Fixes #1099 by discarding additional cases where supplemental credent…

…ials do not match the MS-SAMR USER_PROPERTIES struct.
fortra · Jul 5, 2023 · f7c4a13 · f7c4a13
1 parent b5dab2d
commit f7c4a13
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/impacket/examples/secretsdump.py b/impacket/examples/secretsdump.py
@@ -2126,10 +2126,16 @@ def __decryptSupplementalInfo(self, record, prefixTable=None, keysFile=None, cle
                         plainText = self.__cryptoCommon.decryptAES(self.__PEK[int(pekIndex[8:10])],
                                                                    cipherText['EncryptedHash'][4:],
                                                                    cipherText['KeyMaterial'])
-                        haveInfo = True
                     else:
                         plainText = self.__removeRC4Layer(cipherText)
-                        haveInfo = True
+                    # 6f is the length of the empty USER_PROPERTIES struct per MS-SAMR 2.2.10.1
+                    # "PropertyCount (2 bytes): The number of USER_PROPERTY elements in the UserProperties field.
+                    # When there are zero USER_PROPERTY elements in the UserProperties field, this field MUST be
+                    # omitted; the resultant USER_PROPERTIES structure has a constant size of 0x6F bytes."
+                    # We add one because we expect to have this PropertyCount and 4 again representing the minimal size
+                    # of an empty UserProperty struct
+                    # This discards additional cases where user properties do not match MS-SAMR structure ...
+                    haveInfo = len(plainText) > 0x6f + 2 + 4
         else:
             domain = None
             userName = None