exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nt-sid.txt

nt-sid.txt
Posted Sep 6, 2000
Authored by NT Wako | Site legions.org

Windows NT allows remote users to find out the SID remotely if certain conditions are met. The logs need to be viewable remotely, auditing must be enabled, and policies must block the account after a certain failure count.

tags | remote
systems | windows
SHA-256 | 058acc074b6dceaa3311a7b9d02f577660e67364ccb5a3bab68adece51f67ee0

nt-sid.txt

Change Mirror Download
+---------------------------------------------------------------------------
--+
|Author : NtWaK0
|
|Subject: EVENT VIEWER SPIT OUT THE SID
|
|Date: Sep-3-2000
|
+---------------------------------------------------------------------------
--+

SECURITY ISSUE FOUND WHILE I WAS WRITING SOME PAPER ABOUT NT LOGS
=================================================================

To the one of you who know the SID in NT and the tool "sid2user" that
allow
you to get the SID of the users .

Well I found a way to get the SID even Administrator Remotly if certain
conditions are meet:

1- By default NT logs can be viewed remotly :)
2- If you have Audting Enabled
3- If your policies Block The account after certain failure count.

Now here is what you need to do to get NT Spit out the SID
----------------------------------------------------------

Try to login to the remote box using any exisiting account and the box
you will get a logong failure and in event viewer you will generate an
entry

Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL

If like I said you have a policy that block an account after certain
count
You will you see this entry in your log file.
ser Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

So now if you connect to the remote EVENT box using event viewer you will
be able to see the logs and you will see the SID
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500

I did not do any other research into this cause the objective was not to
find something but it was to write this paper :)


The Full paper about NT logs will be on www.legions.org


============================================================================
===
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI.
-----------------------------------------------------------------
Live Well Do Good, Accept no limitations --:)

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close