pkg ese
Jacob Paullus edited this page Apr 17, 2026
·
1 revision
Parse Extensible Storage Engine databases, primarily for offline NTDS.dit analysis.
func Open(data []byte) (*Database, error)
func (db *Database) GetTable(name string) (*Table, error)
func (t *Table) OpenTable() error
func (t *Table) GetNextRecord() (*Record, error)
func (t *Table) Columns() []ColumnDef

package main
import (
"fmt"
"os"
"gopacket/pkg/ese"
)
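// main loads ntds.dit from the working directory, opens it with the ese
// package and walks every record of the "datatable" table.
//
// ese.Open takes the whole database as a byte slice, so the file is read
// fully into memory before parsing; size the host accordingly for large
// databases.
func main() {
	data, err := os.ReadFile("ntds.dit")
	if err != nil {
		// Without this check a missing or unreadable file would surface only
		// as an opaque parse error on empty input.
		fmt.Printf("[-] %v\n", err)
		return
	}

	db, err := ese.Open(data)
	if err != nil {
		fmt.Printf("[-] %v\n", err)
		return
	}

	// Stop on a failed lookup: the returned *Table is presumably nil when err
	// is non-nil, and calling methods on it would panic.
	table, err := db.GetTable("datatable")
	if err != nil {
		fmt.Printf("[-] %v\n", err)
		return
	}

	if err := table.OpenTable(); err != nil {
		fmt.Printf("[-] %v\n", err)
		return
	}

	for {
		record, err := table.GetNextRecord()
		if err != nil {
			// NOTE(review): the API listing does not show how end-of-table is
			// signalled, so every error ends the walk here. Confirm whether
			// the package exposes a sentinel and report anything else as a
			// parse failure, otherwise a corrupt page looks like a clean end.
			break
		}
		// Extract ATTm590045 (sAMAccountName), ATTk589879 (ntHash), etc.
		// Records can carry credential material such as ntHash; keep raw
		// values out of logs and console output.
		_ = record
	}
}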