GETUSERINFO

GetUserInfo is one of the "joeware" utilities created by Joe Richards (http://www.joeware.net/). The joeware collection includes several utilities that fit a resource kit for administrators who really need to get into the Windows chassis.

Implementation

Although the output looks almost identical to that of the net user command, there are some subtle but important differences. The lines in boldface represent items that net user does not include:

 C:\>GetUserInfo.exe administrator
 GetUserInfo V02.07.00cpp Joe Richards (joe@joeware.net) September 2003
 user information for [Local]\administrator
 User Name                  Administrator
 Full Name
 Description                Built-in account for administering the
                            computer/domain
 User's Comment
 User Type                  Admin
 Enhanced Authority
 Account Type               Global
 Workstations
 Home Directory
 User Profile
 Logon Script
 Flags                      NO_PWD_EXPIRE
 Account Expires            Never
 Password age in days       249
 Password last set          7/6/2001 3:22 PM
 Bad PWD count
 Num logons (this machine)  3701
 Last logon                 8/22/2005 8:10 PM
 Logon hours                All
 Global group memberships   *None
 Local group memberships    *Administrators
 Completed.

From the password information (age, bad password count, number of logons), you can deduce several things about the account. Bad passwords might be an indicator of a brute-force attack, or, if you're running the brute-force attack, you can see how close you are to the lockout threshold. The password age might be an indicator of old, unchanged passwords, especially for accounts that have never been used. The number of logons might be an indicator of how trafficked the system is in relation to the account. A high number of logons might mean that users often use the system, whereas a low number of logons might indicate a system that is not monitored as closely. Of course, if the number of logons is greater than zero for a disabled account (for example, guest), you know something suspicious is happening on the network.
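The checks described above can be run over saved GetUserInfo output. The following is an added example, not code from the book or from joeware: it reads the field labels shown in the listing above, and the thresholds, function names, and caller-supplied list of disabled accounts are assumptions.

```python
import re

# Thresholds are assumptions for this example; set them from local policy.
MAX_PASSWORD_AGE_DAYS = 90
BAD_PWD_ALERT = 3

def parse_getuserinfo(text):
    """Turn 'Label   value' lines into a dict; labels with no value map to ''."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Labels contain single spaces, so split on the first run of 2+ spaces.
        m = re.match(r"^(.+?)\s{2,}(.*)$", line)
        label, value = (m.group(1), m.group(2)) if m else (line, "")
        fields[label] = value
    return fields

def _to_int(value):
    return int(value) if value.isdigit() else None

def triage(fields, known_disabled=()):
    """Apply the password-age, bad-password and logon-count checks."""
    findings = []
    user = fields.get("User Name", "")
    age = _to_int(fields.get("Password age in days", ""))
    bad = _to_int(fields.get("Bad PWD count", ""))
    logons = _to_int(fields.get("Num logons (this machine)", ""))
    if age is not None and age > MAX_PASSWORD_AGE_DAYS:
        findings.append("stale-password")
        if logons == 0:
            findings.append("never-used")
    if bad is not None and bad >= BAD_PWD_ALERT:
        findings.append("possible-brute-force")
    # known_disabled comes from the caller (assumption), not from the output.
    if logons and user.lower() in {u.lower() for u in known_disabled}:
        findings.append("logons-on-disabled-account")
    return findings

# Constructed sample in the layout shown above; values are made up.
SAMPLE = """\
User Name                  Guest
Password age in days       249
Bad PWD count              7
Num logons (this machine)  12
"""

if __name__ == "__main__":
    print(triage(parse_getuserinfo(SAMPLE), known_disabled=["guest"]))
```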

Every user on the system can be enumerated with the dot (.) character, but there's a catch! You must also include a backslash to represent the delimiter between domain and user name. Check out the correct syntax:

 C:\>GetUserInfo.exe \.
 GetUserInfo V02.07.00cpp Joe Richards (joe@joeware.net) September 2003
 User Accounts for [Local]
 --------------------------------------------------------------------
 Administrator            Orc                      skycladgirl
 test                     __vmware_user__

At this point, you can iterate through each user to collect specific account information.

Command-line tools are good, and command-line tools that work against remote systems are great. GetUserInfo can pull a user's information from a specific domain or server:

 C:\>GetUserInfo.exe \192.168.0.43\.
 C:\>GetUserInfo.exe domain\192.168.0.43\.

Replace the "." with a username to collect specific information.

Tip 

On networks with many Windows domains, target the Local user accounts first. An administrator may erroneously believe that a strong domain administrator password supersedes a poor or nonexistent password for the local administrator account.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2006
Pages: 175
