Get-BloodHoundData loops forever when Group contains itself

[ktwombley]

I was diagnosing an issue where my bloodhound database never grew above a certain size so I changed output to CSV. In the CSV file it became clear that in my AD environment I ended up with a group which contained itself as a member, causing Get-BloodHoundData to churn forever when trying to process that group.

Here is the command I'm running:

$VerbosePreference = "Continue"; Get-BloodHoundData -verbose | Export-BloodHoundCSV -SkipGCDeconfliction -Verbose -CSVFolder .\csv

Checking group_memberships.csv file after some time reveals a pattern:

"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","group","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","group","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
"[email protected]","user","[email protected]"
...

[HarmJ0y]

I'm not quite sure what's causing this, as we don't recurse on group memberships themselves. I created a group that's nested within itself and am not able to recreate the infinite loop.

Can you run Get-NetGroup | Get-NetGroupMember manually and see if it still loops?

[ktwombley]

Running that manually does not loop, and the results agree with get-adgroupmember as well;

PS C:\development\Bloodhound\PowerShell> (get-netgroup "BadGroup" | Get-NetGroupMember | measure-object).Count
516

PS C:\development\Bloodhound\PowerShell> (get-adgroupmember BadGroup | measure-object).Count
516

[HarmJ0y]

Hrmmmm unsure about this as we can't recreate, we'll try to dive a bit deeper.

[ktwombley]

I don't think this is caused by a group containing itself now that i've stepped through it in the debugger.

Not sure what exactly causes it, but on line 5425 GroupSearcher.FindOne() always returns my "BadGroup" after it sees badgroup the first time. Still debugging on my end.

(my line numbers may be off due to adding write-verbose statements all over)

[HarmJ0y]

Fixed with ktwombley#1