Parse Ntds DnsNode dnsRecord entries#20
@Schamper just a ping as this PR was previously in draft and I do not know what kind of notification you have, but no emergency on this topic
Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
Done, I just have a weird issue (or maybe intended) with cstruct: #20 (comment). I also added some tests for errored entries.
Codecov Report ❌ Patch coverage is
Coverage diff:
            main    #20     +/-
  Coverage  0.00%   0.00%
  Files     151     152     +1
  Lines     4537    4716    +179
  Misses    4537    4716    +179
```python
def as_dict(self) -> dict[str, Any]:
    result = super().as_dict()
    result["distinguished_name_as_dns_name"] = self.distinguished_name_as_dns_name
    # Convert each DnsRecord object into its dictionary form as well
    result["dns_record"] = [r.as_dict() for r in self.dns_record]
    return result
```
As an addition to the above comment, you can still keep this line in here so that you change the DnsRecord object into a dictionary too.
Done, but I'm not sure I've fully understood (my understanding is that I should not create a new dict key, but just replace the DnsRecord key in the generated dict)
Yes, because otherwise the value of "dns_record" in the dictionary will be the DnsRecord objects themselves. With this line you replace those with the dictionary variants of those objects too, which I think is desirable behavior.
I made some small changes, let me know if you agree and then this LGTM!
LGTM, thanks for the review.


Add functions associated with the parsing of DnsNode NTDS entries. The goal is to later include this in a dissect.target plugin.
These entries allow quickly retrieving DNS records from a domain. E.g.
In terms of review difficulty I would say 3/5: this PR does not modify existing code, and this feature mainly relies on documented structure unpacking, without difficult concepts to understand and with good test coverage.
Some notes:
- Using dissect.cstruct, is it possible to specify that one structure member is in little endian, and another in big endian (for the same struct, see the swap_endianess function)?
- I have an issue with the serial number of SOA records, which is not the same as observed in the lab. I can't figure out how MS handles it, so I have chosen to not display this value, as it is known to be wrong and, in my opinion, is not the most important information.
- Not all DNS record types are parsed. There are a lot of possible structures (27), some of which are nearly never found in production environments, obsolete, or of low interest. But if someone wants to, it should be easy to add a missing type.
closes Parse Ntds DnsNode dnsRecord entries #19
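The dnsRecord layout this PR unpacks, as an added example that is not the PR's own code: it uses the stdlib struct module instead of dissect.cstruct, unpacks the DNS_RPC_RECORD header in which every field is little endian except TtlSeconds, which is stored in network byte order (the mixed-endian case asked about in the notes), and decodes A and NS data from constructed sample blobs. The constant and field names are the example's own, and the sample bytes are constructed, not taken from a real NTDS.dit.

```python
"""Added example, not the PR's code: parse an NTDS dnsRecord blob with the stdlib struct module."""
import struct
from dataclasses import dataclass

# DNS_RPC_RECORD header: every field is little endian except TtlSeconds, which is
# stored big endian (network order); struct cannot mix byte orders in one format
# string, so the header is unpacked in two pieces.
HDR_LE = "<HHBBHI"  # DataLength, Type, Version, Rank, Flags, Serial (12 bytes)
HDR_TTL = ">I"      # TtlSeconds at offset 12; Reserved and TimeStamp (LE) follow
HDR_LEN = 24
DNS_TYPE_A, DNS_TYPE_NS = 0x0001, 0x0002

@dataclass
class DnsRecord:
    type: int
    ttl: int
    serial: int
    data: object  # decoded value for A/NS, raw bytes for types not handled here

def parse_count_name(buf: bytes) -> str:
    # DNS_COUNT_NAME: length byte, label count, then length-prefixed labels and a 0 byte
    pos, labels = 2, []
    for _ in range(buf[1]):
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."

def parse_dns_record(blob: bytes) -> DnsRecord:
    """Parse one dnsRecord value; raises ValueError on a truncated blob."""
    if len(blob) < HDR_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, _ver, _rank, _flags, serial = struct.unpack_from(HDR_LE, blob, 0)
    (ttl,) = struct.unpack_from(HDR_TTL, blob, 12)
    data = blob[HDR_LEN:HDR_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the blob")
    if rtype == DNS_TYPE_A:
        return DnsRecord(rtype, ttl, serial, ".".join(str(b) for b in data))
    if rtype == DNS_TYPE_NS:
        return DnsRecord(rtype, ttl, serial, parse_count_name(data))
    return DnsRecord(rtype, ttl, serial, data)

# Constructed sample blobs (not captured from a real NTDS.dit).
SAMPLE_A = bytes.fromhex(
    "0400" "0100" "05" "f0" "0000" "07000000"  # len 4, type A, v5, rank, flags, serial 7
    "00000258" "00000000" "00000000"            # TtlSeconds 600 (big endian), Reserved, TimeStamp
    "0a000005")                                 # A data: 10.0.0.5
SAMPLE_NS = (struct.pack("<HHBBHI", 17, DNS_TYPE_NS, 5, 0xF0, 0, 7) + struct.pack(">I", 3600)
             + bytes(8) + bytes([15, 3]) + b"\x03ns1\x03lab\x05local\x00")
```

Reading TtlSeconds with the little-endian format would yield 0x58020000 for the A sample, which is the kind of swap the notes describe.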