fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

secretsdump.py does not complete, #1533

Open chadministratorwastaken opened 1 year ago

chadministratorwastaken commented 1 year ago

Configuration

impacket version: v0.10.0
Python version: 3.11.2
Target OS: Kali Linux 2023.1

Debug Output With Command String

i.e.
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -debug -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL

...
[+] Trying to fetch page 19366 (0x974e000)
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: John Doe
example.com\John.Doe:12345:aad3b435b51404eeaad3b435b51404ee:1234567890abcdef1234567890abcdef:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Exception
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 2512, in dump
    self.__decryptSupplementalInfo(record, None, keysOutputFile, clearTextOutputFile)
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 2148, in __decryptSupplementalInfo
    userProperty = samr.USER_PROPERTY(propertiesData)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 87, in __init__
    self.fromString(data)
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 152, in fromString
    self[field[0]] = self.unpack(field[1], data[:size], dataClassOrCode = dataClassOrCode, field = field[0])
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 326, in unpack
    return self.unpack(two[0],data)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/structure.py", line 385, in unpack
    return unpack(format, data)[0]
           ^^^^^^^^^^^^^^^^^^^^
struct.error: ('unpack requires a buffer of 2 bytes', "When unpacking field 'NameLength | <H=0 | b''[:2]'")
[-] Error while processing row for user John Doe
[-] ('unpack requires a buffer of 2 bytes', "When unpacking field 'NameLength | <H=0 | b''[:2]'")
...

Additional context

The entire debug output is a never-ending loop. The output above is a sample. Source files are from a client and are not able to be shared. Source files were retrieved using the vssadmin command.

This is an issue I see frequently, and I am motivated to assist however I can in finding a solution.
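
The traceback in the report ends in struct.error because the 2-byte NameLength field of a USER_PROPERTY was read from an empty buffer. The following is an added example, not code from impacket or from the issue author: it reproduces that error on a constructed buffer and shows a length-checked parse that reports the truncation instead of raising. It assumes the 6-byte header layout from the MS-SAMR USER_PROPERTY definition and, as one possible trigger rather than a confirmed cause, an entry count larger than the buffer holds; all function names and sample bytes are hypothetical.

```python
import struct

# NameLength, ValueLength, Reserved: three little-endian uint16 fields
# (layout assumed from the MS-SAMR USER_PROPERTY definition).
HEADER = struct.Struct("<HHH")


def build_property(name: str, value: bytes) -> bytes:
    """Serialize one entry; used only to construct sample input."""
    raw = name.encode("utf-16-le")
    return HEADER.pack(len(raw), len(value), 0) + raw + value


# Constructed sample: two well-formed entries, 26 bytes each.
SAMPLE = build_property("ExampleA", b"4b00") + build_property("ExampleB", b"00ff")


def naive_parse(buf: bytes, count: int) -> None:
    """Unchecked pattern: trusts `count` and slices without looking at len(buf)."""
    for _ in range(count):
        name_len = struct.unpack("<H", buf[:2])[0]  # struct.error on b''
        value_len = struct.unpack("<H", buf[2:4])[0]
        buf = buf[HEADER.size + name_len + value_len:]


def parse_user_properties(buf: bytes, count: int):
    """Return (entries, error); error is None when all `count` entries parsed."""
    entries, offset = [], 0
    for index in range(count):
        remaining = len(buf) - offset
        if remaining < HEADER.size:
            return entries, f"entry {index}: header needs {HEADER.size} bytes, {remaining} left"
        name_len, value_len, _reserved = HEADER.unpack_from(buf, offset)
        body = offset + HEADER.size
        end = body + name_len + value_len
        if end > len(buf):
            return entries, f"entry {index}: body extends past end of buffer"
        name = buf[body:body + name_len].decode("utf-16-le", errors="replace")
        entries.append((name, buf[body + name_len:end]))
        offset = end
    return entries, None


if __name__ == "__main__":
    print(parse_user_properties(SAMPLE, 3))  # two entries plus a truncation message
    try:
        naive_parse(SAMPLE, 3)
    except struct.error as exc:
        print("naive parser:", exc)
```

Returning the entries parsed so far together with an error string lets a caller log the damaged record and move on to the next row.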

chadministratorwastaken commented 9 months ago

I have found a workaround to this by using dissect. Still not sure what the actual issue is, but shimming dissect.esedb works successfully on all the files that have failed in the past.