Issue with export about ntdsxtract HOT 6 CLOSED

Hi there,

First of all thank you for the bug report.

Could you please send me some details about the problem?
How does the command look like that you used?
How big is the database?
Is it possible to reproduce the issue with a test system? (I know that the content of the database that you would like to process is confidential so I cannot get that, but maybe you have a test database that shows the same symptoms).

Thanks in advance for your support.

from ntdsxtract.

Hi there again,

the error code seems to refer to a conversion error. Could you please do the following?

1. Edit the file /ntds/init.py
2. Comment out all the lines except the one that starts with "import"
3. Repeat the export and check if you receive a detailed error message with stack trace. If this is the case please paste it here in order for me to get some details about the bug

Thanks in advance for your help!

from ntdsxtract.

Hi

I have this error as well. I'm using 1.3.1 with this command line:

./dsusers.py /ntds/SAM/extract.export/datatable.3 /ntds/SAM/extract.export/link_table.5 /ntds/output/ --syshive /ntds/SAM/SYSTEM --ntoutfile /ntds/output/nthash --pwdformat ophc --passwordhashes --passwordhistory

The program initialises properly then gives this error trace:

List of users:
==============Traceback (most recent call last):
File "./dsusers.py", line 468, in
for recordid in dsMapRecordIdByTypeId[utype]:
KeyError: 1369

The database is only small, about 12Mb. Esedbexport gives the error 'unable to retrieve long value of record entry : 519', but seems to work through the file, the datatable.3 file is around 4Mb.

Thanks for your attention, great tool, I'm almost there in making it work!

from ntdsxtract.

I've done some more work on this. I think the problem is related to the ntds.dit file. I was using the version from %systemroot%\System32\ whereas it should have been the one from %systemroot%\NTDS. The location of the NTDS folder on my DC is not the default location. Worth checking.

from ntdsxtract.

That seemed to work for me aswell. thanks.

from ntdsxtract.

Hi,I have a similar problem:
version 1.3.1
command line is:
python dsusers.py /home/meth/ntds.dit.export_NTDS/datatable.3 /home/meth/ntds.dit.export_NTDS/link_table.5 /home/meth/wip/ --syshive /home/ameth/prod/SYSTEM --passwordhashes --lmoutfile /home/meth/lm-out.txt --ntoutfile /home/meth/nt-out.txt --pwdformat ophc --debug
The output is
[+] Started at: Mon, 12 Oct 2015 10:22:44 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: /home/meth/lm-out.txt
[-] NT hash output filename: /home/meth/nt-out.txt
[-] Hash output format: ophc
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[+] Loading saved map files (Stage 2)...

List of users:
==============Traceback (most recent call last):
File "dsusers.py", line 486, in
for recordid in dsMapRecordIdByTypeId[utype]:
KeyError: 1528

I tryed the SYSTEM from %systemroot%\System32\ and from %systemroot%\NTDS, with the same result.
Can someone help me?

from ntdsxtract.