Jan 242021
 

Every time that you change the login password on your system, Windows stores the hashes of the previous password in the CREDHIST file (Located in %appdata%\Microsoft\Protect\CREDHIST ).

Lets play with the credhist file and NTHASH then.

Setup:
-User test created with Password1
-I then logged in and changed password twice to Password2, then Password3.

***********************
I retrieved credhist file for that user, took it offline, then ran the below:
nthash-win64 /decodecredhist /binary:.\credhist-test.

The contains 2 entries (everytime I changed password,i.e twice).

*********************

Decryption is based on a hmac key generated from the sha1 password + the user SID.

Lets get the SHA1 of the current user password (the user SID is known in the credhist file).

NTHASH-win64.exe /widestringtohexa /input:Password3 | NTHASH-win64.exe /gethash /mode:SHA1
NTHASH 1.8 x64 by erwan2212@gmail.com
gethash
31F8F4DFCB16205363B35055EBE92A75F0A19CE3

**********************************
Now lets decrypt last credhist entry i.e #1.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:31F8F4DFCB16205363B35055EBE92A75F0A19CE3 /key:1

I get
SHA1:2277C28035275149D01A8DE530CC13B74F59EDFB
NTLM:C39F2BEB3D2EC06A62CB887FB391DEE0

This is sha1/ntlm for Password2.
**********************************
Now lets decrypt previous (and first) entry i.e #0.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:2277C28035275149D01A8DE530CC13B74F59EDFB /key:0

SHA1:CBA4E545B7EC918129725154B29F055E4CD5AEA8
NTLM:64F12CDDAA88057E06A81B54E73B949B

This is sha1/ntlm for Password1.

**********************************

That’s it : we have seen the logic behing this credhist file and how to decrypt it.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.