Solved

WNetGetCachedPassword : Specs!? ..

Posted on 1999-01-20
Last Modified: 2010-04-06
How can I call this Hidden Function from MPR.DLL
WNetGetCachedPassword...
Can someone give me the Code to call this function!??
Thanx...
Question by:Loster
 
LVL 20

Expert Comment

by:Madshi
ID: 1362575
Perhaps you mean WNetEnumCachedPasswords? Here are some Delphi4 sources for that API. Hope it helps...

type TPasswordCacheEntry  = packed record
                              entry       : word;   // size of this entry, in bytes
                              resourceLen : word;   // size of resource name, in bytes
                              passwordLen : word;   // size of password, in bytes
                              entryIndex  : byte;   // entry index
                              entryType   : byte;   // type of entry
                              resource    : array [0..$FFFFFFF] of char;
                                                    // start of resource name
                                                    // password immediately follows resource name
                            end;
     TPPasswordCacheEntry = ^TPasswordCacheEntry;

     // Not shown in the original post; inferred from how the callback below uses it
     TCachedPassword      = record
                              resource, password : string;
                            end;
     TCachedPasswordList  = array of TCachedPassword;

function EnumPasswordCallbackProc(pce: TPPasswordCacheEntry; lParam: cardinal) : LongBool; stdcall;
var i1   : integer;
    ppcl : ^TCachedPasswordList;
begin
  result:=true;
  ppcl:=pointer(lParam);
  i1:=length(ppcl^);
  SetLength(ppcl^,i1+1);
  SetLength(ppcl^[i1].resource,pce^.resourceLen);
  Move(pce^.resource[0],pointer(ppcl^[i1].resource)^,pce^.resourceLen);
  ppcl^[i1].resource:=pchar(ppcl^[i1].resource);
  SetLength(ppcl^[i1].password,pce^.passwordLen);
  Move(pce^.resource[pce^.resourceLen],pointer(ppcl^[i1].password)^,pce^.passwordLen);
  ppcl^[i1].password:=pchar(ppcl^[i1].password);
end;

var WNetEnumCachedPasswords : function (ps: pchar; pw: word; pb: byte; proc: pointer; lParam: cardinal) : word; stdcall
                              = nil;
    mpr                     : cardinal = 0;

function GetCachedPasswords : TCachedPasswordList;
begin
  result:=nil;
  if mpr=0 then begin
    mpr:=LoadLibrary('mpr');
    if mpr=0 then exit;
  end;
  if @WNetEnumCachedPasswords=nil then begin
    WNetEnumCachedPasswords:=GetProcAddress(mpr,'WNetEnumCachedPasswords');
    if @WNetEnumCachedPasswords=nil then exit;
  end;
  WNetEnumCachedPasswords(nil,0,$FF,@EnumPasswordCallbackProc,cardinal(@result));
end;

initialization
finalization
  if mpr<>0 then FreeLibrary(mpr);
end.

Regards, Madshi.
0
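Added example, not part of the original thread or Madshi's code: the callback above copies resourceLen and passwordLen bytes without comparing them to the entry size, so this C code reads the same record layout with every length checked before use. The names pce_view, pce_parse and rd16 and the sample bytes are constructed for illustration, and it assumes the entry field counts the 8 header bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header per the record in the post: entry, resourceLen, passwordLen (16-bit,
   little-endian), entryIndex, entryType; resource and password bytes follow.
   Assumption: "entry" counts the 8 header bytes as well as the payload. */
#define PCE_HEADER_LEN 8u

typedef struct {
    const uint8_t *resource; size_t resource_len;
    const uint8_t *secret;   size_t secret_len;
    uint8_t index, type;
} pce_view;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 and fills *out only if every length stays inside buf[0..avail).
   Returns -1 otherwise. Nothing is copied, so no destination can overflow. */
int pce_parse(const uint8_t *buf, size_t avail, pce_view *out)
{
    if (!buf || !out || avail < PCE_HEADER_LEN) return -1;
    size_t entry = rd16(buf), rlen = rd16(buf + 2), plen = rd16(buf + 4);
    if (entry < PCE_HEADER_LEN || entry > avail) return -1;
    if (rlen > entry - PCE_HEADER_LEN) return -1;
    if (plen > entry - PCE_HEADER_LEN - rlen) return -1;
    out->index = buf[6];
    out->type = buf[7];
    out->resource = buf + PCE_HEADER_LEN;
    out->resource_len = rlen;
    out->secret = out->resource + rlen;
    out->secret_len = plen;
    return 0;
}

/* Constructed sample: 16-byte entry, 4-byte resource, 4-byte secret, type 8. */
static const uint8_t PCE_SAMPLE[16] = {
    16, 0, 4, 0, 4, 0, 0, 8, 'H', 'O', 'S', 'T', 'x', 'x', 'x', 'x' };
/* Constructed malformed entry: passwordLen claims 200 bytes in a 16-byte entry. */
static const uint8_t PCE_BAD[16] = {
    16, 0, 4, 0, 200, 0, 0, 8, 'H', 'O', 'S', 'T', 'x', 'x', 'x', 'x' };

int main(void)
{
    pce_view v;
    printf("sample=%d malformed=%d\n", pce_parse(PCE_SAMPLE, sizeof PCE_SAMPLE, &v),
           pce_parse(PCE_BAD, sizeof PCE_BAD, &v));
    return 0;
}
```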
 

Author Comment

by:Loster
ID: 1362576
Hmmm.. A bit Complicated hehe... (Btw I'm using Delphi2 )

Okay well I heard about WNetGetCachedPassword Hidden API
function Only... The problem is that I just don't know how to Take
it from the MPR.DLL ..

The only information that I have is:

WORD
WNetGetCachedPassword(pbResource, cbResource, pbPassword, pcbPassword, nType)

LPSTR pbResource; // name of workgroup, computer, or resource
WORD cbResource; // size of name, in bytes
LPSTR pbPassword; // buffer to receive password
LPWORD pcbPassword; // receives size of password, in bytes
BYTE nType; // type of password to retrieve

.. So I supposed to Call this Function as this:
Function WNetGetCachedPassword(pbResource:PAnsiChar; cbResource:WORD;
       Var PbPassword:PAnsiChar; Var pcbPassword:Word;nType:Byte):Word; stdcall;

But when I call WNetGetCachedPassword from Delphi, It just
Hang...  
Hehe, That's my first time Calling Windows API from Dlls,
so I based this on the WINDOWS unit Source ...

 I'll Try what you Wrote, But I'm not sure I will understand
something hehe...

0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362577
Hmm. My code won't work with Delphi2, because I'm using arrays with dynamic length (I really love them...).

I think, there's one error in your sources. The pbPassword string must not be a VAR string. If it would be this way, it would have been a ppbPassword variable from the type PLPSTR.

Try this one:

function WNetGetCachedPassword(pbResource: pchar; cbResource: word; pbPassword: pchar; var pcbPassword: word; nType: byte) : word; stdcall; external 'mpr.dll' name 'WNetGetCachedPassword';

Perhaps that works.

Regards, Madshi.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362578
P.S: Of course you'll have to allocate pbPassword before calling the function...
0
 

Author Comment

by:Loster
ID: 1362579
.. What do you mean by: You must Allocate PbPassword ...

!?..


0
 

Author Comment

by:Loster
ID: 1362580
.. I mean, HOW do I allocate this.....
(- Sorry I learned to program by myself so I'm not familiar with
   Allocating Variables -)

0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362581
>> LPSTR pbPassword; // buffer to receive password
>> LPWORD pcbPassword; // receives size of password, in bytes

pbPassword is the "buffer to receive password". That means, you have to give the Windows function a pointer to a buffer, to which the Windows function can copy the password characters. And I guess, you'll have to give the size of the buffer (you allocated) into "pcbPassword". When you return from the Windows call, Windows will have written the size of the buffer it has used in "pcbPassword" again.

Do this:

var pc : pchar;
    w1 : word;
begin
  pc:=AllocMem(100); w1:=100;  // now give "pc" and "w1" into the WNetXXX function
  try
  finally FreeMem(pc) end;  // Never forget to free allocated buffers...
end;

Or use this:

var s1 : string;
    w1 : word;
begin
  SetLength(s1,100); w1:=100;
  // Now call WNetXXX with "pchar(s1)" and "w1"
  // When using Delphi strings, you don't need to care about deallocation, Delphi does that for you...
  SetLength(s1,w1);  // Set the string length...
  // Now you can use "s1"
end;

Regards, Madshi.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362582
Hmm. In my first example you can use "pc" between "try" and "finally" of course...

Am going to sleep now. Will come back in 10 hours...  :-)
0
 

Author Comment

by:Loster
ID: 1362583
Ahhhh Oki!!! ..
Well... Okay I understand..

But now, what I don't understand is the Fact that the Pbpassword
doesn't contain the VAR statement.. Will the Function return
PbPassword in s1 !? ? ..

Look at my Code, I want to be sure I got it .. ;)

Function WNetGetCachedPassword(pbResource: pchar; cbResource: word;
         pbPassword: pchar; var pcbPassword: word; nType: byte) : word; stdcall; external 'mpr.dll' name 'WNetGetCachedPassword';
{ ----------------------------------------------------------- }

Var  s1        : String;
       w1,Test: word;
Begin
   SetLength(s1,100); w1:=100;

     WNetGetCachedPassword('LOSTER',6,PChar(s1),w1,0);
 
    SetLength(s1,w1);
      ShowMessage(S1);
end;

 Thank you!! ;)


0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362584
Yes, you got it!

Only problem: I *guessed* a lot because you didn't give me the complete documentation (I think you don't have it, right?). But I guessed the way, normal winAPI work.

So please try it out. Does it work?

Hmmm. Just an explanation. We set "s1" to 100 Bytes length. That is a kind of memory allocation. With "pchar(s1)" Delphi gives back the pointer to the first character in the string buffer. And the line "SetLength(s1,w1)" is necessary to reduce the string length to the string data, the WNetXXX function returned.

Regards, Madshi.
0
 

Author Comment

by:Loster
ID: 1362585
Hmm.. No, you're right, I don't have the Documentation ... Well.. I don't think I can
find it anywayz .. .


And It doesn't work ....8( .. I tried some user names for the Resource, I also tried
InterNet Connection Name.. Nothing works.. I just get an Empty String . .. I tried
several values for nType ... And I get no Result! ... Hmmm...

Do you have any idea why it doesn't work!?? ...
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362586
I've tested the function. But since I've no documentation, I don't know exactly what I have to give in.
I get an empty string, too. However, it shows, that the declaration is alright. I filled the string before calling the function. The function definitely sets the string to "".
So something is wrong with the parameters we give in.

For what purpose do you need this function?

Regards, Madshi.
0

 

Author Comment

by:Loster
ID: 1362587
Hmm ..
Ok the Purpose of this... I want to check the Login Password
of Windows, it is supposed to Take the password from the .PWL
Files....
You give the Resource Name which I suppose is the Connection
Name or User Name ..
I think the Problem is in the nTYPE .. I have no idea of what it is.

And I did not find any Documentation of this Function anywhere...
As I said, it's a Hidden Function of M$ .. It's purpose is to
Decode the .PWL File .. So they did not document it..
Maybe there is a Checksum somewhere, a key or something
to make this Work .. maybe nType is the checksum of the
Resource Name... !???? To be more Secured, I really don't know..

But I have some Infos to Decode the RC4 Cipher Encryption of
the .PWL .. But if I can decode it with this simple Function , I'll
use it!! 8)

0
 
LVL 17

Expert Comment

by:inthe
ID: 1362588
ntype is the type of password resource used ie
WNetGetCachedPassword('LOSTER',6,PChar(s1),w1,18);

would return the password of a netware account.

madshi do you know c very well if so i can post 2 functions for getting and setting novell password. the only prob is i don't know what number to use for windows password, as seems to be your trouble here.
Regards Barry

0
 
LVL 17

Expert Comment

by:inthe
ID: 1362589
on closer look you seem to be right with everything already just the last parameter (type of password). i searched everywhere a month or so ago and could not find the windows password number anywhere as loster said it is very undocumented function.
good luck
Regards Barry
0
 

Author Comment

by:Loster
ID: 1362590
Thanks Barry for your Comment..
So the problem is the nType ..
Hmm okay, well I can do an increment search calling the function
with a value from 0 to 65535 !

Thank you very much Madshi and Barry!! 8)
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362591
>> madshi do you know c very well if so i can post 2 functions
>> for getting and setting novell password. the only prob is i
>> dont know what number to use for windows password,as seems to
>> be your trouble here.

Hi Barry, I'm no C(++) expert, I know just enough to convert simple programs to Delphi...   :-)

Regards, Madshi.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362592
Hi Loster, does it finally work? Then you should ask Barry to write an answer so he can get the points...  :-)
0
 
LVL 17

Expert Comment

by:inthe
ID: 1362593
Loster
it would be give madshi the points for this as he did all the graft in delphi,i only knew how to do it from  c and are pleased to see how it is done in delphi.
btw if it is working would you please be kind enough to post the complete code with the windows password number as this would be helpful for other users with similar problems.
 Regards Barry ¤ :-) ¤
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362594
No, please Barry, the final hint came from you. And I want to see you in the top 15. So please do you answer the question...  :-)
0
 

Author Comment

by:Loster
ID: 1362595
Ehehe..
Thanks Guys, It Finally Works!!!!

Hahaha...
Well, I'm glad to tell you that the nType number is 8 ..
But, I do an increment For .. Do ...

Hmm, You were right in your explanations..

Okay, well, I found that the Resource Name was not just the
User Name.. For example, if you want your InterNet Connection
Password, who is saved in the .Pwl, you should use the function
like this:

WNetGetCachedPassWord('*Rna\InterNetConnectionName\UserName',
                                            LengthofAbove,  PassWord, LengthPw,
                                            nType);

As I said, nType should be incremented from 0 to 255 to be
sure to find All passwords.. Maybe nType is not Constant..


. And I also found something interesting on www.microsoft.com
hehe...

PWLEDIT.EXE .. a program from M$, who give you the Resource
Names contained in your .PWL file..


So .. hmmm, who should have the credits!??? 8)
Well, I really don't know guys! .. you helped me so much! 8))))

Thank you again!


0
 

 
LVL 20

Expert Comment

by:Madshi
ID: 1362597
Hmm. If you really do a loop from 0 to 255, you should use WNetEnum..., 'cause it will tell you all passwords in just ONE call.
If you wait some days/weeks, you can get an object oriented function for WNetEnum... from me, I'm planning to put some of windows' enum functions in Delphi objects...   :-)

Regards, Madshi.
0
 
LVL 17

Accepted Solution

by:
inthe earned 90 total points
ID: 1362598
Loster,
i will only put this as answer as madshi insists id do :-)
although dont forget his enum stuff ,i have some of his work and it's very good :-)
pleased to see you got the number 8 :-)
did you know pwledit.exe is on your windows cd.

B.T.W you can also use this one:
WNetCachePassword(LPCSTR pbResource,
                  WORD  cbResource,
                  LPCSTR pbPassword,
                  WORD  cbPassword,
                  BYTE  nType,
                  UINT  fnFlags);
this is for setting the password, where the final parameter fnflags is set for a 0 or a 1 depending on whether you want the password saved for duration of logon or permanently.

Madshi,
Thankyou  
(only 11,000 to number 15 and the telephone bill 's just gets bigger :-( ,but it's amazing what you can learn here so worth it.
let me and loster know when you have done the enum stuff ,your sources are very good to see as always .
Regards Barry
8888888888888888888888888888888888888888888888888888888888888888
0
 
LVL 20

Expert Comment

by:Madshi
ID: 1362599
Barry,

>> only 11,000 to number 15 and the telephone bill 's just gets
>> bigger :-( ,but it's amazing what you can learn here so worth it.
So with me. My telephone bill is quite big the last months...  :-(((
 
>> let me and loster know when you have done the enum stuff
>> your sources are very good to see as always .
I will...  :-)

Regards, Madshi.
0
