Network Security Library
User Info and User Dump Tutorial


Security Tools
By: Chris Gates, 06/28/2005



I was cruising around Tim Mullen's site http://www.hammerofgod.com, saw the UserInfo and UserDump tools and wanted to learn how to use them. The point of the tools is to pull ("enumerate", to use the Hacking Exposed word) user account information over a null session even when RestrictAnonymous has been set to 1. That is the value most Windows 2000 Server lockdown guides tell you to set, because it is supposed to stop null session enumeration (it does not stop the null session itself from being set up, only some of the queries that can be made over it):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = 1 (DWORD)
Null sessions allow an anonymous attacker to extract a great deal of information about a system, most importantly account names. They are dangerous because they let an attacker pull juicy user data from the machine without a single valid credential. Windows NT, 2000 and even Server 2003 domain controllers are susceptible to enumeration over null sessions. There is a lot more on null sessions and SMB enumeration in the Hacking Exposed books. The key point to take away is that you can obtain account names to feed dictionary attacks, plus details such as last logon, privilege level, password age and whether it expires, and even the allowed logon hours, so we aren't knocking on the door at a time when the account isn't permitted to log in anyway.

The point of Tim Mullen's tools is that the registry fix didn't close all the holes. It stopped DumpACL (now DumpSec) from working, but it didn't stop his tools, and it didn't stop User2SID and SID2User either, because those go through the LSA name and SID lookup calls rather than the SAM enumeration calls the key restricts. You can check out his PowerPoint for more information, I won't plagiarize it all: http://www.hammerofgod.com/download/Mullen-RA.ppt UserInfo enumerates user information over a null session even if RA is set to 1. It does this by calling the NetUserGetInfo API at information level 3 (the USER_INFO_3 structure), which is what carries the user ID, primary group, privilege level, password age, last logon and logoff, logon hours and the comment field. What that means is that when Microsoft tried to fix the problem with the registry key, it blocked the bulk enumeration calls but not NetUserGetInfo, so anyone who knows or can guess an account name can still pull that account's details. RA set to 2 does stop it, but it limits the functionality of NT and 2000 machines and services (anything that depends on anonymous access, the Computer Browser service for example, stops working). Server 2003 member servers already refuse anonymous SAM enumeration by default, so a null session won't get you much there; domain controllers, on the other hand, have to accept some anonymous access to serve older clients, and if you crank RA up to 2 on a DC it can no longer communicate properly, which defeats the purpose of it being a domain controller.

Ideally people block UDP 137 and 138, TCP 139 and TCP 445 at the firewall, which keeps null sessions out from outside the network, but you are still hosed against internal attackers or anyone who finds a way through the firewall.

Let's move on to using the tools. When I read his readme for UserInfo it seemed like the tool would set up the null session for me, but on my trusty VMware Win2k Advanced Server I had no such luck. I had to set it up myself. Setting it up by hand means connecting to the target's IPC$ share with an empty username and password (net use \\target\ipc$ "" /user:"").



Cool, now we've got the null session. Don't forget to delete the session (net use \\target\ipc$ /delete) when you are done, or it stays open and shows up in the target's session list.



Now let's run the tools, starting with UserInfo.



Let's take a look at what all this tells us. It gives us the account name, the comment field, the user ID (RID) and primary group (which we can do neat things with if you read the User2SID and SID2User tutorial), the password age, and the last logon and logoff times. Lots of juicy stuff. If we had been lucky someone would have left a helpful comment, maybe even a password hint. No such luck this time. Let's move on to UserDump on the same machine and see what we get. Make sure you get the null session syntax right; it's a little tricky.
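The fields listed above come straight out of the USER_INFO_3 structure that NetUserGetInfo returns, and reading them by eye across a whole box gets old fast. The following is an added example for this tutorial, not code from the page or from the HammerofGod tools: it decodes the USER_INFO_3-style fields (privilege, flags, password age, last logon, and the 21-byte logon-hours bitmap that tells you when the account is allowed on) and ranks accounts by how attractive they look. The UF_*, USER_PRIV_* and TIMEQ_FOREVER constants are the real lmaccess.h values; the sample records, names and scoring weights are constructed for the example.

```python
"""Triage the USER_INFO_3 fields that UserInfo and UserDump display.

Added example for this tutorial, not code from the page or from the
HammerofGod tools.  The constants are the real lmaccess.h values; the sample
records are constructed for the example and are not the tutorial's output.
"""
from datetime import datetime, timezone

USER_PRIV_GUEST, USER_PRIV_USER, USER_PRIV_ADMIN = 0, 1, 2   # usri3_priv
UF_ACCOUNTDISABLE = 0x0002                                    # usri3_flags bits
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
TIMEQ_FOREVER = 0xFFFFFFFF                                    # usri3_acct_expires: never
PRIV_NAMES = {USER_PRIV_GUEST: "Guest", USER_PRIV_USER: "User", USER_PRIV_ADMIN: "Admin"}
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def decode_logon_hours(bitmap):
    """usri3_logon_hours is 21 bytes = 168 bits, one per hour of the week in GMT;
    bit 0 (LSB of byte 0) is Sunday 00:00-00:59.  Returns {day: [(start, end), ...]}
    with end exclusive, and {} when the account may never log on."""
    if len(bitmap) != 21:
        raise ValueError("logon_hours must be 21 bytes")
    windows = {}
    for d, day in enumerate(DAYS):
        hours = [(bitmap[(d * 24 + h) // 8] >> ((d * 24 + h) % 8)) & 1 for h in range(24)]
        runs, start = [], None
        for h, allowed in enumerate(hours + [0]):     # sentinel closes a trailing run
            if allowed and start is None:
                start = h
            elif not allowed and start is not None:
                runs.append((start, h))
                start = None
        if runs:
            windows[day] = runs
    return windows


def make_logon_hours(windows):
    """Inverse of decode_logon_hours; used here to build the sample data."""
    bits = bytearray(21)
    for day, runs in windows.items():
        for start, end in runs:
            for h in range(start, end):
                n = DAYS.index(day) * 24 + h
                bits[n // 8] |= 1 << (n % 8)
    return bytes(bits)


def logon_allowed(bitmap, when):
    """True if the bitmap permits a logon at `when` (datetime or ISO 8601 string).
    Converted to GMT first: the bitmap is in GMT, the target's clock may not be."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    utc = when.astimezone(timezone.utc)
    n = ((utc.weekday() + 1) % 7) * 24 + utc.hour      # Python Monday=0 -> bitmap Sunday=0
    return bool((bitmap[n // 8] >> (n % 8)) & 1)


def _when(seconds):
    """NetUserGetInfo time fields are seconds since 1970-01-01 GMT; 0 means never."""
    if seconds in (0, TIMEQ_FOREVER):
        return "never"
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d")


def triage(rec):
    """Summarise one USER_INFO_3-style record and score how attractive it is:
    live admin, stale or non-expiring password, no password required, or
    something password-like left in the comment field (constructed weights)."""
    flags = rec["flags"]
    out = {
        "name": rec["name"], "rid": rec["user_id"],
        "priv": PRIV_NAMES.get(rec["priv"], "?"),
        "disabled": bool(flags & UF_ACCOUNTDISABLE),
        "password_not_required": bool(flags & UF_PASSWD_NOTREQD),
        "password_never_expires": bool(flags & UF_DONT_EXPIRE_PASSWD),
        "password_age_days": rec["password_age"] // 86400,
        "last_logon": _when(rec["last_logon"]),
        "account_expires": _when(rec["acct_expires"]),
        "logon_hours": decode_logon_hours(rec["logon_hours"]),
    }
    score = 0
    if out["priv"] == "Admin" and not out["disabled"]:
        score += 3
    if out["password_age_days"] > 90 or out["password_never_expires"]:
        score += 1
    if out["password_not_required"]:
        score += 2
    if any(w in rec["comment"].lower() for w in ("pass", "pwd")):
        score += 2
    out["score"] = score
    return out


def prioritise(records):
    """All records triaged, most attractive first."""
    return sorted((triage(r) for r in records), key=lambda r: -r["score"])


# Constructed sample records (flags are UF_* combinations, times are epoch seconds).
ALL_HOURS = bytes([0xFF] * 21)
OFFICE_HOURS = make_logon_hours({d: [(9, 17)] for d in DAYS[1:6]})
SAMPLE = [
    {"name": "Administrator", "user_id": 500, "priv": USER_PRIV_ADMIN, "flags": 0x10201,
     "comment": "Built-in account for administering the computer/domain",
     "password_age": 400 * 86400, "last_logon": 1119916800, "acct_expires": TIMEQ_FOREVER,
     "logon_hours": ALL_HOURS},
    {"name": "IUSR_WEB01", "user_id": 1000, "priv": USER_PRIV_GUEST, "flags": 0x10221,
     "comment": "Built-in account for anonymous access to IIS",
     "password_age": 30 * 86400, "last_logon": 0, "acct_expires": TIMEQ_FOREVER,
     "logon_hours": ALL_HOURS},
    {"name": "backup_op", "user_id": 1001, "priv": USER_PRIV_ADMIN, "flags": 0x201,
     "comment": "temp admin, password is Summer2005",
     "password_age": 200 * 86400, "last_logon": 1119830400, "acct_expires": TIMEQ_FOREVER,
     "logon_hours": OFFICE_HOURS},
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(r["score"], r["name"], r["priv"], r["last_logon"], r["logon_hours"])
```

The logon-hours decoder is the part worth keeping: the bitmap is always expressed in GMT, so convert your local time before deciding whether a logon attempt will be rejected for being outside the allowed window rather than for a bad password.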

UserDump gives us the same information as UserInfo, except that it "walks" the RIDs and enumerates every account on the box. The RID is the last component of an account's SID, and the built-in accounts have fixed RIDs: the Administrator is 500 even if the account has been renamed, Guest is 501, and the accounts created after installation are numbered from 1000 upward. That makes UserDump great for pulling every user on a system, and especially nice on a domain controller. The first account it pulled was the same Administrator account UserInfo showed. Next was the account IIS runs under.



Not that sexy: guest privileges. Let's move on and see what else we got.



Looks like we got one more account, and that's it. You can see from the output that this is a user account with admin privileges, and someone was nice enough to leave the password in the comment field. We can also see there are no more accounts to enumerate, at least with this tool. I happen to know there are more, so we will have to investigate that further later. With that tasty bit of info we can log in as that user and let the evil begin. But we'll leave that for another tutorial...
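Walking the RIDs as UserDump does comes down to building a SID for each RID and asking the target to resolve it. The following is an added example for this tutorial, not UserDump's own code: it encodes and decodes SIDs in the binary form the LSA calls carry, splits an account SID into domain SID and RID, and runs the walk against whatever resolver you pass in (UserDump gets its answers from LsaLookupSids over the null session; here the resolver is a constructed dictionary so the block runs offline). The stop-after-N-misses rule is an assumption, since the page does not say how UserDump decides it is finished, but it illustrates why a walker can report "no more accounts" while accounts with higher RIDs still exist, which is exactly the situation described above. DOMAIN_SID and FAKE_DIRECTORY are made up for the example.

```python
"""Build the SIDs a RID walk asks about, and encode/decode SIDs in binary form.

Added example for this tutorial, not UserDump's own code.  UserDump resolves
each SID with LsaLookupSids over the null session; here the resolver is any
callable you pass in, so the block runs offline.  DOMAIN_SID and
FAKE_DIRECTORY are constructed for the example.
"""
import itertools
import struct

# Fixed RIDs that exist whether or not the accounts have been renamed.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in; RID survives a rename)",
    501: "Guest (built-in)",
    502: "krbtgt (domain controllers only)",
    512: "Domain Admins (group)",
    513: "Domain Users (group)",
}
FIRST_USER_RID = 1000   # accounts created after installation are numbered from here up


def parse_sid(text):
    """'S-1-5-21-a-b-c-500' -> (revision, identifier_authority, [sub_authorities])."""
    parts = text.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or not 0 <= authority < (1 << 48) or len(subs) > 15
            or any(not 0 <= s < (1 << 32) for s in subs)):
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian int."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob):
    """Inverse of sid_to_bytes, with the length check any SID parser must do."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_rid(account_sid):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500): the RID is the last sub-authority."""
    _, _, subs = parse_sid(account_sid)
    if not subs:
        raise ValueError("SID has no RID")
    return account_sid.rsplit("-", 1)[0], subs[-1]


def rid_walk(domain_sid, lookup, max_gap=5, hard_stop=50000):
    """Walk RIDs 500, 501, then 1000 upward, resolving each SID with
    lookup(sid_text), which returns an account name or None.  Stops after
    max_gap consecutive unmapped RIDs (an assumed stop rule, not something the
    page states about UserDump); the cost is that an account sitting past a
    run of deleted RIDs is never reached.  Returns [(rid, name, note), ...]."""
    found, misses = [], 0
    for rid in itertools.chain((500, 501), range(FIRST_USER_RID, hard_stop)):
        name = lookup("%s-%d" % (domain_sid, rid))
        if name is None:
            if rid >= FIRST_USER_RID:
                misses += 1
                if misses >= max_gap:
                    break
            continue
        misses = 0
        found.append((rid, name, WELL_KNOWN_RIDS.get(rid, "user-created")))
    return found


# Constructed sample data: a made-up machine SID and the accounts "on" it.
DOMAIN_SID = "S-1-5-21-1085031214-1454471165-725345543"
FAKE_DIRECTORY = {
    DOMAIN_SID + "-500": "Administrator",
    DOMAIN_SID + "-501": "Guest",
    DOMAIN_SID + "-1000": "IUSR_WEB01",
    DOMAIN_SID + "-1001": "backup_op",
    DOMAIN_SID + "-1005": "hidden_svc",   # RIDs 1002-1004 were deleted accounts
}

if __name__ == "__main__":
    for gap in (3, 5):
        hits = rid_walk(DOMAIN_SID, FAKE_DIRECTORY.get, max_gap=gap)
        print("max_gap=%d:" % gap, [(rid, name) for rid, name, _ in hits])
```

With max_gap=3 the walk stops at RID 1004 and never sees hidden_svc at 1005; with max_gap=5 it does. When a tool tells you the accounts have run out, that is a statement about its gap tolerance, not about the SAM, so widen the gap or pick up the stragglers through another route before concluding the list is complete.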

Chris Gates is an American living and working in Belgium doing IT work. He has obtained his CompTIA A+, Network+ and Security+ certifications. His computer security interests are Windows security and Cisco router security. Feel free to email comments and suggestions on the tutorial to chrisgates@toughguy.net

Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget