def decUserHash(bootkey, rawPekKey, user, rawRID, rawLMhash, rawNTLMhash):
rid = int(rawRID[48:], 16)
encPEK = unhexlify(rawPekKey[16:])
pek = ds_decrypt_pek(bootkey, encPEK)
if (not rawLMhash):
rawLMhash = ""
if rawLMhash.startswith("1100000000000000"):
rawLMhash = rawLMhash[16:]
if rawNTLMhash.startswith("1100000000000000"):
rawNTLMhash = rawNTLMhash[16:]
pekENClm = unhexlify(rawLMhash)
pekENCntlm = unhexlify(rawNTLMhash)
encLM = ds_decrypt_with_pek(pek, rawLMhash)
encNTLM = ds_decrypt_with_pek(pek, pekENCntlm)
lm = ds_decrypt_single_hash(rid, encLM)
ntlm = ds_decrypt_single_hash(rid, encNTLM)
out = user + ":" + str(rid)
if ((not encLM) or (encLM == "")):
out += ":aad3b435b51404eeaad3b435b51404ee:"
else:
out += ":" + lm.encode('hex') + ":"
if (ntlm == ""):
out += "NO PASSWORD*********************:::"
else:
out += ntlm.encode('hex') + ":::"
return out
def decUserHash(bootkey,rawPekKey,user,rawRID,rawLMhash,rawNTLMhash):
rid = int(rawRID[48:],16)
encPEK = unhexlify(rawPekKey[16:])
pek = ds_decrypt_pek(bootkey, encPEK)
if (not rawLMhash):
rawLMhash = ""
if rawLMhash.startswith("1100000000000000"):
rawLMhash = rawLMhash[16:]
if rawNTLMhash.startswith("1100000000000000"):
rawNTLMhash = rawNTLMhash[16:]
pekENClm = unhexlify(rawLMhash)
pekENCntlm = unhexlify(rawNTLMhash)
encLM = ds_decrypt_with_pek(pek, rawLMhash)
encNTLM = ds_decrypt_with_pek(pek, pekENCntlm)
lm = ds_decrypt_single_hash(rid, encLM)
ntlm = ds_decrypt_single_hash(rid, encNTLM)
out = user+":"+str(rid)
if ((not encLM) or (encLM == "")):
out+= ":aad3b435b51404eeaad3b435b51404ee:"
else:
out += ":"+lm.encode('hex')+":"
if (ntlm == ""):
out += "NO PASSWORD*********************:::"
else:
out += ntlm.encode('hex')+":::"
return out
def decUserHashHistory(bootkey, rawPekKey, user, rawRID, rawLMhashHistory,
rawNTLMhashHistory):
# "rawRID" may already be the RID, or the full SID - if latter is true, truncate
rid = int(rawRID, 16) if len(rawRID) == 8 else int(rawRID[48:], 16)
encPEK = unhexlify(rawPekKey[16:])
pek = ds_decrypt_pek(bootkey, encPEK)
if rawLMhashHistory.startswith("1100000000000000"):
rawLMhashHistory = rawLMhashHistory[16:]
if rawNTLMhashHistory.startswith("1100000000000000"):
rawNTLMhashHistory = rawNTLMhashHistory[16:]
pekENClmHistory = unhexlify(rawLMhashHistory)
pekENCntlmHistory = unhexlify(rawNTLMhashHistory)
encLM = ds_decrypt_with_pek(pek, pekENClmHistory)
encNTLM = ds_decrypt_with_pek(pek, pekENCntlmHistory)
histories = []
for hindex in range(0, len(encNTLM) / 16):
ntlm = ds_decrypt_single_hash(rid,
encNTLM[hindex * 16:(hindex + 1) * 16])
lm = ds_decrypt_single_hash(rid, encLM[hindex * 16:(hindex + 1) * 16])
if hindex == 0:
out = user + ":" + str(rid)
else:
out = user + "_history" + str(hindex - 1) + ":" + str(rid)
if (lm == ""):
out += ":aad3b435b51404eeaad3b435b51404ee:"
else:
out += ":" + lm.encode('hex') + ":"
if (ntlm == ""):
out += "NO PASSWORD*********************:::"
else:
out += ntlm.encode('hex') + ":::"
histories.append(out)
return histories
def decUserHashHistory(bootkey, rawPekKey, user, rawRID, rawLMhashHistory, rawNTLMhashHistory):
# "rawRID" may already be the RID, or the full SID - if latter is true, truncate
rid = int(rawRID,16) if len(rawRID)==8 else int(rawRID[48:],16)
encPEK = unhexlify(rawPekKey[16:])
pek = ds_decrypt_pek(bootkey, encPEK)
if rawLMhashHistory.startswith("1100000000000000"):
rawLMhashHistory = rawLMhashHistory[16:]
if rawNTLMhashHistory.startswith("1100000000000000"):
rawNTLMhashHistory = rawNTLMhashHistory[16:]
pekENClmHistory = unhexlify(rawLMhashHistory)
pekENCntlmHistory = unhexlify(rawNTLMhashHistory)
encLM = ds_decrypt_with_pek(pek, pekENClmHistory)
encNTLM = ds_decrypt_with_pek(pek, pekENCntlmHistory)
histories = []
for hindex in range(0,len(encNTLM)/16):
ntlm = ds_decrypt_single_hash(rid, encNTLM[hindex*16:(hindex+1)*16])
lm = ds_decrypt_single_hash(rid, encLM[hindex*16:(hindex+1)*16])
if hindex == 0:
out = user+":"+str(rid)
else:
out = user+"_history"+str(hindex-1)+":"+str(rid)
if (lm == ""):
out+= ":aad3b435b51404eeaad3b435b51404ee:"
else:
out += ":"+lm.encode('hex')+":"
if (ntlm == ""):
out += "NO PASSWORD*********************:::"
else:
out += ntlm.encode('hex')+":::"
histories.append(out)
return histories