
Reading NTDS.DIT exhibits various problems

Open lkarlslund opened this issue 5 months ago • 6 comments

Reading a recent NTDS.DIT dump has surfaced several problems in the otherwise brilliant library you've created. Not sure how best to report this, but I'm attaching a lab dump of GOAD from Orange Cybersecurity which doesn't contain any secrets, and my observations from it.

The dump was made using NTDSUTIL / activate instance ntds / ifm / create full c:\temp - so there shouldn't be any DB corruption or similar problems with it.

Dumping sd_table, there are multiple rows where the actual "sd_value" is incorrect: it's returned as 4 bytes, not the entire data. Here is an example using ESEDatabaseView to show records 72 and 78; using go-ese, record 72 is returned correctly but the sd_value of record 78 is returned as "24000000".

I also suspect that some records are returned with a corrupted sd_value, as I cannot parse them as security descriptors, but I haven't had time to dive deeper into this.

[screenshot: ESEDatabaseView, records 72 and 78]

Dumping datatable, it shows that all ATTn fields are marked as multivalue (8), but almost all of what is returned using go-ese are not slices, just singular values. I found this as the ATTc0 attribute should return multiple integer values in most cases.

ntds.zip

lkarlslund, Jan 29 '24 19:01
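An added example, not code from go-ese or from the report above: a structural plausibility check that a consumer of sd_table can run over every sd_value before handing it to a security-descriptor parser. It assumes the column holds a raw self-relative SECURITY_DESCRIPTOR_RELATIVE (20-byte header, little-endian, with SE_SELF_RELATIVE set); that layout assumption is about the column, not something the report states. The record ids and the 4-byte value "24000000" come from the report; the valid descriptor is constructed here. A check like this separates "value cannot be a complete descriptor" (the truncation described) from "descriptor parses but has odd contents", which is the distinction needed to triage the second suspicion in the report.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Layout of SECURITY_DESCRIPTOR_RELATIVE (all little-endian):
//   Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4) OffsetSacl(4) OffsetDacl(4)
const sdHeaderLen = 20

// Control flag that must be set on a self-relative descriptor.
const seSelfRelative = 0x8000

// Smallest object an offset may point at: a SID with zero sub-authorities
// and an ACL header are both 8 bytes.
const minTargetLen = 8

// ValidateSelfRelativeSD checks that b is structurally plausible as a
// self-relative security descriptor. It does not interpret ACEs; it only
// rejects blobs that cannot be a complete descriptor, such as a 4-byte value.
func ValidateSelfRelativeSD(b []byte) error {
	if len(b) < sdHeaderLen {
		return fmt.Errorf("too short: %d bytes (%s), header alone is %d",
			len(b), hex.EncodeToString(b), sdHeaderLen)
	}
	if b[0] != 1 {
		return fmt.Errorf("unsupported revision %d", b[0])
	}
	control := binary.LittleEndian.Uint16(b[2:4])
	if control&seSelfRelative == 0 {
		return errors.New("SE_SELF_RELATIVE flag not set")
	}
	for i, name := range []string{"owner", "group", "sacl", "dacl"} {
		off := int(binary.LittleEndian.Uint32(b[4+4*i : 8+4*i]))
		if off == 0 {
			continue // component absent
		}
		// An offset may not land inside the header or run past the blob.
		if off < sdHeaderLen || off+minTargetLen > len(b) {
			return fmt.Errorf("%s offset %d outside %d-byte blob", name, off, len(b))
		}
	}
	return nil
}

// CheckSDRows runs the validator over (record id -> sd_value) pairs and
// returns the ids that failed with the reason, so those rows can be
// compared against another ESE viewer.
func CheckSDRows(rows map[int][]byte) map[int]string {
	bad := make(map[int]string)
	for id, v := range rows {
		if err := ValidateSelfRelativeSD(v); err != nil {
			bad[id] = err.Error()
		}
	}
	return bad
}

// minimalSD builds a constructed descriptor: SE_SELF_RELATIVE | SE_DACL_PRESENT,
// no owner/group/SACL, and an empty DACL placed directly after the header.
func minimalSD() []byte {
	sd := make([]byte, sdHeaderLen+8)
	sd[0] = 1                                           // Revision
	binary.LittleEndian.PutUint16(sd[2:], 0x8004)       // Control
	binary.LittleEndian.PutUint32(sd[16:], sdHeaderLen) // OffsetDacl
	sd[20] = 2                                          // ACL_REVISION
	binary.LittleEndian.PutUint16(sd[22:], 8)           // AclSize: header only, zero ACEs
	return sd
}

func main() {
	// Constructed sample rows; 78 carries the 4-byte value quoted in the report.
	truncated, _ := hex.DecodeString("24000000")
	rows := map[int][]byte{72: minimalSD(), 78: truncated}
	for id, reason := range CheckSDRows(rows) {
		fmt.Printf("record %d: %s\n", id, reason)
	}
}
```

Running it reports record 78 as too short and leaves record 72 alone; rows that pass this check but still fail a full ACE parser are the ones worth diffing byte-for-byte against ESEDatabaseView.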