Saturday, February 6, 2010

Identifying Accounts


Two powerful NT/2000 enumeration tools are:
sid2user
user2sid
They can be downloaded at www.chem.msu.su/~rudnyi/NT/
These are command line tools that look up NT SIDs from a username, and vice versa.


user2sid and sid2user are two small utilities for Windows NT/2000 that allow the user to query the SAM and find out the SID value for a given account name, and vice versa. These utilities are actually command line interfaces to the WIN32 functions LookupAccountName and LookupAccountSid. It happens that to use these functions a user only has to be a member of EVERYONE. This means that an ordinary user can easily find the built-in domain administrator name, which MS recommends renaming from Administrator to something else.
User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) on the local or a remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and more. Windows NT/2000 keeps track of user accounts and groups with Security Identifiers, or SIDs. All SIDs are unique within a given system and are issued by what is known as an "Authority", such as a domain. There are five authorities:
SECURITY_NULL_SID_AUTHORITY (null user)
SECURITY_WORLD_SID_AUTHORITY (everyone)
SECURITY_LOCAL_SID_AUTHORITY (local user)
SECURITY_CREATOR_SID_AUTHORITY (creator owner /group)
SECURITY_NT_AUTHORITY
Note the default SIDs that capture a cracker's interest:
Administrator S-1-5-21-<........................>-500
Guest S-1-5-21-<........................>-501
Domain Admins S-1-5-21-<........................>-512
Domain Users S-1-5-21-<........................>-513
Domain Guests S-1-5-21-<........................>-514
Let us take a look at the attack.
Here we query the default built-in Administrator account, and we get back more information such as the domain and the number of sub-authorities.
Had we found the default Guest account, we could escalate it to the Administrators group by changing the RID using sid2user.
c:\>sid2user \\196.xxx.xxx.xx 5 21 1123561549 1788223846 725345447 500
This will change the Guest account to that of an administrator account. The last three digits (here 500) are the registered ID (RID). Once a RID has been issued it will never be used again. Any group or user that is not created by default will have a RID of 1000 or greater.
Net use, user2sid and sid2user all operate over TCP port 139 (NetBIOS session). The reason these utilities work despite ACLs being in place is that LookupAccountName and LookupAccountSid have no ACL on them.
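As an added example (not from the post or from the tool's author), here is a small Python SID parser that applies the structure described above: it names the identifier authority, picks out the RID, and flags the well-known RIDs so that an auditor can recognise the built-in Administrator or Guest account whatever it has been renamed to. The domain sub-authority values are taken from the command above; the account names in the sample listing are constructed.

```python
import re
from typing import Dict, List, Tuple

# Identifier authorities listed on the page, keyed by the numeric value that
# follows "S-1-" in a textual SID (0, 1, 2, 3 and 5 are the standard values).
AUTHORITIES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT"}

# Well-known relative identifiers (RIDs) from the page; the name may be changed
# by an administrator, the RID cannot.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(text: str) -> Tuple[int, Tuple[int, ...]]:
    """Split 'S-1-<authority>-<sub>-...-<rid>' into (authority, sub-authorities)."""
    m = SID_RE.match(text.strip())
    if not m or int(m.group(1)) not in AUTHORITIES:
        raise ValueError(f"not a recognised SID: {text!r}")
    subs = tuple(int(p) for p in m.group(2).split("-")[1:])
    return int(m.group(1)), subs


def describe(text: str) -> str:
    """Classify a SID by what its RID reveals, independent of the account name."""
    authority, subs = parse_sid(text)
    rid = subs[-1]
    if authority != 5 or subs[:1] != (21,):          # not a domain/machine account SID
        return f"{AUTHORITIES[authority]} authority SID"
    if rid in WELL_KNOWN_RIDS:
        return f"default {WELL_KNOWN_RIDS[rid]} (RID {rid})"
    if rid >= 1000:                                  # created after installation
        return f"custom account or group (RID {rid})"
    return f"other built-in (RID {rid})"


def audit(accounts: Dict[str, str]) -> List[str]:
    """Report accounts whose display name hides a well-known RID (e.g. a renamed RID 500)."""
    findings = []
    for name, sid_text in accounts.items():
        _, subs = parse_sid(sid_text)
        expected = WELL_KNOWN_RIDS.get(subs[-1])
        if expected and subs[:1] == (21,) and name != expected:
            findings.append(f"{name!r} is the default {expected} (RID {subs[-1]}) under another name")
    return findings


# Constructed sample listing: domain values from the command above, names made up.
SAMPLE = {
    "ops-admin": "S-1-5-21-1123561549-1788223846-725345447-500",
    "Guest": "S-1-5-21-1123561549-1788223846-725345447-501",
    "jsmith": "S-1-5-21-1123561549-1788223846-725345447-1004",
}
```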
