Verfifcation on MPX Netscalers

[ThomasAltk]

Hi,
thanks for the script. The problem is it doesn't fit on mpx Netscalers. The have a different disk layout. The RAM disk is ok. Maybe the issue are the disk partions on if=/dev/ada0.

Filesystem Size Used Avail Capacity Mounted on
/dev/md0 425M 410M 6.2M 99% /
devfs 1.0K 1.0K 0B 100% /dev
procfs 4.0K 4.0K 0B 100% /proc
/dev/ada0s1a 16G 756M 14G 5% /flash
/dev/ada0s1e 155G 34G 109G 24% /var

ls /dev/ada*
ada0
ada0s1
ada0s1a
ada0s1d
ada0s1e
ada0s1f
ada0s1g
ada0s1h

Could you please verify the python script against MPX.

The error happens when looking for:
dissect.target.exceptions.FileNotFoundError: /flash/.version
The file doesn't exists on MPX (new Version!)

[yunzheng]

Hi @ThomasAltk ,

We recently updated our README.md to only suggest the streaming over SSH option. This way you don't have to write it to your NetScaler and free space will not be an issue other than free space on your own machine.

It looks like MPX has a different disk name but it should work the same. You can make a disk image of /dev/ada0 using:

local ~ $ ssh nsroot@<YOUR-NETSCALER-IP> shell dd if=/dev/ada0 bs=10M | tail -c +7 | head -c -6 > ada0.img

Then use:

local ~ $ python3 iocitrix.py md0+ada0.img

[ThomasAltk]

Hi @yunzheng
Thanks. Thats great. The issue was the version file. If that doesn't exists the py fails and on older installations it is not up to date and it seems not to be updated anymore.
Could you please verifiy that.

Thanks alot for the help.

[yunzheng]

I can confirm this is an issue, we will look into it a fix.

[yunzheng]

A fix has been merged, you need to upgrade to the development version of dissect.target using:

pip install --upgrade --pre dissect.target

Let us know if this fixes the issue.

[ThomasAltk]

Hi, just did this and it raises the following error:
Traceback (most recent call last):
File "/home//home/Mail/iocitrix.py", line 270, in
main()
File "/home//home/Mail/iocitrix.py", line 266, in main
check_targets(args.targets)
File "/home//home/Mail/iocitrix.py", line 228, in check_targets
print_target_info(target)
File "/usr/local/lib/python3.10/dist-packages/dissect/target/tools/info.py", line 133, in print_target_info
print(f"Timezone : {target.timezone}")
File "/usr/local/lib/python3.10/dist-packages/dissect/target/target.py", line 628, in getattr
result = func.get(p)
File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/cache.py", line 228, in cache_wrapper
return cache.call(*args, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/cache.py", line 104, in call
func_cache[key] = self.func(*args, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/unix/locale.py", line 35, in timezone
zoneinfo_path = str(zoneinfo.readlink()).split("/")
File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/fsutil.py", line 747, in readlink
path = self._accessor.readlink(self)
File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/fsutil.py", line 528, in readlink
raise e
OSError: 22

[yunzheng]

We can confirm this is a bug in dissect.target when /etc/localtime is hardlink or a regular file. It now always assumes it's a symlink and will break if it's not.

We are working on a fix, but you can work around this at the moment to comment out print_target_info(target) in iocitrix.py.

[yunzheng]

@ThomasAltk a fix has been pushed, so it should work now without a workaround. You will need to upgrade dissect.target again to latest development version:

pip install --upgrade --pre dissect.target

[jaymahannah]

the code:
local ~ $ ssh nsroot@ shell dd if=/dev/ada0 bs=10M | tail -c +7 | head -c -6 > ada0.img
does not work on CLI unless I delete the tail and head sections. Then the file is only 10MB, I'm assuming because of the 10M in the line above. There is not enough room on the Netscaler to hold this image so the command must be done through SSH as above.

[ThomasAltk]

@yunzheng :
with dissect.target-3.11.2.dev13 everything works fine.
Thanks alot!!

[ThomasAltk]

with dissect.target-3.11.2.dev13 everything works fine.
Thanks alot!!