
ntdsextract2

This aims to be a replacement for https://github.com/csababarta/ntdsxtract/ by @csababarta.

Why write a tool that already exists and works?

  1. ntdsxtract uses Python 2.7, which makes it hard to run on modern systems.
  2. There has been no change for a long time (the last commit is from February 2016), which suggests that Csaba has other things to do at the moment. That's OK. But Windows is changing, and therefore the tools to analyze Windows systems have to adapt. As I don't like some of the architectural decisions Csaba made, I started my own development.

Installation

```bash
cargo install --git https://github.com/janstarke/ntdsextract2.git
```

Usage

```
USAGE:
    ntdsextract2 [OPTIONS]

ARGS:
    name of the file to analyze

OPTIONS:
    -h, --help       Print help information
    -q, --quiet      Less output per occurrence
    -v, --verbose    More output per occurrence
    -V, --version    Print version information

SUBCOMMANDS:
    computer    display computer accounts
    entry       display one single entry from the directory information tree
    group       Display groups
    help        Print this message or the help of the given subcommand(s)
    search      search for entries whose values match to some regular expression
    timeline    create a timeline (in bodyfile format)
    tree        display the directory information tree
    types       list all defined types
    user        Display user accounts
```

Search for entries

```
USAGE:
    ntdsextract2 search [OPTIONS]

ARGS:
    regular expression to match against

OPTIONS:
    -h, --help           Print help information
    -i, --ignore-case    case-insensitive search (ignore case)
    -q, --quiet          Less output per occurrence
    -v, --verbose        More output per occurrence
```

Displaying a single entry

```
USAGE:
    ntdsextract2 entry [OPTIONS]

ARGS:
    id of the entry to show

OPTIONS:
    -h, --help       Print help information
    -q, --quiet      Less output per occurrence
        --sid        search for SID instead of NTDS.DIT entry id. The id will be
                     interpreted as RID, which is the last part of the SID;
                     e.g. 500 will return the Administrator account
    -v, --verbose    More output per occurrence
```

Displaying the tree structure of the AD

```
USAGE:
    ntdsextract2 tree [OPTIONS]

OPTIONS:
    -h, --help         Print help information
        --max-depth    maximum recursion depth [default: 4]
    -q, --quiet        Less output per occurrence
    -v, --verbose      More output per occurrence
```

Creating a timeline

```
USAGE:
    ntdsextract2 timeline [OPTIONS]

OPTIONS:
        --all-objects    show objects of any type (this might be a lot)
    -h, --help           Print help information
    -q, --quiet          Less output per occurrence
    -v, --verbose        More output per occurrence
```
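As an added example (not part of ntdsextract2), a small Python post-processor that sorts a bodyfile-format timeline, such as the one `ntdsextract2 timeline` writes, into mactime-style events so that creation and change times of directory objects can be read in order. It assumes the standard TSK 3.x bodyfile column layout and uses constructed sample lines; which NTDS attributes the tool maps onto each timestamp column is not documented on this page, so confirm the mapping against the tool's real output.

```python
"""Sort a bodyfile-format timeline (what `ntdsextract2 timeline` emits) into
mactime-style events. Added example, not ntdsextract2 code. Assumes the standard
TSK 3.x bodyfile layout: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime"""
from dataclasses import dataclass
from datetime import datetime, timezone

# (bodyfile column, mactime letter) in the order mactime prints the flags: m a c b
TIME_COLUMNS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample lines; DNs, ids and timestamps are made up for illustration.
SAMPLE = """\
0|CN=Administrator,CN=Users,DC=example,DC=com|3588|0|0|0|0|1672920000|1672920000|0|1262304000
0|CN=svc-backup,CN=Users,DC=example,DC=com|4102|0|0|0|0|0|1700000000|1700000000|1699900000
"""

@dataclass(frozen=True)
class Event:
    timestamp: int  # Unix epoch seconds
    kinds: str      # mactime flags, e.g. "m.c." or "...b"
    name: str       # the bodyfile name column (here a distinguished name)
    inode: str      # the bodyfile inode column (here a record id)

def parse_bodyfile(text: str) -> list[Event]:
    """One event per distinct timestamp on a line (equal atime/mtime collapse into
    one row, as mactime does), sorted oldest first. Unset timestamps (<= 0) are skipped."""
    events: list[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 bodyfile fields, got {len(fields)}: {line!r}")
        _md5, name, inode, _mode, _uid, _gid, _size, atime, mtime, ctime, crtime = fields
        values = {"atime": atime, "mtime": mtime, "ctime": ctime, "crtime": crtime}
        by_time: dict[int, set[str]] = {}
        for column, text_value in values.items():
            if int(text_value) > 0:
                by_time.setdefault(int(text_value), set()).add(column)
        for value, columns in by_time.items():
            flags = "".join(letter if col in columns else "." for col, letter in TIME_COLUMNS)
            events.append(Event(value, flags, name, inode))
    return sorted(events, key=lambda e: (e.timestamp, e.name))

def format_timeline(events: list[Event]) -> list[str]:
    """Render events as 'ISO-8601 UTC time, flags, inode, name' lines."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return [f"{datetime.fromtimestamp(e.timestamp, tz=timezone.utc).strftime(fmt)} "
            f"{e.kinds} {e.inode} {e.name}" for e in events]
```

Feed it the real file with `parse_bodyfile(open("timeline.body").read())`; the flags column tells you at a glance whether a row is an object's creation (`...b`) or a later change.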

Enumerating ...

... users

```
USAGE:
    ntdsextract2 user [OPTIONS]

OPTIONS:
    -A, --show-all    show all non-empty values. This option is ignored when
                      CSV-Output is selected
    -F, --format      Output format [default: csv] [possible values: csv, json, json-lines]
    -h, --help        Print help information
    -q, --quiet       Less output per occurrence
    -v, --verbose     More output per occurrence
```

... groups

```
USAGE:
    ntdsextract2 group [OPTIONS]

OPTIONS:
    -A, --show-all    show all non-empty values. This option is ignored when
                      CSV-Output is selected
    -F, --format      Output format [default: csv] [possible values: csv, json, json-lines]
    -h, --help        Print help information
    -q, --quiet       Less output per occurrence
    -v, --verbose     More output per occurrence
```

... computers

```
USAGE:
    ntdsextract2 computer [OPTIONS]

OPTIONS:
    -A, --show-all    show all non-empty values. This option is ignored when
                      CSV-Output is selected
    -F, --format      Output format [default: csv] [possible values: csv, json, json-lines]
    -h, --help        Print help information
    -q, --quiet       Less output per occurrence
    -v, --verbose     More output per occurrence
```

... types

```
USAGE:
    ntdsextract2 types [OPTIONS]

OPTIONS:
    -F, --format     Output format [default: csv] [possible values: csv, json, json-lines]
    -h, --help       Print help information
    -q, --quiet      Less output per occurrence
    -v, --verbose    More output per occurrence
```