Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Impossible to find Pek-List attribute in ntds file #456

Closed
quentinhardy opened this issue May 21, 2018 · 4 comments
Closed

Impossible to find Pek-List attribute in ntds file #456

quentinhardy opened this issue May 21, 2018 · 4 comments

Comments

@quentinhardy
Copy link

Hello,

I am trying to use secretsdump.py for extracting hashes from a big ntds.dit file which has been copied with vssadmin.

When I run secretsdump.py, it seems the script doesn't find the Pek-List attribute:

Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Target system bootKey: 0x****************************
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[-] Error while calling getNextRow(), trying the next one
[-] Error while calling getNextRow(), trying the next one
[-] Error while calling getNextRow(), trying the next one
[-] Error while calling getNextRow(), trying the next one
[-] Error while calling getNextRow(), trying the next one
[-] Error while calling getNextRow(), trying the next one
[...]
Killed

This attribute is required for decrypting hashes.

I have the same bug with impdump project (HarmJ0y/ImpDump#5) wich uses the impacket project (e.g. esentutl.py).

Notice esedbexport is running on this same ntds file (from some days) and there is an "ATTk590689" (Pek-List) attribute in database file (database.4 file). It is not finish but if I take this "ATTk590689" value from database.4 file and I use it directly in source code of https://github.com/HarmJ0y/ImpDump/blob/master/impdump.py, it works! : I can extract decrypted hashes.

So I think it is a bug in impacket -:(

Do you known if it a well known problem?

Thanks in advance for your help,

@asolino
Copy link
Collaborator

asolino commented May 23, 2018

Hey @quentinhardy

First time I hear about this issue.

According to your tests, looks like there's a bug in the getNextRow() code.

Now, without a way to reproduce this bug, it is almost imposible to determine where the problem is (in particular due to the complexity of the ESE format). Can you provide the DIT and registry hives to reproduce it?

If not, another alternative is for you to figure out where the problem is.

thanks,

@quentinhardy
Copy link
Author

Hello,

Unfortunately, I can't send you the ntds.dit file with the SYSTEM file.

I will try to search the problem.

@echobb8
Copy link

echobb8 commented Jul 18, 2018

Any resolution to this? @quentinhardy how did you discover the Pek-List value? I'm getting the same issues as you reported in the OP on two ntds.dit files.

@asolino
Copy link
Collaborator

asolino commented Oct 25, 2018

Should be fixed in 9efa50f

@asolino asolino closed this as completed Oct 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants