This aims to be a replacement of https://github.com/csababarta/ntdsxtract/ by @csababarta.
- ntdsxtract is using Python 2.7, which makes it hard to use on modern systems
- There has been no change since a lot of time (the last commit is from February 2016), which suggests that Csaba has other stuff to do at the moment. That's OK. But Windows is changing, and therefore the tools to analyze Windows Systems has to adapt. As I don't like some architectural decisions Csaba has made, I started my own development.
cargo install ntdsextract2USAGE:
ntdsextract2 [OPTIONS] <NTDS_FILE> <SUBCOMMAND>
ARGS:
<NTDS_FILE> name of the file to analyze
OPTIONS:
-h, --help Print help information
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
-V, --version Print version information
SUBCOMMANDS:
computer display computer accounts
entry display one single entry from the directory information tree
group Display groups
help Print this message or the help of the given subcommand(s)
search search for entries whose values match to some regular expression
timeline create a timeline (in bodyfile format)
tree display the directory information tree
types list all defined types
user Display user accounts
USAGE:
ntdsextract2 <NTDS_FILE> search [OPTIONS] <REGEX>
ARGS:
<REGEX> regular expression to match against
OPTIONS:
-h, --help Print help information
-i, --ignore-case case-insensitive search (ignore case)
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> entry [OPTIONS] <ENTRY_ID>
ARGS:
<ENTRY_ID> id of the entry to show
OPTIONS:
-h, --help Print help information
-q, --quiet Less output per occurrence
--sid search for SID instead for NTDS.DIT entry id. <ENTRY_ID> will be interpreted as
RID, wich is the last part of the SID; e.g. 500 will return the Administrator
account
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> tree [OPTIONS]
OPTIONS:
-h, --help Print help information
--max-depth <MAX_DEPTH> maximum recursion depth [default: 4]
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> timeline [OPTIONS]
OPTIONS:
--all-objects show objects of any type (this might be a lot)
-h, --help Print help information
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> user [OPTIONS]
OPTIONS:
-A, --show-all show all non-empty values. This option is ignored when CSV-Output is
selected
-F, --format <FORMAT> Output format [default: csv] [possible values: csv, json, json-lines]
-h, --help Print help information
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> group [OPTIONS]
OPTIONS:
-A, --show-all show all non-empty values. This option is ignored when CSV-Output is
selected
-F, --format <FORMAT> Output format [default: csv] [possible values: csv, json, json-lines]
-h, --help Print help information
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> computer [OPTIONS]
OPTIONS:
-A, --show-all show all non-empty values. This option is ignored when CSV-Output is
selected
-F, --format <FORMAT> Output format [default: csv] [possible values: csv, json, json-lines]
-h, --help Print help information
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence
USAGE:
ntdsextract2 <NTDS_FILE> types [OPTIONS]
OPTIONS:
-F, --format <FORMAT> Output format [default: csv] [possible values: csv, json, json-lines]
-h, --help Print help information
-q, --quiet Less output per occurrence
-v, --verbose More output per occurrence