Subject: Re: Change SID: it`s posible?
From: Ryan Permeh (ryanEEYE.COM)
Date: Wed Oct 11 2000 - 16:22:12 CDT


in reference to changing a user's (or group for that matter) sid.

this is generally not a really good idea, especially in the context of a
domain. Sids have the property that they are globally unique and that they
should never be reused after an account is deleted.
WHY:
    a SID (Security Identifier) is globally unique. A SID is globally unique
to allow them to uniquely reference a specific user, group, or computer
regardless of the current context in a domain, interrelated domain, or
local authority scenario.
    a SID is a long string of basically numbers, represented like this:
        S-1-5-21-1234567890-0987654321-1029384756-500
        basically, this can be broken up into some useful information (s
and - are added to make it easier to read):
        1 - Sid Revision (in this case rev 1)
        5 - Identifier Authority (in this case SECURITY_NT_AUTHORITY)
        21 - Sid identifier (in this case, 21 means non unique, requires a
trailing RID to identify this SID Globally)
        1234567890 - These three numbers are Identifier Authority SIDS. You
can have up to 3 of these
        1987654321 -
        1029384756 -
        580 - RID Relative Identifier - This is the part of a SID that is
unique within a system (local or domain)

    a RID (relative identifier) is non unique, and represents a known offset
from a SID. Rids are what are often used to reference users. It is
basically just the last chunk of a SID, and loses meaning without reference
to a SID. there are well known RIDS like administrator (500) or guest (501).
These will be on every nt system (local or domain), and always are in
reference to a SID.
    There could be serious security concerns on reusing RID's, or changing
them. There can be lots of DACLs on domain resources that linger even
after an account is deleted. This is why NT never reuses a SID/RID once it
has used it.

EXAMPLE:
Joe is SID S-1-5-21-1234567890-0987654321-1029384756-580 (RID 580 for this
discussion).
Network Printer \\PRINT\hp1 allows only RID 580 print and admin access, all
other sids can only print.
joe quits.
Jane joins the company. her RID is 581. This is due to nt incrementing
sids and never reusing them.
if SIDs were reused, Jane may have gotten RID 580, giving her access that
may or may not have been revoked for joe.

How to do it if you really, really need to:
Now, to change a SID, you need to be administrator (or system), and have
direct write access to the SAM. There are few places where this should be
necessary, so there are no known tools to directly deal with this scenario,
but i believe winnt.h has all the structures for dealing with this if it is
necessary.

Signed,
Ryan
eEye Digital Security Team
http://www.eeye.com/

----- Original Message -----
From: "Free, Bob" <RWF4PGE.COM>
To: <FOCUS-MSSECURITYFOCUS.COM>
Sent: Wednesday, October 11, 2000 9:43 AM
Subject: Re: Change SID: it`s posible?

> Yea...but....The original question was about the USER's SID not the
> MACHINE's
>
> > May somebody tell me about possibility of change users SID?
>
> -----Original Message-----
> From: Conor Crowley [mailto:ConorCONORCROWLEY.COM]
> Sent: Tuesday, October 10, 2000 5:03 PM
> To: FOCUS-MSSECURITYFOCUS.COM
> Subject: Re: [FOCUS-MS] Change SID: it`s posible?
>
>
> Use ghost walker.
>
> "Easy, intelligent alteration of the Machine Name in the operating systems
> registries and file systems of Windows 9x and Windows NT installations.
> The update of the Machine Security Identifier (SID) in the operating system
> registry and file systems of Windows NT installations so that the cloned
> workstation becomes unique again."
>
> To obtain the latest version of Norton Ghost Walker, download GW20B5.
> http://www.symantec.com/techsupp/files/ghost/ghost.html
>
> ----- Original Message -----
> From: "Alexej V. Goncharov" <axelMIEE.RU>
> To: <FOCUS-MSSECURITYFOCUS.COM>
> Sent: Tuesday, October 10, 2000 12:03 AM
> Subject: Change SID: it`s posible?
>
>
> > Hi all,
> > May somebody tell me about possibility of change users SID?
> > I have Domain Admin rights, physical access to PDC, everything...
> > May be exist some utilities allow make this change? It is very
> > interesting...
> >
> > Thanks and regards.
> > [ And sorry my ugly english ].
> >
> > Alex V. Goncharov. [ axelmiee.ru ]
> >
>
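An added example, not part of the original thread or of any eEye code: a small Python parser for the SID string format Ryan's message breaks down, extended to the binary layout of the SID structure in winnt.h, plus a check for ACL entries left behind by a deleted account as in the Joe/Jane printer scenario. Field names follow winnt.h; the function names, the ACL representation and the sample values are assumptions constructed for illustration.

```python
import struct
from collections import namedtuple

Sid = namedtuple("Sid", "revision authority sub_authorities")  # names as in winnt.h

def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>...-<RID>' into its numeric fields."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    rev, auth, *subs = (int(p) for p in parts[1:])
    if rev != 1 or len(subs) > 15 or auth >= 1 << 48 or max(subs) > 0xFFFFFFFF:
        raise ValueError(f"field out of range: {text!r}")
    return Sid(rev, auth, tuple(subs))

def rid(sid):
    return sid.sub_authorities[-1]  # the RID is the last sub-authority

def domain_of(sid):
    """Everything before the RID: identifies the issuing machine or domain."""
    return sid._replace(sub_authorities=sid.sub_authorities[:-1])

def to_bytes(sid):
    """Binary form: revision, sub-authority count, 48-bit big-endian
    authority, then each sub-authority as a little-endian 32-bit value."""
    n = len(sid.sub_authorities)
    return (struct.pack("BB", sid.revision, n) + sid.authority.to_bytes(6, "big")
            + struct.pack(f"<{n}I", *sid.sub_authorities))

def from_bytes(raw):
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    subs = struct.unpack_from(f"<{raw[1]}I", raw, 8)
    return Sid(raw[0], int.from_bytes(raw[2:8], "big"), subs)

def orphaned_aces(acl, live_sids):
    """ACL entries that name a SID with no live account behind it."""
    return [(sid, rights) for sid, rights in acl if sid not in live_sids]

# Constructed sample data modelled on the Joe/Jane example in the post.
DOMAIN = "S-1-5-21-1234567890-0987654321-1029384756"
JOE = parse_sid(DOMAIN + "-580")
JANE = parse_sid(DOMAIN + "-581")            # next RID, never a reused one
JANE_IF_REUSED = parse_sid(DOMAIN + "-580")  # hypothetical: RID 580 reissued
PRINTER_ACL = [(JOE, "print+admin")]         # entry left behind when Joe quits

if __name__ == "__main__":
    print(JOE, to_bytes(JOE).hex())
    print("stale entries:", orphaned_aces(PRINTER_ACL, {JANE}))
```

With RID 581 the printer entry shows up as orphaned and can be cleaned up; with a reissued RID 580 the same entry would silently match the new account.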



 

Portions of this site are copyright © 1998-2000, Neohapsis, Inc. Questions, comments or feedback, send E-mail to webmasterneohapsis.com