impacket
impacket copied to clipboard
fortra
secretsdump.py: ('unpack requires a buffer of 2 bytes', "When unpacking field 'NameLength | <H=0 | b''[:2]'"
Impacket v0.9.24.dev1+20210618.54810.11f43043
secretsdump.py -ntds ntds.dit -system SYSTEM.bak -outputfile domain.local local
[-] Error while processing row for user User_Name [-] ('unpack requires a buffer of 2 bytes', "When unpacking field 'NameLength | <H=0 | b''[:2]'")
These errors may appear for accounts with enabled UAC flags "Smart card is required for interactive logon", "Account is sensitive and cannot be delegated". The RC4 hashes of these accounts are retrieved, but the Kerberos keys are not.
I may have found the origin of this bug. Happened to stumble on it here too, and it definitely look (in my case at least) that there are additional cases where the MS-SAMR USER_PROPERTIES structure isnt respected by Windows somehow.
In my case, decrypting a supplemental_credentials blob gives me a structure with a supposed count of 256 user properties, where it have in fact none. The total length of the decrypted blob is 0x6f + 1, which does not look like it should fit in the USER_PROPERTIES structure.
So two possibilities here : either the MS-SAMR documentation is wrong saying that the minimal length with no user properties is 0x6F but it should be 0x70 (the additional supposed count being the last reserved byte), or the structure is not respected at all (which is maybe more likely in my opinion).
The fix I used was to state that if the length of the decrypted supplemental credentials blob is not at least big enough to hold one user property (so if its not 0x6f + 2 + 4 bytes big, 4 being the header length of a single user property), then it is empty anyway so we dont have to parse it as a USER_PROPERTIES structure, and it doesnt have "info".
My pull request will come soon, I hope you got the exact same problem ! What is a shame is that it prevents the decryption of anything at all, where only the supplemental credentials was problematic ☹
Have a good day.
