Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PLUGIN HELP [nes #BFP-98828-930]

from [John Scherff] Network Security [Permanent Link]
Subject: RE: PLUGIN HELP [nes #BFP-98828-930]
Date: Thu, 10 May 2007 17:46:15 -0700 
Okay, George, I figured it out.
 
The SIDs for Local built-in groups do not contain a host or domain SID
component.  They are "well-known" SIDs.  For example, the SID for a user
account with a RID of 1007 may look something like
S-1-5-21-1277933745-1127690641-2306662984-1007 (with everything between
21 and 1007 belonging to the host or domain SID), while the SID for the
built-in group Backup Operators (RID 551) will always be S-1-5-32-551 on
every host.
 
Obviously, joining the host SID to the group RID and then looking it up
with LsaLookupSid will not work for local built-in groups.
 
Instead, we need to convert this directly to a raw byte string (see
http://support.microsoft.com/kb/243330 and
http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx):
 
  The revision (1): 01
  The number of dashes (4) minus two (2): 02
  Six-byte big-endian hex value for 5: 000000000005
  Four-byte little-endian hex value for 32: 20000000
  Four-byte little-endian hex value for the RID: 27020000
 
Which becomes:
 
  01020000000000052000000027020000
 
Calling my getObjectName on this value does, indeed, produce "Backup
Operators."
 
The range of well-known RIDS for built-in local groups is 544 through
561, so modifying my getObjectSid function as follows produces a correct
raw object SID value regardless of the object type:
 
  function getObjectSid ( hostSid, objRid ) {
    local_var objSid;
    if( objRid >= 544 && objRid <= 561 ) {
      objSid = raw_string(0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05 ) +
        raw_dword( 32 ) + raw_dword( objRid );
    } else {
      hostSid = hex2raw2( s: hostSid );
      objSid = hostSid[0] + raw_byte( b: ord( hostSid[1] ) +1 ) +
        substr( hostSid, 2, strlen( hostSid ) -1 ) + raw_dword( d:
objRid );
    }
    return objSid;
  }
 
Passing this to my getObjectName function produces the correct object
name - again, regardless of object type:
 
  function getObjectName ( lsaHandle, objSid ) {
    local_var objSids, objNames, objInfo;
    objSids = NULL; objSids[0] = objSid;
    objNames = LsaLookupSid( handle: lsaHandle, sid_array: objSids );
    if( !isnull( objNames ) ) objInfo = parse_lsalookupsid( data:
objNames[0] );
    return objInfo[2];
  }
 
Thanks again for the tips, George.
 
Regards,
 
John Scherff
Sr. IT Security Engineer
24 Hour Fitness
  

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: RE: PLUGIN HELP [nes #BFP-98828-930], John Scherff
Next by Date:  RE: Nessus :: Port scanners - tcp connect() & SYN scan MISSING, Asterisks *
Previous by Thread:  Nessus and Nikto, Holstein, Robert - BLS CTR
Next by Thread:  RE: RE: PLUGIN HELP [nes #BFP-98828-930], John Scherff
Indexes:  [Date] [Thread] [Top] [All Lists]