\nI retrieved credhist file for that user, took it offline, then ran the below:
\nnthash-win64 \/decodecredhist \/binary:.\\credhist-test.<\/strong><\/p>\n
The contains 2 entries (everytime I changed password,i.e twice).<\/p>\n
![](\"https:\/\/i.imgur.com\/D3r2d1F.png\")
<\/p>\n
*********************<\/p>\n
Decryption is based on a hmac key generated from the sha1 password + the user SID.<\/p>\n
Lets get the SHA1 of the current user password (the user SID is known in the credhist file).<\/p>\n
NTHASH-win64.exe \/widestringtohexa \/input:Password3 | NTHASH-win64.exe \/gethash \/mode:SHA1<\/strong> ********************************** nthash-win64 \/decodecredhist \/binary:.\\credhist-test \/password:31F8F4DFCB16205363B35055EBE92A75F0A19CE3 \/key:1<\/strong><\/p>\n I get This is sha1\/ntlm for Password2. nthash-win64 \/decodecredhist \/binary:.\\credhist-test \/password:2277C28035275149D01A8DE530CC13B74F59EDFB \/key:0<\/strong><\/p>\n SHA1:CBA4E545B7EC918129725154B29F055E4CD5AEA8 This is sha1\/ntlm for Password1.<\/p>\n **********************************<\/p>\n That’s it : we have seen the logic behing this credhist file and how to decrypt it.<\/p>\n","protected":false},"excerpt":{"rendered":" Every time that you change the login password on your system, Windows stores the hashes of the previous password in the CREDHIST file (Located in %appdata%\\Microsoft\\Protect\\CREDHIST ). Lets play with the credhist file and NTHASH then. Setup: -User test created with Password1 -I then logged in and changed password twice to Password2, then Password3. *********************** […]<\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[],"class_list":["post-2314","post","type-post","status-publish","format-standard","hentry","category-nthash","category-118-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2314"}],"version-history":[{"count":5,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2314\/revisions"}],"predecessor-version":[{"id":2320,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/2314\/revisions\/2320"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nNTHASH 1.8 x64 by erwan2212@gmail.com
\ngethash
\n31F8F4DFCB16205363B35055EBE92A75F0A19CE3<\/p>\n
\nNow lets decrypt last credhist entry i.e #1.<\/p>\n
\nSHA1:2277C28035275149D01A8DE530CC13B74F59EDFB
\nNTLM:C39F2BEB3D2EC06A62CB887FB391DEE0<\/p>\n
\n**********************************
\nNow lets decrypt previous (and first) entry i.e #0.<\/p>\n
\nNTLM:64F12CDDAA88057E06A81B54E73B949B<\/p>\n