csababarta / ntdsxtract

Active Directory forensic framework
http://www.ntdsxtract.com
GNU General Public License v3.0

Server 2012 R2 #19

Open bucky67gto opened 8 years ago

bucky67gto commented 8 years ago

Been working great for years. Love the effort. Trying on Windows 2012 R2 and getting problems.

The export from the latest esedbtools is the following:

Opening file.
Exporting table 1 (MSysObjects) out of 14.
Exporting table 2 (MSysObjectsShadow) out of 14.
Exporting table 3 (MSysObjids) out of 14.
Exporting table 4 (MSysLocales) out of 14.
Exporting table 5 (datatable) out of 14.
Exporting table 6 (hiddentable) out of 14.
Exporting table 7 (link_history_table) out of 14.
Exporting table 8 (link_table) out of 14.
Exporting table 9 (sdpropcounttable) out of 14.
Exporting table 10 (sdproptable) out of 14.
Exporting table 11 (sd_table) out of 14.
Exporting table 12 (MSysDefrag2) out of 14.
Exporting table 13 (quota_table) out of 14.
Exporting table 14 (quota_rebuild_progress_table) out of 14.
Export completed.

I am guessing that the differences in the extracted files are messing up the parsing that ntdsxtract is doing. I can run with datatable.4 and link_table.7, which gives me some data, but not the hashes. Thoughts?

csababarta commented 8 years ago

I have just tested the framework with Server 2012 R2 and it seems to work. Can you send me some test data? I would need it in order to be able to reproduce the issue...

bucky67gto commented 8 years ago

I wish I could. The only data I have is from a live pentest I am doing. Did you get the same 14 tables in your export? Did you run with datatable.4 and link_table.7? Also, I am using NTDSXtract v1.3.

rufflabs commented 7 years ago

I am noticing the same thing here. This is my first time doing this and I was wondering why my output didn't include any hashes like all the guides said it should.

I started searching and noticed that ntdsxtract said it only works on 2003 and 2008, while mine are 2012. I stumbled on this post when searching for ntdsxtract and server 2012.

Edit: For my issue I believe it was a corrupted ntds or registry. I had initially taken the files from backup snapshots. When I took new snapshots with VSS and used those files, it worked fine.

304GEEK commented 6 years ago

Same issue here.

MSysDefrag2.11
MSysObjids.2
link_table.7
sdpropcounttable.8
MSysLocales.3
datatable.4
quota_rebuild_progress_table.13
sdproptable.9
MSysObjects.0
hiddentable.5
quota_table.12
MSysObjectsShadow.1
link_history_table.6
sd_table.10

Changing datatable.# and link_table.# to match the output above, the results are: no -lmoutfile and -ntoutfile are generated. Some account details are presented.

Any progress working with this issue?

Thanks,

wgroenewold commented 5 years ago

No issue here. Did you supply the SYSTEM hive?
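Two things recur in this thread: the numeric suffix esedbexport appends to each table (datatable.4 and link_table.7 here, different numbers on other exports) and a missing SYSTEM hive, without which no hashes can be produced. The following shell helper is an added example, not part of ntdsxtract, that resolves the two table files by name regardless of suffix and confirms a non-empty hive is present before dsusers.py is run; the export directory layout and file names are assumptions.

```shell
#!/bin/sh
# Added example (not ntdsxtract's own code): sanity-check the inputs that
# dsusers.py needs. esedbexport names tables NAME.<n>, and <n> varies between
# exports, so callers should look the files up by NAME rather than hard-code
# "datatable.4" / "link_table.7" from one export.

# find_table DIR NAME -> prints the single file DIR/NAME.<n>, fails otherwise.
# The [0-9]* glob keeps link_table.<n> distinct from link_history_table.<n>.
find_table() {
    dir=$1
    name=$2
    set -- "$dir/$name".[0-9]*
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "no unique $name.<n> in $dir" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# check_inputs EXPORT_DIR SYSTEM_HIVE -> 0 when both tables and a non-empty
# SYSTEM hive exist, 1 otherwise. The hive holds the boot key that ntdsxtract
# needs to decrypt hashes; without it only account details come out.
check_inputs() {
    dt=$(find_table "$1" datatable) || return 1
    lt=$(find_table "$1" link_table) || return 1
    if [ ! -s "$2" ]; then
        echo "SYSTEM hive missing or empty: $2" >&2
        return 1
    fi
    printf 'datatable=%s link_table=%s syshive=%s\n' "$dt" "$lt" "$2"
}
```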