Windows Event ID 1029 Hashes

While reviewing Windows RDP event logs for the RDP project, I noticed one in particular. Windows Event ID 1029 can be found under Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx. This event is created on the computer initiating the connection, and contains a hash of the username being used. (update 7/2022) I also collaborated with 13Cubed for an explanation of this event ID as well. You can watch that episode here or the embedded video at the bottom:

The description of this particular event is Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

So, if you're performing some analysis and want to know the username used, you'll need to be able to "crack" this hash. What should have been a strightforward exercise using sha256sum and base64 in linux turned out to be a little more complicated thanks to Microsoft's bss-ackwards way of encoding things in UTF16 Little-Endian. I also missed that the sha256 sum is binary, rather than hex encoded.

Thankfully, /u/Belgarion0 and /u/RedPh0enix on Reddit were there to help out and give me the above answers. They deserve all the credit for figuring out how to put the hash together. In summary, it would be more appropriately written out as: Base64(SHA256binary(UTF-16LE(UserName)).

You can use the following Python snippit to calculate the hash for a single user:

import hashlib,base64
username = "Administrator"
username = username.decode('utf-8').encode('utf-16le')
hash = hashlib.sha256(username).digest() # note NOT .hexdigest()
print base64.b64encode(hash)

I also created a short script that can take a wordlist of usernames and find the matching hash.

And lastly, here's a CyberChef receipy (some of the characters break the link, copy and paste it):'UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA2('256',64,160)From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')&input=QWRtaW5pc3RyYXRvcg