csababarta / ntdsxtract

Active Directory forensic framework
http://www.ntdsxtract.com
GNU General Public License v3.0
311 stars 109 forks

Output errors #25

Open aldo1901 opened 8 years ago

aldo1901 commented 8 years ago

Here is my command line:

python dsusers.py datatable linktable test --passwordhashes --syshive system.save --pwdformat john --lmoutfile LM.out --ntoutfile NT.out

The script displays a scrolling output of:

[!] Warning! Multiple records with PEK entry!
[+] Scanning database - 0% -> 4372 records processed

(The 4372 is just an example; the number keeps increasing as the script is running.)

Finally, the script gets killed:

Error in sys.excepthook:
Traceback (most recent call last):
  File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntdsinit.py", line 31, in simple_exception
    sys.stderr.write("[!] Error!", value, "\n")
TypeError: function takes exactly 1 argument (3 given)

Original exception was:
Traceback (most recent call last):
  File "dsusers.py", line 407, in
    db = dsInitDatabase(sys.argv[1], wd)
  File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds\dsdatabase.py", line 174, in dsInitDatabase
    dsCheckMaps(db, workdir)
  File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds\dsdatabase.py", line 207, in dsCheckMaps
    dsBuildMaps(dsDatabase, workdir)
  File "C:\Users\aldperez\Documents\dumpntds\ntdsxtract\ntds\dsdatabase.py", line 290, in dsBuildMaps
    dsMapRecordIdBySID[str(SID(record[ntds.dsfielddictionary.dsSIDIndex]))]
IndexError: list index out of range

Concerning the PEK entries, does it mean that the DC is encrypted? Also, I'm running this on Windows and I do have pycrypto installed. Thanks.

Mooey28 commented 6 years ago

Also getting this error:

TypeError: function takes exactly 1 argument (3 given)

Any fix or idea what to do?

jskrivseth commented 6 years ago

+1

jskrivseth commented 6 years ago

In my datatable input file, the PEK column (ATTk590689) was the rightmost column. When dsusers.py does a split('\t') on the line, it was supposed to read it as an empty string, but dsdatabase.py didn't strip newlines. So it kept reading newlines (either "\r\n" or "\n") as the value for the PEK encryption key and warning that there were duplicate values.
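
The newline bug described above, reproduced as an added example (not code from the ntdsxtract project): constructed datatable lines with the PEK column (ATTk590689) rightmost are split with and without stripping the line ending, and the simplified PEK check shows why every record then looks like a PEK holder. Column names other than ATTk590689 and the record layout are assumptions.

```python
PEK_COLUMN = "ATTk590689"  # rightmost column in the reporter's export (per the comment)

# Constructed sample: tab-separated header plus three records, exported with
# Windows line endings. Only record 1 actually carries a PEK blob (placeholder).
SAMPLE_DATATABLE = (
    "DNT_col\tName\tATTk590689\r\n"
    "1\tPEK holder\t<pek-blob-placeholder>\r\n"
    "2\tSome user\t\r\n"
    "3\tAnother user\t\r\n"
)


def split_record(line, strip_newlines):
    """Split one datatable line on tabs, optionally removing the line ending first.

    Without stripping, the rightmost field keeps '\\r\\n' (or '\\n'), so an
    empty PEK column no longer compares equal to ''.
    """
    if strip_newlines:
        line = line.rstrip("\r\n")
    return line.split("\t")


def find_pek_records(datatable_text, strip_newlines):
    """Return ids of records whose PEK column is non-empty.

    Simplified stand-in for the check behind ntdsxtract's
    'Multiple records with PEK entry!' warning.
    """
    lines = datatable_text.splitlines(keepends=True)
    header = split_record(lines[0], strip_newlines=True)
    pek_index = header.index(PEK_COLUMN)
    with_pek = []
    for raw in lines[1:]:
        fields = split_record(raw, strip_newlines)
        if fields[pek_index] != "":
            with_pek.append(fields[0])
    return with_pek


if __name__ == "__main__":
    buggy = find_pek_records(SAMPLE_DATATABLE, strip_newlines=False)
    fixed = find_pek_records(SAMPLE_DATATABLE, strip_newlines=True)
    print("without stripping:", buggy)  # ['1', '2', '3']: every record looks like a PEK holder
    print("with stripping:   ", fixed)  # ['1']
    if len(buggy) > 1:
        print("[!] Warning! Multiple records with PEK entry!")
```

The same misread happens with plain "\n" endings, since "\n" is just as non-empty as "\r\n".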

jskrivseth commented 6 years ago

#27 I submitted this patch to deal with newlines. As it stands, ntdsxtract will always retrieve the wrong values (containing newline chars) from the rightmost column.