
If you’re having problems with your SharpHound output uploading to BloodHound, you may be a victim of an old version/new version incompatibility.

“File created from incompatible collector” and “NaN%” are super frustrating, particularly because you’ll only come across this roadblock when you’re in the throes of an engagement. In my case, I encountered this in both my 3rd OSCP attempt and in the TryHackMe room, “Post-Exploitation Basics.”

“Incompatible collector” results after trying to click-and-drag upload my SharpHound.ps1 loot.zip file

Solution

Use SharpHound.exe to collect your domain information, not SharpHound.ps1.

Location of SharpHound.exe tool on Kali

Transferring `SharpHound.exe` with `$ python3 -m http.server 81`

Successfully using SharpHound.exe in PowerShell.

Transferring the SharpHound loot with `scp`

Successful upload to BloodHound

ACHTUNG!: I don’t think this will solve every instance of “incompatible collector,” but it worked for me today in my TryHackMe use-case. If this doesn’t work for you, look into the following options:

  1. Removing the Kali repo install of BloodHound and cloning from the project
  2. Downgrading your install of BloodHound back to when SharpHound.ps1 worked — try 3.0
  3. The use of bloodhound.py instead of SharpHound to collect domain information

Explanation

In the case of the TryHackMe room’s AttackBox, which is usually the route I go when I’m having trouble with my own Kali VM, the problem was that the SharpHound deployment on the environment’s Windows Server was only equipped with SharpHound.ps1 while the Ubuntu AttackBox had BloodHound 4.1.0 and my Kali VM used 4.2.0.

According to one of the project maintainers, rvazarkar, the “newest versions” of BloodHound do not make use of SharpHound.ps1. At the time of writing, the latest version of BloodHound is 4.2.0, released this past August. The comment by rvazarkar was made on April 15th when 4.1.0 was the current release, making it the newest version at the time.

TryHackMe, Post-Exploitation Basics AttackBox BloodHound version 4.1.0

BloodHound maintainer indicating there was a sunset for `SharpHound.ps1`
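
To confirm a collector/GUI mismatch before uploading, the added example below (not from the original post or the BloodHound project) reports the schema version recorded in each JSON file of a collector zip. It assumes every JSON file carries a top-level `meta` object with a numeric `version` field; the sample archive, its file names and its version numbers are constructed.

```python
import io
import json
import sys
import zipfile


def collector_versions(zip_bytes):
    """Map each .json member of a collector zip to its meta.version (None if absent)."""
    versions = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".json"):
                continue
            try:
                doc = json.loads(archive.read(name).decode("utf-8-sig"))  # tolerate a BOM
                meta = doc.get("meta")
            except (ValueError, AttributeError):
                meta = None  # not valid JSON, or not a JSON object
            versions[name] = meta.get("version") if isinstance(meta, dict) else None
    return versions


def describe(versions):
    """One-line verdict on which schema version(s) the archive carries."""
    if not versions:
        return "no JSON files in archive"
    missing = sorted(n for n, v in versions.items() if v is None)
    if missing:
        return "no meta.version in: " + ", ".join(missing)
    found = sorted({v for v in versions.values()}, key=str)
    if len(found) > 1:
        return "mixed collector versions: " + ", ".join(map(str, found))
    return "collector schema version " + str(found[0])


def build_sample_zip(version):
    """Constructed sample: a tiny archive shaped like the assumed collector output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for kind in ("computers", "users"):
            doc = {"data": [], "meta": {"type": kind, "count": 0, "version": version}}
            archive.writestr("20220101_" + kind + ".json", json.dumps(doc))
        archive.writestr("notes.txt", "ignored")  # non-JSON members are skipped
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip(3)
    print(describe(collector_versions(data)))
```

Run it against an archive that uploads cleanly and one that fails; differing version numbers point to a collector and GUI from different releases.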

Sources

There was no one-line answer available on the first page of Google that I could see, hence the reason for this post. However, reading this GitHub issue on the project page led me to believe there was probably a version mismatch between the SharpHound pre-staged on the Windows Server and the BloodHound installed on the AttackBox and my Kali VM.
