dissect.database 1.2.dev8__tar.gz → 1.2.dev10__tar.gz

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.database
-Version: 1.2.dev8
+Version: 1.2.dev10
 Summary: A Dissect module implementing parsers for various database formats, including Berkeley DB, Microsofts Extensible Storage Engine (ESE) and SQLite3
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: Apache-2.0

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/dissect/database/ese/ntds/database.py

@@ -11,7 +11,7 @@ from dissect.database.ese.ntds.pek import PEK
 from dissect.database.ese.ntds.query import Query
 from dissect.database.ese.ntds.schema import Schema
 from dissect.database.ese.ntds.sd import SecurityDescriptor
-from dissect.database.ese.ntds.util import DN, DatabaseFlags, SearchFlags, encode_value
+from dissect.database.ese.ntds.util import DN, DatabaseFlag, SearchFlag, encode_value
 
 if TYPE_CHECKING:
     from collections.abc import Iterator
@@ -44,14 +44,14 @@ class Database:
         self.data._make_dn.cache_clear()
 
     @cached_property
-    def flags(self) -> DatabaseFlags | None:
+    def flags(self) -> DatabaseFlag | None:
         """Return the database flags."""
         if self.hiddeninfo is None:
             return None
 
-        result = DatabaseFlags(0)
+        result = DatabaseFlag(0)
         flags = self.hiddeninfo.get("flags_col")
-        for idx, member in enumerate(DatabaseFlags.__members__.values()):
+        for idx, member in enumerate(DatabaseFlag.__members__.values()):
             if flags[idx] == ord(b"1"):
                 result = member if result is None else result | member
 
@@ -256,9 +256,9 @@ class DataTable:
         if schema.search_flags is None:
             raise ValueError(f"Attribute is not indexed: {attribute!r}")
 
-        if SearchFlags.Indexed in schema.search_flags:
+        if SearchFlag.Indexed in schema.search_flags:
             name = f"INDEX_{schema.id:08x}"
-        elif SearchFlags.TupleIndexed in schema.search_flags:
+        elif SearchFlag.TupleIndexed in schema.search_flags:
             name = f"INDEX_T_{schema.id:08x}"
         else:
             # TODO add ContainerIndexed

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/dissect/database/ese/ntds/ntds.py

@@ -11,6 +11,7 @@ if TYPE_CHECKING:
 
     from dissect.database.ese.ntds.objects import (
         Computer,
+        DnsNode,
         DomainDNS,
         Group,
         GroupPolicyContainer,
@@ -20,6 +21,7 @@ if TYPE_CHECKING:
         TrustedDomain,
         User,
     )
+    from dissect.database.ese.ntds.objects.organizationalunit import OrganizationalUnit
     from dissect.database.ese.ntds.pek import PEK
 
 
@@ -83,11 +85,11 @@ class NTDS:
 
     def groups(self) -> Iterator[Group]:
         """Get all group objects from the database."""
-        yield from self.search(objectCategory="group")
+        yield from self.search(objectClass="group")
 
     def servers(self) -> Iterator[Server]:
         """Get all server objects from the database."""
-        yield from self.search(objectCategory="server")
+        yield from self.search(objectClass="server")
 
     def users(self) -> Iterator[User]:
         """Get all user objects from the database."""
@@ -95,7 +97,11 @@ class NTDS:
 
     def computers(self) -> Iterator[Computer]:
         """Get all computer objects from the database."""
-        yield from self.search(objectCategory="computer")
+        yield from self.search(objectClass="computer")
+
+    def domains(self) -> Iterator[DomainDNS]:
+        """Get all domain objects from the database."""
+        yield from self.search(objectClass="domainDNS")
 
     def trusts(self) -> Iterator[TrustedDomain]:
         """Get all trust objects from the database."""
@@ -105,10 +111,18 @@ class NTDS:
         """Get all group policy objects (GPO) objects from the database."""
         yield from self.search(objectClass="groupPolicyContainer")
 
+    def organizational_units(self) -> Iterator[OrganizationalUnit]:
+        """Get all organizational unit (OU) objects from the database."""
+        yield from self.search(objectClass="organizationalUnit")
+
     def secrets(self) -> Iterator[Secret]:
         """Get all secret objects from the database."""
         yield from self.search(objectClass="secret")
 
+    def dns_nodes(self) -> Iterator[DnsNode]:
+        """Get all DnsNode objects from the database."""
+        yield from self.search(objectClass="dnsNode")
+
     def backup_keys(self) -> Iterator[BackupKey]:
         """Get all DPAPI backup keys from the database."""
         if not self.pek.unlocked:

dissect_database-1.2.dev10/dissect/database/ese/ntds/objects/attributeschema.py

@@ -0,0 +1,28 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, ClassVar
+
+from dissect.database.ese.ntds.objects.top import Top
+from dissect.database.ese.ntds.util import SearchFlag, SystemFlagAttribute
+
+if TYPE_CHECKING:
+    from dissect.database.ese.ntds.objects.object import DecoderMap
+
+
+class AttributeSchema(Top):
+    """Represents an attribute schema object in the Active Directory.
+
+    References:
+        - https://learn.microsoft.com/en-us/windows/win32/adschema/c-attributeschema
+    """
+
+    __object_class__ = "attributeSchema"
+    __decoders__: ClassVar[DecoderMap] = {
+        "searchFlags": lambda db, value: SearchFlag(value),
+        "systemFlags": lambda db, value: SystemFlagAttribute(value),
+    }
+
+    @property
+    def search_flags(self) -> SearchFlag | None:
+        """Return the searchFlags of this attribute schema."""
+        return self.get("searchFlags")

dissect_database-1.2.dev10/dissect/database/ese/ntds/objects/c_dnsnode.py

@@ -0,0 +1,109 @@
+from __future__ import annotations
+
+from dissect.cstruct import cstruct
+
+dns_record_def = """
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/39b03b89-2264-4063-8198-d62f62a6441a
+enum DNS_RECORD_TYPE : WORD {
+    ZERO        = 0x0000,   // An empty record type ([RFC1034] section 3.6 and [RFC1035] section 3.2.2).
+    A           = 0x0001,   // An A record type, used for storing an IP address ([RFC1035] section 3.2.2).
+    NS          = 0x0002,   // An authoritative name-server
+                            // record type ([RFC1034] section 3.6 and [RFC1035] section 3.2.2).
+    MD          = 0x0003,   // A mail-destination record type ([RFC1035] section 3.2.2).
+    MF          = 0x0004,   // A mail forwarder record type ([RFC1035] section 3.2.2).
+    CNAME       = 0x0005,   // A record type that contains the canonical name of a DNS alias ([RFC1035] section 3.2.2).
+    SOA         = 0x0006,   // A Start of Authority (SOA) record type ([RFC1035] section 3.2.2).
+    MB          = 0x0007,   // A mailbox record type ([RFC1035] section 3.2.2).
+    MG          = 0x0008,   // A mail group member record type ([RFC1035] section 3.2.2).
+    MR          = 0x0009,   // A mail-rename record type ([RFC1035] section 3.2.2).
+    NULL        = 0x000A,   // A record type for completion queries ([RFC1035] section 3.2.2).
+    WKS         = 0x000B,   // A record type for a well-known service ([RFC1035] section 3.2.2).
+    PTR         = 0x000C,   // A record type containing FQDN pointer ([RFC1035] section 3.2.2).
+    HINFO       = 0x000D,   // A host information record type ([RFC1035] section 3.2.2).
+    MINFO       = 0x000E,   // A mailbox or mailing list information record type ([RFC1035] section 3.2.2).
+    MX          = 0x000F,   // A mail-exchanger record type ([RFC1035] section 3.2.2).
+    TXT         = 0x0010,   // A record type containing a text string ([RFC1035] section 3.2.2).
+    RP          = 0x0011,   // A responsible-person record type [RFC1183].
+    AFSDB       = 0x0012,   // A record type containing AFS database location [RFC1183].
+    X25         = 0x0013,   // An X25 PSDN address record type [RFC1183].
+    ISDN        = 0x0014,   // An ISDN address record type [RFC1183].
+    RT          = 0x0015,   // A route through record type [RFC1183].
+    SIG         = 0x0018,   // A cryptographic public key signature record type [RFC2931].
+    KEY         = 0x0019,   // A record type containing public key used in DNSSEC [RFC2535].
+    AAAA        = 0x001C,   // An IPv6 address record type [RFC3596].
+    LOC         = 0x001D,   // A location information record type [RFC1876].
+    NXT         = 0x001E,   // A next-domain record type [RFC2065].
+    SRV         = 0x0021,   // A server selection record type [RFC2782].
+    ATMA        = 0x0022,   // An Asynchronous Transfer Mode (ATM) address record type [ATMA].
+    NAPTR       = 0x0023,   // An NAPTR record type [RFC2915].
+    DNAME       = 0x0027,   // A DNAME record type [RFC2672].
+    DS          = 0x002B,   // A DS record type [RFC4034].
+    RRSIG       = 0x002E,   // An RRSIG record type [RFC4034].
+    NSEC        = 0x002F,   // An NSEC record type [RFC4034].
+    DNSKEY      = 0x0030,   // A DNSKEY record type [RFC4034].
+    DHCID       = 0x0031,   // A DHCID record type [RFC4701].
+    NSEC3       = 0x0032,   // An NSEC3 record type [RFC5155].
+    NSEC3PARAM  = 0x0033,   // An NSEC3PARAM record type [RFC5155].
+    TLSA        = 0x0034,   // A TLSA record type [RFC6698].
+    ALL         = 0x00FF,   // A query-only type requesting all records [RFC1035].
+    WINS        = 0xFF01,   // A record type containing Windows Internet Name Service (WINS)
+                            // forward lookup data [MS-WINSRADNS_TYPE_WINSR].
+    WINSR       = 0xFF02    // A record type containing WINS reverse lookup data [MS-WINSRA].
+};
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/6912b338-5472-4f59-b912-0edb536b6ed8
+typedef struct DNS_RECORD_HEADER {
+    WORD                DataLength;
+    DNS_RECORD_TYPE     Type;
+    BYTE                Version;            // Must be 0x05
+    BYTE                Rank;
+    WORD                Flags;              // Must be 0x00
+    DWORD               Serial;
+    DWORD               TtlSeconds;         // Big Endian
+    DWORD               Reserved;           // MUST be 0x00000000.
+    DWORD               TimeStamp;
+    CHAR                Data[DataLength];
+};
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/3fd41adc-c69e-407b-979e-721251403132
+// MS docs indicate that structure is 4 byte aligned, and that the string MUST NOT be null-terminated.
+// But observed reality is a null terminated string (null char not counted in NameLength)
+typedef struct DNS_RPC_NAME{
+    BYTE                NameLength;
+    CHAR                dnsName[NameLength];
+};
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/db37cab7-f121-43ba-81c5-ca0e198d4b9a
+typedef struct DNS_RPC_RECORD_SRV {
+    WORD                Priority;
+    WORD                Weight;
+    WORD                Port;
+    DNS_RPC_NAME        nameTarget;
+};
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/f647d391-6614-4c3e-b38b-4df971590eb6
+typedef struct DNS_RPC_RECORD_NAME_PREFERENCE {
+    WORD                Preference;
+    DNS_RPC_NAME        nameExchange;
+};
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/dcd3ec16-d6bf-4bb4-9128-6172f9e5f066
+typedef struct DNS_RPC_RECORD_SOA {
+    DWORD               Serial;
+    DWORD               Refresh;
+    DWORD               Retry;
+    DWORD               Expire;
+    DWORD               MinimumTtl;
+    DNS_RPC_NAME        namePrimaryServer;
+    BYTE                _pad;
+    DNS_RPC_NAME        ZoneAdministratorEmail;
+};
+
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/def7736a-dd09-4b4a-b8d6-6a702a7ecde0
+typedef struct DNS_RPC_RECORD_TS {
+    QWORD               EntombedTime;
+};
+"""
+c_dns_record = cstruct(dns_record_def)
+DNS_RECORD_TYPE = c_dns_record.DNS_RECORD_TYPE

dissect_database-1.2.dev10/dissect/database/ese/ntds/objects/c_dnsnode.pyi

@@ -0,0 +1,146 @@
+# Generated by cstruct-stubgen
+from typing import BinaryIO, Literal, TypeAlias, overload
+
+import dissect.cstruct as __cs__
+
+class _c_dns_record(__cs__.cstruct):
+    class DNS_RECORD_TYPE(__cs__.Enum):
+        ZERO = ...
+        A = ...
+        NS = ...
+        MD = ...
+        MF = ...
+        CNAME = ...
+        SOA = ...
+        MB = ...
+        MG = ...
+        MR = ...
+        NULL = ...
+        WKS = ...
+        PTR = ...
+        HINFO = ...
+        MINFO = ...
+        MX = ...
+        TXT = ...
+        RP = ...
+        AFSDB = ...
+        X25 = ...
+        ISDN = ...
+        RT = ...
+        SIG = ...
+        KEY = ...
+        AAAA = ...
+        LOC = ...
+        NXT = ...
+        SRV = ...
+        ATMA = ...
+        NAPTR = ...
+        DNAME = ...
+        DS = ...
+        RRSIG = ...
+        NSEC = ...
+        DNSKEY = ...
+        DHCID = ...
+        NSEC3 = ...
+        NSEC3PARAM = ...
+        TLSA = ...
+        ALL = ...
+        WINS = ...
+        WINSR = ...
+
+    class DNS_RECORD_HEADER(__cs__.Structure):
+        DataLength: _c_dns_record.uint16
+        Type: _c_dns_record.DNS_RECORD_TYPE
+        Version: _c_dns_record.uint8
+        Rank: _c_dns_record.uint8
+        Flags: _c_dns_record.uint16
+        Serial: _c_dns_record.uint32
+        TtlSeconds: _c_dns_record.uint32
+        Reserved: _c_dns_record.uint32
+        TimeStamp: _c_dns_record.uint32
+        Data: __cs__.CharArray
+        @overload
+        def __init__(
+            self,
+            DataLength: _c_dns_record.uint16 | None = ...,
+            Type: _c_dns_record.DNS_RECORD_TYPE | None = ...,
+            Version: _c_dns_record.uint8 | None = ...,
+            Rank: _c_dns_record.uint8 | None = ...,
+            Flags: _c_dns_record.uint16 | None = ...,
+            Serial: _c_dns_record.uint32 | None = ...,
+            TtlSeconds: _c_dns_record.uint32 | None = ...,
+            Reserved: _c_dns_record.uint32 | None = ...,
+            TimeStamp: _c_dns_record.uint32 | None = ...,
+            Data: __cs__.CharArray | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    class DNS_RPC_NAME(__cs__.Structure):
+        NameLength: _c_dns_record.uint8
+        dnsName: __cs__.CharArray
+        @overload
+        def __init__(self, NameLength: _c_dns_record.uint8 | None = ..., dnsName: __cs__.CharArray | None = ...): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    class DNS_RPC_RECORD_SRV(__cs__.Structure):
+        Priority: _c_dns_record.uint16
+        Weight: _c_dns_record.uint16
+        Port: _c_dns_record.uint16
+        nameTarget: _c_dns_record.DNS_RPC_NAME
+        @overload
+        def __init__(
+            self,
+            Priority: _c_dns_record.uint16 | None = ...,
+            Weight: _c_dns_record.uint16 | None = ...,
+            Port: _c_dns_record.uint16 | None = ...,
+            nameTarget: _c_dns_record.DNS_RPC_NAME | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    class DNS_RPC_RECORD_NAME_PREFERENCE(__cs__.Structure):
+        Preference: _c_dns_record.uint16
+        nameExchange: _c_dns_record.DNS_RPC_NAME
+        @overload
+        def __init__(
+            self, Preference: _c_dns_record.uint16 | None = ..., nameExchange: _c_dns_record.DNS_RPC_NAME | None = ...
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    class DNS_RPC_RECORD_SOA(__cs__.Structure):
+        Serial: _c_dns_record.uint32
+        Refresh: _c_dns_record.uint32
+        Retry: _c_dns_record.uint32
+        Expire: _c_dns_record.uint32
+        MinimumTtl: _c_dns_record.uint32
+        namePrimaryServer: _c_dns_record.DNS_RPC_NAME
+        _pad: _c_dns_record.uint8
+        ZoneAdministratorEmail: _c_dns_record.DNS_RPC_NAME
+        @overload
+        def __init__(
+            self,
+            Serial: _c_dns_record.uint32 | None = ...,
+            Refresh: _c_dns_record.uint32 | None = ...,
+            Retry: _c_dns_record.uint32 | None = ...,
+            Expire: _c_dns_record.uint32 | None = ...,
+            MinimumTtl: _c_dns_record.uint32 | None = ...,
+            namePrimaryServer: _c_dns_record.DNS_RPC_NAME | None = ...,
+            _pad: _c_dns_record.uint8 | None = ...,
+            ZoneAdministratorEmail: _c_dns_record.DNS_RPC_NAME | None = ...,
+        ): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+    class DNS_RPC_RECORD_TS(__cs__.Structure):
+        EntombedTime: _c_dns_record.uint64
+        @overload
+        def __init__(self, EntombedTime: _c_dns_record.uint64 | None = ...): ...
+        @overload
+        def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+# Technically `c_dns_record` is an instance of `_c_dns_record`, but then we can't use it in type hints
+c_dns_record: TypeAlias = _c_dns_record
+DNS_RECORD_TYPE: TypeAlias = _c_dns_record.DNS_RECORD_TYPE

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/dissect/database/ese/ntds/objects/certificationauthority.py

@@ -11,3 +11,8 @@ class CertificationAuthority(Top):
     """
 
     __object_class__ = "certificationAuthority"
+
+    @property
+    def dns_host_name(self) -> str | None:
+        """Return the dNSHostName of this Certification Authority."""
+        return self.get("dNSHostName")

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/dissect/database/ese/ntds/objects/computer.py

@@ -23,6 +23,21 @@ class Computer(User):
     def __repr_body__(self) -> str:
         return f"name={self.name!r}"
 
+    @property
+    def dns_host_name(self) -> str | None:
+        """Return the dNSHostName of this computer."""
+        return self.get("dNSHostName")
+
+    @property
+    def operating_system(self) -> str | None:
+        """Return the operatingSystem of this computer."""
+        return self.get("operatingSystem")
+
+    @property
+    def operating_system_version(self) -> str | None:
+        """Return the operatingSystemVersion of this computer."""
+        return self.get("operatingSystemVersion")
+
     def fve_recovery_information(self) -> Iterator[MSFVERecoveryInformation]:
         """Return the BitLocker recovery information objects associated with this computer."""
         for child in self.children():

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/dissect/database/ese/ntds/objects/configuration.py

@@ -11,3 +11,8 @@ class Configuration(Top):
     """
 
     __object_class__ = "configuration"
+
+    @property
+    def gp_link(self) -> str | None:
+        """Return the group policy link of the configuration."""
+        return self.get("gPLink")

dissect_database-1.2.dev10/dissect/database/ese/ntds/objects/crossref.py

@@ -0,0 +1,27 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, ClassVar
+
+from dissect.database.ese.ntds.objects.top import Top
+from dissect.database.ese.ntds.util import SystemFlagCrossRef
+
+if TYPE_CHECKING:
+    from dissect.database.ese.ntds.objects.object import DecoderMap
+
+
+class CrossRef(Top):
+    """Represents a cross-reference object in the Active Directory.
+
+    References:
+        - https://learn.microsoft.com/en-us/windows/win32/adschema/c-crossref
+    """
+
+    __object_class__ = "crossRef"
+    __decoders__: ClassVar[DecoderMap] = {
+        "systemFlags": lambda db, value: SystemFlagCrossRef(value),
+    }
+
+    @property
+    def behavior_version(self) -> int | None:
+        """Return the msDS-Behavior-Version of this cross-reference."""
+        return self.get("msDS-Behavior-Version")

{dissect_database-1.2.dev8 → dissect_database-1.2.dev10}/dissect/database/ese/ntds/objects/crossrefcontainer.py

@@ -11,3 +11,8 @@ class CrossRefContainer(Top):
     """
 
     __object_class__ = "crossRefContainer"
+
+    @property
+    def behavior_version(self) -> int | None:
+        """Return the msDS-Behavior-Version of this cross-reference container."""
+        return self.get("msDS-Behavior-Version")