Tuesday, September 12, 2006

Enumerating user accounts with LookupAccountSid() and LookupAccountName()

Recently I was wondering about enumerating account names on a remote machine. This can be done with the 2 windows API functions LookupAccountSid() and LookupAccountName().
LookupAccountSID finds the SID for a named account and LookupAccountName finds the named account for a SID. Using the method described by Evgenii Borisovich Rudnyi (writer of user2sid and sid2user) in 1998 it is possible to find the name of the administrator account on a remote machine.

First, find the SID for any account on the machine using LookupAccountSID(). Guest is a good bet. The SID will look something like this: S-1-5-21-1482476501-963894560-682003330-123
Once you have found any old SID, take the last section of the SID (Called the RID) and replace it with 500. 500 will ALWAYS be the administrator account.
Then call LookupAccountName() passing in the new SID. That will return the name of the administrator account.
You can enumerate all the accounts on the machine by looping through RIDs 500 to say 4000.

This is functionality provided by the Win API for use by anyone. No hacking here.

I have recently written an implementation of the methods described in above .NET. Here is the output from this tool:

SidTool v0.1 - Tristan Phillips

SidTool -? for help

Querying machine: Local
Starting Account: Guest
Filtering Results: False
From RID: 400
To RID: 3000

Looking for Guest Sid . . .
Found Guest Sid: S-1-5-21-1482476501-963894560-682003330-501
Using Guest Sid as reference to find Administrator Sid . . .

Found administrator account called: XXXXXX\Administrator (SidTypeUser)
@ S-1-5-21-1482476501-963894560-682003330-500

Enumerating RID's from 400 to 3000 . . .

500 XXXXXX\Administrator (SidTypeUser)
501 XXXXXX\Guest (SidTypeUser)
513 XXXXXX\None (SidTypeGroup)
1000 XXXXXX\HelpAssistant (SidTypeUser)
1001 XXXXXX\HelpServicesGroup (SidTypeAlias)
1002 XXXXXX\SUPPORT_388945a0 (SidTypeUser)
1004 XXXXXX\IUSR_PCL001424 (SidTypeUser)
1005 XXXXXX\IWAM_PCL001424 (SidTypeUser)
1006 XXXXXX\Debugger Users (SidTypeAlias)
.
.
.

You get the Idea.
Also, if you start out with a domain account, you will find the name of the domain administrator. To query a remote machine you can try creating a null connection the the IPC$ share first.

Ill post the utility here soon.

The moral?: Although it is good practice to change the name of the Administrator account on a machine, you should not rely on this obscurity as a means of security. Anyone familiar with the methods above can easily find your new "secret" name.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)