fox-it / citrix-netscaler-triage Goto Github PK

Hi! :)
I am getting an error when I try to check one of my Netscaler vmdks (NetScaler NS13.0: Build 91.13.nc)

Traceback (most recent call last):
  File "/home/user/TEMP/virtual-env/iocitrix.py", line 267, in <module>
    main()
  File "/home/user/TEMP/virtual-env/iocitrix.py", line 263, in main
    check_targets(args.targets)
  File "/home/user/TEMP/virtual-env/iocitrix.py", line 227, in check_targets
    raise ValueError(f"Target not recognized as a citrix-netscaler: {target.path}: {target.os}")
ValueError: Target not recognized as a citrix-netscaler: netscaler.vmx: default

With the same setup I was able to check another one successfully so I am cautiously optimistic that I am not per se dooing something wrong... ^^

any ideas ?

cheers
Michael

the code:

local ~ $ ssh nsroot@<YOUR-NETSCALER-IP> shell dd if=/dev/ada0 bs=10M | tail -c +7 | head -c -6 > ada0.img

does not work on CLI unless I delete the tail and head sections. Then the file is only 10MB, I'm assuming because of the 10M in the line above. There is not enough room on the Netscaler to hold this image so the command must be done through SSH as above.

Originally posted by @jaymahannah in #4 (comment)

Hi,
tried to scan our netscaler image. On my ubuntu mashine installed dissect.target with pip and tried the command

python3 iocitrix.py netscaler-node1.vmdk
Traceback (most recent call last):
File "iocitrix.py", line 20, in
from dissect.target import Target
File "/home/user/.local/lib/python3.8/site-packages/dissect/target/init.py", line 1, in
from dissect.target.target import Target
File "/home/user/.local/lib/python3.8/site-packages/dissect/target/target.py", line 10, in
from dissect.target import filesystem, loader, plugin, volume
File "/home/user/.local/lib/python3.8/site-packages/dissect/target/filesystem.py", line 17, in
from dissect.target.helpers import fsutil, hashutil
File "/home/user/.local/lib/python3.8/site-packages/dissect/target/helpers/hashutil.py", line 7, in
from dissect.target.plugins.filesystem.resolver import ResolverPlugin
File "/home/user/.local/lib/python3.8/site-packages/dissect/target/plugins/filesystem/resolver.py", line 4, in
from dissect.target.plugin import Plugin, internal
File "/home/user/.local/lib/python3.8/site-packages/dissect/target/plugin.py", line 35, in
PluginDescriptor = dict[str, Any]
TypeError: 'type' object is not subscriptable`

Hi,
thanks for the script. The problem is it doesn't fit on mpx Netscalers. The have a different disk layout. The RAM disk is ok. Maybe the issue are the disk partions on if=/dev/ada0.

Filesystem Size Used Avail Capacity Mounted on
/dev/md0 425M 410M 6.2M 99% /
devfs 1.0K 1.0K 0B 100% /dev
procfs 4.0K 4.0K 0B 100% /proc
/dev/ada0s1a 16G 756M 14G 5% /flash
/dev/ada0s1e 155G 34G 109G 24% /var

ls /dev/ada*
ada0
ada0s1
ada0s1a
ada0s1d
ada0s1e
ada0s1f
ada0s1g
ada0s1h

Could you please verify the python script against MPX.

The error happens when looking for:
dissect.target.exceptions.FileNotFoundError: /flash/.version
The file doesn't exists on MPX (new Version!)

I receive an "illigal byte count -- -6" error message when attempting to create the offline image for analysis. Anyone else have this issue?