Pingcastle crash, probably new RPC tests
ruppde opened this issue · 4 comments
Pingcastle 3.2.0.0 crashed with the error below:
...
[14:12:45] Gathering WSUS data
[14:13:27] Gathering MSOL data
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
[14:13:27] Gathering domain controller data (including null session) (including RPC tests)
[14:13:27] An exception occured when doing the task: application domain
Note: you can run the program with the switch --log to get more detail
Exception: Destination array was not long enough. Check destIndex and length, and the array's lower bounds.
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at PingCastle.RPC.RpcFirewallChecker..ctor(Guid interfaceId, String pipe, UInt16 majorVersion, UInt16 minorVersion, Int32 maxOpNum) in c:\git\PingCastle\RPC\rpcfirewallchecker.cs:line 31
at PingCastle.RPC.RpcFirewallChecker.TestFunctions(String server, Guid interfaceId, String pipe, UInt16 majorVersion, UInt16 minorVersion, Dictionary`2 functionsToTest) in c:\git\PingCastle\RPC\rpcfirewallchecker.cs:line 103
at PingCastle.Healthcheck.HealthcheckAnalyzer.TestFirewallRPCDC(HealthcheckDomainController DC, Int32 threadId) in c:\git\PingCastle\Healthcheck\HealthcheckAnalyzer.cs:line 5312
at PingCastle.Healthcheck.HealthcheckAnalyzer.<>c__DisplayClassbc.<GenerateDomainControllerData>b__b9(Object index) in c:\git\PingCastle\Healthcheck\HealthcheckAnalyzer.cs:line 5200
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart(Object obj)
Unhandled Exception: System.ArgumentException: Destination array was not long enough. Check destIndex and length, and the array's lower bounds.
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at PingCastle.RPC.RpcFirewallChecker..ctor(Guid interfaceId, String pipe, UInt16 majorVersion, UInt16 minorVersion, Int32 maxOpNum) in c:\git\PingCastle\RPC\rpcfirewallchecker.cs:line 31
at PingCastle.RPC.RpcFirewallChecker.TestFunctions(String server, Guid interfaceId, String pipe, UInt16 majorVersion, UInt16 minorVersion, Dictionary`2 functionsToTest) in c:\git\PingCastle\RPC\rpcfirewallchecker.cs:line 103
at PingCastle.Healthcheck.HealthcheckAnalyzer.TestFirewallRPCDC(HealthcheckDomainController DC, Int32 threadId) in c:\git\PingCastle\Healthcheck\HealthcheckAnalyzer.cs:line 5312
at PingCastle.Healthcheck.HealthcheckAnalyzer.<>c__DisplayClassbc.<GenerateDomainControllerData>b__b9(Object index) in c:\git\PingCastle\Healthcheck\HealthcheckAnalyzer.cs:line 5200
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart(Object obj)
It was running on a non-domain-joined system in a runas cmd.exe. PingCastle_3.1.0.1 worked flawlessly with the same machine & user.
Update: the same happens on a domain-joined system.
Still present in the current version?
Hi
My issue is quite closely related. On a new lab with 2 WS2022 machines that are both domain controllers, I ran PingCastle to see what I should harden. Before any modifications were made, it just took 10s and closed. After the first few security measures were applied, I ran into the same issue, except I don't get the "Exception" paragraphs. It hangs for 1-2 hours on the
Gathering domain controller data (including null session) (including RPC tests)
line, then switches to LDAP, and completes the check.
I don't know if that is related, but for context, I once had the main DC's GUI hang to the point where I could still move the cursor and interact with the system, but so slowly that closing a window took 20 minutes. I unfortunately had to force shut down the VM. After that, I've never been able to get PingCastle to run really successfully. Otherwise, no functionality of the domain or the machine itself that I can think of is affected. Weirdly, when I restored a snapshot I had taken well before and ran a test, the issue arose as well. The same thing happens on the 2nd DC, so it looks like something domain-wide is responsible.
At that point, I had just begun by disabling NTLMv1 and old ciphers and enforcing SMB signing. I can't see what any of the changes involved has to do with RPC, even after a lot of research. I disabled it, ran gpupdate, then rebooted; same thing.
A Wireshark trace when running the test shows nothing interesting about RPC.
Select a domain or server
=========================
Please specify the domain or server to investigate (default:xxx.domain)
Free Edition of PingCastle 3.2.0 - Not for commercial use
Starting the task: Perform analysis for xxx.domain
[22:15:40] Getting domain information (xxx.domain)
[22:15:40] Gathering general data
[22:15:40] This domain contains approximatively 280 objects
[22:15:40] Gathering user data
[22:15:40] Gathering computer data
[22:15:40] Gathering trust data
[22:15:40] Gathering privileged group and permissions data
[22:15:40] - Initialize
[22:15:40] - Searching for critical and infrastructure objects
[22:15:40] - Collecting objects - Iteration 1
[22:15:41] - Collecting objects - Iteration 2
[22:15:41] - Collecting objects - Iteration 3
[22:15:41] - Collecting objects - Iteration 4
[22:15:41] - Collecting objects - Iteration 5
[22:15:41] - Completing object collection
[22:15:41] - Export completed
[22:15:41] Gathering delegation data
[22:15:41] Gathering gpo data
[22:15:41] Gathering pki data
[22:15:41] Gathering sccm data
[22:15:41] Gathering exchange data
[22:15:41] Gathering anomaly data
[22:15:41] Gathering dns data
[22:15:41] Gathering WSUS data
[22:15:41] Gathering MSOL data
[22:15:41] Gathering domain controller data (including null session) (including RPC tests)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
[23:08:50] Gathering network data
The AD query failed. Using the alternative protocol (LDAPConnection)
The AD query failed. Using the alternative protocol (LDAPConnection)
[23:08:50] Computing risks
[23:08:50] Export completed
[23:08:50] Generating html report
[23:08:50] Generating xml file for consolidation report
[23:08:50] Export level is Normal
[23:08:50] Personal data will NOT be included in the .xml file (add --level Full to add it. Ex: PingCastle.exe --interactive --level Full)
[23:08:51] Done
Task Perform analysis for xxx.domain completed
=============================================================================
Program launched in interactive mode - press any key to terminate the program
=============================================================================
This has nothing to do with RPC.
This is because AD Web Services (faster than LDAP) has a limit of 5 simultaneous connections per server and something is using them.
Just force LDAP with --protocol LDAPOnly
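The behaviour the maintainer describes, as an added illustration that is not PingCastle's own code: a per-server gate sized to the 5 simultaneous ADWS connections quoted above, an immediate fallback to LDAP when no slot is free or the ADWS query throws, and a `ldapOnly` flag playing the role of `--protocol LDAPOnly`. The `AdQueryRouter` class, its method names and the query delegates are assumptions for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;

// Hypothetical helper (not from PingCastle) modelling ADWS-first querying
// with bounded concurrency and an LDAP fallback.
public static class AdQueryRouter
{
    // Limit stated in the thread: 5 simultaneous ADWS connections per server.
    private const int AdwsMaxConnectionsPerServer = 5;

    // One gate per target server so parallel DC tests share the same 5 slots.
    private static readonly ConcurrentDictionary<string, SemaphoreSlim> Gates =
        new ConcurrentDictionary<string, SemaphoreSlim>();

    public static T Query<T>(string server, bool ldapOnly,
                             Func<T> adwsQuery, Func<T> ldapQuery)
    {
        // Equivalent of --protocol LDAPOnly: never touch ADWS at all.
        if (ldapOnly) return ldapQuery();

        SemaphoreSlim gate = Gates.GetOrAdd(server,
            _ => new SemaphoreSlim(AdwsMaxConnectionsPerServer));

        // If all ADWS slots are already taken (by us or by another client),
        // fall back to LDAP rather than queueing behind the limit.
        if (!gate.Wait(TimeSpan.Zero))
        {
            Console.WriteLine("ADWS slots exhausted on " + server +
                              ". Using the alternative protocol (LDAPConnection)");
            return ldapQuery();
        }
        try
        {
            return adwsQuery();
        }
        catch (Exception ex)
        {
            // Same fallback path that produces the log line seen in the reports.
            Console.WriteLine("The AD query failed (" + ex.GetType().Name +
                              "). Using the alternative protocol (LDAPConnection)");
            return ldapQuery();
        }
        finally
        {
            gate.Release();
        }
    }
}
```

Repeated "The AD query failed" lines in a run are therefore a sign that ADWS is saturated or unreachable, not an RPC problem; forcing LDAP skips the ADWS attempt entirely.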
Still present in the current version?
It's fixed in 3.3.0.0 beta, thanks.