Closed TheraNinjaCat closed 2 weeks ago
Interesting. I implemented an aggressive error handling
self.record_index
.get(ptr)
.unwrap_or_else(|| panic!("invalid record pointer: {ptr}"))
because I assumed the record_index contains all entries. Obviously this assumption was wrong.
This situation might happen if there is an inconsistency in your link table. I'll add a better error handling for this
Yeah, I'm not surprised by inconsistencies in the link table, I've done analysis on quite a number of NTDS files at this point, and I think just about every single one of them has had some... weirdness. I would assume it's some mix of long-lived domains having some errors compounded over time, upgrades to the underlying Windows server, or errors caused during the export of the file.
I have tested this commit 889841aed1d05bdf207ce628835429044137ca5f and now get this error:
Error: invalid value detected: '"Long"'; expected type was String (one of (text, largetext or binary)
Stack backtrace:
0: std::backtrace_rs::backtrace::libunwind::trace
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
1: std::backtrace_rs::backtrace::trace_unsynchronized
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: std::backtrace::Backtrace::create
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/backtrace.rs:331:13
3: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/anyhow-1.0.86/src/backtrace.rs:27:14
4: <core::result::Result<T,F> as core::ops::try_trait::FromResidual<core::result::Result<core::convert::Infallible,E>>>::from_residual
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/core/src/result.rs:1989:27
5: libntdsextract2::value::from_value::FromValue::from_record_opt
at ./src/value/from_value.rs:21:16
6: <libntdsextract2::cache::meta_data_cache::MetaDataCache as core::convert::TryFrom<&libntdsextract2::esedbinfo::EsedbInfo>>::try_from
at ./src/cache/meta_data_cache.rs:99:29
7: libntdsextract2::c_database::CDatabase::new
at ./src/c_database.rs:19:30
8: ntdsextract2::main
at ./src/main.rs:47:20
9: core::ops::function::FnOnce::call_once
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/core/src/ops/function.rs:250:5
10: std::sys_common::backtrace::__rust_begin_short_backtrace
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/sys_common/backtrace.rs:155:18
11: std::rt::lang_start::{{closure}}
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/rt.rs:159:18
12: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/core/src/ops/function.rs:284:13
13: std::panicking::try::do_call
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/panicking.rs:559:40
14: std::panicking::try
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/panicking.rs:523:19
15: std::panic::catch_unwind
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/panic.rs:149:14
16: std::rt::lang_start_internal::{{closure}}
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/rt.rs:141:48
17: std::panicking::try::do_call
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/panicking.rs:559:40
18: std::panicking::try
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/panicking.rs:523:19
19: std::panic::catch_unwind
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/panic.rs:149:14
20: std::rt::lang_start_internal
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/rt.rs:141:20
21: std::rt::lang_start
at /rustc/3f5fd8dd41153bc5fdca9427e9e05be2c767ba23/library/std/src/rt.rs:158:17
22: main
23: __libc_start_main
24: <unknown>
Funny. The line that causes this issue is https://github.com/janstarke/ntdsextract2/blob/88616a18f5c23df93629d492e090e5504afee17d/src/cache/meta_data_cache.rs#L98-L99
Obviously there is a number stored in the column for samAccountName :laughing:
I'll also change this into a log message
I updated the branch, but I cannot test it. Would you please give it a try?
I've just tested this out, it now runs to completion, there's a whole bunch of missing entries because of an inconsistency in the link_table
, and a single error reading samAccountName
because it's a long, besides those however it more or less seems to run correctly.
I've run users normally, with --member-of sam
, --member-of dn
, and --member-of sid
, and they all seem to work correctly. It seems that it outputs null
in the member_of
list for sam
and sid
, however for dn
it seems to be putting entries like "id=21607/row=16996"
. I've run group with --member-of dn
and this acts in the same way. I suspect this is because the dn
couldn't be interpreted, and in these objects the distinguished_name
field is null
, which ironically makes the id/row
numbers useless as well, as they can't be directly linked to any other object ha ha ha. As it is, however, it is in a state where I can run the tool multiple times with different member_of
fields, and parse all the data to come up with unique links to objects. Thank you heaps for your efforts in implementing these changes and fixes.
Yes, I know that problem of missing entries and the id/row as replacement. We could instead print something like MISSING ENTRY FOR ID 21607
, which could more descriptive
I think for the json output null
is probably the cleanest value, it’s already present in the other member_of
formats, and it seems to be how it’s handled for the main distinguished _name
field as well. It shows that there is missing data, but it’s possible to use the other member_of
formats to fill in the gaps.
When running the current main 7f79f14737cb0782997d5355ddc833fea55d8947 branch against my dataset I get the following new crash:
RUST_BACKTRACE=full target/debug/ntdsextract2 /working/NTDS.dit user -D -F json