csababarta / ntdsxtract

Active Directory forensic framework
http://www.ntdsxtract.com
GNU General Public License v3.0

KeyError: 1528 #22

Open 0x-nope opened 8 years ago

0x-nope commented 8 years ago

I rely very much on this tool (great job man) for my work and it always worked fine, but this time I got this error.

esedbexport 20151213

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysObjids) out of 12.
Exporting table 4 (MSysLocales) out of 12.
Exporting table 5 (datatable) out of 12.
Exporting table 6 (hiddentable) out of 12.
Exporting table 7 (link_history_table) out of 12.
Exporting table 8 (link_table) out of 12.
Exporting table 9 (quota_table) out of 12.
Exporting table 10 (sdpropcounttable) out of 12.
Exporting table 11 (sdproptable) out of 12.
Exporting table 12 (sd_table) out of 12.
Export completed.

--------------FILES ----------------

-rw-r--r-- 1 root root 6408266 May 11 15:46 datatable.4
-rw-r--r-- 1 root root 567 May 11 15:46 hiddentable.5
-rw-r--r-- 1 root root 263 May 11 15:46 link_history_table.6
-rw-r--r-- 1 root root 155 May 11 15:46 link_table.7
-rw-r--r-- 1 root root 1021 May 11 15:45 MSysLocales.3
-rw-r--r-- 1 root root 95781 May 11 15:45 MSysObjects.0
-rw-r--r-- 1 root root 95781 May 11 15:45 MSysObjectsShadow.1
-rw-r--r-- 1 root root 1680 May 11 15:45 MSysObjids.2
-rw-r--r-- 1 root root 51 May 11 15:46 quota_table.8
-rw-r--r-- 1 root root 24 May 11 15:46 sdpropcounttable.9
-rw-r--r-- 1 root root 96 May 11 15:46 sdproptable.10
-rw-r--r-- 1 root root 576 May 11 15:46 sd_table.11

and the error is here:

[+] Started at: Wed, 11 May 2016 13:49:38 UTC
[+] Started with options:
    [-] Extracting password hashes
    [-] Hash output format: ocl
    [-] NT hash output filename: ******_NT_hash
    [-] LM hash output filename: ******_LM_hash
The directory (/root/ntdsxtract-master/XXXX/temp2) specified does not exists!
Would you like to create it? [Y/N] y

[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/ntdsxtract-master/XXXX/temp2/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 1745 records processed
[+] Sanity checks...
      Schema record id: 5
      Schema type id: 10
[+] Extracting schema information - 100% -> 1738 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/ntdsxtract-master/XXXX/temp2/links.map'
[+] Rebuilding maps...
[+] Extracting object links...

List of users:
==============Error in sys.excepthook:
Traceback (most recent call last):
  File "/root/ntdsxtract-master/ntds/__init__.py", line 31, in simple_exception
    sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
  File "dsusers.py", line 486, in <module>
    for recordid in dsMapRecordIdByTypeId[utype]:
KeyError: 1528

Am I doing something wrong or is this a new bug?

JoinGitHub1 commented 7 years ago

I had the same issue, with about the same number of records processed.

I was using the wrong ntds.dit file. Could it be that you as well did the same thing? The correct file is located under %SystemRoot%\NTDS\Ntds.dit, not the System32 folder.
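
The traceback above contains two separate failures: the exception hook calls `write()` with three arguments, and the user-type lookup has no entry for type id 1528. The sketch below is an added example, not ntdsxtract's own code or a patch from this thread. It reproduces the hook error on a constructed map and shows one way to report the missing type id clearly. `SAMPLE_MAP`, `broken_hook` and `record_ids_for_type` are hypothetical names; only `simple_exception`, `dsMapRecordIdByTypeId`, `utype` and the value 1528 come from the traceback.

```python
import io
import sys

# Constructed stand-in for the dsMapRecordIdByTypeId map seen in the traceback:
# schema type id -> list of record ids. The ids are made up; 1528 is the type id
# from the KeyError and is deliberately absent.
SAMPLE_MAP = {10: [5], 1200: [1301, 1302]}


def broken_hook(exc_type, value, tb, stream):
    # Same call shape as ntds/__init__.py line 31 in the traceback:
    # write() accepts exactly one string, so this raises TypeError and
    # hides the original error behind "Error in sys.excepthook".
    stream.write("[!] Error!", value, "\n")


def simple_exception(exc_type, value, tb, stream=None):
    # Build one string first, then write it once.
    stream = stream if stream is not None else sys.stderr
    stream.write("[!] Error! %s: %s\n" % (exc_type.__name__, value))


def record_ids_for_type(record_map, type_id, what):
    # Guarded form of `for recordid in dsMapRecordIdByTypeId[utype]`.
    try:
        return record_map[type_id]
    except KeyError:
        raise LookupError(
            "no %s records (schema type id %d) in the exported datatable; "
            "check that the export came from the intended ntds.dit"
            % (what, type_id)
        )


def demo():
    # Run the guarded lookup and route the failure through the fixed hook.
    out = io.StringIO()
    try:
        record_ids_for_type(SAMPLE_MAP, 1528, "user")
    except LookupError as exc:
        simple_exception(type(exc), exc, None, out)
    return out.getvalue()


if __name__ == "__main__":
    sys.excepthook = simple_exception
    print(demo(), end="")
```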