Verification on MPX Netscalers #4

Closed
ThomasAltk opened this issue Aug 18, 2023 · 10 comments

@ThomasAltk

ThomasAltk commented Aug 18, 2023

Hi,
Thanks for the script. The problem is it doesn't fit on MPX Netscalers. They have a different disk layout. The RAM disk is OK. Maybe the issue is the disk partitions on if=/dev/ada0.

Filesystem      Size    Used   Avail Capacity  Mounted on
/dev/md0        425M    410M    6.2M    99%    /
devfs           1.0K    1.0K      0B   100%    /dev
procfs          4.0K    4.0K      0B   100%    /proc
/dev/ada0s1a     16G    756M     14G     5%    /flash
/dev/ada0s1e    155G     34G    109G    24%    /var

ls /dev/ada*
ada0
ada0s1
ada0s1a
ada0s1d
ada0s1e
ada0s1f
ada0s1g
ada0s1h

Could you please verify the Python script against MPX?

The error happens when looking for:
dissect.target.exceptions.FileNotFoundError: /flash/.version
The file doesn't exist on MPX (new version!)

@yunzheng
Member

Hi @ThomasAltk ,

We recently updated our README.md to only suggest the streaming over SSH option. This way you don't have to write it to your NetScaler and free space will not be an issue other than free space on your own machine.

It looks like MPX has a different disk name but it should work the same. You can make a disk image of /dev/ada0 using:

local ~ $ ssh nsroot@<YOUR-NETSCALER-IP> shell dd if=/dev/ada0 bs=10M | tail -c +7 | head -c -6 > ada0.img

Then use:

local ~ $ python3 iocitrix.py md0+ada0.img

@ThomasAltk
Author

ThomasAltk commented Aug 18, 2023

Hi @yunzheng
Thanks. That's great. The issue was the version file. If that doesn't exist, the py fails, and on older installations it is not up to date and it seems not to be updated anymore.
Could you please verify that?

Thanks a lot for the help.

@yunzheng
Member

I can confirm this is an issue, we will look into a fix.

@yunzheng
Member

A fix has been merged, you need to upgrade to the development version of dissect.target using:

pip install --upgrade --pre dissect.target

Let us know if this fixes the issue.

@ThomasAltk
Author

ThomasAltk commented Aug 21, 2023

Hi, just did this and it raises the following error:
Traceback (most recent call last):
  File "/home//home/Mail/iocitrix.py", line 270, in <module>
    main()
  File "/home//home/Mail/iocitrix.py", line 266, in main
    check_targets(args.targets)
  File "/home//home/Mail/iocitrix.py", line 228, in check_targets
    print_target_info(target)
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/tools/info.py", line 133, in print_target_info
    print(f"Timezone : {target.timezone}")
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/target.py", line 628, in __getattr__
    result = func.__get__(p)
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/cache.py", line 228, in cache_wrapper
    return cache.call(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/cache.py", line 104, in call
    func_cache[key] = self.func(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/unix/locale.py", line 35, in timezone
    zoneinfo_path = str(zoneinfo.readlink()).split("/")
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/fsutil.py", line 747, in readlink
    path = self._accessor.readlink(self)
  File "/usr/local/lib/python3.10/dist-packages/dissect/target/helpers/fsutil.py", line 528, in readlink
    raise e
OSError: 22

@yunzheng
Member

We can confirm this is a bug in dissect.target when /etc/localtime is a hardlink or a regular file. It now always assumes it's a symlink and will break if it's not.

We are working on a fix, but you can work around this for the moment by commenting out print_target_info(target) in iocitrix.py.

yunzheng added a commit to fox-it/dissect.target that referenced this issue Aug 21, 2023
A symlink is not always guaranteed for /etc/localtime.
This adds extra handling for hardlinks and regular files.

Issue found via: fox-it/citrix-netscaler-triage#4

Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
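
The failure mode discussed above, shown as an added example that is not code from dissect.target or iocitrix.py: calling readlink on an /etc/localtime that is a hardlink or a regular copy fails with errno 22 (EINVAL), so a triage tool has to fall back to matching the file against the zoneinfo database. The names `resolve_timezone` and `demo` and the zoneinfo tree built in a temporary directory are assumptions constructed for this illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_timezone(localtime: Path, zoneinfo_root: Path) -> Optional[str]:
    """Return the zone name (e.g. 'Europe/Amsterdam') that localtime refers to."""
    if localtime.is_symlink():
        # Usual case: the link target names the zone directly.
        parts = os.readlink(localtime).split("/")
        if "zoneinfo" in parts:
            return "/".join(parts[parts.index("zoneinfo") + 1:])
        return None
    if not localtime.is_file():
        return None
    # Hardlink or regular copy: readlink() would raise OSError 22 here,
    # so identify the zone by inode first, then by file content.
    want = localtime.stat()
    data = localtime.read_bytes()
    for candidate in sorted(zoneinfo_root.rglob("*")):
        if not candidate.is_file():
            continue
        st = candidate.stat()
        same_inode = (st.st_dev, st.st_ino) == (want.st_dev, want.st_ino)
        same_data = st.st_size == want.st_size and candidate.read_bytes() == data
        if same_inode or same_data:
            return candidate.relative_to(zoneinfo_root).as_posix()
    return None


def demo() -> dict:
    """Resolve all three forms of localtime against a constructed zoneinfo tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "usr/share/zoneinfo"
        (root / "Europe").mkdir(parents=True)
        # Constructed placeholder contents, not real TZif data.
        (root / "Europe/Amsterdam").write_bytes(b"TZif-constructed-ams")
        (root / "UTC").write_bytes(b"TZif-constructed-utc")
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sym").symlink_to(root / "Europe/Amsterdam")   # symlink
        os.link(root / "UTC", etc / "hard")                   # hardlink
        (etc / "copy").write_bytes(b"TZif-constructed-ams")   # regular file
        return {n: resolve_timezone(etc / n, root) for n in ("sym", "hard", "copy")}


if __name__ == "__main__":
    print(demo())
```
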
@yunzheng
Member

yunzheng commented Aug 21, 2023

@ThomasAltk a fix has been pushed, so it should work now without a workaround. You will need to upgrade dissect.target again to the latest development version:

pip install --upgrade --pre dissect.target

@jaymahannah

the code:
local ~ $ ssh nsroot@ shell dd if=/dev/ada0 bs=10M | tail -c +7 | head -c -6 > ada0.img
does not work on CLI unless I delete the tail and head sections. Then the file is only 10MB, I'm assuming because of the 10M in the line above. There is not enough room on the Netscaler to hold this image so the command must be done through SSH as above.

@ThomasAltk
Author

@yunzheng :
with dissect.target-3.11.2.dev13 everything works fine.
Thanks a lot!!

@ThomasAltk
Author

with dissect.target-3.11.2.dev13 everything works fine.
Thanks a lot!!

Poeloe pushed a commit to fox-it/dissect.target that referenced this issue Feb 29, 2024
Zawadidone pushed a commit to Zawadidone/dissect.target that referenced this issue Apr 5, 2024