need help with: libesedb_page_tree_get_number_of_leaf_values: invalid number of leaf pages value exceeds maximum.

[ghost]

Hi, I am trying to run my ntds.dit file through the esedbexport tool, to inevitably perform a password audit on Active Directory. I get the following error when running the command:

root@kali:/usr/local/bin# ./esedbexport -t /home/johnh/ /home/johnh/extract/ntds.dit esedbexport 20200718

Opening file. Database type: Unknown. Exporting table 1 (MSysObjects) out of 14. Exporting table 2 (MSysObjectsShadow) out of 14. Exporting table 3 (MSysObjids) out of 14. Exporting table 4 (MSysLocales) out of 14. Exporting table 5 (datatable) out of 14. Unable to export file. libesedb_page_tree_get_number_of_leaf_values: invalid number of leaf pages value exceeds maximum. libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table page tree. export_handle_export_table: unable to retrieve number of records. export_handle_export_file: unable to export table: 4. root@kali:/usr/local/bin#

Any help would be awesome.

Thanks!

[joachimmetz]

First of all 20200718 is a WIP version not a pre-release https://github.com/libyal/libesedb/releases and is intended for development purposes. Also see: https://github.com/libyal/libesedb/wiki/Building#read-first

libesedb_page_tree_get_number_of_leaf_values: invalid number of leaf pages value exceeds maximum.

Indicates that the datatable table B-tree contains more leaf pages than the safe guard allows. What can help is sharing the file or comparable test data.

[joachimmetz]

No update from original reporter closing issue

[grap3-ap3]

Hello, I have recently encountered this same issue and see no other reference to the problem, or a solution.

Would it be possible reopen this issue? I can share some data with you if so.

[joachimmetz]

@grap3-ap3 you'll need to provide more context what same issue you're observing with what source data and what version of libesedb.

[grap3-ap3]

@joachimmetz ,

Thanks for the reply!

With regard to the "same issue", I am getting the same results as the OP when running esedbexport:

esedbexport -m tables /home/work/ntds.dit esedbexport 20220129

Opening file. Database type: Unknown. Exporting table 1 (MSysObjects) out of 14. Exporting table 2 (MSysObjectsShadow) out of 14. Exporting table 3 (MSysObjids) out of 14. Exporting table 4 (MSysLocales) out of 14. Exporting table 5 (datatable) out of 14. Unable to export file. libesedb_page_tree_get_number_of_leaf_values: invalid number of leaf pages value exceeds maximum. libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table page tree. export_handle_export_table: unable to retrieve number of records. export_handle_export_file: unable to export table: 4.

The source data is the ntds.dit file exported from AD.

The version of libesedb is the current version cloned from your repository. I was unable to determine a specific version number, but if you can direct me as to how to extrapolate this, I will respond with details.

[grap3-ap3]

Just checking back once more, perhaps I'm doing something wrong?

Is this an issue you can help me address, or is there another way to accomplish my goal?

Thank you in advance for your time, and consideration.

[joachimmetz]

Pre-occupied with other urgent things at the moment.

I was unable to determine a specific version number, but if you can direct me as to how to extrapolate this, I will respond with details.

Version is 20220129

libesedb_page_tree_get_number_of_leaf_values: invalid number of leaf pages value exceeds maximum.

You can see if you can tweak the limits in your local copy of the source https://github.com/libyal/libesedb/blob/3326953464e2dad970b5772c55628590d1cc8e9a/libesedb/libesedb_page_tree.c#L1575

Realize this might have performance impact

[akravask]

Hi All,

Maybe I'm a bit late on the issue thread, but I got the solution for the problem thanks to the tip of @joachimmetz

The issue is due to in new releases of esedbexport some extra ranges are checked in the libesedb/libesedb/libesedb_page_tree.c file and when using large NTDS files it crashes. Comparing it with older releases like 20120102, this check was not made. So, the fix for this is to remove the entire WHILE from line 1573 "while ( leaf_page_number != 0 )" to line 1687 "}". This way, I could recompile the tool with no errors and extract a large NTDS.

Thank you all for the help!

[joachimmetz]

@akravask this is not recommended practice, there might unexpected side effects

[akravask]

@joachimmetz thank you for the information! In my case it was useful to export datatables of a bigger NTDS, but as you mention, I understand it is not a good practice and could carry problems.