+-----------------------------------------------------------------------------+
| Author : NtWaK0                                                             |
| Subject: EVENT VIEWER SPIT OUT THE SID                                      |
| Date   : Sep-3-2000                                                         |
+-----------------------------------------------------------------------------+

SECURITY ISSUE FOUND WHILE I WAS WRITING A PAPER ABOUT NT LOGS
==============================================================

For those of you who know what a SID is in NT and know the "sid2user" /
"user2sid" tools (user2sid turns an account name into its SID, and sid2user
turns a SID back into an account name): well, I found a way to get the SID,
even the Administrator's, remotely if certain conditions are met:

1- By default NT logs can be viewed remotely :) (the Security log, where the
   events below land, is only readable by accounts holding the "Manage auditing
   and security log" right, which Administrators hold by default)
2- Auditing is enabled (failed logon/logoff and account management events)
3- Your account policy locks the account out after a certain number of failures.

Now here is what you need to do to get NT to spit out the SID
-------------------------------------------------------------

Try to log on to the remote box with any existing account name and a wrong
password (a network logon, e.g. "net use", shows up as Logon Type 3). You get a
logon failure, and in the Security log of the target you generate an entry
like this one (Event ID 529):

  Logon Failure:
        Reason:                 Unknown user name or bad password
        User Name:              WaKiNg
        Domain:                 WaK0
        Logon Type:             3
        Logon Process:          KSecDD
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       \\BRAINCELL

Repeat the bad logon until the lockout threshold is reached. If, as said above,
you have a policy that locks the account after a certain count, you will then
see this entry in the Security log (Event ID 644):
  User Account Locked Out:
        Target Account Name:    WaKiNg
        Target Account ID:      S-1-5-21-431509504-1754822488-1124750213-500
        Caller Machine Name:    \\BRAINCELL
        Caller User Name:       SYSTEM
        Caller Domain:          NT AUTHORITY
        Caller Logon ID:        (0x0,0x3E7)

Now connect to the remote box with Event Viewer (Log -> Select Computer), open
the Security log, and you will see the SID right there in the lockout event:

  Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500

Two things are worth noting about that value. The trailing -500 is the RID of
the built-in Administrator account, so the entry above gives away the
Administrator's SID no matter what the account has been renamed to. And
everything before the last hyphen (S-1-5-21-431509504-1754822488-1124750213) is
the domain SID: with that prefix you can feed sid2user a range of RIDs and
enumerate every account in the domain without knowing a single name. One
caveat: on NT 4 the built-in Administrator account is exempt from lockout
unless passprop /adminlockout from the Resource Kit has been applied, so
against a default configuration the lockout event exposes the SIDs of other
accounts only.

I did not do any other research into this, because the objective was not to
find something but to write this paper :)

The full paper about NT logs will be on www.legions.org

===============================================================================

Cheers,

------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and I'm not even too
sure about that one" -- Dennis Huges, FBI.
-----------------------------------------------------------------
Live Well, Do Good, Accept no limitations --:)
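As an added example (not part of the original post, and not a tool of NtWaK0's), the following Python script does the analysis described above offline: it parses the two Security log descriptions quoted in the post, ignores the logon failure (which carries no SID), pulls the SID out of the lockout event, splits it into the domain SID and the RID, flags the well-known RID 500, and builds the list of candidate SIDs one would hand to sid2user to enumerate the rest of the domain. The two event texts are constructed from the post's own entries; the RID range and the sid2user argument rendering are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, modelled on the two Security log entries quoted
# in the post above (hypothetical data, not captured from a real system).
LOGON_FAILURE_EVENT = r"""Logon Failure:
        Reason:                 Unknown user name or bad password
        User Name:              WaKiNg
        Domain:                 WaK0
        Logon Type:             3
        Logon Process:          KSecDD
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       \\BRAINCELL"""

LOCKOUT_EVENT = r"""User Account Locked Out:
        Target Account Name:    WaKiNg
        Target Account ID:      S-1-5-21-431509504-1754822488-1124750213-500
        Caller Machine Name:    \\BRAINCELL
        Caller User Name:       SYSTEM
        Caller Domain:          NT AUTHORITY
        Caller Logon ID:        (0x0,0x3E7)"""

# An NT domain / local SAM account SID: S-1-5-21-<three subauthorities>-<RID>.
ACCOUNT_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")

# RIDs that are fixed in every NT domain and local SAM, so renaming the
# account does not hide what it really is.
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


@dataclass
class LeakedSid:
    account_name: str
    sid: str
    domain_sid: str   # everything before the final hyphen
    rid: int          # the account's relative identifier


def parse_event(text: str):
    """Split an Event Viewer description into its title and 'Field: value' pairs."""
    lines = text.strip().splitlines()
    title = lines[0].strip().rstrip(":")
    fields = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return title, fields


def extract_leak(text: str) -> Optional[LeakedSid]:
    """Return the SID disclosed by a 'User Account Locked Out' event.

    Other events, such as the logon failure that precedes the lockout, carry
    no SID at all, so they yield None instead of a bogus result.
    """
    title, fields = parse_event(text)
    if title != "User Account Locked Out":
        return None
    sid = fields.get("Target Account ID", "")
    if not ACCOUNT_SID_RE.fullmatch(sid):
        return None
    domain_sid, rid = sid.rsplit("-", 1)
    return LeakedSid(fields.get("Target Account Name", "?"), sid, domain_sid, int(rid))


def describe_rid(rid: int) -> str:
    return WELL_KNOWN_RIDS.get(rid, "ordinary account (NT allocates RIDs from 1000 upward)")


def sid2user_args(sid: str) -> str:
    """Render a SID as the space-separated authority/subauthority list that
    sid2user takes on its command line: 'S-1-5-21-a-b-c-500' -> '5 21 a b c 500'."""
    return " ".join(sid.split("-")[2:])


def rid_candidates(domain_sid: str, first: int = 1000, count: int = 10):
    """Candidate SIDs for enumeration: the well-known RIDs plus `count` ordinary
    RIDs starting at `first` (the range is an assumption of this example).
    Only the domain-SID prefix leaked by the lockout event is needed."""
    rids = sorted(WELL_KNOWN_RIDS) + list(range(first, first + count))
    return [f"{domain_sid}-{rid}" for rid in rids]


if __name__ == "__main__":
    for event in (LOGON_FAILURE_EVENT, LOCKOUT_EVENT):
        leak = extract_leak(event)
        if leak is None:
            print(f"no SID in event '{parse_event(event)[0]}'")
            continue
        print(f"{leak.account_name}: {leak.sid} -> RID {leak.rid} = {describe_rid(leak.rid)}")
        print(f"domain SID: {leak.domain_sid}")
        for candidate in rid_candidates(leak.domain_sid, count=3):
            print(f"  sid2user \\\\TARGET {sid2user_args(candidate)}")
```

Run it as-is and it reports that the logon failure leaks nothing while the lockout event hands over the Administrator's SID and the domain prefix; to use it against real exported event text, replace the two constructed strings with the descriptions copied out of Event Viewer.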