Windows NT allows remote users to find out the SID remotely if certain conditions are met. The logs need to be viewable remotely, auditing must be enabled, and policies must block the account after a certain failure count.
+-----------------------------------------------------------------------------+
|Author : NtWaK0
|Subject: EVENT VIEWER SPIT OUT THE SID
|Date: Sep-3-2000
+-----------------------------------------------------------------------------+
SECURITY ISSUE FOUND WHILE I WAS WRITING SOME PAPER ABOUT NT LOGS
=================================================================
To those of you who know the SID in NT and the tool "sid2user" that allows
you to get the SID of the users.
Well, I found a way to get the SID, even Administrator, remotely if certain
conditions are met:
1- By default NT logs can be viewed remotely :)
2- If you have Auditing Enabled
3- If your policies Block The account after a certain failure count.
Now here is what you need to do to get NT Spit out the SID
----------------------------------------------------------
Try to log in to the remote box using any existing account and the box
you will get a logon failure and in event viewer you will generate an entry
Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL
If, like I said, you have a policy that blocks an account after a certain
count, you will see this entry in your log file.
User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)
So now if you connect to the remote EVENT box using event viewer you will
be able to see the logs and you will see the SID
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
I did not do any other research into this cause the objective was not to
find something but it was to write this paper :)
The Full paper about NT logs will be on www.legions.org
===============================================================================
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
"The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and I'm not even too sure about that one"--Dennis Huges, FBI.
-----------------------------------------------------------------
Live Well Do Good, Accept no limitations --:)
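
The two records quoted in the post, read from the defender's side, as an added example that is not part of the original post: it parses exported event text and reports which lockout records disclose a domain SID, and whether the RID marks a built-in account. The function names and the blank line between records are assumptions of this sketch; the sample text is constructed from the entries shown above.

```python
import re
from collections import Counter

# Constructed sample: the two records quoted in the post, as exported event text.
SAMPLE_LOG = r"""Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Workstation Name: \\BRAINCELL

User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# Well-known relative IDs: fixed by Windows, unchanged when an account is renamed.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def parse_records(text):
    """Split text into records: an 'Event title:' line, then 'Key: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rec = {"event": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def sid_disclosures(records):
    """One finding per lockout record whose Target Account ID holds a domain SID."""
    failures = Counter(r.get("User Name") for r in records
                       if r["event"] == "Logon Failure")
    findings = []
    for r in records:
        m = SID_RE.match(r.get("Target Account ID", ""))
        if r["event"] == "User Account Locked Out" and m:
            rid, name = int(m.group(2)), r.get("Target Account Name")
            findings.append({"account": name, "domain_sid": m.group(1), "rid": rid,
                             "well_known": WELL_KNOWN_RIDS.get(rid),
                             "failed_logons": failures[name],
                             "caller_machine": r.get("Caller Machine Name")})
    return findings

if __name__ == "__main__":
    for finding in sid_disclosures(parse_records(SAMPLE_LOG)):
        print(finding)
```

On the sample, the account named WaKiNg is reported with RID 500, so the lockout record identifies it as the renamed built-in Administrator.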