
8. NT Accounts

The following section deals with accounts on NT systems.

8.1 What are common accounts and passwords in NT?

There are two accounts that come with NT out of the box -- Administrator and Guest. In a network environment, I have run into local Administrator access unpassworded, since the Sys Admin thought that global accounts ruled over local ones. Therefore it is possible to gain initial access to an NT box by using its local Administrator account with no password.

Guest is another commonly unpassworded account, although recent shipments of NT disable it by default. While it is possible that some companies will delete the Guest account, some applications require it. If Microsoft Internet Studio needs to access data on another system, it will use Guest for that remote access.

8.2 What if the Sys Admin has renamed the Administrator account?

It is possible that a Sys Admin will create a new account, give that account the same access as the god account, and then remove part of the access from the former god account. The idea here is that if you don't know the real god account name, you can't get in with god privileges.

As one might expect, this could break certain programs or functions. For example, what makes root the Unix god is the fact that the UID (User ID number) and GID (Group ID number) are both zero. Any other account set this way is god, and more than one can exist on a single system. But some programs and scripts may not check whether the user running them is UID zero; they may instead check whether the user's name is root. Since Sys Admins often have a stack of other things to do anyway, monkeying around with the root account is usually not done. If you can gain access to even a limited account like a guest account, a simple grep "0:0" /etc/passwd should let you see who is god-equivalent and who is not.
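The UID-zero check above, as an added example that is not part of the original FAQ, written for auditing your own hosts: it parses the passwd fields instead of matching the "0:0" substring, which avoids a false hit on an account with uid 10 and gid 0 and a miss on an account with uid 0 and gid 1. The passwd lines are constructed sample data.

```python
# Added example (not from the FAQ): audit /etc/passwd for UID-0 accounts.
# The section above suggests grep "0:0" /etc/passwd; parsing the numeric
# fields instead gives an exact answer, shown side by side with the grep.

# Constructed sample /etc/passwd content, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:1:backup operator:/var/backups:/bin/sh
ops:x:10:0:ops helper:/home/ops:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
www:x:1000:0:web server:/var/www:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Yield (name, uid, gid) for each well-formed passwd line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry: skip rather than guess
        name, _, uid, gid = fields[:4]
        try:
            yield name, int(uid), int(gid)
        except ValueError:
            continue  # NIS "+" entries or non-numeric fields


def uid_zero_accounts(text):
    """Return the names of all accounts whose UID is 0, root included."""
    return [name for name, uid, _gid in parse_passwd(text) if uid == 0]


def extra_superusers(text):
    """Return UID-0 accounts other than root, the ones an auditor should flag."""
    return [name for name in uid_zero_accounts(text) if name != "root"]


def naive_grep_hits(text):
    """Names the FAQ's grep "0:0" substring test would report, for comparison."""
    return [line.split(":")[0] for line in text.splitlines() if "0:0" in line]


if __name__ == "__main__":
    print("UID 0 accounts:", uid_zero_accounts(SAMPLE_PASSWD))
    print("extra superusers:", extra_superusers(SAMPLE_PASSWD))
    print('grep "0:0" would report:', naive_grep_hits(SAMPLE_PASSWD))
```

On the sample data the grep reports ops and www (gid 0 but not uid 0) and misses backup (uid 0, gid 1); the field parser flags exactly backup and toor.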

On NT, typing "NBTSTAT -A targetipaddress" will give you the new Administrator account name, assuming the god account is logged in. A bit of social engineering could get them to log in as well. Nbtstat will also give you other useful information such as the services running, the NT domain name, the node name, and the Ethernet hardware address.

Also see the section From The Network, which discusses a bug that allows you to get the new Administrator account name.

Renaming Admin, or assigning the same rights to a different user name, is more common with NetWare than with NT, and I know of NO program that checks to see what the user name is (at least on NT). The paradigm is to check whether the rights allow the action, not to see who is really running it.

8.3 How can I figure out valid account names for NT?

If you are at a server and it is a domain controller (or you have simply hooked one up), try these steps to get a list of accounts on the target machine:

  1. From the USER MANAGER, create a trusting relationship with the target.
  2. Enter whatever when asked for a password. Don't fret when it doesn't work. The target is now on your trusting list.
  3. Launch NT Explorer and right click on any folder.
  4. Select SHARING.
  5. From the SHARED window, select ADD.
  6. From the ADD menu, select your target NT server.
  7. You will now see the entire group listing of the target.
  8. Select SHOW USERS and you will see the entire user listing, including full names and descriptions.

This gives you a list of user accounts to target for individual attack. By studying the group memberships, you can even make decisions about who will have more privileges than others.
