演示还原NT平台上拨号连接的密码
2012-02-05 16:45
/*
 * Demonstrates recovering the stored password of a dial-up (RAS) connection
 * on the NT platform. Runs on Windows 2000 / XP / 2003.
 * Technique derived from an analysis of dialupass v2.42.
 * eyas at xfocus.org
 * http://www.xfocus.net
 * 2004-10-01
 * FileName: x_dialupass.c
 *
 * How it works (as visible in the code below):
 *   1. Build the string SID of the current user.
 *   2. Read the LSA private-data (secret) named "RasDialParams!<SID>#0",
 *      which holds the per-user dial-up parameters, and convert it to a
 *      narrow byte blob in the global `private_data`.
 *   3. For every RAS phonebook entry, look up its "DialParamsUID" in
 *      rasphone.pbk (all-users profile first, then the user profile) and
 *      locate that UID, then the user name, inside the blob; the password
 *      is the NUL-terminated string that follows the user name.
 *
 * NOTE(review): the program reads an LSA secret and prints plaintext
 * credentials to stdout; the decoded blob stays in a global that is never
 * zeroized. Return values of most Win32/LSA calls are not checked, and the
 * memory-safety issues are flagged inline where they occur.
 */
#define WINVER 0x500
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <stdio.h>
#include <ras.h>
#include <raserror.h>
#include <Ntsecapi.h>
#include <Userenv.h>
#include <Sddl.h>
#pragma comment(lib,"Rasapi32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"UserEnv.lib")

// Narrow copy of the LSA secret, filled by main() via WideCharToMultiByte.
// It contains embedded NUL bytes; get_real_pass() relies on them as
// string delimiters.
unsigned char private_data[0x500];
// Number of bytes of private_data that were written (the return value of
// WideCharToMultiByte).
int data_len;

/*
 * Search the decoded secret blob for the record of one phonebook entry.
 *
 * user            - user name of the entry (NUL-terminated, from RASDIALPARAMS)
 * dwDialParamsUID - the entry's DialParamsUID read from rasphone.pbk
 *
 * Returns a pointer into private_data just past the NUL that terminates the
 * first occurrence of `user` found after the decimal string of the UID, i.e.
 * the stored password, or NULL when either string is not found.
 *
 * NOTE(review): strcmp() is applied at every byte offset up to data_len and
 * assumes a NUL terminator exists before the end of private_data; when
 * data_len == sizeof(private_data) and the last byte is not NUL, strcmp()
 * reads past the array. The returned pointer has the same problem: nothing
 * guarantees a NUL before the buffer end when the caller prints it with %s.
 * "%d" with a DWORD argument is a format/type mismatch (harmless on Win32
 * where both are 32-bit; "%lu" would match).
 */
unsigned char * get_real_pass(unsigned char *user, DWORD dwDialParamsUID)
{
    int i, j;
    unsigned char *p, szDialParamsUID[52], *pass=NULL;

    // The blob stores the UID as its decimal text, so compare textually.
    _snprintf(szDialParamsUID, sizeof(szDialParamsUID), "%d", dwDialParamsUID);
    p = private_data;
    for(i=0;i<data_len;i++)
    {
        // Outer scan: find the UID string; only the first match is used.
        if(strcmp(&p[i], szDialParamsUID) == 0 )
        {
            // Inner scan: from the UID onwards, find the user name string.
            for(j=i;j<data_len;j++)
            {
                if(strcmp(&p[j], user) == 0 )
                {
                    // Password is the string immediately following the user name.
                    pass = p + j + strlen(user) + 1;
                    break;
                }
            }
            break;
        }
    }
    return pass;
}

/*
 * Entry point. Resolves the current user's SID, reads the
 * "RasDialParams!<SID>#0" LSA secret, then enumerates phonebook entries and
 * prints EntryName / UserName / PassWord for each.
 *
 * NOTE(review): `void main()` is non-standard C; `int main(void)` is the
 * portable form. Almost no return values are checked below; each unchecked
 * call is annotated where it matters for memory safety.
 */
void main()
{
    LPRASENTRYNAME lpRasEntryName;
    LPRASDIALPARAMS lpRasDialParams;
    DWORD cb, nRet, i, cEntries;
    BOOL b;
    char szPhoneBook1[512], szPhoneBook2[512], szUserName[128], szDomainName[128];
    DWORD dwSize, dwDialParamsUID, dwTmp;
    PSID pSid = NULL;
    SID_NAME_USE peUse;
    LSA_OBJECT_ATTRIBUTES lsa_object_attr;
    LSA_HANDLE lsa_handle;
    PLSA_UNICODE_STRING plsa_private_data;
    LSA_UNICODE_STRING lsa_keyname;
    NTSTATUS status;
    int ret;
    unsigned char *pass;
    WCHAR *sid;

    printf("dialup password recover tool for win 2k/xp/2003\n"
           "code by eyas at xfocus.org\n"
           "http://www.xfocus.net\n"
           "2004-10-01\n\n");

    //get current user's string sid
    dwSize = sizeof(szUserName);
    // NOTE(review): return value unchecked; on failure szUserName is
    // uninitialized when passed to LookupAccountName.
    GetUserName(szUserName, &dwSize);
    dwSize = 0;
    dwTmp = sizeof(szDomainName);
    // First call with a NULL SID buffer only to learn the required size.
    LookupAccountName(NULL, szUserName, pSid, &dwSize, szDomainName, &dwTmp, &peUse);
    if(!dwSize)
    {
        printf("[-] LookupAccountName failed.\n");
        return;
    }
    // NOTE(review): malloc and the second LookupAccountName are unchecked;
    // pSid is never freed.
    pSid = (PSID)malloc(dwSize);
    LookupAccountName(NULL, szUserName, pSid, &dwSize, szDomainName, &dwTmp, &peUse);
    // NOTE(review): unchecked; `sid` is allocated by the API and is never
    // released (LocalFree).
    ConvertSidToStringSidW(pSid, &sid);

    memset(&lsa_object_attr, 0, sizeof(lsa_object_attr));
    lsa_object_attr.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
    // NOTE(review): 0x800 is a raw policy access mask; it should be spelled
    // with the matching POLICY_* constant, and the NTSTATUS is not checked,
    // so a failed open yields an uninitialized lsa_handle below.
    LsaOpenPolicy(0, &lsa_object_attr, 0x800, &lsa_handle);

    // NOTE(review): LsaRetrievePrivateData allocates its own output string
    // and stores the pointer in *PrivateData (freed with LsaFreeMemory), so
    // this pre-allocated struct and its 0x500-byte buffer are overwritten
    // and leaked; the Length/MaximumLength assignments have no effect.
    plsa_private_data = (PLSA_UNICODE_STRING)malloc(sizeof(LSA_UNICODE_STRING));
    plsa_private_data->Length = 0x500;
    plsa_private_data->MaximumLength = 0x500;
    plsa_private_data->Buffer = (PWSTR)malloc(0x500);

    // Secret name is "RasDialParams!" + <string SID> + "#0".
    // NOTE(review): 0x200 bytes = 256 WCHARs; wcscpy/wcscat are unbounded,
    // so the only protection is that string SIDs are short in practice.
    lsa_keyname.MaximumLength = 0x200;
    lsa_keyname.Buffer = (PWSTR)malloc(0x200);
    wcscpy(lsa_keyname.Buffer,L"RasDialParams!");
    wcscat(lsa_keyname.Buffer, sid);
    wcscat(lsa_keyname.Buffer, L"#0");
    // UNICODE_STRING Length is a byte count, hence the * 2.
    lsa_keyname.Length = wcslen(lsa_keyname.Buffer) * 2;

    //get current user's dialup info
    status = LsaRetrievePrivateData(lsa_handle, &lsa_keyname, &plsa_private_data);
    LsaClose(lsa_handle);
    if(status != 0)
    {
        // NOTE(review): LsaNtStatusToWinError returns ULONG; "%d" mismatches.
        printf("[-] LsaRetrievePrivateData failed: %d\n", LsaNtStatusToWinError(status));
        return;
    }

    // Convert the UTF-16 secret to a narrow byte blob for the scanner.
    // NOTE(review): the cchWideChar argument is given plsa_private_data->Length,
    // which is a byte count, so the call asks for twice as many wide characters
    // as the secret holds -> over-read of the LSA buffer. With an explicit
    // length the output is not NUL-terminated, and if it fills all 0x500
    // bytes get_real_pass() can run past private_data.
    ret = WideCharToMultiByte(0, 0, plsa_private_data->Buffer, plsa_private_data->Length, private_data, sizeof(private_data), 0, 0);
    if(ret == 0)
    {
        printf("[-] WideCharToMultiByte failed:%d\n", GetLastError());
        return;
    }
    data_len = ret;

    //get phone book name
    // Leave 200 bytes of slack for the fixed suffix appended below.
    // NOTE(review): if either variable is unset the call returns 0 without
    // writing the buffer, and strcat then runs on an uninitialized array.
    GetEnvironmentVariable("ALLUSERSPROFILE", szPhoneBook1, sizeof(szPhoneBook1)-200);
    GetEnvironmentVariable("USERPROFILE", szPhoneBook2, sizeof(szPhoneBook2)-200);
    strcat(szPhoneBook1, "\\Application Data\\Microsoft\\Network" "\\Connections\\pbk\\rasphone.pbk");
    strcat(szPhoneBook2, "\\Application Data\\Microsoft\\Network" "\\Connections\\pbk\\rasphone.pbk");

    // Size-probe the phonebook entry list, then enumerate for real.
    // NOTE(review): GlobalAlloc results are unchecked, the first buffer is
    // leaked when a larger one is needed, and neither is ever freed.
    lpRasEntryName = (LPRASENTRYNAME)GlobalAlloc(GPTR, sizeof(RASENTRYNAME));
    lpRasEntryName->dwSize = sizeof(RASENTRYNAME);
    cb = sizeof(RASENTRYNAME);
    if ((nRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &cb, &cEntries)) == ERROR_BUFFER_TOO_SMALL)
    {
        lpRasEntryName = (LPRASENTRYNAME)GlobalAlloc(GPTR, cb);
        lpRasEntryName->dwSize = sizeof(RASENTRYNAME);
    }
    // Calling RasEnumEntries to enumerate the phone-book entries
    nRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &cb, &cEntries);
    if (nRet != ERROR_SUCCESS)
    {
        printf("[-] RasEnumEntries failed: Error %d\n", nRet);
        return;
    }
    for(i=0;i < cEntries;i++)
    {
        // NOTE(review): malloc unchecked and not zeroed; RasGetEntryDialParams'
        // return is ignored, so on failure szUserName is uninitialized when
        // it is passed to get_real_pass() and printed.
        lpRasDialParams = malloc(sizeof(RASDIALPARAMS));
        strcpy(lpRasDialParams->szEntryName, lpRasEntryName->szEntryName);
        lpRasDialParams->dwSize = sizeof(RASDIALPARAMS);
        RasGetEntryDialParams(0, lpRasDialParams, &b);
        // UID lives in the [EntryName] section of rasphone.pbk; try the
        // all-users phonebook first, then the per-user one.
        dwDialParamsUID = GetPrivateProfileInt(lpRasEntryName->szEntryName, "DialParamsUID", 0, szPhoneBook1);
        if(dwDialParamsUID == 0)
        {
            dwDialParamsUID = GetPrivateProfileInt(lpRasEntryName->szEntryName, "DialParamsUID", 0, szPhoneBook2);
            if(dwDialParamsUID == 0)
            {
                // NOTE(review): returning here abandons the remaining entries
                // and leaks lpRasDialParams.
                printf("[-] Can't get DialParamsUID from PhoneBook.\n");
                return;
            }
        }
        // NOTE(review): pass may be NULL; passing NULL to "%s" is undefined
        // behaviour (the MSVC CRT happens to print "(null)").
        pass = get_real_pass(lpRasDialParams->szUserName, dwDialParamsUID);
        printf( "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"
                "EntryName : %s\n"
                "UserName : %s\n"
                "PassWord : %s\n\n",
                lpRasEntryName->szEntryName, lpRasDialParams->szUserName, pass);
        free(lpRasDialParams);
        // Advance through the array of RASENTRYNAME returned by RasEnumEntries;
        // the original base pointer is lost, so the block cannot be freed.
        lpRasEntryName++;
    }
}