FalconForceTeam/SOAPHound

"Unhandled Exception: System.NullReferenceException" Error When Collecting BloodHound Data

Closed this issue · 1 comments

jomphatt commented

Hello Team,

First of all, thank you for creating such tool. It does look amazing.
Unfortunately, I ran SOAPHound with --bhdump --autosplit --threshold 1000 from a non-domain machine and encountered an error:

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at SOAPHound.Processors.ComputerProcessor.parseComputerObject(ADObject adobject, String domainName) in C:\Users\Public\Downloads\SOAPHound\Processors\ComputerProcessor.cs:line 92
   at SOAPHound.Program.CreateOutput(List`1 adobjects, String header) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 567
   at SOAPHound.Program.ParseAutosplitObjects(String str1, String str2) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 533
   at SOAPHound.Program.AutoSplit() in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 518
   at SOAPHound.Program.ADDump() in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 391
   at SOAPHound.Program.Run(String Server, Int32 Port, NetworkCredential Credential) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 280
   at SOAPHound.Program.RunOptions(Options options) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 247
   at SOAPHound.Program.<>c__DisplayClass25_0.<ParseCommandLineArgs>b__1(Options options) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 75
   at CommandLine.ParserResultExtensions.WithParsed[T](ParserResult`1 result, Action`1 action)
   at SOAPHound.Program.ParseCommandLineArgs(String[] args) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 74
   at SOAPHound.Program.Main(String[] args) in C:\Users\Public\Downloads\SOAPHound\Program.cs:line 45

I had tried lowering down the threshold and it did not help (which is kind of obvious). One thing that I observed is that both attempts failed right after Gathering autosplit data: (cn=su*) complete, while su is the first two characters of the name of the domain, e.g. super.local. There was no Output files with prefix "su" generated in .... My observation could mean nothing, but I still want to mention it in case it helps.

0xFF-NK commented

Thanks for your feedback. It seems that one of the Computer objects starting with "su" has a null attribute, but it's not clear which one. We added exception handling when parsing the objects in CreateOutput function, so that you can see in the console which object fails (i.e. it will show the ObjectGUID of the affected object). Despite the error, it should now be able to continue and parse the rest of the objects.

It would be helpful if you can find the object that was failing (e.g. with ADExplorer) and tell us if you see any unexpected null attributes. This way we could also fix the actual issue.