8000 ntdsextract2 panics on NTDS extraction: libesedb_record_get_long_value error · Issue #39 · janstarke/ntdsextract2 · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

ntdsextract2 panics on NTDS extraction: libesedb_record_get_long_value error #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bru73f0rc3 opened this issue Feb 15, 2025 · 4 comments · Fixed by #40
Closed

ntdsextract2 panics on NTDS extraction: libesedb_record_get_long_value error #39

bru73f0rc3 opened this issue Feb 15, 2025 · 4 comments · Fixed by #40
Assignees
@janstarke
Labels
bug Something isn't working

Comments

@bru73f0rc3
Copy link

I recently installed version 1.4.7 via Cargo, and while attempting to extract user or group info from NTDS the tool consistently fails with a panic related to libesedb_record_get_long_value.

command line to reproduce (done with 1.4.7):

ntdsextract2 ntds.dit group -D -A --member-of sam -F json-lines

Error and Stack:

thread 'main' panicked at /home/.../.cargo/registry/src/index.crates.io-.../ntdsextract2-1.4.7/src/ntds/sd_table.rs:38:22:
called `Result::unwrap()` on an `Err` value: c-libesedb: libesedb_record_get_long_value: unable retrieve value data.
libesedb_data_definition_read_long_value_segment: invalid data definition.
libesedb_record_get_long_value_data_segments_list: unable to read data definition long value segment.
libesedb_record_get_long_value: unable retrieve value data.

Stack backtrace:
   0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
   1: <libntdsextract2::cache::record::Record as libntdsextract2::cache::record::with_value::WithValue<libntdsextract2::cache::column_index::ColumnIndex>>::with_value
   2: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold
   3: <std::collections::hash::map::HashMap<K,V,S> as core::iter::traits::collect::FromIterator<(K,V)>>::from_iter
   4: libntdsextract2::ntds::sd_table::SdTable::new
   5: libntdsextract2::c_database::CDatabase::new
   6: ntdsextract2::main
   7: std::sys::backtrace::__rust_begin_short_backtrace
   8: std::rt::lang_start::{{closure}}
   9: std::rt::lang_start_internal
  10: main
  11: <unknown>
  12: __libc_start_main
  13: _start
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::result::unwrap_failed
   3: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold
   4: <std::collections::hash::map::HashMap<K,V,S> as core::iter::traits::collect::FromIterator<(K,V)>>::from_iter
   5: libntdsextract2::ntds::sd_table::SdTable::new
   6: libntdsextract2::c_database::CDatabase::new
   7: ntdsextract2::main

I originally used version 1.4.2 on a different system without issues. To troubleshoot, I tested different versions by force-installing them. I found that versions 1.4.2 and 1.4.3 work as expected, while versions 1.4.4 through 1.4.7 consistently fail with the same error.

Using Kali 2024.2
rustc 1.84.0

Let me know if any additional info would help.
@janstarke janstarke self-assigned this Mar 9, 2025
@janstarke janstarke added the bug Something isn't working label Mar 9, 2025
@janstarke
Copy link
Owner

I'm currently on the road. I will take care of this problem next week...

@janstarke
Copy link
Owner

Some AD databases use LONG values, which are more complicated to parse. I added support for this in one of the younger releases.

Today, changed the error handling on this issue and added a cli switch --include-sd which you can you to enable reading of the SD table. If you don't set --include-sd, this table will not be parsed and the error should go away. This code is in the issue branch only, at the moment.

However, this does not solve the originating problem. Is it possible to get a copy of your test data, so that I can debug the problem?

@janstarke janstarke linked a pull request Mar 15, 2025 that will close this issue
39 ntdsextract2 panics on ntds extraction libesedb record get long value error #40
Merged
@bru73f0rc3
Copy link
Author

Unfortunately it's data that I can't share, but I'm happy to run debug builds if you want to add any logging that might be helpful.

@janstarke
Copy link
Owner
janstarke commented May 9, 2025
edited
Loading

I recently had a case where one ntds.dit also had this issue. I think, using this data I was able to fix the problem. Could you please give it a try?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@janstarke janstarke

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@bru73f0rc3 @janstarke
0