#
# This script was written by Renaud Deraison
#
# See the Nessus Scripts License for details
#

# Plugin registration block. When the scanner loads the script with
# `description` set, only the metadata below is evaluated and the script
# exits before any network activity happens.
if(description)
{
    script_id(10859);
    script_version ("$Revision$");
    script_bugtraq_id(959);
    script_cve_id("CVE-2000-1200");
    name["english"] = "SMB get host SID";
    name["francais"] = "Obtentention du SID de la machine par SMB";
    script_name(english:name["english"], francais:name["francais"]);
    desc["english"] = " This script emulates the call to LsaQueryInformationPolicy() to obtain the domain (or host) SID (Security Identifier). The domain/host SID can then be used to get the list of users of the domain or the list of local users Risk factor : Low";
    desc["francais"] = " Ce script émule la fonction LsaQueryInformationPolicy() afin d'obtenir le SID du domaine ou de la machine Le SID peut ensuite etre utilisé pour récuperer la liste des utilisateurs du domaine ou les utilisateurs locaux. Facteur de risque : faible";
    script_description(english:desc["english"], francais:desc["francais"]);
    summary["english"] = "Gets the domain SID";
    summary["francais"] = "Obtention du SID du domaine";
    script_summary(english:summary["english"], francais:summary["francais"]);
    # ACT_GATHER_INFO: information-gathering only, no exploitation attempt.
    script_category(ACT_GATHER_INFO);
    script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison");
    family["english"] = "Windows";
    script_family(english:family["english"]);
    # smb_dom2sid.nasl is a dependency because the main body below reads
    # the SMB/domain_sid key it is expected to have populated.
    script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_dom2sid.nasl");
    # The SMB credentials (possibly empty) and transport come from the KB,
    # filled in by smb_login.nasl / netbios_name_get.nasl.
    script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password");
    script_require_ports(139, 445);
    exit(0);
}

include("smb_nt.inc");

# SMB transport port recorded by earlier plugins; fall back to the
# NetBIOS session port when none is recorded.
port = kb_smb_transport();
if(!port)port = 139;

#-------------------------------------------------------------#
# return a 28 + strlen(data) + (odd(data)?0:1) long string    #
#-------------------------------------------------------------#
function lsa_unicode(data)
{
    len = strlen(data);
    ret = raw_string(ord(data[0]));
    for(i=1;i<
# NOTE(review): this copy of the script is truncated at this point. The rest
# of lsa_unicode(), and the code that performs the LSA request and sets
# host_sid / host_sid_hex, is missing; the fragment that follows is the tail
# of the main body (presumably `if(!host_sid) exit(0);` — confirm against the
# complete source).
 host_sid) exit(0);

# Report the disclosed host SID. The finding is rated Low: the SID by itself
# grants no access, but the text below records that it can be used to
# enumerate local users, and the stated mitigation is to filter the
# NetBIOS/SMB ports (137-139, 445) from untrusted networks.
str = string("The host Security Identifier (SID) can be obtained remotely. 
Its value is :\n\n", host_sid, "\n\n",
             "An attacker can use it to obtain the list of the local users of this host\n",
             "Solution : filter the ports 137-139 and 445\n",
             "Risk factor : Low\n");
security_warning(data:str, port:port);

# If the host SID is identical to the domain SID already stored by
# smb_dom2sid.nasl, nothing new was learned, so the KB keys are not
# duplicated. NOTE(review): presumably this is the domain-controller case
# (host SID == domain SID) — confirm.
domain_sid = string(get_kb_item("SMB/domain_sid"));
if((domain_sid == host_sid))exit(0);

# Publish both the textual and the raw (hex) SID for other plugins to use.
set_kb_item(name:"SMB/host_sid", value:host_sid);
set_kb_item(name:"SMB/host_sid_hex", value:host_sid_hex);