Certain RIDs are static. The SID2USER application enumerates the username for a
given SID plus RID, regardless of what the account has been renamed to.
(Refer to Lab 10 for obtaining the SID.)
Procedure:
Establish a NULL session and initiate a query against the target.
From the directory containing the sid2user executable, establish a NULL session
(refer to Lab 8). From a DOS prompt, type the following syntax:
sid2user <\\Target IP Address> SID RID
*Note:
The computer name is optional with this utility. If none is given the local
computer is used.
User accounts that carry the same RID regardless of what the account has been
renamed to are shown here:
In this example, the known SID (refer to Lab 10) is given plus the known Administrator
RID of 500.
Username         RID
Administrator    500
Guest            501
User Accounts    1000+
94
Practical Hacking Techniques and Countermeasures
*Note:
Notice that neither the dashes nor the leading S-1 of the SID identified in Lab 10
are included. You must leave these out for sid2user to correctly identify the
username based on the SID plus RID.
In the results from the example above, notice that the SID from Lab 10 plus the
static RID of the Administrator account (500) reveals that:
The username for that RID is actually the Administrator account.
The target resides in the WIN2000S-V domain.
On the target computer the Administrator account has been renamed to Kermit.
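As an added example (not from the book and not part of the sid2user tool), the following Python script puts the two points of this lab into code: it converts a textual SID into the dashless, "S-1"-less argument form that sid2user expects, and it audits an account list for well-known RIDs whose account carries a different name, which is the countermeasure view of the same fact (renaming Administrator does not hide RID 500). The domain SID, the account names and the audit helper are constructed sample values and assumptions; the script contacts no host and does not run sid2user.

```python
import re

# Well-known relative identifiers (RIDs) from the lab table; these never change,
# even when the account is renamed.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
FIRST_USER_RID = 1000  # ordinary user accounts are numbered from 1000 upward

# Textual SID: S-1-<authority>-<sub1>-<sub2>-...  (last sub-authority is the RID)
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Constructed sample domain SID (not a real value from any lab).
DOMAIN_SID = "S-1-5-21-1085031214-1563985344-725345543"

# Constructed sample account dump: (username, full account SID).
# "Kermit" mirrors the lab result where Administrator was renamed.
SAMPLE_ACCOUNTS = [
    ("Kermit", DOMAIN_SID + "-500"),
    ("Guest", DOMAIN_SID + "-501"),
    ("alice", DOMAIN_SID + "-1001"),
]


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c[-rid]' into (authority, [sub-authorities...])."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def sid2user_args(domain_sid, rid):
    """Build the argument string sid2user expects: the leading 'S-1' and the
    dashes are dropped, the remaining numbers are space separated, RID last."""
    authority, subs = parse_sid(domain_sid)
    return " ".join(str(n) for n in [authority, *subs, rid])


def classify_rid(rid):
    """Map a RID to the category used in the lab table."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= FIRST_USER_RID:
        return "user account"
    return "other built-in"


def audit_accounts(accounts):
    """Defender-side check (assumed helper): flag accounts whose RID is a
    well-known one but whose name differs, i.e. renamed built-in accounts.
    Returns a list of (current_name, rid, built_in_name)."""
    findings = []
    for name, sid in accounts:
        _, subs = parse_sid(sid)
        rid = subs[-1]
        built_in = WELL_KNOWN_RIDS.get(rid)
        if built_in is not None and name != built_in:
            findings.append((name, rid, built_in))
    return findings


if __name__ == "__main__":
    print("sid2user arguments:", sid2user_args(DOMAIN_SID, 500))
    for name, sid in SAMPLE_ACCOUNTS:
        rid = parse_sid(sid)[1][-1]
        print(f"{name:<14} RID {rid:<5} -> {classify_rid(rid)}")
    for name, rid, built_in in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"renamed built-in: RID {rid} ({built_in}) is now called {name!r}")
```

The audit function is the practical takeaway for an administrator: because RID 500 and 501 are static, renaming those accounts is not a hiding measure, so the defensive controls are disabling the Guest account, restricting anonymous (NULL session) enumeration, and monitoring logons to the RID 500 account under whatever name it carries.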