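def decUserHash(bootkey, rawPekKey, user, rawRID, rawLMhash, rawNTLMhash):
    """Decrypt one account's stored LM/NT hash record into a pwdump-style line.

    The returned line has the form ``user:rid:lmhash:nthash:::``.  When no LM
    value is recovered the well-known LM hash of the empty password
    (``aad3b435b51404eeaad3b435b51404ee``) is written in its place; when the NT
    value is empty the literal ``NO PASSWORD*********************`` marker is
    written.  Both conventions match the sibling ``decUserHashHistory``.

    Args:
        bootkey: passed unchanged to ``ds_decrypt_pek`` to recover the PEK.
        rawPekKey: hex string of the encrypted PEK record; the first 16 hex
            characters (8 bytes) are skipped before decoding.
        user: account name, written verbatim at the start of the line.
        rawRID: hex string; either the bare 8-character RID or a longer hex
            SID whose RID follows offset 48 (same rule as ``decUserHashHistory``).
        rawLMhash: hex string of the PEK-encrypted LM hash, or None/"" if absent.
        rawNTLMhash: hex string of the PEK-encrypted NT hash, or None/"" if absent.

    Returns:
        The formatted ``user:rid:lm:nt:::`` string.
    """
    # Accept a bare RID as well as a full SID, as decUserHashHistory already
    # does; with the slice alone a bare RID produced int("", 16) -> ValueError.
    if len(rawRID) == 8:
        rid = int(rawRID, 16)
    else:
        rid = int(rawRID[48:], 16)

    # The leading 8 bytes of the PEK record are not handed to ds_decrypt_pek
    # (presumably a header; confirm against the helper).
    encPEK = unhexlify(rawPekKey[16:])
    pek = ds_decrypt_pek(bootkey, encPEK)

    # Absent attributes arrive as None; normalise both sides to "" so the
    # prefix test and unhexlify below are safe.  The original guarded only LM
    # and raised AttributeError on a None NT value.
    if not rawLMhash:
        rawLMhash = ""
    if not rawNTLMhash:
        rawNTLMhash = ""

    # Drop the 8-byte "1100000000000000" leader when present (same rule as
    # decUserHashHistory; its meaning is not established here).
    if rawLMhash.startswith("1100000000000000"):
        rawLMhash = rawLMhash[16:]
    if rawNTLMhash.startswith("1100000000000000"):
        rawNTLMhash = rawNTLMhash[16:]

    pekENClm = unhexlify(rawLMhash)
    pekENCntlm = unhexlify(rawNTLMhash)

    # Fix: the original passed the hex *string* rawLMhash to ds_decrypt_with_pek
    # and left pekENClm unused, so the LM side received twice the expected
    # length of undecoded text.  Both sides now get the decoded bytes, as the
    # NT side and decUserHashHistory already did.
    encLM = ds_decrypt_with_pek(pek, pekENClm)
    encNTLM = ds_decrypt_with_pek(pek, pekENCntlm)

    lm = ds_decrypt_single_hash(rid, encLM)
    ntlm = ds_decrypt_single_hash(rid, encNTLM)

    out = user + ":" + str(rid)
    # The LM column is decided on the PEK-decrypted blob, not on the final
    # hash (kept as in the original; `not encLM` covers None and "").
    if not encLM:
        out += ":aad3b435b51404eeaad3b435b51404ee:"
    else:
        out += ":" + lm.encode('hex') + ":"
    if ntlm == "":
        out += "NO PASSWORD*********************:::"
    else:
        out += ntlm.encode('hex') + ":::"
    return out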
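def decUserHash(bootkey, rawPekKey, user, rawRID, rawLMhash, rawNTLMhash):
    """Decrypt one account's stored LM/NT hash record into a pwdump-style line.

    The returned line has the form ``user:rid:lmhash:nthash:::``.  When no LM
    value is recovered the well-known LM hash of the empty password
    (``aad3b435b51404eeaad3b435b51404ee``) is written in its place; when the NT
    value is empty the literal ``NO PASSWORD*********************`` marker is
    written.  Both conventions match the sibling ``decUserHashHistory``.

    Args:
        bootkey: passed unchanged to ``ds_decrypt_pek`` to recover the PEK.
        rawPekKey: hex string of the encrypted PEK record; the first 16 hex
            characters (8 bytes) are skipped before decoding.
        user: account name, written verbatim at the start of the line.
        rawRID: hex string; either the bare 8-character RID or a longer hex
            SID whose RID follows offset 48 (same rule as ``decUserHashHistory``).
        rawLMhash: hex string of the PEK-encrypted LM hash, or None/"" if absent.
        rawNTLMhash: hex string of the PEK-encrypted NT hash, or None/"" if absent.

    Returns:
        The formatted ``user:rid:lm:nt:::`` string.
    """
    # Accept a bare RID as well as a full SID, as decUserHashHistory already
    # does; with the slice alone a bare RID produced int("", 16) -> ValueError.
    if len(rawRID) == 8:
        rid = int(rawRID, 16)
    else:
        rid = int(rawRID[48:], 16)

    # The leading 8 bytes of the PEK record are not handed to ds_decrypt_pek
    # (presumably a header; confirm against the helper).
    encPEK = unhexlify(rawPekKey[16:])
    pek = ds_decrypt_pek(bootkey, encPEK)

    # Absent attributes arrive as None; normalise both sides to "" so the
    # prefix test and unhexlify below are safe.  The original guarded only LM
    # and raised AttributeError on a None NT value.
    if not rawLMhash:
        rawLMhash = ""
    if not rawNTLMhash:
        rawNTLMhash = ""

    # Drop the 8-byte "1100000000000000" leader when present (same rule as
    # decUserHashHistory; its meaning is not established here).
    if rawLMhash.startswith("1100000000000000"):
        rawLMhash = rawLMhash[16:]
    if rawNTLMhash.startswith("1100000000000000"):
        rawNTLMhash = rawNTLMhash[16:]

    pekENClm = unhexlify(rawLMhash)
    pekENCntlm = unhexlify(rawNTLMhash)

    # Fix: the original passed the hex *string* rawLMhash to ds_decrypt_with_pek
    # and left pekENClm unused, so the LM side received twice the expected
    # length of undecoded text.  Both sides now get the decoded bytes, as the
    # NT side and decUserHashHistory already did.
    encLM = ds_decrypt_with_pek(pek, pekENClm)
    encNTLM = ds_decrypt_with_pek(pek, pekENCntlm)

    lm = ds_decrypt_single_hash(rid, encLM)
    ntlm = ds_decrypt_single_hash(rid, encNTLM)

    out = user + ":" + str(rid)
    # The LM column is decided on the PEK-decrypted blob, not on the final
    # hash (kept as in the original; `not encLM` covers None and "").
    if not encLM:
        out += ":aad3b435b51404eeaad3b435b51404ee:"
    else:
        out += ":" + lm.encode('hex') + ":"
    if ntlm == "":
        out += "NO PASSWORD*********************:::"
    else:
        out += ntlm.encode('hex') + ":::"
    return out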
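def decUserHashHistory(bootkey, rawPekKey, user, rawRID, rawLMhashHistory, rawNTLMhashHistory):
    """Decrypt an account's stored hash-history records into pwdump-style lines.

    One line is produced per 16-byte entry of the decrypted NT history blob.
    Entry 0 is written as ``user:rid:lm:nt:::``; entry k>0 is written as
    ``user_history<k-1>:rid:lm:nt:::``.  Entries are emitted in blob order
    (whether that is newest-first is not established here).  An empty LM value
    is replaced by the well-known LM hash of the empty password
    (``aad3b435b51404eeaad3b435b51404ee``); an empty NT value by the literal
    ``NO PASSWORD*********************`` marker, as in ``decUserHash``.

    Args:
        bootkey: passed unchanged to ``ds_decrypt_pek`` to recover the PEK.
        rawPekKey: hex string of the encrypted PEK record; the first 16 hex
            characters (8 bytes) are skipped before decoding.
        user: account name used as the prefix of every output line.
        rawRID: hex string; either the bare 8-character RID or a longer hex
            SID whose RID follows offset 48.
        rawLMhashHistory: hex string of the PEK-encrypted LM history blob, or
            None/"" if absent.
        rawNTLMhashHistory: hex string of the PEK-encrypted NT history blob, or
            None/"" if absent.

    Returns:
        A list of formatted lines, possibly empty when the NT blob is empty.
    """
    # "rawRID" may already be the RID, or the full SID - if the latter, truncate.
    if len(rawRID) == 8:
        rid = int(rawRID, 16)
    else:
        rid = int(rawRID[48:], 16)

    # The leading 8 bytes of the PEK record are not handed to ds_decrypt_pek
    # (presumably a header; confirm against the helper).
    encPEK = unhexlify(rawPekKey[16:])
    pek = ds_decrypt_pek(bootkey, encPEK)

    # Absent attributes arrive as None; normalise to "" so the prefix test and
    # unhexlify below are safe (mirrors the guard in decUserHash; the original
    # raised AttributeError here).
    if not rawLMhashHistory:
        rawLMhashHistory = ""
    if not rawNTLMhashHistory:
        rawNTLMhashHistory = ""

    # Drop the 8-byte "1100000000000000" leader when present (meaning not
    # established here).
    if rawLMhashHistory.startswith("1100000000000000"):
        rawLMhashHistory = rawLMhashHistory[16:]
    if rawNTLMhashHistory.startswith("1100000000000000"):
        rawNTLMhashHistory = rawNTLMhashHistory[16:]

    pekENClmHistory = unhexlify(rawLMhashHistory)
    pekENCntlmHistory = unhexlify(rawNTLMhashHistory)
    encLM = ds_decrypt_with_pek(pek, pekENClmHistory)
    encNTLM = ds_decrypt_with_pek(pek, pekENCntlmHistory)

    histories = []
    # Floor division keeps the bound an int on Python 3 as well as 2; the
    # original `/` yields a float on 3, which range() rejects.
    for hindex in range(len(encNTLM) // 16):
        start = hindex * 16
        stop = start + 16
        ntlm = ds_decrypt_single_hash(rid, encNTLM[start:stop])
        # The LM blob is sliced by the NT index; when it is shorter the slice
        # is "" and that is what ds_decrypt_single_hash receives.
        lm = ds_decrypt_single_hash(rid, encLM[start:stop])

        if hindex == 0:
            out = user + ":" + str(rid)
        else:
            out = user + "_history" + str(hindex - 1) + ":" + str(rid)
        if lm == "":
            out += ":aad3b435b51404eeaad3b435b51404ee:"
        else:
            out += ":" + lm.encode('hex') + ":"
        if ntlm == "":
            out += "NO PASSWORD*********************:::"
        else:
            out += ntlm.encode('hex') + ":::"
        histories.append(out)
    return histories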
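def decUserHashHistory(bootkey, rawPekKey, user, rawRID, rawLMhashHistory, rawNTLMhashHistory):
    """Decrypt an account's stored hash-history records into pwdump-style lines.

    One line is produced per 16-byte entry of the decrypted NT history blob.
    Entry 0 is written as ``user:rid:lm:nt:::``; entry k>0 is written as
    ``user_history<k-1>:rid:lm:nt:::``.  Entries are emitted in blob order
    (whether that is newest-first is not established here).  An empty LM value
    is replaced by the well-known LM hash of the empty password
    (``aad3b435b51404eeaad3b435b51404ee``); an empty NT value by the literal
    ``NO PASSWORD*********************`` marker, as in ``decUserHash``.

    Args:
        bootkey: passed unchanged to ``ds_decrypt_pek`` to recover the PEK.
        rawPekKey: hex string of the encrypted PEK record; the first 16 hex
            characters (8 bytes) are skipped before decoding.
        user: account name used as the prefix of every output line.
        rawRID: hex string; either the bare 8-character RID or a longer hex
            SID whose RID follows offset 48.
        rawLMhashHistory: hex string of the PEK-encrypted LM history blob, or
            None/"" if absent.
        rawNTLMhashHistory: hex string of the PEK-encrypted NT history blob, or
            None/"" if absent.

    Returns:
        A list of formatted lines, possibly empty when the NT blob is empty.
    """
    # "rawRID" may already be the RID, or the full SID - if the latter, truncate.
    if len(rawRID) == 8:
        rid = int(rawRID, 16)
    else:
        rid = int(rawRID[48:], 16)

    # The leading 8 bytes of the PEK record are not handed to ds_decrypt_pek
    # (presumably a header; confirm against the helper).
    encPEK = unhexlify(rawPekKey[16:])
    pek = ds_decrypt_pek(bootkey, encPEK)

    # Absent attributes arrive as None; normalise to "" so the prefix test and
    # unhexlify below are safe (mirrors the guard in decUserHash; the original
    # raised AttributeError here).
    if not rawLMhashHistory:
        rawLMhashHistory = ""
    if not rawNTLMhashHistory:
        rawNTLMhashHistory = ""

    # Drop the 8-byte "1100000000000000" leader when present (meaning not
    # established here).
    if rawLMhashHistory.startswith("1100000000000000"):
        rawLMhashHistory = rawLMhashHistory[16:]
    if rawNTLMhashHistory.startswith("1100000000000000"):
        rawNTLMhashHistory = rawNTLMhashHistory[16:]

    pekENClmHistory = unhexlify(rawLMhashHistory)
    pekENCntlmHistory = unhexlify(rawNTLMhashHistory)
    encLM = ds_decrypt_with_pek(pek, pekENClmHistory)
    encNTLM = ds_decrypt_with_pek(pek, pekENCntlmHistory)

    histories = []
    # Floor division keeps the bound an int on Python 3 as well as 2; the
    # original `/` yields a float on 3, which range() rejects.
    for hindex in range(len(encNTLM) // 16):
        start = hindex * 16
        stop = start + 16
        ntlm = ds_decrypt_single_hash(rid, encNTLM[start:stop])
        # The LM blob is sliced by the NT index; when it is shorter the slice
        # is "" and that is what ds_decrypt_single_hash receives.
        lm = ds_decrypt_single_hash(rid, encLM[start:stop])

        if hindex == 0:
            out = user + ":" + str(rid)
        else:
            out = user + "_history" + str(hindex - 1) + ":" + str(rid)
        if lm == "":
            out += ":aad3b435b51404eeaad3b435b51404ee:"
        else:
            out += ":" + lm.encode('hex') + ":"
        if ntlm == "":
            out += "NO PASSWORD*********************:::"
        else:
            out += ntlm.encode('hex') + ":::"
        histories.append(out)
    return histories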