Infinite loop in secretsdump.py while extracting domain hashes

[rodrigozanatta]

This is not a new bug. There is some reports, like #413 #256

I try to read the code and understand what happens. Look like it is a while and reading the debug data, look like just a simple programming error, like this:

• Reading block 10
• Reading block 11
• etc..

Somehow, it goes back in the number and do the infinite loop. So, it look likes only need to do a for i in range(total_bocks)

Obvious the code is more complex and because it make a lot of obscure call, I can't understand easly. But why not only make a simple for without going back (or a option to do this).

What is the problem here? How the algorithm works? Why the indice goes back?

[anadrianmanrique]

@rodrigozanatta can you provide some sample to trigger this issue? thanks

[rodrigozanatta]

@rodrigozanatta can you provide some sample to trigger this issue? thanks

I don't want to make the file public. Show me what test do you want me to make. Can I do it and send the results?

[anadrianmanrique]

@rodrigozanatta can you provide some sample to trigger this issue? thanks

I don't want to make the file public. Show me what test do you want me to make. Can I do it and send the results?

I understand. Can you describe the database in order to try to replicate the scenario? number of users, AD structure, number of computers, etc, I think that could help

[rodrigozanatta]

I understand. Can you describe the database in order to try to replicate the scenario? number of users, AD structure, number of computers, etc, I think that could help

@anadrianmanrique I did something better. I run the program with debug, sanitize the result, and send it. What you need to know:

• I run the command to extract ntds.dit (and other files) in date 1 and it work without problem
• I run the SAME command to extract ntds.dit (and other files) in date 2 and it is in infinite loop
• Beetween this two set, there where a small number of changes (about 4 new users and some hashes update)
• I am using Impacket v0.11.0
• I check and I am using the last version of secretdump.py
• This is my command line:
  • python secretsdump.py -system system.txt -security security.txt -sam sam.txt -ntds ntds.dit -outputfile result -use-vss -pwd-last-set -user-status -history -debug LOCAL

How the infinite loop happens?

• It starts normal and read the first 36 blocks from page 4 to page 1434 (the program only read this blocks ONE TIME)
• Then show: [+] Trying to fetch page 5822 (0x2d7e000)
  • It will dump the Domain Credential, showing *[] PEK # 0 found and decrypted:**
• So, it start running the program, reading page 179, page 2650, page 180.... (This is the start of the infinite loop)
• After running, it will read the last user in [+] Trying to fetch page 156 (0x13a000)
  • A curious thing, This users ends with a $, like NAME$
  • When it show the hashes, the program show NAME$$:hashes... (two $)
  • Another user in this set that ends with $, this don't happens, only one $ -> OTHERNAME$:hashes
  • Maybe this is not important
• So, it read the last pages:
  • [+] Trying to fetch page 174 (0x15e000) [+] Trying to fetch page 291 (0x248000) [+] Trying to fetch page 301 (0x25c000) [+] Trying to fetch page 309 (0x26c000) [+] Trying to fetch page 5822 (0x2d7e000)
• Look likes the page 5822 is the problem. It is the FIRST page to loop. Because this is the same with Domain Creential, the program could ends. Why it did not stop here?
• Not it will get the pages:
  • [+] Trying to fetch page 179 (0x168000) [+] Trying to fetch page 2650 (0x14b6000)
• From now on, the same text will repeat over and over again. I did make a diff in the text result and it is the same in every block. Now it is a infinite loop!

I could print the hex value in the address page 5822 or others. Could it helps? What part of the ntds.dit file could help to fix this bug?

I did atach the Log: log.txt

[rodrigozanatta]

Now I remember what I study. Because I use -use-vss

It will enter in line 2564 in /impacket/examples/secretsdump.py

line 2563    # Now let's keep moving through the NTDS file and decrypting what we find
line 2564    while True:
line 2565        try:
line 2566            record = self.__ESEDB.getNextRow(self.__cursor, filter_tables=self.__filter_tables_usersecret)
line 2567        except:
line 2568            LOG.error('Error while calling getNextRow(), trying the next one')
line 2569                continue
line 2570
line 2571         if record is None:
line 2572             break

The only way to exit this infinite loop is if record is None.

If I am not wrong, the __ESEDB.getNextRow() is in impacket/ese.py

    def getNextRow(self, cursor, filter_tables = None):
        cursor['CurrentTag'] += 1

        tag = self.__getNextTag(cursor)
        #hexdump(tag)

        if tag is None:
            # No more tags in this page, search for the next one on the right
            page = cursor['CurrentPageData']
            if page.record['NextPageNumber'] == 0:
                # No more pages, chau
                return None
            else:
                cursor['CurrentPageData'] = self.getPage(page.record['NextPageNumber'])
                cursor['CurrentTag'] = 0
                return self.getNextRow(cursor, filter_tables = filter_tables)
        else:
            return self.__tagToRecord(cursor, tag['EntryData'], filter_tables = filter_tables)

Look like the problem is in the line: if page.record['NextPageNumber'] == 0: I want that to happens.

This is the problem.. How to change the logic of the file. Do you know what is happening?

[anadrianmanrique]

Ok, let me see what I can do with this. I will try to replicate the issue in my env . I'll let you know if I need more information. Thanks!

[rodrigozanatta]

Whell, all the problem is how cursor was made. I could print it's value, just need to setup it. Only reading the code, it is difficult to understand.

One easy way to fix this in my noob view is just:

used_page = set()
if page not in used_page:
    used_page.add(page)
else:
    # will enter in infinite loop, stop it!!!
    break

But I have no idea how it will impact others cases :)

[AkechiShiro]

@anadrianmanrique is there any news on this issue? Were you able to reproduce or not ?