
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* windows.h must precede lm.h */
#include <windows.h>
#include <lm.h>
  5.  
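/*
 * find_user - list the users logged on to one or more Windows hosts.
 *
 * For each host the tool opens an authenticated session with
 * WNetAddConnection2A and then walks the level-1 records returned by
 * NetWkstaUserEnum, printing "<server>\t\t<domain>\<user>" for every
 * account whose name does not contain '$' (the original heuristic for
 * hiding machine accounts).
 *
 *   find_user <username> <password> <server_name_or_ip>
 *   find_user <username> <password> -f <server_list_file>
 *
 * Link with netapi32.lib (NetWkstaUserEnum, NetApiBufferFree) and
 * mpr.lib (WNetAddConnection2A, WNetCancelConnection2A).
 *
 * NetWkstaUserEnum requires membership of the target's local Administrators
 * group (MSDN remark kept from the original), and every probe authenticates
 * to the target, so each run is expected to show up in the target's
 * logon/session audit trail. The password comes from argv and is visible to
 * anything on the local machine that can read command lines; the interface
 * is kept unchanged for compatibility.
 */

enum {
    SERVER_NAME_MAX = 100,  /* capacity of the "\\host" buffers, as in the original */
    LIST_LINE_MAX   = 256   /* one line of the -f server list (longer lines are split) */
};

static const char usage_text[] =
    "Find User usage: \n\nfind_user <username> <password> [<server_name_or_ip> | -f <server_list_file>]\n";

/*
 * Connect to one host and print the users logged on to it.
 *
 * display_name: the host name exactly as the user gave it (echoed in output).
 * username, password: credentials handed to WNetAddConnection2A.
 *
 * Errors are reported on stderr in the original "<server>\t\tError: N" form.
 * A failed WNetAddConnection2A is only a warning: the enumeration may still
 * succeed with the caller's existing credentials, which is what the original
 * (which never checked that call) effectively relied on.
 */
static void enumerate_server(const char *display_name, const char *username, const char *password)
{
    char ascii_server_name[SERVER_NAME_MAX];
    wchar_t wide_server_name[SERVER_NAME_MAX];
    NETRESOURCEA nr = {0};          /* zero the fields WNetAddConnection2A ignores too */
    LPWKSTA_USER_INFO_1 pBuf = NULL;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    DWORD dwResumeHandle = 0;       /* fresh per host: must be 0 on the first call */
    DWORD dwConnStatus;
    NET_API_STATUS nStatus;
    BOOL bConnected;
    size_t name_len = strlen(display_name);

    /* Build the UNC form "\\host": 2 prefix bytes + name + NUL must fit. */
    if (name_len + 2 >= sizeof ascii_server_name) {
        fprintf(stderr, "%s\t\tError: server name too long\n", display_name);
        return;
    }
    memcpy(ascii_server_name, "\\\\", 2);
    memcpy(ascii_server_name + 2, display_name, name_len + 1);

    if (mbstowcs(wide_server_name, ascii_server_name,
                 sizeof wide_server_name / sizeof wide_server_name[0]) == (size_t)-1) {
        fprintf(stderr, "%s\t\tError: server name is not a valid multibyte string\n", display_name);
        return;
    }

    nr.dwType       = RESOURCETYPE_DISK;
    nr.lpLocalName  = NULL;         /* no drive letter: an implicit "\\host" connection */
    nr.lpProvider   = NULL;
    nr.lpRemoteName = ascii_server_name;
    dwConnStatus = WNetAddConnection2A(&nr, password, username, 0);
    bConnected = (dwConnStatus == NO_ERROR);
    if (!bConnected) {
        fprintf(stderr, "%s\t\tWarning: WNetAddConnection2 failed (%lu), trying anyway\n",
                display_name, (unsigned long)dwConnStatus);
    }

    /* Keep calling while the API reports more entries than fit in one buffer. */
    do {
        nStatus = NetWkstaUserEnum(wide_server_name,
                                   1,                   /* WKSTA_USER_INFO_1 */
                                   (LPBYTE *)&pBuf,
                                   MAX_PREFERRED_LENGTH,
                                   &dwEntriesRead,
                                   &dwTotalEntries,
                                   &dwResumeHandle);
        if (nStatus == NERR_Success || nStatus == ERROR_MORE_DATA) {
            if (pBuf != NULL) {
                LPWKSTA_USER_INFO_1 entry = pBuf;
                DWORD i;
                for (i = 0; i < dwEntriesRead; i++, entry++) {
                    /* Skip names containing '$' (machine accounts), as the original did. */
                    if (entry->wkui1_username != NULL &&
                        wcschr(entry->wkui1_username, L'$') == NULL) {
                        /* %ls keeps stdout byte-oriented; the original mixed printf and wprintf
                         * on the same stream, which C leaves undefined. */
                        printf("%s\t\t%ls\\%ls\n", display_name,
                               entry->wkui1_logon_domain ? entry->wkui1_logon_domain : L"",
                               entry->wkui1_username);
                    }
                }
            }
        } else {
            /* NET_API_STATUS is a DWORD; the original printed it with %d. */
            fprintf(stderr, "%s\t\tError: %lu\n", display_name, (unsigned long)nStatus);
        }
        if (pBuf != NULL) {
            NetApiBufferFree(pBuf);
            pBuf = NULL;
        }
    } while (nStatus == ERROR_MORE_DATA);

    /* Release only the session this call opened; the original left it dangling. */
    if (bConnected) {
        WNetCancelConnection2A(ascii_server_name, 0, FALSE);
    }
}

/*
 * Entry point: parse <username> <password> and either one host or
 * "-f <file>", print the banner, and enumerate each host in turn.
 * Exit status is 1 on a usage error or an unreadable list file, else 0
 * (per-host failures are reported on stderr, as in the original).
 */
int main(int argc, char *argv[])
{
    const char *username;
    const char *password;
    BOOL bFileMode = FALSE;

    if (argc < 4) {
        fprintf(stderr, "%s", usage_text);
        exit(1);
    }
    if (stricmp(argv[3], "-f") == 0) {
        /* The original probed a host literally named "-f" when the file was missing. */
        if (argc != 5) {
            fprintf(stderr, "%s", usage_text);
            exit(1);
        }
        bFileMode = TRUE;
    }
    username = argv[1];
    password = argv[2];

    printf("[*] Scanning for logged on users...\n\n");
    printf("Server Name\t\tUsername\n");
    printf("------------------------------------------------------\n");

    if (bFileMode) {
        FILE *fp = fopen(argv[4], "r");
        char file_line[LIST_LINE_MAX];

        /* The original passed a NULL FILE* straight into fgets. */
        if (fp == NULL) {
            fprintf(stderr, "Cannot open server list file %s\n", argv[4]);
            return 1;
        }
        while (fgets(file_line, sizeof file_line, fp) != NULL) {
            /* First whitespace-delimited token, as sscanf("%s") did; blank lines are
             * skipped instead of re-probing the previous host with a stale buffer. */
            char *name = file_line + strspn(file_line, " \t\r\n");
            name[strcspn(name, " \t\r\n")] = '\0';
            if (*name == '\0') {
                continue;
            }
            enumerate_server(name, username, password);
        }
        fclose(fp);
    } else {
        enumerate_server(argv[3], username, password);
    }

    return 0;
}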