python impacket/examples/secretsdump.py -system ~/repo/ntds_reference/2016/system -ntds ~/repo/ntds_reference/2016/ntds.dit LOCAL -history -out impacket.txt
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x10b9ade41767b01d8016a67274ad1a58
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 700d62ed7d5e195ed60a44f27a6f1f1d
[*] Reading and decrypting hashes from /Users/c_sto/repo/ntds_reference/2016/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:986ced7b028e25984c4e2ad171d9ded5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-K97I9JS0MQ0$:1000:aad3b435b51404eeaad3b435b51404ee:1abb49fcab0cb1a491850c2348eac619:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be0aa069cf8f5de187f72a4cb7bbd926:::
PEK INDEX 1300000000000000
ENC HASH 08bd4facdc6b5c598328b5c1a91adab3ae5d0dfc795b9fc327fb13df14beef76
Key Material d8289f5f1fa1a0022929ccdf2f36bdc5
output bb6e10b4b7175c52de3cf7ec8a5634eb10101010101010101010101010101010
krbtgt_history0:502:aad3b435b51404eeaad3b435b51404ee:b5ca59b606a13445af2043409d2c0086:::
camtest123:1103:aad3b435b51404eeaad3b435b51404ee:766b62d3db023f90443469d86393ca66:::
PEK INDEX 1300000000000000
ENC HASH d5c5ee16a622a306285e4a682d561e9d61f9a38abe17c826cbfca74a4f3465ffa3d4415236569af536722a77ffa41d8afb33870b3a4dc9ee73b8005318592b28cb2376e768e4edc2838351cb6a1dacf8
Key Material 76466c1dcd403c87f28448ea1c71c9f8
output 1be07dd91906f8cc0df3c7fb9d7a93c4ca1dc5395ae54fae99ff715b9cf7a97b29c5190c4b31aeeb46acb5d21472284bf7b2559c558003bd82437bc65d4f058810101010101010101010101010101010
camtest123_history0:1103:aad3b435b51404eeaad3b435b51404ee:c9ab9d08cc7da5a55d8a82d869e01ea8:::
camtest123_history1:1103:aad3b435b51404eeaad3b435b51404ee:02151f5a54ba5a016ee42da5de832457:::
camtest123_history2:1103:aad3b435b51404eeaad3b435b51404ee:c8f55e0c6d01af1f57ee3493e87a59f5:::
camtest123_history3:1103:aad3b435b51404eeaad3b435b51404ee:c63407eac237a49a7e559f453cc6a4df:::
[*] Kerberos keys from /Users/c_sto/repo/ntds_reference/2016/ntds.dit
WIN-K97I9JS0MQ0$:aes256-cts-hmac-sha1-96:eb17251816833c6aa41adfbcc3e561a8c4ac09cd8432d1f699404091eba0e242
WIN-K97I9JS0MQ0$:aes128-cts-hmac-sha1-96:447a4bffe6c5be6337fabdffaf2775ec
WIN-K97I9JS0MQ0$:des-cbc-md5:e6b5a2ec6b944052
krbtgt:aes256-cts-hmac-sha1-96:3d8ecf6154bf3a6296096cc72b257ea64d490e48da22352cd7cd95dfbb1ac06b
krbtgt:aes128-cts-hmac-sha1-96:1b7702abe2cd8d78e3fa4d1466e91a71
krbtgt:des-cbc-md5:4fd5e0e398621608
camtest123:aes256-cts-hmac-sha1-96:f773fe8693823158418b711ce935ec6222f81cbe8f6705faa41c7a0993b2dc98
camtest123:aes128-cts-hmac-sha1-96:7d38a681c4047ceaa265b52ec725880f
camtest123:des-cbc-md5:ce673886a1019d1c
[*] Cleaning up...
Configuration
impacket version: Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation
Python version:
Target OS: Win 2016
NOTE: Secretsdump.py was modified to output some of the values (example below). The tl;dr of the output is to visualise the pre-DES (but post AES) value:
https://github.com/SecureAuthCorp/impacket/blob/96c7a5124f26666a1d55b7c282cb944cd1672663/impacket/examples/secretsdump.py#L2141-L2152
->
Debug Output With Command String
Using the 2016 .dit as reference:
https://github.com/C-Sto/ntds_reference
python impacket/examples/secretsdump.py -system ~/repo/ntds_reference/2016/system -ntds ~/repo/ntds_reference/2016/ntds.dit LOCAL -history -out impacket.txt
PCAP
N/A
Additional context
We can see in the 'output' line for history values, there appears to be a final block value of 10101010101010101010101010101010. This is probably an initialisation value, and realistically passing this to the DES decrypt function will result in garbage that isn't a real hash that was ever relevant in the environment. It makes sense to keep it, but it may be worth marking it as invalid.
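An added example (not part of the original issue and not impacket's code): it splits the 'output' buffers quoted in the debug lines into 16-byte blocks and marks the trailing block instead of treating it as a hash. It assumes the run of 0x10 bytes is PKCS#7 padding left over from the AES step; the function names are hypothetical.

```python
BLOCK = 16  # one pre-DES hash block, and also the AES block size

# 'output' values copied from the debug lines in the issue (krbtgt, camtest123).
KRBTGT_OUTPUT = (
    "bb6e10b4b7175c52de3cf7ec8a5634eb"
    "10101010101010101010101010101010"
)
CAMTEST_OUTPUT = (
    "1be07dd91906f8cc0df3c7fb9d7a93c4"
    "ca1dc5395ae54fae99ff715b9cf7a97b"
    "29c5190c4b31aeeb46acb5d21472284b"
    "f7b2559c558003bd82437bc65d4f0588"
    "10101010101010101010101010101010"
)


def pkcs7_pad_len(buf: bytes) -> int:
    """Return the PKCS#7 padding length of buf, or 0 if the tail is not valid padding."""
    if not buf or len(buf) % BLOCK:
        return 0
    n = buf[-1]
    if 1 <= n <= BLOCK and buf.endswith(bytes([n]) * n):
        return n
    return 0


def classify_history(output_hex: str):
    """Split a post-AES history buffer into blocks and tag each one.

    Returns (index, block_hex, status) tuples. A block that lies wholly inside
    the data is "hash"; a block that overlaps the padding is "padding" and
    should not be handed to the DES step or reported as a history entry.
    """
    buf = bytes.fromhex(output_hex)
    data_len = len(buf) - pkcs7_pad_len(buf)  # assumption: tail is PKCS#7 padding
    entries = []
    for off in range(0, len(buf), BLOCK):
        status = "hash" if off + BLOCK <= data_len else "padding"
        entries.append((off // BLOCK, buf[off:off + BLOCK].hex(), status))
    return entries


if __name__ == "__main__":
    for name, out in (("krbtgt", KRBTGT_OUTPUT), ("camtest123", CAMTEST_OUTPUT)):
        for idx, block, status in classify_history(out):
            print(f"{name} block {idx}: {block} [{status}]")
```
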