Server 2012 R2 #19

Open
bucky67gto opened this issue Oct 2, 2015 · 6 comments

@bucky67gto

Been working great for years. Love the effort. Trying on Windows 2012 R2 and getting problems.

The export from the latest esedbtools is the following:

Opening file.
Exporting table 1 (MSysObjects) out of 14.
Exporting table 2 (MSysObjectsShadow) out of 14.
Exporting table 3 (MSysObjids) out of 14.
Exporting table 4 (MSysLocales) out of 14.
Exporting table 5 (datatable) out of 14.
Exporting table 6 (hiddentable) out of 14.
Exporting table 7 (link_history_table) out of 14.
Exporting table 8 (link_table) out of 14.
Exporting table 9 (sdpropcounttable) out of 14.
Exporting table 10 (sdproptable) out of 14.
Exporting table 11 (sd_table) out of 14.
Exporting table 12 (MSysDefrag2) out of 14.
Exporting table 13 (quota_table) out of 14.
Exporting table 14 (quota_rebuild_progress_table) out of 14.
Export completed.

I am guessing that the differences in the extracted files are messing up the parsing that ntdsxtract is doing. I can run with datatable.4 and link_table.7, which gives me some data, but not the hashes. Thoughts?

@csababarta
Owner

I have just tested the framework with Server 2012 R2 and it seems to work. Can you send me some test data? I would need it in order to be able to reproduce the issue...

@bucky67gto
Author

I wish I could. The only data I have is from a live pentest I am doing. Did you get the same 14 tables in your export? Did you run with datatable.4 and link_table.7? Also, I am using NTDSXtract v1.3.

@bucky67gto
Author

Did you get the same 14 tables in your export? Did you run with datatable.4 and link_table.7? Also, I am using NTDSXtract v1.3.

@rufflabs

rufflabs commented Nov 30, 2016

I am noticing the same thing here. This is my first time doing this and I was wondering why my output didn't include any hashes like all the guides said it should.

I started searching and noticed that ntdsxtract said it only works on 2003 and 2008, while mine are 2012. I stumbled on this post when searching for ntdsxtract and server 2012.

Edit: For my issue I believe it was a corrupted ntds or registry. I had initially taken the files from backup snapshots. When I took new snapshots with VSS and used those files it worked fine.

@304GEEK

304GEEK commented Aug 2, 2017

Same issue here.

MSysDefrag2.11 MSysObjids.2 link_table.7 sdpropcounttable.8
MSysLocales.3 datatable.4 quota_rebuild_progress_table.13 sdproptable.9
MSysObjects.0 hiddentable.5 quota_table.12
MSysObjectsShadow.1 link_history_table.6 sd_table.10

Changing datatable.# and link_table.# to match the output above, the result is that -lmoutfile and -ntoutfile are not generated. Some account details are presented.

Any progress working with this issue?

Thanks,

@wgroenewold

No issue here. Did you supply the SYSTEM hive?
