/// <summary>
/// Decrypts the password hashes, hash histories and supplemental credentials stored on the
/// account object using the supplied directory secret decryptor.
/// </summary>
/// <param name="dsObject">Directory object whose encrypted secret attributes are read.</param>
/// <param name="pek">Secret decryptor; when null, nothing is read and the method returns at once.</param>
protected void LoadHashes(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Without a decryptor the encrypted blobs are of no use to us.
    if (pek == null)
    {
        return;
    }

    // The hash decryptors take the account's RID as a parameter; the RID is only
    // looked up when the corresponding attribute actually carries a value.
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out byte[] ntHashBlob);
    if (ntHashBlob != null)
    {
        this.NTHash = pek.DecryptHash(ntHashBlob, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out byte[] lmHashBlob);
    if (lmHashBlob != null)
    {
        this.LMHash = pek.DecryptHash(lmHashBlob, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out byte[] ntHistoryBlob);
    if (ntHistoryBlob != null)
    {
        this.NTHashHistory = pek.DecryptHashHistory(ntHistoryBlob, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out byte[] lmHistoryBlob);
    if (lmHistoryBlob != null)
    {
        this.LMHashHistory = pek.DecryptHashHistory(lmHistoryBlob, this.Sid.GetRid());
    }

    // Supplemental credentials go through the generic DecryptSecret (no RID argument)
    // and are then parsed into a structured object.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out byte[] supplementalBlob);
    if (supplementalBlob != null)
    {
        byte[] decryptedSupplemental = pek.DecryptSecret(supplementalBlob);
        this.SupplementalCredentials = new SupplementalCredentials(decryptedSupplemental);
    }
}
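/// <summary>
/// Decrypts a DPAPI backup key object and classifies it by the name taken from its DN:
/// a pointer to the preferred key (the decrypted data is a GUID) or an actual key
/// (legacy or RSA, distinguished by the version prefix of the decrypted data).
/// </summary>
/// <param name="dsObject">Directory object whose currentValue attribute holds the encrypted key.</param>
/// <param name="pek">Secret decryptor used to decrypt currentValue.</param>
/// <remarks>
/// Null arguments are rejected by Validator.AssertNotNull. Guid parsing and BitConverter
/// throw their usual exceptions when the decrypted blob is shorter than expected.
/// </remarks>
public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");
    Validator.AssertNotNull(pek, "pek");
    // TODO: Test Object type

    // Decrypt the secret value
    dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out byte[] encryptedSecret);
    this.RawKeyData = pek.DecryptSecret(encryptedSecret);

    // The name part of the DN decides how the decrypted data is interpreted.
    this.DistinguishedName = dsObject.DistinguishedName;
    var keyName = GetSecretNameFromDN(this.DistinguishedName);

    switch (keyName)
    {
        case null:
            // We could not parse the DN, so exit with Unknown as the key type
            this.Type = DPAPIBackupKeyType.Unknown;
            break;

        case PreferredRSAKeyPointerName:
            this.Type = DPAPIBackupKeyType.PreferredRSAKeyPointer;
            // Interpret the raw data as Guid
            this.KeyId = new Guid(this.RawKeyData);
            break;

        case PreferredLegacyKeyPointerName:
            this.Type = DPAPIBackupKeyType.PreferredLegacyKeyPointer;
            // Interpret the raw data as Guid
            this.KeyId = new Guid(this.RawKeyData);
            break;

        default:
            // Actual key: the name is its Guid, the data starts with a version number.
            this.KeyId = Guid.Parse(keyName);
            int version = BitConverter.ToInt32(this.RawKeyData, KeyVersionOffset);

            switch (version)
            {
                case 1:
                    this.Type = DPAPIBackupKeyType.LegacyKey;
                    // Cut the version out of the data
                    this.RawKeyData = this.RawKeyData.Cut(KeyVersionSize);
                    break;

                case 2:
                    this.Type = DPAPIBackupKeyType.RSAKey;
                    // Combine the certificate and key into PFX and replace the original decrypted data
                    this.RawKeyData = ConvertRSASecretToPFX(this.RawKeyData);
                    break;

                default:
                    // Previously an unrecognized version left Type at its default enum value.
                    // Mark it explicitly; RawKeyData keeps the untouched blob, version prefix included.
                    this.Type = DPAPIBackupKeyType.Unknown;
                    break;
            }

            break;
    }
}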
/// <summary>
/// Loads credential roaming objects and timestamps.
/// </summary>
/// <param name="dsObject">Directory object whose credential roaming attributes are read.</param>
protected void LoadRoamedCredentials(DirectoryObject dsObject)
{
    try
    {
        dsObject.ReadAttribute(CommonDirectoryAttributes.PKIRoamingTimeStamp, out byte[] roamingTimeStamp);
        if (roamingTimeStamp == null)
        {
            // No roamed credentials on this account, nothing more to do.
            return;
        }

        // The attribute holds two consecutive 8-byte file times: created, then modified.
        long createdFileTime = BitConverter.ToInt64(roamingTimeStamp, 0);
        long modifiedFileTime = BitConverter.ToInt64(roamingTimeStamp, sizeof(long));
        this.RoamedCredentialsCreated = DateTime.FromFileTime(createdFileTime);
        this.RoamedCredentialsModified = DateTime.FromFileTime(modifiedFileTime);

        dsObject.ReadLinkedValues(CommonDirectoryAttributes.PKIDPAPIMasterKeys, out byte[][] masterKeyBlobs);
        dsObject.ReadLinkedValues(CommonDirectoryAttributes.PKIAccountCredentials, out byte[][] credentialBlobs);

        // Master keys and credentials are parsed the same way and end up in one array.
        var parsedCredentials = new List<RoamedCredential>();

        void AddBlobs(byte[][] blobs)
        {
            if (blobs == null)
            {
                return;
            }

            foreach (byte[] blob in blobs)
            {
                parsedCredentials.Add(new RoamedCredential(blob, this.SamAccountName, this.Sid));
            }
        }

        AddBlobs(masterKeyBlobs);
        AddBlobs(credentialBlobs);
        this.RoamedCredentials = parsedCredentials.ToArray();
    }
    catch (SchemaAttributeNotFoundException)
    {
        // These attributes were introduced with Windows Server 2008 and may be missing on older schemas.
    }
}
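/// <summary>
/// Decrypts a DPAPI backup key object and classifies it by the name taken from its DN:
/// a pointer to the preferred key (the decrypted data is a GUID) or an actual key
/// (legacy or RSA, distinguished by the version prefix of the decrypted data).
/// </summary>
/// <param name="dsObject">Directory object whose currentValue attribute holds the encrypted key.</param>
/// <param name="pek">Secret decryptor used to decrypt currentValue.</param>
/// <remarks>
/// Null arguments are rejected by Validator.AssertNotNull. Guid parsing and BitConverter
/// throw their usual exceptions when the decrypted blob is shorter than expected.
/// </remarks>
public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");
    Validator.AssertNotNull(pek, "pek");
    // TODO: Test Object type

    // Decrypt the secret value
    dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out byte[] encryptedSecret);
    this.RawKeyData = pek.DecryptSecret(encryptedSecret);

    // The name part of the DN decides how the decrypted data is interpreted.
    this.DistinguishedName = dsObject.DistinguishedName;
    var keyName = GetSecretNameFromDN(this.DistinguishedName);

    switch (keyName)
    {
        case null:
            // We could not parse the DN, so exit with Unknown as the key type
            this.Type = DPAPIBackupKeyType.Unknown;
            break;

        case PreferredRSAKeyPointerName:
            this.Type = DPAPIBackupKeyType.PreferredRSAKeyPointer;
            // Interpret the raw data as Guid
            this.KeyId = new Guid(this.RawKeyData);
            break;

        case PreferredLegacyKeyPointerName:
            this.Type = DPAPIBackupKeyType.PreferredLegacyKeyPointer;
            // Interpret the raw data as Guid
            this.KeyId = new Guid(this.RawKeyData);
            break;

        default:
            // Actual key: the name is its Guid, the data starts with a version number.
            this.KeyId = Guid.Parse(keyName);
            int version = BitConverter.ToInt32(this.RawKeyData, KeyVersionOffset);

            switch (version)
            {
                case 1:
                    this.Type = DPAPIBackupKeyType.LegacyKey;
                    // Cut the version out of the data
                    this.RawKeyData = this.RawKeyData.Cut(KeyVersionSize);
                    break;

                case 2:
                    this.Type = DPAPIBackupKeyType.RSAKey;
                    // Combine the certificate and key into PFX and replace the original decrypted data
                    this.RawKeyData = ConvertRSASecretToPFX(this.RawKeyData);
                    break;

                default:
                    // Previously an unrecognized version left Type at its default enum value.
                    // Mark it explicitly; RawKeyData keeps the untouched blob, version prefix included.
                    this.Type = DPAPIBackupKeyType.Unknown;
                    break;
            }

            break;
    }
}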
private const uint PVKHeaderKeySpec = 1; // = AT_KEYEXCHANGE

/// <summary>
/// Decrypts the currentValue attribute of a DPAPI backup key object and hands the
/// plaintext, together with the object's DN, to Initialize for interpretation.
/// </summary>
/// <param name="dsObject">Directory object holding the encrypted key material.</param>
/// <param name="pek">Secret decryptor used on the currentValue attribute.</param>
/// <remarks>Null arguments are rejected by Validator.AssertNotNull.</remarks>
public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    Validator.AssertNotNull(dsObject, "dsObject");
    Validator.AssertNotNull(pek, "pek");
    // TODO: Test Object type

    // The key is stored encrypted in currentValue; decrypt it first.
    dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out byte[] encryptedValue);
    byte[] plaintextBlob = pek.DecryptSecret(encryptedValue);

    // Initialize (defined elsewhere) presumably derives the key type and id from the DN and the blob.
    string distinguishedName = dsObject.DistinguishedName;
    this.Initialize(distinguishedName, plaintextBlob);
}
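/// <summary>
/// Builds an account from a directory object: reads its identity and naming attributes and,
/// when a decryptor is supplied, decrypts its password hashes and supplemental credentials.
/// </summary>
/// <param name="dsObject">Directory object representing an account (IsAccount must be true).</param>
/// <param name="pek">Secret decryptor; when null, the encrypted secret attributes are left unread.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="dsObject"/> is not an account.</exception>
/// <remarks>
/// A null <paramref name="dsObject"/> is rejected by Validator.AssertNotNull. Reading
/// userAccountControl, sAMAccountType and primaryGroupID uses Nullable.Value, which throws
/// InvalidOperationException when the attribute has no value.
/// </remarks>
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");

    if (!dsObject.IsAccount)
    {
        // An object of the wrong kind is an argument error; ArgumentException is still
        // catchable as Exception, so existing callers keep working.
        throw new ArgumentException("Not an account.", nameof(dsObject));
    }

    // Identity
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);

    // Naming attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);

    // Security Descriptor
    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);

    // AdminCount (Although the schema defines it as Int32, it can only have values 0 and 1, so we directly convert it to bool)
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);

    // Enabled is derived from the userAccountControl flags.
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? numericUac);
    UserAccountControl uac = (UserAccountControl)numericUac.Value;
    this.Enabled = !uac.HasFlag(UserAccountControl.Disabled);

    // Deleted
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);

    // LastLogon
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);

    // UPN
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);

    // SamAccountName
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);

    // SamAccountType
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? numericAccountType);
    this.SamAccountType = (SamAccountType)numericAccountType.Value;

    // PrimaryGroupId
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? groupId);
    this.PrimaryGroupId = groupId.Value;

    if (pek == null)
    {
        // Do not continue if we do not have a decryption key
        return;
    }

    // The hash decryptors take the account's RID; the RID is only looked up when the attribute has a value.
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out byte[] encryptedNtHash);
    if (encryptedNtHash != null)
    {
        this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out byte[] encryptedLmHash);
    if (encryptedLmHash != null)
    {
        this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out byte[] encryptedNtHashHistory);
    if (encryptedNtHashHistory != null)
    {
        this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out byte[] encryptedLmHashHistory);
    if (encryptedLmHashHistory != null)
    {
        this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
    }

    // Supplemental credentials use the generic DecryptSecret (no RID) and are then parsed.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out byte[] encryptedSupplementalCredentials);
    if (encryptedSupplementalCredentials != null)
    {
        byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
        this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
    }
}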
/// <summary>
/// Copies the account's identity, naming and control attributes from the directory object
/// into this instance. Encrypted secret attributes are not read here.
/// </summary>
/// <param name="dsObject">Directory object the attributes are read from.</param>
/// <remarks>
/// userAccountControl, sAMAccountType and primaryGroupID are read through Nullable.Value,
/// which throws InvalidOperationException when the attribute has no value.
/// </remarks>
protected void LoadAccountInfo(DirectoryObject dsObject)
{
    // Identity taken straight from the object
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);

    // Naming and descriptive attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);

    // Access-control related attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);
    // adminCount is Int32 in the schema but only ever holds 0 or 1, so it is read as bool.
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);
    dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out this.spn);

    // userAccountControl flags
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? rawUac);
    this.UserAccountControl = (UserAccountControl)rawUac.Value;

    // Deletion state, logon data and names
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);

    // sAMAccountType
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? rawAccountType);
    this.SamAccountType = (SamAccountType)rawAccountType.Value;

    // primaryGroupID
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? rawGroupId);
    this.PrimaryGroupId = rawGroupId.Value;
}
/// <summary>
/// Copies the account's identity, naming and control attributes from the directory object
/// into this instance's properties. Encrypted secret attributes are not read here.
/// </summary>
/// <param name="dsObject">Directory object the attributes are read from.</param>
/// <remarks>
/// userAccountControl, sAMAccountType and primaryGroupID are read through Nullable.Value,
/// which throws InvalidOperationException when the attribute has no value.
/// </remarks>
protected void LoadAccountInfo(DirectoryObject dsObject)
{
    // Identity taken straight from the object
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out SecurityIdentifier[] historicalSids);
    this.SidHistory = historicalSids;

    // Naming and descriptive attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out string shownName);
    this.DisplayName = shownName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out string descriptionText);
    this.Description = descriptionText;

    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out string firstName);
    this.GivenName = firstName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out string lastName);
    this.Surname = lastName;

    // Access-control related attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out RawSecurityDescriptor descriptor);
    this.SecurityDescriptor = descriptor;

    // adminCount is Int32 in the schema but only ever holds 0 or 1, so it is read as bool.
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out bool isAdminCountSet);
    this.AdminCount = isAdminCountSet;

    dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out string[] principalNames);
    this.ServicePrincipalName = principalNames;

    // userAccountControl flags
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? rawUac);
    this.UserAccountControl = (UserAccountControl)rawUac.Value;

    // Deletion state and last logon
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out bool deleted);
    this.Deleted = deleted;

    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out DateTime? lastLogonTime);
    this.LastLogon = lastLogonTime;

    // Logon names
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out string principalName);
    this.UserPrincipalName = principalName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out string samName);
    this.SamAccountName = samName;

    // sAMAccountType
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? rawAccountType);
    this.SamAccountType = (SamAccountType)rawAccountType.Value;

    // primaryGroupID
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? rawGroupId);
    this.PrimaryGroupId = rawGroupId.Value;
}
/// <summary>
/// Reads a KDS root key object: format version, originating domain controller, private key
/// material, creation/effective times, and the KDF and secret agreement settings.
/// </summary>
/// <param name="dsObject">Directory object of the root key.</param>
/// <remarks>
/// A null <paramref name="dsObject"/> is rejected by Validator.AssertNotNull. A missing
/// domain controller DN or common name results in the usual NullReferenceException /
/// ArgumentNullException from ToString and Guid.Parse.
/// </remarks>
public KdsRootKey(DirectoryObject dsObject)
{
    Validator.AssertNotNull(dsObject, "dsObject");
    // TODO: Validate object type

    // Key format version
    // TODO: Check that format == 1
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsVersion, out this.version);

    // Domain controller DN, kept as its string form
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsDomainController, out DistinguishedName domainControllerDN);
    this.DomainController = domainControllerDN.ToString();

    // Private key material and its time stamps
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsPrivateKey, out this.privateKey);
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsCreationTime, out this.creationTime);
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsEffectiveTime, out this.effectiveTime);

    // The common name of the object is the key's Guid
    dsObject.ReadAttribute(CommonDirectoryAttributes.CommonName, out string commonName);
    this.KeyId = Guid.Parse(commonName);

    // KDF algorithm and its parameters (only 1 in current implementation)
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsKdfAlgorithm, out this.kdfAlgorithmName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsKdfParameters, out byte[] kdfParameterBlob);
    this.KdfParameters = ParseKdfParameters(kdfParameterBlob);

    // Secret agreement algorithm, its parameters and key lengths
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsSecretAgreementAlgorithm, out this.secretAgreementAlgorithmName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsSecretAgreementParameters, out this.secretAgreementAlgorithmParam);
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsSecretAgreementPrivateKeyLength, out this.privateKeyLength);
    dsObject.ReadAttribute(CommonDirectoryAttributes.KdsSecretAgreementPublicKeyLength, out this.publicKeyLength);
}
/// <summary>
/// Copies the account's identity, naming and control attributes from the directory object
/// into this instance's properties and builds the DOMAIN\name logon name.
/// Encrypted secret attributes are not read here.
/// </summary>
/// <param name="dsObject">Directory object the attributes are read from.</param>
/// <param name="netBIOSDomainName">NetBIOS domain name combined with sAMAccountName into LogonName.</param>
/// <remarks>
/// userAccountControl, sAMAccountType and primaryGroupID are read through Nullable.Value,
/// which throws InvalidOperationException when the attribute has no value.
/// </remarks>
protected void LoadAccountInfo(DirectoryObject dsObject, string netBIOSDomainName)
{
    // Identity taken straight from the object
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out SecurityIdentifier[] historicalSids);
    this.SidHistory = historicalSids;

    // Naming and descriptive attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out string shownName);
    this.DisplayName = shownName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out string descriptionText);
    this.Description = descriptionText;

    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out string firstName);
    this.GivenName = firstName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out string lastName);
    this.Surname = lastName;

    // Access-control related attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out RawSecurityDescriptor descriptor);
    this.SecurityDescriptor = descriptor;

    // adminCount is Int32 in the schema but only ever holds 0 or 1, so it is read as bool.
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out bool isAdminCountSet);
    this.AdminCount = isAdminCountSet;

    dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out string[] principalNames);
    this.ServicePrincipalName = principalNames;

    // userAccountControl flags
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? rawUac);
    this.UserAccountControl = (UserAccountControl)rawUac.Value;

    // Deletion state and logon times
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out bool deleted);
    this.Deleted = deleted;

    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out DateTime? lastLogonTime);
    this.LastLogon = lastLogonTime;

    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogonTimestamp, out DateTime? replicatedLastLogon);
    this.LastLogonTimestamp = replicatedLastLogon;

    // Logon names
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out string principalName);
    this.UserPrincipalName = principalName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out string samName);
    this.SamAccountName = samName;
    this.LogonName = new NTAccount(netBIOSDomainName, samName).Value;

    // sAMAccountType
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? rawAccountType);
    this.SamAccountType = (SamAccountType)rawAccountType.Value;

    // primaryGroupID
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? rawGroupId);
    this.PrimaryGroupId = rawGroupId.Value;

    // msDS-SupportedEncryptionTypes
    // Note: the value is stored as int in the DB, but the documentation says that it is an unsigned int.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupportedEncryptionTypes, out int? rawEncryptionTypes);
    this.SupportedEncryptionTypes = (SupportedEncryptionTypes?)rawEncryptionTypes;
}
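/// <summary>
/// Builds an account from a directory object: reads its identity and naming attributes and,
/// when a decryptor is supplied, decrypts its password hashes and supplemental credentials.
/// </summary>
/// <param name="dsObject">Directory object representing an account (IsAccount must be true).</param>
/// <param name="pek">Secret decryptor; when null, the encrypted secret attributes are left unread.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="dsObject"/> is not an account.</exception>
/// <remarks>
/// A null <paramref name="dsObject"/> is rejected by Validator.AssertNotNull. Reading
/// userAccountControl, sAMAccountType and primaryGroupID uses Nullable.Value, which throws
/// InvalidOperationException when the attribute has no value.
/// </remarks>
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");

    if (!dsObject.IsAccount)
    {
        // An object of the wrong kind is an argument error; ArgumentException is still
        // catchable as Exception, so existing callers keep working.
        throw new ArgumentException("Not an account.", nameof(dsObject));
    }

    // Identity
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);

    // Naming attributes
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);

    // Enabled is derived from the userAccountControl flags.
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? numericUac);
    UserAccountControl uac = (UserAccountControl)numericUac.Value;
    this.Enabled = !uac.HasFlag(UserAccountControl.Disabled);

    // Deleted
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);

    // LastLogon
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);

    // UPN
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);

    // SamAccountName
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);

    // SamAccountType
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? numericAccountType);
    this.SamAccountType = (SamAccountType)numericAccountType.Value;

    // PrimaryGroupId
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? groupId);
    this.PrimaryGroupId = groupId.Value;

    if (pek == null)
    {
        // Do not continue if we do not have a decryption key
        return;
    }

    // The hash decryptors take the account's RID; the RID is only looked up when the attribute has a value.
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out byte[] encryptedNtHash);
    if (encryptedNtHash != null)
    {
        this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out byte[] encryptedLmHash);
    if (encryptedLmHash != null)
    {
        this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out byte[] encryptedNtHashHistory);
    if (encryptedNtHashHistory != null)
    {
        this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out byte[] encryptedLmHashHistory);
    if (encryptedLmHashHistory != null)
    {
        this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
    }

    // Supplemental credentials use the generic DecryptSecret (no RID) and are then parsed.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out byte[] encryptedSupplementalCredentials);
    if (encryptedSupplementalCredentials != null)
    {
        byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
        this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
    }
}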