NTLM Hash history does not accurately display #660

Closed
BraveLittleRoaster opened this issue Aug 1, 2019 · 2 comments

BraveLittleRoaster commented Aug 1, 2019

I have experienced the same thing here: #395

When testing on Server 2016, I am also experiencing the issue this previous thread mentioned. I've tested a few different scenarios.

The .dit files and system registry are dumped with:

ntdsutil.exe "ac i ntds" "ifm" "create full .\snapshot" q q

And I am running impacket like so:

python secretsdump.py -history -ntds ".\snapshot\Active Directory\ntds.dit" -system ".\snapshot\registry\SYSTEM" LOCAL

I set a user account with a password "Password123", or NTLM: 58a478135a93ac3bf058a5ea0e8fdb71
Then reset it to something randomly generated. I then set it back to Password123. I repeat this process a few times and here is what I'll get:

Run a few times:

26c2c3bcb1ce41980f54ddae078c97ff,
937f0e8b8bee213040e2d91baef8ac2a,
35f6a91319eed7183caa5ab02134b0bf,
1e96b23f1a554188ec72cf6744579386,
6b37bda4a1cf9ddadbb024b8b2d9b49e,
993f82de7e6b7dc4b35edbcce7dfc0fb,
a0f172dcbdd2784ef006267f84abc35a,
988d0111fa68e2635415be4fccefe081

Run some more times:

a6dfe640aaab3f1b4230fcdbfb47c861,
44089f9a96c7d67ae10c26e6f5c76f5d,
6155635d7ad0671e0cf3e1aacd2b74a9,
bde5c798bbc4528d5250d48787111024,
10f1d45ae519bc3581da4489e0b39af8,
4369e77b3828e601f7b86a24ea0d671d,
09d5819273d0a19d1f520f7799281fdd,
cb94f9229b46726f13fc469dc3a6610a,
0572e648a5ec16aaad5ee6c62fd70059,
24f2f25b67ba55e0d5202aeed374ddd4

As you can see, the hash history changes entirely every time the password is reset. Is this some feature within Server 2016? Or am I missing something?

The hash for Password123 never appears. However, if it is the currently set password, it appears as normal. When loading my test domain I intentionally pick hashes that I know are vulnerable and set them in the users' history by changing their password a couple of times. I am not able to crack any histories, but I can crack the currently set passwords no problem.

Edit: Grabbed some of the raw bytes, if you need them:

Username: testdomain.com\CompromisedAccount3 Raw: '\x05r\xe6H\xa5\xec\x16\xaa\xad^\xe6\xc6/\xd7\x00Y'
Username: testdomain.com\CompromisedAccount3 Raw: '$\xf2\xf2[g\xbaU\xe0\xd5 *\xee\xd3t\xdd\xd4'
Username: testdomain.com\CompromisedAccount3 Raw: 'aUc]z\xd0g\x1e\x0c\xf3\xe1\xaa\xcd+t\xa9'
Username: testdomain.com\CompromisedAccount3 Raw: '\xbd\xe5\xc7\x98\xbb\xc4R\x8dRP\xd4\x87\x87\x11\x10$'
Username: testdomain.com\CompromisedAccount3 Raw: '\x10\xf1\xd4Z\xe5\x19\xbc5\x81\xdaD\x89\xe0\xb3\x9a\xf8'
Username: testdomain.com\CompromisedAccount3 Raw: 'Ci\xe7{8(\xe6\x01\xf7\xb8j$\xea\rg\x1d'
Username: testdomain.com\CompromisedAccount3 Raw: '\xa6\xdf\xe6@\xaa\xab?\x1bB0\xfc\xdb\xfbG\xc8a'
Username: testdomain.com\CompromisedAccount3 Raw: 'D\x08\x9f\x9a\x96\xc7\xd6z\xe1\x0c&\xe6\xf5\xc7o]'

or if you prefer:

b'\x05r\xe6H\xa5\xec\x16\xaa\xad^\xe6\xc6/\xd7\x00Y',
b'$\xf2\xf2[g\xbaU\xe0\xd5 *\xee\xd3t\xdd\xd4',
b'aUc]z\xd0g\x1e\x0c\xf3\xe1\xaa\xcd+t\xa9',
b'\xbd\xe5\xc7\x98\xbb\xc4R\x8dRP\xd4\x87\x87\x11\x10$',
b'\x10\xf1\xd4Z\xe5\x19\xbc5\x81\xdaD\x89\xe0\xb3\x9a\xf8',
b'Ci\xe7{8(\xe6\x01\xf7\xb8j$\xea\rg\x1d',
b'\xa6\xdf\xe6@\xaa\xab?\x1bB0\xfc\xdb\xfbG\xc8a',
b'D\x08\x9f\x9a\x96\xc7\xd6z\xe1\x0c&\xe6\xf5\xc7o]'

These should match up to the second list I posted when using hexlify.

0xdeaddood (Collaborator) commented:

Hi @BraveLittleRoaster! Thanks for the detailed explanation. I created a PR #783 with a fix. Please check it and let me know if it's OK.

asolino (Collaborator) commented Mar 9, 2020

Closing as fixed by #783

asolino closed this as completed Mar 9, 2020