nt-sid.txt
+-----------------------------------------------------------------------------+
|Author : NtWaK0
|
|Subject: EVENT VIEWER SPIT OUT THE SID
|
|Date: Sep-3-2000
|
+-----------------------------------------------------------------------------+
SECURITY ISSUE FOUND WHILE I WAS WRITING A PAPER ABOUT NT LOGS
==============================================================
For those of you who know what a SID is in NT and the tools user2sid/sid2user,
which translate between account names and SIDs (user2sid is the one that
returns a SID for a given account name):
Well, I found a way to get the SID, even the Administrator's, remotely, if
certain conditions are met:
1- By default NT logs can be viewed remotely :) (caveat: the Security log,
   where the entries below land, can only be opened by an account holding the
   "Manage auditing and security log" right; it is the Application and System
   logs that are readable by everyone by default)
2- Auditing is enabled (logon/logoff failures at least, so the events below
   actually get written)
3- Your account policy locks the account out after a certain number of
   failed logons.
Now here is what you need to do to get NT to spit out the SID
-------------------------------------------------------------
Try to log on to the remote box using any existing account and a wrong
password. The logon fails, and in the Security log you generate an entry
like this:
Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\BRAINCELL
If, as I said, you have a policy that locks the account after a certain
number of failures, you will then see this entry in your log file:
User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)
So now, if you connect to the remote box's event log with Event Viewer, you
can read the entries and you will see the SID:
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Note the last component (the RID): 500 is the fixed RID of the built-in
Administrator account, so this entry shows that "WaKiNg" is the renamed
Administrator. Renaming that account hides nothing from anyone who can read
this log. The entry also gives away the machine's (or domain's) SID prefix,
S-1-5-21-431509504-1754822488-1124750213, which is what you would otherwise
have to run user2sid against the box to learn.
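The check below is an added example, not code from the advisory or its author. It assumes the remote Security log has been saved as text in the layout Event Viewer shows (the sample is constructed from the two entries above, plus a lockout of an ordinary account for contrast) and shows what a reader of that log learns: the account SID, the machine/domain SID prefix, whether the RID belongs to a built-in account regardless of its name, and how many logged failures from the same workstation preceded the lockout.

```python
"""Extract the SIDs that NT lockout entries disclose (added example).

Assumes the events were saved as text in Event Viewer layout; nothing here
reads a live event log. SAMPLE_LOG is constructed, not a real capture.
"""
import re

# Constructed sample: the advisory's two entries plus one ordinary lockout.
SAMPLE_LOG = """\
Logon Failure:
Reason: Unknown user name or bad password
User Name: WaKiNg
Domain: WaK0
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\\\BRAINCELL

User Account Locked Out:
Target Account Name: WaKiNg
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-500
Caller Machine Name: \\\\BRAINCELL
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

User Account Locked Out:
Target Account Name: jdoe
Target Account ID: S-1-5-21-431509504-1754822488-1124750213-1043
Caller Machine Name: \\\\WS17
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)
"""

# Account SIDs issued by a machine or domain: S-1-5-21-<3 subauthorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# RIDs that stay fixed no matter what the account is renamed to.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_events(text):
    """Split Event Viewer-style text into one dict per blank-line-separated entry.

    The first line ("User Account Locked Out:") becomes the 'event' key; the
    remaining "Key: Value" lines become the other keys.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        event = {"event": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                event[key.strip()] = value.strip()
        events.append(event)
    return events


def split_sid(sid):
    """Return (machine/domain prefix, RID) for an account SID, or None."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def analyze(text):
    """List every SID a lockout entry discloses, with the RID decoded.

    Each finding also counts the logged logon failures for the same account
    from the same workstation, the pattern the advisory describes
    (deliberate bad passwords until the lockout fires).
    """
    events = parse_events(text)
    failures = [e for e in events if e["event"] == "Logon Failure"]
    findings = []
    for e in events:
        if e["event"] != "User Account Locked Out":
            continue
        parts = split_sid(e.get("Target Account ID", ""))
        if parts is None:
            continue
        prefix, rid = parts
        name = e.get("Target Account Name", "")
        source = e.get("Caller Machine Name", "")
        prior = sum(
            1 for f in failures
            if f.get("Workstation Name") == source
            and f.get("User Name", "").lower() == name.lower()
        )
        findings.append({
            "account": name,
            "sid": e["Target Account ID"],
            "prefix": prefix,
            "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid),
            "source": source,
            "prior_failures": prior,
        })
    return findings


def disclosed_prefix(findings):
    """The machine/domain SID prefix shared by all findings (None if mixed)."""
    prefixes = {f["prefix"] for f in findings}
    return prefixes.pop() if len(prefixes) == 1 else None


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    print("SID prefix disclosed:", disclosed_prefix(results))
    for f in results:
        tag = f" (RID {f['rid']} = built-in {f['well_known']})" if f["well_known"] else ""
        print(f"{f['account']}: {f['sid']}{tag}, locked from {f['source']} "
              f"after {f['prior_failures']} logged failure(s)")
```

Run it as a script to print the findings for the sample; point `analyze()` at your own saved log text to see what a remote reader of that log would get.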
I did not do any other research into this because the objective was not to
find something but to write this paper :)
The full paper about NT logs will be on www.legions.org
===============================================================================
Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
"The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and I'm not even too sure about that one" -- Dennis Hughes, FBI.
-----------------------------------------------------------------
Live Well Do Good, Accept no limitations --:)