Adding LSA_OPENSECRET (-> LsarOpenSecret) and LSA_QUERYSECRET

(-> LsarQuerySecret) on client side, including rpcclient command
"querysecret" for others to play with.

The major obstacle is working out the encryption algorithm used
for the secret value. It definitely uses the NT hash as part of the
key, and it seems the block size is 64 bits - probably DES based -
but I can't work out what's done in between. Help required.
(This used to be commit 365fa3b5fbf551670acc91f593138a7e91a5f7fa)

2 files changed, 70 insertions, 0 deletions

diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index be148a7f1d..a0d60037ec 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -309,3 +309,72 @@ void cmd_lsa_lookup_sids(struct client_info *info)
 	}
 }
 
+/****************************************************************************
+nt lsa query
+****************************************************************************/
+void cmd_lsa_query_secret(struct client_info *info)
+{
+	uint16 nt_pipe_fnum;
+	fstring srv_name;
+	BOOL res = True;
+	BOOL res1;
+	int i;
+
+	POLICY_HND hnd_secret;
+	fstring secret_name;
+	unsigned char enc_secret[24];
+	NTTIME last_update;
+
+	if (!next_token(NULL, secret_name, NULL, sizeof(secret_name)))
+	{
+		fprintf(out_hnd, "querysecret <secret name>\n");
+		return;
+	}
+
+	fstrcpy(srv_name, "\\\\");
+	fstrcat(srv_name, info->myhostname);
+	strupper(srv_name);
+
+	DEBUG(4,("cmd_lsa_query_info: server:%s\n", srv_name));
+
+	/* open LSARPC session. */
+	res = res ? cli_nt_session_open(smb_cli, PIPE_LSARPC, &nt_pipe_fnum) : False;
+
+	/* lookup domain controller; receive a policy handle */
+	res = res ? lsa_open_policy(smb_cli, nt_pipe_fnum,
+				srv_name,
+				&info->dom.lsa_info_pol, False) : False;
+
+	/* lookup domain controller; receive a policy handle */
+	res = res ? lsa_open_secret(smb_cli, nt_pipe_fnum,
+				&info->dom.lsa_info_pol,
+				secret_name, 0x20003, &hnd_secret) : False;
+
+	res1 = res ? lsa_query_secret(smb_cli, nt_pipe_fnum,
+				&hnd_secret, enc_secret, &last_update) : False;
+
+	res = res ? lsa_close(smb_cli, nt_pipe_fnum, &hnd_secret) : False;
+
+	res = res ? lsa_close(smb_cli, nt_pipe_fnum, &info->dom.lsa_info_pol) : False;
+
+	/* close the session */
+	cli_nt_session_close(smb_cli, nt_pipe_fnum);
+
+	if (res1)
+	{
+		fprintf(out_hnd, "\tValue (encrypted): ");
+		for (i = 0; i < 24; i++)
+		{
+			fprintf(out_hnd, "%02X", enc_secret[i]);
+		}
+
+		fprintf(out_hnd, "\n\tLast Updated     : %s\n\n",
+			http_timestring(nt_time_to_unix(&last_update)));
+	}
+	else
+	{
+		fprintf(out_hnd, "LSA Query Secret: failed\n");
+	}
+}
+
+
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index a9719b143b..fb520004da 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -140,6 +140,7 @@ struct
   {"enumaliases",cmd_sam_enum_aliases, "SAM Aliases Database Query (experimental!)"},
   {"enumgroups", cmd_sam_enum_groups,  "SAM Group Database Query (experimental!)"},
   {"samgroups",  cmd_sam_query_dominfo, "SAM Query Domain Info(experimental!)"},
+  {"querysecret", cmd_lsa_query_secret, "LSA Query Secret (developer use)"},
   {"quit",       cmd_quit,        "logoff the server"},
   {"q",          cmd_quit,        "logoff the server"},
   {"exit",       cmd_quit,        "logoff the server"},