The Hack FAQ

12.0 NT Accounts

The following section deals with Accounts on NT systems.

12.1 What are common accounts and passwords in NT?

There are two accounts that come with NT out of the box -- administrator and guest. In a network environment, I have run into local administrator access unpassworded, since the Sys Admin thought that global accounts ruled over local ones. Therefore it is possible to gain initial access to an NT box by using its local administrator account with no password.

Guest is another common unpassworded account, although recent shipments of NT disable the account by default. While it is possible that some companies will delete the guest account, some applications require it. If Microsoft Internet Studio needs to access data on another system, it will use guest for that remote access.

NetFRAME Systems Engineers use "aaa" as the default password for new installs.

12.2 What if the Sys Admin has renamed the Administrator account?

It is possible that a Sys Admin will create a new account, give that account the same access as the god account, and then remove part of the access to the former god account. The idea here is that if you don't know the real god account name, you can't get in with god priviledges.

As one might expect, this could break certain programs or functions. For example, what makes root the Unix god is the fact that the UID (User ID number) and GID (Group ID number) are both zero. Any other account set this way is god, and more than one can exist on a single system. But some programs and scripts may not look to see if the user running them is UID zero, they might possibly look to see if the user's name is root. Since often Sys Admins have a stack of stuff to do anyway, monkeying around with the root account is usually not done. If you can gain access to even a limited access account like a guest account, a simple grep "0:0" /etc/passwd should let you see whose god equiv or not.

With NT typing "NBTSTAT -A targetipaddress" will give you the new Administrator account, assuming the god account is logged in. A bit of social engineering could get them to log in as well. Nbtstat will also give you other useful information such as services running, the NT domain name, the nodename, and the ethernet hardware address.

Also see section From The Network which discusses a bug that allows you to get the new Administrator account name.

Renaming or assigning the same rights to a different user name than Admin is more common with Netware than with NT, and I know of NO program that checks to see what the user name is (at least on NT). The paradigm is to check if the rights allow the action, not to see who is really running it.

12.3 How can I figure out valid account names for NT?

If you are at a server and it is a domain controller (or you have simply hooked one up), try these steps to get a list of accounts on the target machine:

  1. From the USER MANAGER, create a trusting relationship with the target.
  2. Enter whatever when asked for a password. Don't fret when it doesn't work. The target is now on your trusting list.
  3. Launch NT Explorer and right click on any folder.
  4. Select SHARING.
  5. From the SHARED window, select ADD.
  6. From the ADD menu, select your target NT server.
  7. You will now see the entire group listing of the target.
  8. Select SHOW USERS and you will see the entire user listing, including full names and descriptions.

This gives you a list of user accounts to target for individual attack. By studying the group memberships, you can even make decisions about who will have more privileges than others.

12.4 What can null sessions to an NT machine tell me?

By establishing a null session from your NT attacking machine to the target server, there are a few different things you can do to get account info:

net use \\server_name\ipc$""/user:""

if you see "The command completed successfully" then you are connected. Using local.exe and global.exe from the NT Resource Kit shold get you some usefull info. Here are two examples.

Get the local administrators on the target:

local anmistrators \\server_name

Get the members of the group Domain Admins:

global "domain admins" \\server_name

For even more information, run DumpACL and go for the user and group reports. This should give you every account on the box, plus a host of other useful info, such as who logged in last, if a password is required, who is in what group, etc. From this you can target specific accounts to attempt access.

To find the role of the machine, domain names, and dc names try using netdom.exe. To find the last logon time try usrstat.exe. Both are in the resource kit.

For some info on shares try net view.

Also, netcat works on multiple platforms and it can be used to forward nt-specific attacks if a direct connection to the target does not exist

Finally, if a password is shorter than seven characters, then lanman-hash(a modified samba client whose source code can be found from the ntbugtraq website) could be used as a password equivalent.

Top | Next: NT Passwords | Previous: NT Basics | Table of Contents