Re: Finding out particular admin username!

From: Russ (rwsinclair@mcpmail.com)
Date: 10/15/02


From: "Russ" <rwsinclair@mcpmail.com>
Date: Tue, 15 Oct 2002 10:37:51 -0700


Anonymous access - set to 1 or 2 in the registry?

user2sid and sid2user will work for this, but need access
to those netbios ports. The first finds the long part of
the sid; in the second command you add 500 (admin account
always ends in 500) to find out the true name of the admin account.

C:\>user2sid \\yourcomputer "domain users" (or any other user or group)

S-1-5-21-3137915875-2155488123-2216609870-513

Number of subauthorities is 5
Domain is yourdomain
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup

C:\>sid2user \\yourcomputer 5 21 3137915875-2155488123-2216609870 500

Name is Weirdname
Domain is Yourdomain
Type of SID is SidTypeUser

>-----Original Message-----
>You can also get this information via SNMP if you have it enabled.
>
>"Dmitry Kulshitsky" <dimkin(remove)@mbox.com.au> wrote in message
>news:u$DNBArcCHA.508@tkmsftngp12...
>> Are you usually logged on as an administrator on that server (the logon
>> name which you tried to hide)?
>> If yes and if your netbios ports are not blocked by firewall then it is a
>> piece of cake to get this user name.
>> Try it by yourself.
>> Execute the following command:
>> nbtstat -A xxx.yyy.zzz.aaa
>> (where xxx.yyy.zzz.aaa is the IP address of your computer. The command is
>> case sensitive)
>> It will give you the domain name, the name of the currently logged on user
>> and some other information.
>>
>>
>> "SvS" <sevims@olisys.com> wrote in message
>> news:uH9xo7ocCHA.3752@tkmsftngp08...
>> > Guys, I've been maintaining a couple of Windows 2000 Advanced Servers and
>> > using terminal services to administer them. Since terminal service is wide
>> > open to internet, I decided to log the bad username/password attempts to
>> > it. One result really scared the hell out of me.. I'm using a very unique
>> > administrator username (I changed the administrator account username) and
>> > a very unique password to it.
>> > I was going thru the logs today and noticed that somebody from outer
>> > internet knew my admin username!!!!.. From the logs I can only see the
>> > usernames and the IP addresses of the user connecting from. I can't see what
>> > password he tried, but he definitely knew my admin username which he MUST
>> > have extracted from somewhere.. There is absolutely no way, I mean NO WAY he
>> > could guess it...
>> > Now, I'm curious if there is a bug in my server. All the security patches
>> > everything is up to date. But I guess this is not enough. Anybody have an
>> > idea how this might be happening?
>> > Thank you in advance,
>> >
>> > PS : Servers have netbios ports opened but no anonymous access is
>> > allowed. Shared to everyone however.
>> >
>> >
>> >
>> >
>>
>>
>
>
>.
>
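
Added example, not part of the original posts: a short Python sketch of the SID arithmetic behind Russ's reply, showing why the user2sid output reports 5 subauthorities and 28 bytes, and how an account audit can flag the built-in administrator by its trailing 500 whatever it has been renamed to. The function names and the account list are constructed for illustration; the SID values are the ones shown in the post.

```python
import struct

# SID printed by user2sid in the post ("domain users", RID 513).
GROUP_SID = "S-1-5-21-3137915875-2155488123-2216609870-513"

def parse_sid(text):
    """Split 'S-1-5-21-...-513' into (revision, authority, [subauthorities])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("bad subauthority list in %r" % text)
    return revision, authority, subs

def pack_sid(revision, authority, subs):
    """In-memory layout: 1-byte revision, 1-byte subauthority count,
    6-byte big-endian authority, then a little-endian uint32 per subauthority."""
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def with_rid(text, rid):
    """Keep the domain part of a SID and replace only the last value (the RID)."""
    revision, authority, subs = parse_sid(text)
    tail = "-".join(str(s) for s in subs[:-1] + [rid])
    return "S-%d-%d-%s" % (revision, authority, tail)

def is_builtin_admin(text):
    """True for S-1-5-21-<three domain values>-500, regardless of account name."""
    revision, authority, subs = parse_sid(text)
    return ((revision, authority) == (1, 5) and len(subs) == 5
            and subs[0] == 21 and subs[-1] == 500)

def find_builtin_admin(accounts):
    """Return the names in a (name, sid) list that carry the admin RID."""
    return [name for name, sid in accounts if is_builtin_admin(sid)]

# Constructed account list for the audit check; names follow the post's output.
ACCOUNTS = [
    ("Domain Users", GROUP_SID),
    ("Weirdname", with_rid(GROUP_SID, 500)),
    ("Guest", with_rid(GROUP_SID, 501)),
]

if __name__ == "__main__":
    rev, auth, subs = parse_sid(GROUP_SID)
    print("subauthorities:", len(subs))
    print("bytes in memory:", len(pack_sid(rev, auth, subs)))
    print("renamed built-in admin:", find_builtin_admin(ACCOUNTS))
```

The 28 bytes are the 8-byte header plus 5 x 4 bytes of subauthorities, and the rename changes only the name mapped to the -500 SID, not the SID itself.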