Is there any NASL API for pulling SMB registry entries outside of HKLM? I see the following in smb_nt.inc:

function registry_access_step_1(soc, uid, tid, pipe)
{
    # Split the 16-bit tree, user and pipe IDs into low/high bytes
    tid_low = tid % 256;
    tid_high = tid / 256;
    uid_low = uid % 256;
    uid_high = uid / 256;
    pipe_low = pipe % 256;
    pipe_high = pipe / 256;

    # NetBIOS session header, SMB Trans request on the pipe,
    # then a 36-byte DCE/RPC request
    req = raw_string(0x00, 0x00, 0x00, 0x78, 0xFF, 0x53, 0x4D, 0x42,
                     0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80,
                     0x1D, 0x83, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                     0x00, 0x00, 0x00, 0x00, tid_low, tid_high, 0x00, 0x28,
                     uid_low, uid_high, 0x00, 0x00, 0x10, 0x00, 0x00, 0x24,
                     0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                     0x00, 0x54, 0x00, 0x24, 0x00, 0x54, 0x00, 0x02,
                     0x00, 0x26, 0x00, pipe_low, pipe_high, 0x35, 0x00, 0x00,
                     0x5c, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00,
                     0x45, 0x00, 0x5C, 0x00, 0x00, 0x00, 0x00, 0x5c,
                     0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
                     0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                     0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
                     0x10, 0xFF, 0x12, 0x00, 0x30, 0x39, 0x01, 0x00,
                     0x00, 0x00, 0x00, 0x02);

    send(socket:soc, data:req);
    r = smb_recv(socket:soc, length:4096);
    if(strlen(r) < 10)return(FALSE);

    # Byte 9 is the first byte of the SMB status field; 0 means success
    if(ord(r[9])==0)return(r);
    else return(FALSE);
}

Which Michel documents as being renamed registry_open_hklm (or should be)... So, is there any way to registry_open_hkcu, or any of the other hives? I guess I can dump a remote HKCU session... but I don't want to have to :-/

John W. Lampe
https://f00dikator.aceryder.com/
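As an added example (not part of the original post or of smb_nt.inc), this Python code decodes the DCE/RPC request carried in the last 36 bytes of the request quoted above, to show which header field names the hive-open call. The opnum table is taken from the MS-RRP specification; treating the pipe as bound to the winreg interface and reading the last four stub bytes as the access mask are assumptions.

```python
import struct

# DCE/RPC request PDU: the last 36 bytes of the raw_string() quoted in the post.
PDU = bytes([
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
    0x10, 0xFF, 0x12, 0x00, 0x30, 0x39, 0x01, 0x00,
    0x00, 0x00, 0x00, 0x02,
])

# Hive-open operation numbers of the winreg interface (from MS-RRP).
WINREG_OPEN = {
    0: "OpenClassesRoot",
    1: "OpenCurrentUser",
    2: "OpenLocalMachine",
    3: "OpenPerformanceData",
    4: "OpenUsers",
}


def parse_request(pdu):
    """Decode a single-fragment, unauthenticated DCE/RPC v5 request PDU."""
    if len(pdu) < 24:
        raise ValueError("shorter than a DCE/RPC request header")
    ver, minor, ptype, flags, drep = struct.unpack_from("<BBBB4s", pdu, 0)
    if (ver, minor, ptype) != (5, 0, 0):
        raise ValueError("not a DCE/RPC v5.0 request PDU")
    if drep[0] >> 4 != 1:
        raise ValueError("only little-endian integer encoding is handled")
    frag_len, auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    if frag_len != len(pdu) or auth_len != 0:
        raise ValueError("length mismatch or auth trailer present")
    stub = pdu[24:]
    return {
        "flags": flags, "call_id": call_id, "alloc_hint": alloc_hint,
        "context_id": ctx_id, "opnum": opnum,
        "call": WINREG_OPEN.get(opnum, "other/unknown"),
        "stub": stub,
        # Assumption: the access mask is the final uint32 of the stub.
        "access_mask": struct.unpack("<I", stub[-4:])[0] if len(stub) >= 4 else None,
    }


if __name__ == "__main__":
    for key, value in parse_request(PDU).items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

The opnum sits at offset 22 of the PDU, and the value in the posted packet decodes to the local-machine open, which matches the registry_open_hklm name mentioned in the post.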
This archive was generated by hypermail 2b30 : Tue Jul 01 2003 - 13:59:22 PDT