Thursday, May 26, 2011

Windows Security regarding Well Known SIDs


A relatively common security practice is to rename the built-in administrator accounts and groups so as to obscure them from potential attacks.  While this suggestion holds some merit regarding outside attacks, it does little to prevent even non-privileged users from discovering administrative accounts. 



There are a handful of ways of querying Active Directory to resolve an account using the SID, but Window's "WMIC" command presents one of the simplest.  Here are 3 examples on how WMIC can be used to determine an administrator account or group:

Using 3 steps we can quickly determine the administrative account/group:

wmic useraccount where "name='%username%' and domain='%userdomain%'" get sid


will return something similar to this:
SID
S-1-5-21-1111111111-2222222222-333333333-444444
The thing to realize is that SID's, although unique, share common properties within a domain.  By simply removing the "444444" section, we can replace it with "Well Known SID Identifyers" to locate common accounts.  More specifically, we're interested in SIDs that end in "512" for the Administrators Group or "500" for the Administrator Account.  To search for the Administrator's Group, you need only search for the following:
wmic group where "Domain='%USERDOMAIN%' and SID='S-1-5-21-1111111111-2222222222-333333333-512'"
Likewise, for the Administrator Account, simply use "500" instead of "512."
wmic group where "Domain='%USERDOMAIN%' and SID='S-1-5-21-1111111111-2222222222-333333333-500'"
For those of you familiar with the filter capabilities of WMIC, you may be wondering why you don't simply do the following:
wmic group where "Domain='%USERDOMAIN%' and SID like '%-500'"
While this method will certainly work, it has been my experience that this method takes significantly longer to complete than simply inserting the completed SIDs.
To bring these these concepts together, I've written the following batch file.  It first searches for the current user to resolve the common SID.  Next, it stips off the last portion of the user's SID and replaces it with the well known SIDs for the Administrator Group and Administrator Account. 
@echo off
echo.Well Known SID resolver - Robert F. Van Etta III 2011
echo.
echo %1| find "/v" /i > nul && set v=1
if '%1'=='/?' (
echo.   %0 [/v]
echo.
echo.Locates administrator accounts using "Well Known SIDs" without elevated privileges.
goto :eof
)
echo Using current user information to resolve Base SID...
for /f %%a in ('wmic useraccount where "name='%username%' and domain='%userdomain%'" get SID^|find "-"') do set SID=%%a
echo Base SID: %SID:~,-6%...
echo.
echo Determining Administrator group...
for /f "tokens=2* delims==" %%a in ('wmic group where "Domain='%USERDOMAIN%' and SID='%SID:~,-6%512'" get Name /value ^|find "="') do set DAGroup=%%a
echo Administrator group: %DAGroup%
echo.
if '%v%'=='1' (
for /f "tokens=* skip=4" %%a in ('net group "%DAGroup%" /domain') do echo.%%a | find "d completed s" /v
echo.
)
echo Determining Administrator account name...
for /f "tokens=2* delims==" %%a in ('wmic useraccount where "Domain='%userdomain%' and SID='%SID:~,-6%500'" get Name /value ^|find "="') do set DA=%%a
echo Administrator: %DA%
echo.
if '%v%'=='1' (
for /f "tokens=* skip=3" %%a in ('net user "%DA%" /domain') do echo.%%a | find "d completed s" /v
)
:eof

No comments:

Post a Comment