Improve --scan-all-computers timeout handling and configurability#21

Open
jazofra wants to merge 9 commits into
SpecterOps:mainfrom
jazofra:main

Conversation

Contributor

@jazofra jazofra commented May 28, 2026

Summary

Fixes --scan-all-computers runs that could appear stuck near the end of enumeration and makes the blind computer sweep more configurable.

The main issue was that --scan-all-computers could leave the concurrent worker pool waiting forever if one target became stuck in a nested SQL, LDAP, DNS, or Windows SID lookup path. This PR adds bounded timeout behavior around the risky paths and adds an outer per-server worker timeout so one wedged target cannot prevent the run from completing.

This also improves scan-all behavior. SPN-discovered SQL Servers still preserve their AD-advertised port or instance. Blindly enumerated domain computers continue to default to TCP 1433, but operators can now provide additional candidate ports and tune the TCP reachability timeout.

Changes

  • Added direct LDAP dial deadlines so LDAP fallback setup cannot block before LDAP operation timeouts apply.
  • Added a bounded Windows computer SID lookup wrapper.
  • Added an outer per-server worker timeout so blocked nested calls return a failed result instead of holding the worker pool open.
  • Added --scan-all-computer-ports, defaulting to 1433, for scanning additional candidate SQL ports on domain computers.
  • Added --port-check-timeout, defaulting to 2 seconds, for TCP reachability checks.
  • Preserved existing default behavior when the new flags are not provided.
  • Added regression tests for port parsing, scan-all computer target expansion, Windows SID timeout behavior, and worker timeout behavior.
  • Updated the saved project plan and lessons for the timeout patterns found during investigation.
  • Added a count for nodes and edges.

Validation

  • go test ./...
  • go build ./cmd/mssqlhound
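The outer per-server worker timeout the description argues for, shown as an added illustration (not mssqlhound's own code): a fixed pool of workers where each target's nested lookup runs under its own context deadline, so a wedged target yields a failed result instead of holding the pool open. `enumerate`, `runBounded`, `scanAll` and `ErrWorkerTimeout` are names chosen for this example, not the project's.

```go
package main

import (
	"context"
	"errors"
	"sync"
	"time"
)

// ErrWorkerTimeout marks a target that exceeded the per-server deadline.
var ErrWorkerTimeout = errors.New("per-server worker timeout exceeded")

// runBounded runs enumerate (a hypothetical stand-in for the nested SQL/LDAP/DNS/SID lookup
// chain) in its own goroutine and stops waiting at ctx's deadline. A call that never returns
// leaks one goroutine: the price of bounding an API that offers no cancellation of its own.
func runBounded(ctx context.Context, target string, enumerate func(string) error) error {
	done := make(chan error, 1) // buffered so the goroutine can finish unobserved
	go func() { done <- enumerate(target) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return ErrWorkerTimeout
	}
}

// scanAll fans targets out to a fixed pool of workers. Every target gets its own deadline,
// so one wedged host cannot block the run. errs[i] is the outcome for targets[i]; nil is success.
func scanAll(targets []string, workers int, perServer time.Duration, enumerate func(string) error) []error {
	errs := make([]error, len(targets)) // each index is written by exactly one worker
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range jobs {
				ctx, cancel := context.WithTimeout(context.Background(), perServer)
				errs[i] = runBounded(ctx, targets[i], enumerate)
				cancel()
			}
		}()
	}
	for i := range targets {
		jobs <- i
	}
	close(jobs)
	wg.Wait()
	return errs
}
```

In a real collector the leaked goroutines should be counted and logged, since a high count on a run points at the lookup path that still lacks its own deadline.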

jazofra and others added 9 commits May 11, 2026 18:52
…computers is more configurable

The main issue was that --scan-all-computers could leave the concurrent worker pool waiting forever if one target became stuck in a nested SQL, LDAP, DNS, or Windows SID lookup path. This PR adds bounded timeout behavior around the risky paths and adds an outer per-server worker timeout so one wedged target cannot prevent the run from completing.

This also clarifies and improves scan-all behavior. SPN-discovered SQL Servers still preserve their AD-advertised port or instance. Blindly enumerated domain computers continue to default to TCP 1433, but operators can now provide additional candidate ports and tune the TCP reachability timeout.

Changes

  • Added direct LDAP dial deadlines so LDAP fallback setup cannot block before LDAP operation timeouts apply.
  • Added a bounded Windows computer SID lookup wrapper.
  • Added an outer per-server worker timeout so blocked nested calls return a failed result instead of holding the worker pool open.
  • Added --scan-all-computer-ports, defaulting to 1433, for scanning additional candidate SQL ports on domain computers.
  • Added --port-check-timeout, defaulting to 2 seconds, for TCP reachability checks.
  • Preserved existing default behavior when the new flags are not provided.
  • Added regression tests for port parsing, scan-all computer target expansion, Windows SID timeout behavior, and worker timeout behavior.
  • Updated the saved project plan and lessons for the timeout patterns found during investigation.
Adds the new scan-all flags to the Target Selection table and to the
Full Domain Enumeration examples, and notes the per-server worker
timeout that prevents a wedged target from holding the pool open.
principal.Name from sys.server_principals is always DOMAIN\account for
Windows logins. The AD node creation loop was using that form directly,
producing DOMAIN\account@DOMAIN.COM instead of BloodHound's expected
account@DOMAIN.COM convention.

Strip the NETBIOS prefix before appending the UPN suffix, mirroring the
identical pattern already present in the service-account node block.
Add per-type node and edge statistics tracking

StreamingWriter now tracks counts broken down by node kind and edge kind.
After each server file is written, a second log line reports the breakdown
so operators can see exactly which types of nodes and edges were produced.

https://claude.ai/code/session_01R2EgSH37FnPxdqeVy4yTEg
Add aggregate node/edge type summary at end of collection run

The collector now accumulates per-kind counts across all output files
(server files and AD files) and logs a single "Total node and edge counts
by type" line at the end of Run(), giving a full-run view alongside the
existing per-file breakdowns.

https://claude.ai/code/session_01R2EgSH37FnPxdqeVy4yTEg