Land rapid7#8516, add verbose debug to ntds dumper

Author: Brent Cook

lib/metasploit/framework/ntds/account.rb

@@ -137,7 +137,7 @@ def get_int(data)
         end
 
         def get_string(data,length)
-          data.slice!(0,length).gsub(/\x00/,'')
+          data.slice!(0,length).force_encoding("UTF-8").gsub(/\x00/,'')
         end
 
         def uac_string

lib/metasploit/framework/ntds/parser.rb

@@ -50,11 +50,13 @@ def each_account
 
         def pull_batch
           if channel.cid.nil?
+            dlog("NTDS Parser Channel was closed, reopening")
             reopen_channel
           end
           begin
             raw_batch_data = channel.read(BATCH_SIZE)
-          rescue EOFError
+          rescue EOFError => e
+            elog("NTDS Parser: Error pulling batch - #{e}")
             raw_batch_data = nil
           end
           raw_batch_data

modules/post/windows/gather/credentials/domain_hashdump.rb

@@ -33,10 +33,13 @@ def run
     if preconditions_met?
       ntds_file = copy_database_file
       unless ntds_file.nil?
+        file_stat = client.fs.file.stat(ntds_file)
+        print_status "NTDS File Size: #{file_stat.size.to_s} bytes"
         print_status "Repairing NTDS database after copy..."
         print_status repair_ntds(ntds_file)
         realm = sysinfo["Domain"]
         ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
+        print_status "Started up NTDS channel. Preparing to stream results..."
         ntds_parser.each_account do |ad_account|
           print_good ad_account.to_s
           report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm)
@@ -46,6 +49,7 @@ def run
             report_hash(hash_string.downcase,ad_account.name, realm)
           end
         end
+        print_status "Deleting backup of NTDS.dit at #{ntds_file}"
         rm_f(ntds_file)
       end
     end