Jan 24 2021
Every time you change the login password on your system, Windows stores the hashes of the previous password in the CREDHIST file (located at %appdata%\Microsoft\Protect\CREDHIST).

Let's play with the CREDHIST file and NTHASH, then.

Setup:
- User "test" created with the password Password1
- I then logged in and changed the password twice: to Password2, then Password3.

***********************
I retrieved the CREDHIST file for that user, took it offline, then ran the following:
nthash-win64 /decodecredhist /binary:.\credhist-test

The file contains 2 entries (one for every time I changed the password, i.e. twice).

*********************

Decryption is based on an HMAC key generated from the SHA1 of the password plus the user SID.

Let's get the SHA1 of the current user password (the user SID is available in the CREDHIST file).

NTHASH-win64.exe /widestringtohexa /input:Password3 | NTHASH-win64.exe /gethash /mode:SHA1
NTHASH 1.8 x64 by erwan2212@gmail.com
gethash
31F8F4DFCB16205363B35055EBE92A75F0A19CE3

**********************************
Now let's decrypt the last CREDHIST entry, i.e. #1.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:31F8F4DFCB16205363B35055EBE92A75F0A19CE3 /key:1

I get:
SHA1:2277C28035275149D01A8DE530CC13B74F59EDFB
NTLM:C39F2BEB3D2EC06A62CB887FB391DEE0

This is the SHA1/NTLM for Password2.
**********************************
Now let's decrypt the previous (and first) entry, i.e. #0.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:2277C28035275149D01A8DE530CC13B74F59EDFB /key:0

SHA1:CBA4E545B7EC918129725154B29F055E4CD5AEA8
NTLM:64F12CDDAA88057E06A81B54E73B949B

This is the SHA1/NTLM for Password1.
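The two decryption steps above are one procedure: the SHA1 of the current password unlocks the newest entry, the hash that comes out unlocks the entry before it, and so on back to the first password. The following is an added example, not NTHASH's code and not Windows' own format: it models that chain in Python with the standard library only. The SID, salts and password history are constructed sample values, and the sealing cipher (HMAC-SHA1 keystream with an integrity tag) stands in for DPAPI's real PBKDF2 plus AES/3DES step, which is an assumption of this model rather than a description of the on-disk format. The point it makes is the defensive one: because only the current password is needed to walk the whole chain, changing a password does not retire the old hashes, so a CREDHIST file has to be protected like the current credential itself.

```python
import hashlib
import hmac

# Constructed sample SID (not from the page); the real SID is read from the CREDHIST header.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def sha1_wide(password: str) -> bytes:
    """SHA-1 over the UTF-16LE ("wide string") form of the password, the value
    NTHASH prints for /widestringtohexa | /gethash /mode:SHA1."""
    return hashlib.sha1(password.encode("utf-16le")).digest()


def entry_key(password_sha1: bytes, sid: str) -> bytes:
    """Key that unlocks one CREDHIST entry, modelled as HMAC-SHA1 keyed with the
    password SHA-1 over the UTF-16LE SID. Assumption: real DPAPI additionally
    stretches this with PBKDF2 (entry salt and iteration count) before using it
    as an AES/3DES key; that step is omitted in this model."""
    return hmac.new(password_sha1, sid.encode("utf-16le"), hashlib.sha1).digest()


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-SHA1 in counter mode, a stand-in cipher so the example runs with the
    standard library only (not the cipher DPAPI uses)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(4, "little"), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, salt: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext and append an HMAC tag so that a wrong key is detected."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, salt, len(plaintext))))
    tag = hmac.new(key, salt + body, hashlib.sha1).digest()
    return body + tag


def unseal(key: bytes, salt: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError when the key is wrong."""
    body, tag = blob[:-20], blob[-20:]
    expected = hmac.new(key, salt + body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key for this entry")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, salt, len(body))))


def build_credhist(passwords: list, sid: str) -> list:
    """Model of what happens on each password change: entry i holds the SHA-1 of
    password i, sealed under a key derived from password i+1 (the one that
    replaced it). Three passwords therefore give two entries, as in the post."""
    entries = []
    for i in range(len(passwords) - 1):
        salt = hashlib.sha1(f"constructed-salt-{i}".encode()).digest()[:16]  # constructed
        key = entry_key(sha1_wide(passwords[i + 1]), sid)
        entries.append({"index": i, "salt": salt, "blob": seal(key, salt, sha1_wide(passwords[i]))})
    return entries


def walk_chain(entries: list, current_sha1: bytes, sid: str) -> list:
    """Decrypt from the newest entry back to the first. Each recovered hash is
    the key for the entry before it, so only the current password is needed.
    Returns the recovered hashes, newest previous password first."""
    recovered = []
    key_hash = current_sha1
    for entry in reversed(entries):
        key_hash = unseal(entry_key(key_hash, sid), entry["salt"], entry["blob"])
        recovered.append(key_hash)
    return recovered


if __name__ == "__main__":
    history = ["Password1", "Password2", "Password3"]  # constructed, mirrors the post's setup
    credhist = build_credhist(history, SAMPLE_SID)
    print(f"{len(credhist)} entries")
    for idx, h in enumerate(walk_chain(credhist, sha1_wide("Password3"), SAMPLE_SID)):
        entry_no = len(credhist) - 1 - idx
        print(f"entry #{entry_no}: SHA1:{h.hex().upper()}")
```

Running it prints the two recovered SHA1 values in the same order the post walks them (entry #1, then entry #0). Feeding `walk_chain` a hash of anything other than the current password makes `unseal` raise on the first entry, which is the behaviour a wrong `/password:` value produces in the post's workflow: nothing further down the chain opens.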

**********************************

That's it: we have seen the logic behind this CREDHIST file and how to decrypt it.

  2 Responses to "Let's play with Windows credhist file"

  1. Hi Erwin, I followed your article but I am not getting the SHA1.
    My problem is that I might have changed the password of the user and I am not able to decrypt files encrypted with EFS anymore.

    I also noticed that while running your tool in cmd, when it comes to showing the SID, I get an extremely long string on multiple lines.
    My CREDHIST does have only one entry, so I tried to use Key0 in the last command and the last thing returned is the psecret.
    Do you have any suggestion?

  2. I just wanted to say that you have very valuable information and it is easy to read.

    For example, the Arduino articles you have written are very easy to understand compared to many others.

    Thank you!
