"+"' created") Example: #v1.1.69
python3 parse_json.py -f v1.1.69/2024xxxxxxxxxx_essos-local_users.json -V v1
#v2.0.0
python3 parse_json.py -f v2.0.0/2024xxxxxxxxxx_essos-local_users.json -V v2 |
Thanks for the update @g0h4n |
This version allows you to add a limit on the number of users to parse and I've added a reglex to automatically replace the contents of the SID in order to anonymise it. #!/usr/bin/python3
import json
import argparse
import re
parser = argparse.ArgumentParser()
parser.add_argument('-f', action='store',
metavar='<JSON_filename>',
help='JSON file',
required=True)
parser.add_argument('-V', action='store',
metavar='<v1 or v2>',
help='Version',
required=True)
parser.add_argument('-n', type=int,
action='store',
metavar='<integer>',
help='Number users like -n 10',
required=True)
args = parser.parse_args()
filename = vars(args)['f']
version = vars(args)['V']
number = vars(args)['n']
print("[?] filename: ",filename)
print("[?] version: ",version)
print("[?] limit: ",str(number))
with open(filename, "r") as f:
datas = json.load(f)
cpt = 0
for jsonObj in datas["data"]:
if cpt == number:
exit()
try:
name = re.sub(r'@([a-zA-Z0-9]+.[a-zA-Z0-9]+)', '@ANONYMOUS.LOCAL', str(jsonObj["Properties"]["name"]))
except:
name = jsonObj["Properties"]["name"]
aces = jsonObj["Aces"]
aces = re.sub(r'S-1-5-21-(\d+-\d+\-\d+)', 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx', str(aces))
aces = re.sub(r'([a-zA-Z0-9]+.[a-zA-Z0-9]+)-S-', 'ANONYMOUS.LOCAL-S-', str(aces))
print("["+str(cpt+1)+"] Name '"+name+"' parsed")
#print("[?] Aces: ",aces)
with open(name+"_"+version+".json","w") as f2:
f2.write(str(aces))
f2.close
print("["+str(cpt+1)+"] File '"+name+"_"+version+".json"+"' created")
cpt += 1 Examples: #v1.1.69
python3 parse_json.py -f v1.1.69/2024xxxxxxxxxx_essos-local_users.json -V v1 -n 10
#v2.0.0
python3 parse_json.py -f v2.0.0/2024xxxxxxxxxx_essos-local_users.json -V v2 -n 10 Could you please make sure you send me the users where the ACEs are different? |
Please see attached. |
Hi,
It's probably me but ...,
When I use Rusthound from the v2-branch, there seems to be numerous 'missing' Aces in the users.json when I compare the results to those captured using rusthound from the main-branch version??
For example, there is a user account that has “Write all properties” access that applies to “Descendant User objects” set on the domain object.
With data collected using the main-branch Rusthound, all users in that domain have an Ace that referenced the said user account as having “IsInherited: true”, “GenericWrite” (correct). Whereas, data collected using the v2-branch Rusthound failed to record this on any user account?
Then, when I took a random user from data collected using the main-branch version, there were 68 Aces recorded. Data for the same user, collected at the same time using the v2-branch version only recorded 52.
Obviously the specific numbers are relative to the domain but the fact there was a large discrepancy worried me a little
The text was updated successfully, but these errors were encountered: