Update secretsdump.py

Author: Coontzy1

impacket/examples/secretsdump.py

@@ -62,7 +62,7 @@
 from binascii import unhexlify, hexlify
 from collections import OrderedDict
 from datetime import datetime, timedelta, timezone
-from struct import unpack, pack
+from struct import unpack, pack, unpack_from
 from six import b, PY2
 
 from impacket import LOG
@@ -153,6 +153,13 @@ class SAM_HASH_AES(Structure):
         ('Hash',':'),
     )
 
+SAM_V_VALUE_BASE = 0xCC
+AAD3 = unhexlify('aad3b435b51404eeaad3b435b51404ee')
+CONST_LM = b"LMPASSWORD\x00"
+CONST_NT = b"NTPASSWORD\x00"
+CONST_LMH = b"LMPASSWORDHISTORY\x00"
+CONST_NTH = b"NTPASSWORDHISTORY\x00"
+
 class DOMAIN_ACCOUNT_F(Structure):
     structure = (
         ('Revision','<L=0'),
@@ -1415,7 +1422,7 @@ def finish(self):
             self.__registryHive.close()
 
 class SAMHashes(OfflineRegistry):
-    def __init__(self, samFile, bootKey, isRemote = False, printUserStatus=False, perSecretCallback = lambda secret: _print_helper(secret)):
+    def __init__(self, samFile, bootKey, isRemote = False, printUserStatus=False, history=False, perSecretCallback = lambda secret: _print_helper(secret)):
         OfflineRegistry.__init__(self, samFile, isRemote)
         self.__samFile = samFile
         self.__hashedBootKey = b''
@@ -1424,6 +1431,7 @@ def __init__(self, samFile, bootKey, isRemote = False, printUserStatus=False, pe
         self.__cryptoCommon = CryptoCommon()
         self.__itemsFound = {}
         self.__perSecretCallback = perSecretCallback
+        self.__history = history
 
     def binary_to_sid(self, binary_data, without_prefix=False):
         if len(binary_data) < 12:
@@ -1534,6 +1542,94 @@ def __replaceValue(self, obj, offset, value):
             obj[offset + i] = v
         return bytes(obj)
 
+    @staticmethod
+    def _read_v_entry(v, index):
+        try:
+            entry_offset = unpack_from('<L', v, 0x0C * index)[0] + SAM_V_VALUE_BASE
+            entry_length = unpack_from('<L', v, 0x0C * index + 4)[0]
+        except Exception:
+            return None
+        if entry_offset == SAM_V_VALUE_BASE or entry_length == 0:
+            return None
+        if entry_offset + entry_length > len(v):
+            return None
+        record = v[entry_offset:entry_offset + entry_length]
+        if len(record) < 4:
+            return None
+        pek_id = unpack_from('<H', record, 0)[0]
+        revision = unpack_from('<H', record, 2)[0]
+        return entry_offset, entry_length, pek_id, revision, record
+
+    def _parse_record_hashes(self, record, record_length, rid, constant, revision):
+        if record_length < 8 or len(self.__hashedBootKey) < 16:
+            return []
+
+        if revision == 2:
+            data_length = unpack_from('<L', record, 0x04)[0] if record_length >= 0x08 else 0
+
+            if record_length <= 0x18 and data_length == 0:
+                return []
+
+            if record_length <= 0x18:
+                # Some offline hives mark history entries as revision 2 but still use RC4 layout
+                revision = 1
+            else:
+                if record_length < 0x18 + 16:
+                    return []
+                iv = record[0x08:0x18]
+                if data_length == 0 or data_length % 16 != 0:
+                    return []
+                if 0x18 + data_length > record_length:
+                    return []
+                encrypted = record[0x18:0x18 + data_length]
+                decrypted = self.__cryptoCommon.decryptAES(self.__hashedBootKey[:16], encrypted, iv)
+
+        if revision == 1:
+            encrypted = record[8:record_length]
+            if not encrypted:
+                return []
+            md5 = hashlib.new('md5')
+            md5.update(self.__hashedBootKey[:16])
+            md5.update(pack('<L', rid))
+            md5.update(constant)
+            decrypted = ARC4.new(md5.digest()).encrypt(encrypted)
+        else:
+            return []
+
+        key1, key2 = self.__cryptoCommon.deriveKey(rid)
+        des1 = DES.new(key1, DES.MODE_ECB)
+        des2 = DES.new(key2, DES.MODE_ECB)
+
+        hashes = []
+        for idx in range(0, len(decrypted), 16):
+            block = decrypted[idx:idx + 16]
+            if len(block) != 16:
+                break
+            plain = des1.decrypt(block[:8]) + des2.decrypt(block[8:])
+            if plain in (b'\x00' * 16, b'\xff' * 16):
+                continue
+            hashes.append(plain)
+        return hashes
+
+    def _extract_history_hashes(self, v_data, rid):
+        nt_hist_entry = self._read_v_entry(v_data, 15)
+        lm_hist_entry = self._read_v_entry(v_data, 16)
+
+        lm_history = []
+        nt_history = []
+
+        if lm_hist_entry:
+            _, length, _, revision, record = lm_hist_entry
+            constant = CONST_LMH if revision == 1 else b''
+            lm_history = list(self._parse_record_hashes(record, length, rid, constant, revision))
+
+        if nt_hist_entry:
+            _, length, _, revision, record = nt_hist_entry
+            constant = CONST_NTH if revision == 1 else b''
+            nt_history = list(self._parse_record_hashes(record, length, rid, constant, revision))
+
+        return lm_history, nt_history
+
     def dump(self):
         NTPASSWORD = b"NTPASSWORD\0"
         LMPASSWORD = b"LMPASSWORD\0"
@@ -1633,7 +1729,8 @@ def dump(self):
             auto_locked = bool(grouped_data & 0x0400)
             locked_out = locked
 
-            userAccount = USER_ACCOUNT_V(self.getValue(ntpath.join(usersKey, rid, 'V'))[1])
+            v_raw = self.getValue(ntpath.join(usersKey, rid, 'V'))[1]
+            userAccount = USER_ACCOUNT_V(v_raw)
             rid = int(rid, 16)
 
             V = userAccount['Data']
@@ -1643,44 +1740,89 @@ def dump(self):
                 logging.debug('The account %s doesn\'t have hash information.' % userName)
                 continue
 
-            encNTHash = b''
-            if V[userAccount['NTHashOffset']:][2:3] == b'\x01':
-                # Old Style hashes
-                newStyle = False
-                if userAccount['LMHashLength'] == 20:
-                    encLMHash = SAM_HASH(V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']])
-                if userAccount['NTHashLength'] == 20:
-                    encNTHash = SAM_HASH(V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']])
-            else:
-                # New Style hashes
-                newStyle = True
-                if userAccount['LMHashLength'] == 24:
-                    encLMHash = SAM_HASH_AES(V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']])
-                encNTHash = SAM_HASH_AES(V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']])
+            newStyle = V[userAccount['NTHashOffset']:][2:3] != b'\x01'
 
-            LOG.debug('NewStyle hashes is: %s' % newStyle)
+            encLMHash = None
             if userAccount['LMHashLength'] >= 20:
-                lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD, newStyle)
-            else:
-                lmHash = b''
+                raw_lm = V[userAccount['LMHashOffset']:][:userAccount['LMHashLength']]
+                encLMHash = SAM_HASH_AES(raw_lm) if newStyle else SAM_HASH(raw_lm)
 
-            if encNTHash != b'':
-                ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD, newStyle)
+            raw_nt = V[userAccount['NTHashOffset']:][:userAccount['NTHashLength']]
+            if newStyle:
+                encNTHash = SAM_HASH_AES(raw_nt)
             else:
-                ntHash = b''
+                encNTHash = SAM_HASH(raw_nt)
+
+            lmHash = b''
+            if encLMHash is not None:
+                try:
+                    lmHash = self.__decryptHash(rid, encLMHash, LMPASSWORD, newStyle)
+                except Exception:
+                    LOG.debug('Failed to decrypt LM hash for %s', userName, exc_info=True)
+                    lmHash = b''
+
+            ntHash = b''
+            if encNTHash is not None:
+                try:
+                    ntHash = self.__decryptHash(rid, encNTHash, NTPASSWORD, newStyle)
+                except Exception:
+                    LOG.debug('Failed to decrypt NT hash for %s', userName, exc_info=True)
+                    ntHash = b''
 
             if lmHash == b'':
-                lmHash = ntlm.LMOWFv1('','')
+                lmHash = ntlm.LMOWFv1('', '')
             if ntHash == b'':
-                ntHash = ntlm.NTOWFv1('','')
+                ntHash = ntlm.NTOWFv1('', '')
 
-            answer =  "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash).decode('utf-8'), hexlify(ntHash).decode('utf-8'))
+            lm_hex = hexlify(lmHash).decode('utf-8')
+            nt_hex = hexlify(ntHash).decode('utf-8')
+
+            LOG.debug('NewStyle hashes is: %s' % newStyle)
+
+            answer =  "%s:%d:%s:%s:::" % (userName, rid, lm_hex, nt_hex)
 
             if self.__printUserStatus is True:
                 answer = f"{answer} (Enabled={'False' if disabled else 'True'}) (Locked={'True' if locked_out or auto_locked else 'False'}) (Admin={'True' if is_admin else 'False'})"
 
             self.__itemsFound[rid] = answer
             self.__perSecretCallback(answer)
+
+            if self.__history:
+                lm_history_raw, nt_history_raw = self._extract_history_hashes(v_raw, rid)
+                entry_count = max(len(lm_history_raw), len(nt_history_raw))
+                if entry_count == 0:
+                    continue
+
+                blank_lm_hex = hexlify(ntlm.LMOWFv1('', '')).decode('utf-8')
+
+                history_entries = []
+
+                for idx in range(entry_count):
+                    lm_bytes = lm_history_raw[idx] if idx < len(lm_history_raw) else b''
+                    nt_bytes = nt_history_raw[idx] if idx < len(nt_history_raw) else b''
+
+                    if lm_bytes in (b'', AAD3):
+                        lm_val = blank_lm_hex
+                    else:
+                        lm_val = hexlify(lm_bytes).decode('utf-8')
+
+                    if nt_bytes:
+                        nt_val = hexlify(nt_bytes).decode('utf-8')
+                    else:
+                        nt_val = hexlify(ntlm.NTOWFv1('', '')).decode('utf-8')
+
+                    # Some hives mirror the current password into the first history slot.
+                    if lm_val == lm_hex and nt_val == nt_hex:
+                        continue
+
+                    history_line = f"{userName}_history{idx}:{rid}:{lm_val}:{nt_val}:::"
+                    history_entries.append(history_line)
+
+                if not history_entries:
+                    continue
+
+                for history_line in history_entries:
+                    self.__perSecretCallback(history_line)
 
     def edit(self, user, newNTHash, newLMHash=b''):
         NTPASSWORD = b"NTPASSWORD\0"
@@ -2417,8 +2559,8 @@ def __init__(self, ntdsFile, bootKey, isRemote=False, history=False, noLMHash=Tr
         self.__skipUser = skipUser
         self.__perSecretCallback = perSecretCallback
 
-		# these are all the columns that we need to get the secrets.
-		# If in the future someone finds other columns containing interesting things please extend ths table.
+                # these are all the columns that we need to get the secrets.
+                # If in the future someone finds other columns containing interesting things please extend ths table.
         self.__filter_tables_usersecret = {
             self.NAME_TO_INTERNAL['objectSid'] : 1,
             self.NAME_TO_INTERNAL['dBCSPwd'] : 1,