
Mark D. Spivey

"Practical Hacking Techniques and Countermeasures"

SIDs are static for the machine the user accounts are
installed on. The USER2SID application is used to enumerate the SID
from a given username. Once the SID has been identified, the username
can be enumerated regardless of what the user account has been
renamed to (covered in Lab 11).
Procedure:
First, establish a NULL session. From a DOS prompt, type the
following syntax:
user2sid <\\Target IP Address> account name
*Note:
The computer name is optional with this utility. If none is given the local
computer is used.
In this example, the target IP address is 172.16.1.40 and the target account
name is Administrator.

In this example, the username of the Administrator:
Has a SID of 5-21-1220945662-1343024091-854245398. (The S-1 and the
number at the end, in this case 500, are not part of the SID.)
Is in the WIN2000S-V domain.
*Note:
As you will learn in the next lab, you can immediately verify if certain account
names are the "real" names. For instance, this example shows that the Administrator
account number ends in 500. The 500 is known as the Relative
Identifier (RID) and is ALWAYS 500 on a Windows computer.
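
The SID layout described in this lab, as an added example that is not from the book: a small parser that splits a SID into its issuing machine or domain identifier and its RID, then uses the RID to find built-in accounts that have been renamed in an account inventory. The function names, the account inventory and the second machine identifier are constructed for illustration; RID 501 (Guest) is added from general Windows knowledge.

```python
from typing import NamedTuple, Tuple

# RIDs of built-in accounts; renaming the account does not change them.
# 500 is from the text; 501 (Guest) is added from general Windows knowledge.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}

class Sid(NamedTuple):
    revision: int             # the "1" in S-1
    authority: int            # 5 = NT Authority
    issuer: Tuple[int, ...]   # sub-authorities naming the machine or domain
    rid: int                  # last sub-authority: the Relative Identifier

def parse_sid(text: str) -> Sid:
    """Parse a full SID string such as S-1-5-21-a-b-c-500."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError(f"non-numeric SID component in {text!r}")
    nums = [int(p) for p in parts[1:]]
    return Sid(nums[0], nums[1], tuple(nums[2:-1]), nums[-1])

def from_user2sid(printed: str, rid: int) -> str:
    """Rebuild a full SID from the shortened form shown in the text."""
    return f"S-1-{printed}-{rid}"

def renamed_builtins(accounts):
    """Return (current_name, builtin_name) for built-in accounts that were renamed."""
    findings = []
    for name, sid_text in accounts:
        sid = parse_sid(sid_text)
        builtin = BUILTIN_RIDS.get(sid.rid)
        # Only S-1-5-21-... SIDs belong to machine or domain accounts.
        is_account = sid.authority == 5 and sid.issuer[:1] == (21,)
        if builtin and is_account and name.lower() != builtin.lower():
            findings.append((name, builtin))
    return findings

# SID from the text's example, with the S-1 prefix and RID 500 restored.
PAGE_SID = from_user2sid("5-21-1220945662-1343024091-854245398", 500)

# Constructed inventory (names and the second machine identifier are made up).
SAMPLE_ACCOUNTS = [
    ("Administrator", PAGE_SID),
    ("backup_svc", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("jsmith", "S-1-5-21-1111111111-2222222222-3333333333-1004"),
    ("SYSTEM", "S-1-5-18"),
]
```

Because the RID survives a rename, renaming the Administrator account does not hide it; the Restrict Anonymous setting and host-based firewalls listed as countermeasures in the next lab are what prevent the lookup.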
Target Enumeration

Lab 11: Enumerate User ID from SID
Enumerate the Username from the Known SID: SID2USER
Prerequisites:
NULL Session
Countermeasures:
Restrict Anonymous, host-based firewalls
Description:
Every user account on a Windows computer has a RID.

