lkarlslund / adalanche


Active Directory ACL Visualizer and Explorer - who's really Domain Admin? (Commercial versions available from NetSection)

Home Page: https://www.netsection.com

License: GNU Affero General Public License v3.0

Go 84.10% JavaScript 11.10% HTML 3.77% CSS 0.81% PowerShell 0.21%
blueteam active-directory activedirectory acl infosec ldap graph-theory reconnaissance acl-audit ad-audit

adalanche's Issues

Cannot collect data from sysinternals snapshot

Hey, I created a snapshot of the AD using the Sysinternals tool, and that did work. Now I try to collect the data using this command .\adalanche-windows-x64-v2024.1.11.exe collect activedirectory --adexplorerfile=adexplorer64.dat but I get this output with an error:

09:43:08.939  INFORMA  Adalanche Open Source v2024.1.11 (commit 0161570), (c) 2020-2024 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
09:43:09.007  INFORMA  Collecting objects from AD Explorer snapshot adexplorer64.dat ...
09:43:09.015  INFORMA  Loading raw AD Explorer snapshot into memory
09:43:09.087  INFORMA  Reading header (takes a while) ...
09:43:12.749   ERROR   problem collecting Active Directory objects: failed to get values for object 5522: EOF

Build Commands fail

When following the build commands provided on a Linux machine, I get the following errors:

┌─[root@htb-arw6grxvuj]─[/home/htb-ac-413848]
└──╼ #git clone https://github.com/lkarlslund/Adalanche Adalanche
cd Adalanche
pwsh build.ps1
<SNIP>
modules/query/nodefilter.go:4:2: package cmp is not in GOROOT (/usr/lib/go-1.19/src/cmp)
/root/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:9:2: package slices is not in GOROOT (/usr/lib/go-1.19/src/slices)
modules/query/nodefilter.go:4:2: package cmp is not in GOROOT (/usr/lib/go-1.19/src/cmp)
/root/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:9:2: package slices is not in GOROOT (/usr/lib/go-1.19/src/slices)
modules/query/nodefilter.go:4:2: package cmp is not in GOROOT (/usr/lib/go-1.19/src/cmp)
/root/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:9:2: package slices is not in GOROOT (/usr/lib/go-1.19/src/slices)
modules/query/nodefilter.go:4:2: package cmp is not in GOROOT (/usr/lib/go-1.19/src/cmp)
/root/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:9:2: package slices is not in GOROOT (/usr/lib/go-1.19/src/slices)
modules/query/nodefilter.go:4:2: package cmp is not in GOROOT (/usr/lib/go-1.19/src/cmp)
/root/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:9:2: package slices is not in GOROOT (/usr/lib/go-1.19/src/slices)
modules/query/nodefilter.go:4:2: package cmp is not in GOROOT (/usr/lib/go-1.19/src/cmp)
/root/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:9:2: package slices is not in GOROOT (/usr/lib/go-1.19/src/slices)

Any thoughts on why this is so (pardon me, I am not that knowledgeable when it comes to Go)?

How to combine collected data from multiple domains/forests ?

Could you please explain how to combine the data from multiple domains/forests? Can I drop all of it in the single data directory? Something else?
Also, what is the meaning of the FML triplet in the UI? What exactly happens when I switch these? Is there any more detailed documentation or blog post besides README.md?

Thanks

The latest release seems to fail on a domain controller

The latest release does not seem to work using this command. I am trying to run it as LocalSystem as:

adalanche collect activedirectory --port=389 --tlsmode=NoTLS

but get the following error:

11:19:07.131  INFORMA  Adalanche Open Source v2023.5.3 (commit aa4c038), (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
11:19:07.216  WARNING  Problem connecting to DC 127.0.0.1: The specified target is unknown or unreachable
11:19:07.216   ERROR   All DCs failed login attempts

I have tried:

adalanche collect activedirectory --port=389 --tlsmode=NoTLS --server=127.0.0.1

and

adalanche collect activedirectory

panic: dedup map mismatch

Separate issue (maybe) from the other panic issue I opened today. I saw this before the other issue, but didn't want to submit two issues simultaneously. The data files I'm processing here are all taken from ADExplorer snapshots generated using the 'git pull' copy from this morning. This analyze run is from a 'git pull' taken just now. Perhaps I need to re-generate the data files with the current flavor of adalanche? Or I would get the same result, maybe.

[screenshot]

Failed to get values for object 5407: unhandled attribute type 28

Howdy,
Testing out Adalanche, I was unable to use auto mode or plaintext. I used ADExplorer to create a snapshot and then loaded it into Adalanche.

C:\Users\me\Desktop>adalanche-windows-x64-v2022.8.26.exe collect activedirectory --adexplorerfile=ad-dump.dat
15:31:26.531 INFORMA Adalanche Open Source v2022.8.26 (commit 4c82445), (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
15:31:26.546 INFORMA Collecting objects from AD Explorer snapshot ad-dump.dat ...
15:31:26.546 INFORMA Loading raw AD Explorer snapshot into memory
15:31:26.651 INFORMA Reading header (takes a while) ...
15:31:27.633 ERROR problem collecting Active Directory objects: failed to get values for object 5407: unhandled attribute type 28

Not sure what to try after this.

Any ideas?

Panic in Ubuntu 18.04.05

On a fully upgraded Ubuntu 18 I get the following when trying to run adalanche:

./adalanche flag redefined: authmode
panic: ./adalanche flag redefined: authmode

goroutine 1 [running]:
flag.(*FlagSet).Var(0xc000032720, 0xa6a280, 0xc000116cf0, 0x9b2964, 0x8, 0x9d0e18, 0x62)
	/usr/local/go/src/flag/flag.go:871 +0x485
flag.(*FlagSet).StringVar(...)
	/usr/local/go/src/flag/flag.go:760
flag.(*FlagSet).String(0xc000032720, 0x9b2964, 0x8, 0x9aedf1, 0x4, 0x9d0e18, 0x62, 0xc000116ce0)
	/usr/local/go/src/flag/flag.go:773 +0xa5
flag.String(...)
	/usr/local/go/src/flag/flag.go:780
main.main()
	/home/msaulnier/adalanche/main.go:93 +0x325

I'm pretty new to Go, but from what I understand authmode is defined twice in the code.

I get the same error regardless of the flags I pass to it.

Thank you.

Collection on DC without username/password

It will be great to have an option equivalent to "SharpHound.exe --CollectionMethods All,GPOLocalGroup" that allows collecting data from a domain controller as local system rather than having to specify a username/password.

index out of range

OS: Windows
Elevated: yes
Command: .\adalanche-windows-amd64-v2023.5.3.exe
12:13:07.999 WARNING Scheduled task: \REDACTED\SYSVOL\REDACTED\scripts\Modify-CIMV2\Set-cimV2.bat ... FIXME!
12:13:08.040 INFORMA Loaded 83 files, skipped 0 files
12:13:08.643 INFORMA Loader Active Directory produced 9929 objects in 1 collections
12:13:08.664 INFORMA Loader Group Policy produced 1301 objects in 1 collections
12:13:08.665 INFORMA Loader LocalMachine JSON file produced 1 objects in 1 collections
12:13:08.666 INFORMA We produced a total of 11231 objects from data
12:13:08.919 INFORMA Domain REDACTED has a incoming trust with REDACTED
Preprocessing Active Directory priority BeforeMergeHigh [11332/22664] ██████████████████████████████████████████████████████████████████████████████ 50.00% | 0spanic: runtime error: index out of range [65535] with length 511

goroutine 218 [running]:
github.com/lkarlslund/adalanche/modules/engine.(*Object).get(0xc002887d80?, 0x7da0?)
/home/runner/work/Adalanche/Adalanche/modules/engine/object.go:486 +0x76
github.com/lkarlslund/adalanche/modules/engine.(*Object).attr(0xffff00c00085ad30?, 0x39e0?)
/home/runner/work/Adalanche/Adalanche/modules/engine/object.go:500 +0x25
github.com/lkarlslund/adalanche/modules/engine.(*Object).Attr(0x12232d4?, 0x508?)
/home/runner/work/Adalanche/Adalanche/modules/engine/object.go:512 +0x34
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.init.0.func32.1(0xc0008fa9c0)
/home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/analyze/analyze-ad.go:689 +0x54
github.com/lkarlslund/adalanche/modules/engine.(*Objects).Iterate.func1(0x2887e98?, 0xc00104be48?)
/home/runner/work/Adalanche/Adalanche/modules/engine/objects.go:460 +0x22
github.com/SaveTheRbtz/generic-sync-map-go.(*MapOf[...]).Range(0xc001b58088?, 0xc002887f20?)
/home/runner/go/pkg/mod/github.com/!save!the!rbtz/[email protected]/map.go:334 +0x2ba
github.com/lkarlslund/adalanche/modules/engine.(*Objects).Iterate(0xc001882998?, 0xc004791268?)
/home/runner/work/Adalanche/Adalanche/modules/engine/objects.go:459 +0x45
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.init.0.func32(0xc0006d4920?)
/home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/analyze/analyze-ad.go:685 +0x35
github.com/lkarlslund/adalanche/modules/engine.Process.func1({0x1700ab0, {0x124587a, 0x32}, 0x3, 0x0})
/home/runner/work/Adalanche/Adalanche/modules/engine/edgeanalyzers.go:70 +0x5a
created by github.com/lkarlslund/adalanche/modules/engine.Process
/home/runner/work/Adalanche/Adalanche/modules/engine/edgeanalyzers.go:69 +0x277

Hi, your project pulls in 289 open-source components, 3 of which have vulnerabilities; please upgrade

Detected that lkarlslund/adalanche pulls in 289 open-source components in total, with 3 vulnerabilities

Vulnerability title: jwt-go security vulnerability
Affected component: github.com/dgrijalva/[email protected]+incompatible
Vulnerability ID: CVE-2020-26160
Description: jwt-go is a Go-language JWT implementation by an individual developer.
jwt-go versions before 4.0.0-preview1 have a security vulnerability. An attacker can exploit it to bypass intended access restrictions in situations where []string{} is used for m["aud"] (which the specification allows).
Affected range: (∞, 4.0.0-preview1)
Minimum fixed version: 4.0.0-preview1
Introduction path of the affected component: main@->github.com/dgrijalva/[email protected]+incompatible

There are also 3 vulnerabilities; detailed report: https://mofeisec.com/jr?p=a9b5ed

False passwordCantChange?

Hello, thank you for the awesome awesome tool.

While using it I noticed that for a specific user I have, it says passwordCantChange: false:

[screenshot]

However, in reality, that user is not capable of changing their password:

[screenshot]

Curious why this is the case, shouldn't passwordCantChange be true instead?

Thank you.

Warning error parsing data - on mS-DS-ConsistencyGuid

First run of Adalanche, and I got this error when parsing the data.

09:33:04.22 INF Will process 225 files
Loading data 98% |███████████████████████████████████████ | (13822/14052, 22010 tidbits/s) [1s:0s]09:33:05.22 WRN Failed to convert attribute mS-DS-ConsistencyGuid value <> to GUID: uuid: UUID must be exactly 16 bytes long, got 36 bytes
panic: tried to set attribute mS-DS-ConsistencyGuid to NO values

goroutine 37 [running]:
github.com/lkarlslund/adalanche/modules/engine.(*Object).SetValues(0xc003e80063, 0x97d0, {0xc002ef64f0, 0x674851, 0xc0030715a0})
/home/runner/work/adalanche/adalanche/modules/engine/object.go:508 +0xdd
github.com/lkarlslund/adalanche/modules/integrations/activedirectory.(*RawObject).ToObject(0xc00b6fd800, 0x1)
/home/runner/work/adalanche/adalanche/modules/integrations/activedirectory/rawobject.go:42 +0x1e5
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.(*ADLoader).Init.func1()
/home/runner/work/adalanche/adalanche/modules/integrations/activedirectory/analyze/adloader.go:67 +0x70
created by github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.(*ADLoader).Init
/home/runner/work/adalanche/adalanche/modules/integrations/activedirectory/analyze/adloader.go:64 +0xc9
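The warning above shows the attribute arriving as a 36-byte value (the length of the dashed text form of a GUID) where 16 raw bytes were expected, and the panic shows the loader then trying to store an empty value. The following is an added example, not adalanche's own code, of a tolerant loader in Go that accepts both encodings and turns the empty case into a skippable error instead of a panic; the Microsoft mixed-endian byte order assumed for the raw form, the function names and the sample values are my assumptions.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// GUID holds the 16 bytes in canonical (text) byte order.
type GUID [16]byte

// ErrNoValue marks an attribute that was present but carried no data.
var ErrNoValue = errors.New("attribute has no value")

// ParseADGUID accepts the two encodings an AD export may carry for a
// GUID-typed attribute such as mS-DS-ConsistencyGuid or objectGUID:
//   - 16 raw bytes in Microsoft mixed-endian order (assumption: the first
//     three fields are little-endian, as AD stores objectGUID),
//   - the 36-character text form "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
//     optionally wrapped in braces (38 characters).
// An empty value is reported as ErrNoValue so the caller can skip the
// attribute instead of trying to set it to "no values".
func ParseADGUID(raw []byte) (GUID, error) {
	var g GUID
	switch len(raw) {
	case 0:
		return g, ErrNoValue
	case 16:
		// Reorder the three little-endian fields into canonical order.
		g[0], g[1], g[2], g[3] = raw[3], raw[2], raw[1], raw[0]
		g[4], g[5] = raw[5], raw[4]
		g[6], g[7] = raw[7], raw[6]
		copy(g[8:], raw[8:])
		return g, nil
	case 36, 38:
		s := strings.Trim(string(raw), "{}")
		if len(s) != 36 || s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
			return g, fmt.Errorf("malformed GUID text %q", s)
		}
		hexOnly := strings.ReplaceAll(s, "-", "")
		n, err := hex.Decode(g[:], []byte(hexOnly))
		if err != nil || n != len(g) {
			return GUID{}, fmt.Errorf("malformed GUID text %q", s)
		}
		return g, nil
	default:
		return g, fmt.Errorf("GUID must be 16 raw bytes or 36 text characters, got %d bytes", len(raw))
	}
}

// String renders the canonical dashed form.
func (g GUID) String() string {
	h := hex.EncodeToString(g[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// LoadConsistencyGUIDs walks attribute values the way a loader would:
// empty values are counted and skipped, malformed values are collected as
// errors, and neither aborts the whole import.
func LoadConsistencyGUIDs(values [][]byte) (parsed []GUID, skipped int, errs []error) {
	for _, v := range values {
		g, err := ParseADGUID(v)
		switch {
		case errors.Is(err, ErrNoValue):
			skipped++
		case err != nil:
			errs = append(errs, err)
		default:
			parsed = append(parsed, g)
		}
	}
	return parsed, skipped, errs
}

func main() {
	// Constructed sample values: one raw 16-byte GUID, one 36-char text GUID,
	// one empty value (the case from the issue) and one garbage value.
	raw := []byte{0x33, 0x22, 0x11, 0x00, 0x55, 0x44, 0x77, 0x66, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
	samples := [][]byte{raw, []byte("00112233-4455-6677-8899-aabbccddeeff"), []byte(""), []byte("not-a-guid")}
	parsed, skipped, errs := LoadConsistencyGUIDs(samples)
	for _, g := range parsed {
		fmt.Println(g)
	}
	fmt.Printf("parsed=%d skipped=%d errors=%d\n", len(parsed), skipped, len(errs))
}
```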

Root / child domain setups are not supported (Error 32)

Greetings,
I'm actually trying to test our active directory but unfortunately I'm getting the error:
Problem dumping AD: Failed to execute search request: LDAP Result Code 32 "No Such Object": 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:

It looks like there is a problem with forests: I can only dump if I provide the forest, but I am not able to search/dump the child domains of it, which is really bad because our forest only holds a few objects and is not that interesting.
Also, support for other domain languages is missing; we have a German one, so the default queries use the wrong names.

It's a really cool tool to get an overview of what could be wrong, really appreciate it.

Runtime error: invalid memory address or nil pointer dereference

Step 1: adalanche-windows-x64-v2024.1.11.exe collect activedirectory
Finishes with message "Terminating successfully".

Step 2: adalanche-windows-x64-v2024.1.11.exe analyze
The lines prior to the runtime error are first an information line saying:
"We produced a total of x objects from data",
followed by a warning saying
"Can not find machine object for DC CN=xxxxx...."
and then the runtime error occurs.

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x20 pc=0xa6ae47]

goroutine 861 [running]:
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.init.0.func46.1(0xc0599cb010?)
/home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/analyze/analyze-ad.go:1254 +0x827
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.init.0.func46.(*Objects).Iterate.func2(0x377b90?, 0xc02cea9790?)
/home/runner/work/Adalanche/Adalanche/modules/engine/objects.go:471 +0x1a
github.com/SaveTheRbtz/generic-sync-map-go.(*MapOf[...]).Range(0x1de0940?, 0xc000377d68?)
/home/runner/go/pkg/mod/github.com/!save!the!rbtz/[email protected]/map.go:334 +0x29a
github.com/lkarlslund/adalanche/modules/engine.(*Objects).Iterate(...)
/home/runner/work/Adalanche/Adalanche/modules/engine/objects.go:470
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze.init.0.func46(0xc000449200)
/home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/analyze/analyze-ad.go:1199 +0x51f
github.com/lkarlslund/adalanche/modules/engine.Process.func1({0x1cdf560, {0xd17841, 0x25}, 0x1, 0x0})
/home/runner/work/Adalanche/Adalanche/modules/engine/edgeanalyzers.go:70 +0x54
created by github.com/lkarlslund/adalanche/modules/engine.Process in goroutine 855
/home/runner/work/Adalanche/Adalanche/modules/engine/edgeanalyzers.go:69 +0x291

Data files

Can someone explain this part please?

"For more advanced use (recommended) first collect, with proper options. All your data files (are belong to us), and will end up in the data subfolder (or use --datapath dir to use an alternative folder)."

"are belong to us"?

Unable to open transferred output file

After running the collector on a target, and getting the output back on a Kali host, adalanche seems to struggle with actually analysing the file.

According to the documentation, the output files must be placed in a folder called data. This folder will be created automatically when invoking adalanche, if it does not exist.
The folder, however, is created without execute permission on a Linux host, which means that it is broken: files cannot be copied into the folder, etc.

Furthermore, after making the folder executable (and moving an output file in), adalanche skips reading the file.

Testing information:

  • HOST: kali linux
  • ADALANCHE VERSION: Latest release (downloaded pre-compiled binaries)

See screenshots for further details:
No data folder existing
[screenshot]

Data folder created automatically, but with wrong permissions
[screenshot]

JSON file not picked up by adalanche, even though it is in the correct folder
[screenshot]

I would personally prefer being able to point to where data should be loaded from, on starting adalanche analyze.

Thrown error when trying to build (commit ec6691c2b31837fd6130d3445b5f643e2542060d)

go build -ldflags "-X github.com/lkarlslund/adalanche/modules/version.Program=adalanche -X github.com/lkarlslund/adalanche/modules/version.Builddate=20220401 -X github.com/lkarlslund/adalanche/modules/version.Commit=ec6691c -X github.com/lkarlslund/adalanche/modules/version.Version=v2022.2.1-34-gec6691c-local-changes" -o adalanche-windows-x64-v2022.2.1-34-gec6691c-local-changes.exe ./adalanche

# github.com/lkarlslund/adalanche/modules/integrations/activedirectory/analyze
modules\integrations\activedirectory\analyze\analyze-ad.go:1195:32: undefined: strings.Cut
modules\integrations\activedirectory\analyze\analyze-ad.go:1225:32: undefined: strings.Cut

Adalanche Collect not working - panic: Exception occurred. (<nil>)

.\adalanche.exe collect localmachine
{"level":"warn","time":"2022-08-04T12:45:59+02:00","message":"Problem loading preferences: open preferences.json: The system cannot find the file specified."}
12:45:59.22 INF adalanche v2022.5.19 (commit 02ddc47) built 20220519, (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
panic: Exception occurred. ()

goroutine 1 [running]:
github.com/go-ole/go-ole/oleutil.MustGetProperty(0xc0000a4678?, {0xaeade4?, 0xc0001049e0?}, {0x0?, 0xc000104dc0?, 0xc000104d00?})
/home/runner/go/pkg/mod/github.com/go-ole/[email protected]/oleutil/oleutil.go:72 +0x5e
github.com/amidaware/taskmaster.parseRegisteredTask(_)
/home/runner/go/pkg/mod/github.com/amidaware/[email protected]/parse.go:67 +0x279
github.com/amidaware/taskmaster.(*TaskService).GetRegisteredTasks.func1(0x9?)
/home/runner/go/pkg/mod/github.com/amidaware/[email protected]/manage.go:174 +0x7b
github.com/go-ole/go-ole/oleutil.ForEach(0x1?, 0xc00013b6d8)
/home/runner/go/pkg/mod/github.com/go-ole/[email protected]/oleutil/oleutil.go:122 +0x20d
github.com/amidaware/taskmaster.(*TaskService).GetRegisteredTasks(0xc00013c750)
/home/runner/go/pkg/mod/github.com/amidaware/[email protected]/manage.go:171 +0x2d0
github.com/lkarlslund/adalanche/modules/integrations/localmachine/collect.Collect({0xade5ae, 0x4})
/home/runner/work/adalanche/adalanche/modules/integrations/localmachine/collect/main.go:283 +0xf3f
github.com/lkarlslund/adalanche/modules/integrations/localmachine/collect.Execute(0x160ba00?, {0xade6b2?, 0x0?, 0x0?})
/home/runner/work/adalanche/adalanche/modules/integrations/localmachine/collect/main.go:50 +0x6e
github.com/spf13/cobra.(*Command).execute(0x160ba00, {0x16922c0, 0x0, 0x0})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:856 +0x67c
github.com/spf13/cobra.(*Command).ExecuteC(0x160b000)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:974 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:902
github.com/lkarlslund/adalanche/modules/cli.Run()
/home/runner/work/adalanche/adalanche/modules/cli/main.go:117 +0x60d
main.main()
/home/runner/work/adalanche/adalanche/adalanche/main.go:15 +0x19

runtime error: slice bounds out of range [:2080704] with length 1000000

Hi, I ran the following:

adalanche-windows-x64-v2024.1.11-43-g7774681.exe collect activedirectory -authdomain "contoso" --domain "contoso.com" --ignorecert --tlsmode "tls" --username Admin_AD --password P4$$w0rd --datapath "c:\ADALANCHE\ContosoData"

And got this error in the console:

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

13:58:54.561  INFORMA  Adalanche Open Source v2024.1.11-43-g7774681 (non-release), (c) 2020-2024 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
13:58:54.683  INFORMA  AD controller(s) detected as: DC01.contoso.com, DC02.contoso.com, DC03.contoso.com, DC04.contoso.com, DC05.contoso.com, DC02.contoso.com, DC06.contoso.com
13:58:54.684  INFORMA  Setting up TLS encrypted LDAP session to DC01.contoso.com:389
13:58:54.687  INFORMA  Connecting to DC01.contoso.com:389
13:58:54.896  INFORMA  Using user Admin_AD authentication mode LDAP_AUTH_NEGOTIATE
13:58:55.001  INFORMA  Successfull connect to DC DC01.contoso.com
13:58:55.016  INFORMA  Probing RootDSE ...
| Dumping from  ... (1/-, 51 objects/s) [0s]
13:58:55.043  INFORMA  Saving RootDSE ...
| Dumping from  ... (1/-, 44 objects/s) [0s]
13:58:55.090  INFORMA  Collecting schema objects from CN=Schema,CN=Configuration,DC=contoso,DC=com...
- Dumping from CN=Schema,CN=Configuration,DC=contoso,DC=com... (4710/-, 2512 objects/s) [1s]
13:58:57.017  INFORMA  Collecting configuration objects from CN=Configuration,DC=contoso,DC=com...
/ Dumping from CN=Configuration,DC=contoso,DC=com... (4166/-, 2008 objects/s) [2s] panic: runtime error: slice bounds out of range [:2080704] with length 1000000

goroutine 1 [running]:
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/collect.GoBytes(...)
        /home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/collect/ldap_windows.go:831
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/collect.LDAPBerval.Data(...)
        /home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/collect/ldap_windows.go:742
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/collect.(*WAD).Dump(0xc0000c0180, {{0xc000458690, 0x28}, 0x2, {0x1e7a4be, 0xf}, {0x0, 0x0, 0x0}, 0x1, ...})
        /home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/collect/ldap_windows.go:370 +0x1b4f
github.com/lkarlslund/adalanche/modules/integrations/activedirectory/collect.Execute(0xc0000c2700?, {0x1e64ef5?, 0x4?, 0x1e64ef9?})
        /home/runner/work/Adalanche/Adalanche/modules/integrations/activedirectory/collect/cli.go:461 +0x3087
github.com/spf13/cobra.(*Command).execute(0x3687580, {0xc0001429a0, 0xe, 0xe})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:983 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0x3686fc0)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
github.com/lkarlslund/adalanche/modules/cli.Run()
        /home/runner/work/Adalanche/Adalanche/modules/cli/main.go:156 +0xb08
main.main()
        /home/runner/work/Adalanche/Adalanche/adalanche/main.go:15 +0x25

It seems that the collector for Active Directory doesn't finish correctly, so when I run the analyze

adalanche-windows-x64-v2024.1.11-43-g7774681.exe analyze --datapath "c:\ADALANCHE\ContosoData"

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

13:56:24.363  INFORMA  Adalanche Open Source v2024.1.11-43-g7774681 (non-release), (c) 2020-2024 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
13:56:24.461  INFORMA  Scanning for data files from data ...
13:56:24.462  INFORMA  Will process 3 files
13:56:24.728  INFORMA  Loaded 3 files, skipped 0 files
13:56:25.534   FATAL   Can't apply unique source for AD data from data\DC=contoso,DC=com, this will give errors during object merging: No domain info found in collection

runtime error: slice bounds out of range

Hey, I ran ".\adalanche-windows-x64-v2024.1.11-4-g69a66ad.exe analyze" and used the default query.
I can get data for various users when clicking on their node, but for some I don't get any information and only see this:
[screenshot]

Also, in the terminal I can see this error message:

2024/01/26 15:03:58 http: panic serving 127.0.0.1:55950: runtime error: slice bounds out of range [:256] with length 150
goroutine 1100 [running]:
net/http.(*conn).serve.func1()
        /opt/hostedtoolcache/go/1.21.5/x64/src/net/http/server.go:1868 +0xb9
panic({0xa1b720?, 0xc000ca6000?})
        /opt/hostedtoolcache/go/1.21.5/x64/src/runtime/panic.go:920 +0x270
github.com/lkarlslund/adalanche/modules/analyze.analysisfuncs.func3.1(0x8570?, {0x1b50710?, 0xc003930760?})
        /home/runner/work/Adalanche/Adalanche/modules/analyze/webservicefuncs.go:149 +0x1fa
github.com/lkarlslund/adalanche/modules/analyze.analysisfuncs.func3.(*Object).AttrIterator.(*AttributeValueMap).Iterate.func2({0x3880?, {0x1b50710?, 0xc003930760?}})
        /home/runner/work/Adalanche/Adalanche/modules/engine/attributevaluemap.go:82 +0x22
github.com/lkarlslund/gonk.(*Gonk[...]).Range(0xa727d5?, 0xc000345930?)
        /home/runner/go/pkg/mod/github.com/lkarlslund/[email protected]/gonk.go:103 +0x95
github.com/lkarlslund/adalanche/modules/engine.(*AttributeValueMap).Iterate(...)
        /home/runner/work/Adalanche/Adalanche/modules/engine/attributevaluemap.go:81
github.com/lkarlslund/adalanche/modules/engine.(*Object).AttrIterator(...)
        /home/runner/work/Adalanche/Adalanche/modules/engine/object.go:1097
github.com/lkarlslund/adalanche/modules/analyze.analysisfuncs.func3({0x1b4e600, 0xc003e30620}, 0xc0045084e0?)
        /home/runner/work/Adalanche/Adalanche/modules/analyze/webservicefuncs.go:142 +0x5c5
net/http.HandlerFunc.ServeHTTP(0xc004672400?, {0x1b4e600?, 0xc003e30620?}, 0x19edd9efb08?)
        /opt/hostedtoolcache/go/1.21.5/x64/src/net/http/server.go:2136 +0x29
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0005963c0, {0x1b4e600, 0xc003e30620}, 0xc004672300)
        /home/runner/go/pkg/mod/github.com/gorilla/[email protected]/mux.go:212 +0x1c5
net/http.serverHandler.ServeHTTP({0xc004508390?}, {0x1b4e600?, 0xc003e30620?}, 0x6?)
        /opt/hostedtoolcache/go/1.21.5/x64/src/net/http/server.go:2938 +0x8e
net/http.(*conn).serve(0xc000f46360, {0x1b50908, 0xc0057201b0})
        /opt/hostedtoolcache/go/1.21.5/x64/src/net/http/server.go:2009 +0x5f4
created by net/http.(*Server).Serve in goroutine 197
        /opt/hostedtoolcache/go/1.21.5/x64/src/net/http/server.go:3086 +0x5cb

Unable to authenticate

When running adalanche from Kali against a DC (remotely), it seems to throw authentication errors, although the credentials are correct.

See below output:
[screenshot]

This is from the hackthebox machine "pivotapi" (which is retired, so don't worry about the spoilers).
As you can see, bloodhound works fine, but for some reason adalanche gives authentication errors.

I am not entirely sure what goes wrong here. I know when using bloodhound on hackthebox, it is important to use the nameserver flag, but adalanche does not seem to have this option/flag (or I am too stupid to find it).

EDIT
Running the Windows binary locally on the target worked, but produced another error, which I will open a new issue for.

EDIT 2
Testing information:

  • HOST: kali linux
  • ADALANCHE VERSION: Latest release (downloaded pre-compiled binaries)

Deselect Node and Edges filter.

I don't find the tool bad, but sometimes I don't want the organization admins, domain admins and administrators to be displayed. To do this, I have to check off all the entries in Edges and Nodes. Is there a way to specify these at the start or to deselect all?

UI Elements Improvements

There is a problem in the dialog boxes (modals) that display information; suppose you expand its height over the appbar of the browser:

[screenshot]

Afterwards it becomes impossible to control it or drag it anywhere, since the drag handle is only at the top border of the modal/dialog box:

[screenshot]

One solution is to allow that drag element/functionality for all the borders.

Web server not starting

I'm at the trying out stage with Adalanche and have been playing with it on our own domain.
I'm having problems getting it to load/display any data at all.

If I fire up adalanche with analyze -bind 127.0.0.1:81 it displays a long list of log messages terminated by

INF Listening - navigate to 127.0.0.1:81 ... (ctrl-c or similar to quit)

then I can browse the web page without any problems, except it has no data. So I can access the web page and adalanche at least opens.

While still in c:\temp\adalanche, if I run collect activedirectory it generates a load of files in the data folder, as expected.
If, from c:\temp\adalanche, I then start adalanche with analyze -bind 127.0.01:81 it starts up and displays the usual log, getting to

INF Preprocessing applying parent/child relationships ...

but that's all. It doesn't advance any further.

Port 81 is obviously unresponsive.

I'm doing this from our DC using an administrative account, elevated, and am running this from c:\temp\adalanche.
Removing the data directory and rerunning the process produces the same result, so it's occurring after a single run, no mixing of results or configs.

If I enable debug I see this:

11:11:54.22 INF Preprocessing applying parent/child relationships ...
11:11:54.22 DBG Object already protocolCfgNNTPSite-Display has 816 as parent, so I'm not assigning 816 as parent
11:11:54.22 DBG Object already msMQ-Group-Display has 408 as parent, so I'm not assigning 408 as parent
11:11:54.22 DBG Object already mSMQQueue-Display has 416 as parent, so I'm not assigning 416 as parent
11:11:54.22 DBG Object already computer-Display has 408 as parent, so I'm not assigning 408 as parent
11:11:54.22 DBG Object already gsDirComercial-RO has SecurityGroups as parent, so I'm not assigning SecurityGroups as parent
11:11:54.22 DBG AD object Low Mandatory Level has no parent :-(
11:11:54.22 DBG Object already 123.168.192.in-addr.arpa has MicrosoftDNS as parent, so I'm not assigning MicrosoftDNS as parent
11:11:54.22 DBG AD object Local Authority has no parent :-(
11:11:54.22 DBG AD object NT Virtual Machine - Virtual Machines has no parent :-(
11:11:54.22 DBG AD object High Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Secure Process Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Medium Plus Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Protected Process Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Local has no parent :-(
11:11:54.22 DBG AD object Power Users has no parent :-(
11:11:54.22 DBG AD object NT Service has no parent :-(
11:11:54.22 DBG AD object Nobody has no parent :-(
11:11:54.22 DBG AD object NT Virtual Machine - Virtual Machines has no parent :-(
11:11:54.22 DBG AD object Secure Process Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Windows Manager - Windows Manager Group has no parent :-(
11:11:54.22 DBG AD object Local has no parent :-(
11:11:54.22 DBG AD object Non-unique Authority has no parent :-(
11:11:54.22 DBG AD object Power Users has no parent :-(
11:11:54.22 DBG AD object Medium Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Windows Manager - Windows Manager Group has no parent :-(
11:11:54.22 DBG AD object Creator Group Server has no parent :-(
11:11:54.22 DBG AD object Non-unique Authority has no parent :-(
11:11:54.22 DBG AD object All Services has no parent :-(
11:11:54.22 DBG AD object Medium Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Untrusted Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Creator Group Server has no parent :-(
11:11:54.22 DBG AD object System Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Null Authority has no parent :-(
11:11:54.22 DBG AD object Creator Owner Server has no parent :-(
11:11:54.22 DBG AD object All Services has no parent :-(
11:11:54.22 DBG AD object NT Authority has no parent :-(
11:11:54.22 DBG AD object World Authority has no parent :-(
11:11:54.22 DBG AD object Untrusted Mandatory Level has no parent :-(
11:11:54.22 DBG AD object System Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Creator Authority has no parent :-(
11:11:54.22 DBG AD object Null Authority has no parent :-(
11:11:54.22 DBG AD object Low Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Creator Owner Server has no parent :-(
11:11:54.22 DBG AD object Local Authority has no parent :-(
11:11:54.22 DBG AD object NT Authority has no parent :-(
11:11:54.22 DBG AD object High Mandatory Level has no parent :-(
11:11:54.22 DBG AD object World Authority has no parent :-(
11:11:54.22 DBG AD object Medium Plus Mandatory Level has no parent :-(
11:11:54.22 DBG AD object Creator Authority has no parent :-(
11:11:54.22 DBG AD object Protected Process Mandatory Level has no parent :-(
11:11:54.22 DBG AD object NT Service has no parent :-(
11:11:54.22 DBG AD object Nobody has no parent :-(

So, it looks like it's not reading the data when I start it from this folder. If I change my default directory to c:\temp\adalanche\data and start it again, adalanche does not seem to load any data there either. It does get as far as the

INF Listening - navigate to 127.0.0.1:81 ... (ctrl-c or similar to quit)

In both cases the sample queries return nothing. Not even the domain controllers query.
When I run in debug mode and run a query, the debug log displays an extra couple of lines for each click on 'analyze':

11:31:25.22 DBG Processing round 1 with 0 total objects and 0 connections
11:31:25.22 DBG Processing round 1 yielded 0 new objects

What on earth am I doing wrong?
Any suggestions?

no required module provides package 1Th-.exe; to add it:

When trying to build on Windows 10 20h2, I get the below error:

fatal: not a git repository (or any of the parent directories): .git
no required module provides package 1Th-.exe; to add it:
go get 1Th-.exe
package 1Th- is not in GOROOT (C:\Program Files\Go\src\1Th-)
package 1Th- is not in GOROOT (C:\Program Files\Go\src\1Th-)
no required module provides package 1Th-.exe; to add it:
go get 1Th-.exe

Collector not working

I tried Adalanche today on a test system: adalanche-windows-amd64-v2023.5.3.exe runs without problems, but the collector version generates this message:

C:\Temp>adalanche-collector-windows-386-v2023.5.3.exe
14:33:58.303  INFORMA  Adalanche Open Source v2023.5.3 (commit aa4c038), (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
Error: Problem accessing output folder: mkdir : The system cannot find the path specified.
Usage:
   [flags]

Flags:
  -h, --help                  help for this command
      --logfile string        Log file
      --logfilelevel string   Log file log level (default "info")
      --loglevel string       Console log level (default "info")
      --outputpath string     Dump output JSON file in this folder

14:33:58.315   ERROR   Error: Problem accessing output folder: mkdir : The system cannot find the path specified.
14:33:58.316   ERROR   Failed to execute

Have I missed something? I also get the same error running the program as an administrator ...

Best regards and thank you very much for this amazing tool!
Lasse

FR: Deselect/Select all button on analysis methods/Analysis objects

Hi,

Great work with the tool, really nice!
I think it would make sense to add a Deselect All and a Select All button under those blades where there's potentially a lot of clicking to be done, e.g. Analysis methods. See the example below.

For example, if you only want to see Generic all, I have to click a lot, whereas if a Deselect All button were there it would be four clicks.
