Download Page | 1

Page | 1
1. Introduction
Despite the widespread availability of many kinds of technology, in particular
information technology and methods of transmitting information and data
between local and global networks, there are some security gaps that can cause
serious problems. This is a fact that can not be denied. For instance, according to
Olzak (2007) NetBIOS (Network Basic Input Output System) is almost certainly a
major problem for all Windows computers, especially when it is not secured
properly. It is surprisingly easy to connect to a personal computer (PC) that is on
the internet via its NetBIOS shares.
Some network and security professionals use a penetration test process for a
variety of administrative functions, such as security auditing, verifying firewall
filter operations, and discovering unauthorized device applications, as well as
details about services on target machines (Franland, 2009). Without a doubt,
today’s attackers are experienced and able to detect these gaps. They may then
try to exploit vulnerabilities they discover and attack networks for illegal
purposes.
This assignment will explore the concept of NetBIOS and how NetBIOS can be
used as part of a penetration test in order to enumerate a domain and host.
Moreover, the vulnerabilities which are related to NetBIOS are discussed, as well
as how they can be exploited. In addition, countermeasures that should be taken
in order to mitigate these vulnerabilities are explored and analyzed with
examples, using numerous free tools free available on the Internet, open sources
and commercial products such as Nmap, Wirshark, GetAcc.
Page | 2
2. Penetration Test Process
According to Long et al. (2006), a penetration test involves limitations, and these
limitations rely on the breadth and scope of the tester testing. For example, the
tester may have a specific number or type of host or private network. Any
penetration tester should follow the process in order to make sure that:
-
The target host which has been tested is approved.
-
They obtain as much information as possible about the target in order to
avoid increasing the attack.
-
They determine the services which have been provided by the target host.
-
They classify the tester target systems according to the function and
resource offering.
3. What is NetBIOS and how does it function?
According to Mencik (2002), NetBIOS is a software protocol for providing
computer communication services on local networks. NetBIOS is primarily used
for file and printer sharing within Microsoft Windows networks. NetBIOS
provides an Application Program Interface (API) for software developers to use
Mitchell (2010). This NetBIOS API includes network-related functions and
commands which can be incorporated into software programs. For example, a
programmer can use a prewritten NetBIOS function to enable a software
program to access other devices on a network. This is much easier than writing
the networking code from scratch. Tech Terms.com (2010) point out that
NetBIOS relies on a message format called Server Message Block (SMB).
NetBIOS presents three services, as follows:
1) Name service for name registration and resolution:
In this service the port used is port 137 via the User Datagram Protocol
(UDP). Moreover, when registering a new NetBIOS name a computer
Page | 3
should ask all computers on the network in order to find out whether
there is any other computer with the same name, and then wait for a
reply. If no answer is received, this means the name is not in use. NetBIOS
name resolution is a process by the NetBIOS name is placed into the IPv4
address.
3) Datagram distribution service for connectionless communication:
In this service the port used is port 138 via the UDP (User Datagram
Protocol). In this method any computer can communicate with many
computers at the same time without creating a session. Consequently,
there is no error detection or correction in this method. For this reason it is
called connectionless communication (Clarke, 2009).
2) Session service for connection-oriented communication:
In this service the port used is 139 via the TCP (Transport Layer Protocol).
NetBIOS is responsible for launching a session with the target computer
(one to one connection), and mentoring the transmission process in order
to check errors, and thereafter recovering from these errors. For this
reason it is called connection oriented communication (Clarke, 2009).
Fig. 1: The architecture of NetBT components in the TCP/IP protocol suite (Source:
Technet, 2010).
Page | 4
. Vulnerabilities associated with NetBIOS and methods of
exploiting them
There are many vulnerabilities associated with NetBIOS services that can be
exploited by attackers if ports 137, 138 and 139 are vulnerable, whether from the
Internet or an untrusted network. They include the following:
1- NetBIOS Name Service over port 137
NetBIOS spoofing Man in the Middle (MITM) connection: this means
that the MITM is a third host and performs spooning with an illegitimate
method on a communication channel between two computers.
Exploitation:
The host (victim) sends their information to the hacker rather than the
server through the connection, thinking it is the server. Consequently, the
attacker can steal important information such as password, addresses and
other sensitive data (McClure, 2009).
2- NetBIOS session over port 139
Unauthenticated enumeration over Null session: this means that the
attacker can establish a connection to a remote host by using an
anonymous username and null password.
Exploitation:
The attacker can enumerate system details, such as host name, users,
security policy, shared folders and domain information. In addition, brute
force user password attacks (McNab, 2008).
3- RPC DCOM Buffer overrun vulnerability in windows (SecurityFocus,
2008). This vulnerability can be exploited remotely a Windows Distributed
Component Object Model Remote Procedure Call interface (DCOM RPC)
that listens on TCP/IP port 135
Page | 5
Exploitation:
The attacker sends a specially crafted request to an RPC configured port. It
exploits the lack of bounds checking of client DCOM object activation
requests, and attaches a shell. Exploitation of this vulnerability can cause
running of malicious commands on an affected system with local system
privileges; consequently, the attacker would have full access and could do
any action on the system (SecurityFocus, 2008).
Remote procedure Call (RPC) "is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to seamlessly
execute code on a remote system" (MicrosoftTech, 2010).
DCOM services are small reusable objects that applications use in
order to perform a specific task. Microsoft created this service in order to
allow the client objects on a network to request services from server
objects. According to CVE (2010) there are many vulnerabilities, as shown
in the appendix. A
5. Enumeration a Domain, a Host through NetBIOS
According to Scambray and McClure (2001), there are numerous methods that
can be used to gain information from Windows, and this process it is calling
enumeration. Enumeration involves active connections to systems as well as
directed queries. However, there are some exceptions that might include passive
enumeration, such as "IP stack profiling or promiscuous-mode sniffing"
(Scambray and McClure, 2001).
Page | 6
5.1 Practical example
In this example my local area network, consisting of two machines, was used:
one of them the client (192.168.198.1) and the other the target (192.168.198.3),
which represents VMware (Windows 2000 Advanced Server). All machines work
under A Windows platform.
Tools: Nmap program, Angry IP Scanner program and Nbtscan.
Fig. 1 (Source: IP Scanner)
In order to specify the hosts that are available on the local network, an IP Scanner
was used (a free tool). As can be seen in fig. 1, there are two hosts on LAN:
akramalmosli-PC and WIN2K-AVSR-1. The target host tested is WIN2K-AVSR-1.
Syntax: Ping 192.168.198.3
Fig. 2 (using ping command)
Page | 7
By using the ping command prompt in fig. 3 it can be seen that the target
machine is a live host. Ping is a truly efficient way to identify live hosts.
Scambray and McClure (2001) state that almost all Internet connected networks
block the ping command at the present time. Consequently, a failure to receive a
ping reply from a system usually means that an intervening firewall or router is
blocking ICMP, and it may have no bearing on whether the host actually exists or
not. In order to specify whether a host is live or it is running any services, port
scanning is used.
Syntax: Nmap –sS –p 135-139 192.168.227.128
Fig. 3 (Source: Nmap)
As seen in fig. 3 and fig.4, by using Nmap and wireshark to conduct a SYN
Stealth scan the output of the scanning shows that the ports 135 and 139 are
open. This means that the file sharing service and RPC are running on the host.
Consequently, this may provide an opportunity for exploitation by attackers.
Page | 8
Fig. 3 (Source: Wireshark)
Syntax: nbtscan 192.168.198.3
Fig. 5 (Source: Command prompt)
In order to enumerate the domain through NetBIOS an nbtscan tool is used
which can be executed via command prompt. This calls up the NetBIOS Name
Table from a remote system. The Name Table contains valuable information such
as name, type and service. Fig. 5 shows that the service <00> refers to the
hostname, which is "WIN2K-ASVR-1", <00> group refers to the domain, which is
"TEACHING", <03> refers to the administrator, and <20> refers to the file share
on the host (target) enabled (McNab, 2008).
Page | 9
5.2 Practical example A
This example will explain and discuss one of the vulnerabilities associated with
NetBIOS, a Null session, which depends on an anonymous user name and null
password.
The attacker makes sure that port 139 is open in order to connect to the target
host using this syntax:
net use \\192.168.198.3\ ipc$ "" /u:""
Fig. A.1 (Source: command prompt)
It can be seen in fig. A.1 that the attack on the target machines has been
successful.
Syntax: net view \\ 192.168.198.3
Fig. A.2 (Source: command prompt)
It can be shown in fig. A.2 that in order to explore the share resources on the
target host the attacker uses a net view command.
Page | 10
Syntax: winfo 192.168.198.3 –n -v
This command explores a lot of information, such as users, domain, password
security policy and much more. Further details can be found in appendix A.
There is a free tool called GetAcct which can enumerate the same information
through a Windows interface, as shown in fig. A.3.
Fig. A.3 (Source: GetAcct tool)
According to the information taken from the target host, the attacker uses certain
password cracking tools such as SMBCrack to get user passwords through the
NetBIOS session service. They are available from the following site:
http://www.netxeyes.org/SMBCrack.exe. The tools used depend on the
password databases which are available.
Page | 11
Syntax: SMBcrack 192.168.198.3 administrator 1.txt
Fig. A.4 (Source: command prompt)
After obtaining the password, as shown in fig. A.4, fig. A.5, fig. A.6, fig. A.7 and
fig. A.8, the attacker tries to establish a connection to the target host through a
terminal services client tool in order to remote desktop a target machine.
Consequently, the attacker gets full access.
Fig. A.5 (Source: Terminal services client tools)
Page | 12
Fig. A.6 (Source: Terminal services client tools)
Fig. A.7 (Source: Terminal services client tools)
Page | 13
Fig. A.8 (Source: 192.168.198.3 Remote desktop)
5.3 Practical example B
This example involves a penetration test of the RPC DCOM Buffer overflow
vulnerability in Windows using the Metasploit framework program.
In order to know whether the target machine is patched for a specific
vulnerability, there is a constructive tool that can be used, the Retina DCOM
Scanner. Consequently, this might lead to minimize the probability of failed
attempts that may result in being noticed by administrator or crashing the
system without returning a command shell to the attacker (governmentSecurity,
2003)
As shown in fig. B.1, the target machine is vulnerable.
Fig. B.1 (Source: Retina® -DCOM scanner)
Page | 14
Syntax: Search dcom
Fig. B.2 (Source: Metasploit console)
Thereafter, the target is checked for vulnerability. It can be seen in fig. 2.2 that the
exploited name related to DCOM has been shown.
Fig. B.3 (Source: Metasploit)
Page | 15
Fig. B.3 shows that the payload ‘’generic/shell_bind_tcp’’, remote host address
and remote host port have been determined, and then the exploit is ready for
execution.
Fig. B.4 (Source: Metasploit)
Fig. B.5 (Source: Wireshark program)
As seen in fig. B.4 and fig. B.5 show that the execution an exploit.
Page | 16
Fig.B.6 (Metasploit)
The syntax command set in fig. B.6 shows that the attacker has gained valuable
information about the penetrated system (target), such as systemprofile. This
means that the attacker has system privileges on the computer. The attacker can
execute an FTP client and download command line tools from the internet.
There are many tools should be downloaded at penetrated system. For instance,
auditpol that stop the audit of events and the elsave tool remove any event logs
created from the attack. Moreover, the attacker can add a new user to the system
in order to perform login later without having IDS recording an attack.
Page | 17
6. Countermeasures to mitigate security problems associated with
NetBIOS
In
order
to
mitigate
the
exploitations
of
attackers
there
are
many
countermeasures that can be taken:
Scan and enumeration countermeasures
1- Use a network firewall in order to restrict access to potentially vulnerable
services (SMB on TCP 139, 445, MSRP on tcp135) (McNab, 2008)
2- Use the Windows firewall or other individual firewall software on each
system.
Countermeasures for defence in depth:
1- Disabling NetBIOS Null Sessions on the Windows 2000 Server by
changing local security policy settings, as show in fig. C.1.
Fig. C.1: Local security settings
In addition, according to McClure el at. (2005) anonymity can be restricted
through registry editor and changing the RestrictAnonymous value to (2), as
shown in fig. C.1.
Page | 18
Fig. 15: (Registry editor)
2- Brute force password countermeasures:
With regards to attackers gaining valuable information about passwords, the
probability of access being gained to crack passwords has increased due to the
use of advanced tools that are widely available.
The following password
countermeasures should be taken:
-
Enforce the use of a strong password use policy.
-
Log account logon failures and regularly review event logs.
-
Set an account lockout threshold and ensure that it applies to the built-in
administrator account.
-
One of the most important steps to mitigate SMB password guessing
attacks is to set an account lockout threshold. Once a user reaches the
threshold of the number of failed logon attempts, their account is locked
out until an administrator defined timeout period elapses as shown in
fig.C.3. Scrambray and McClure, (2001).
Page | 19
Fig. C.3 (Source: Registry editor)
3-Disabling DCOM
In addition, according to (MicrosoftTech, 2010) it can be disable DCOM through
registry editor and changing the EnableDCOM value to (N), as shown in fig. C.4
Fig.C.4 (Source: Registry editor)
Page | 20
7. Conclusion:
Attackers/network administrators are relying more and more on comprehensive
penetration testing and vulnerability evaluations in order to attack/secure systems.
Gathering of information (enumeration) about the target machine by the attacker or
privileged person, such as whether the ports are open or not, the services which are
running, or any other important information, is considered one of the most important
factors for specifying which vulnerabilities may be exploited, as well as which
operating system may affect these vulnerabilities. It is most appropriate to use the
tools and techniques mentioned in this assignment in order to gather valuable
information about the target machine.
Discovering the vulnerabilities, how they can be exploited, and what level of severity
may affect the machine as a whole are considered the first steps in mitigating
problems and applying countermeasures to prevent them in the future. There are
many countermeasures that can be taken in order to mitigate the severity of
exploitation. The use of a firewall is a common countermeasure related to NetBIOS.
There are also other solutions which can increase the level of security.
It can be concluded that although security tools are used by attackers to detect
vulnerabilities which exist in operating systems so that they may exploit such gaps,
they can also help administrators or any privileged person to develop and manipulate
the weaknesses which exist in these systems. Also, using the concept of enumeration
(information gathering) in order to grass on into a target system is more realistic and
clever.
Page | 21
8. References
Clarke, G. (2009), Comptia Network+ Certification Study Guide. 4th edition, New
York: McGraw-Hill.
CVE, (2010) ‘Common Vulnerabilities and Exposures’,[onile]. Available form:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=NetBIOS [Accessed 3nd March
2010].
Frankland, J. (2009) 'Penetration testing as a business enabler: making the
case.(DATABASE
AND
VIEWPOINT)'
NETWORK
[online]
INTELLIGENCE:
available
COMPANY
from:
http://www.entrepreneur.com/tradejournals/article/202562263.html [Accessed
10th March 2010]
GovernmentSecurty.org (2003) ‘Retina Rpc Dcom Vulnerability Scanner From Eeye
‘[online].
Availabel
from:http://www.governmentsecurity.org/forum/index.php?showtopic=1021
[Accessed 6th March 2010]
Long, J., Hurely, C., Sensepost, and Wolfgang, M. (2007) Penetration Tester's Open
Source Toolkit .Second Edition, USA: Syngress.
Mencik, S. (2002) ‘What is NetBIOS?’ [online]
Available from:
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,s
id14_gci811288,00.html [Accessed 10th March 2010].
McClure, S., Scrambray, J., Kurtz, G. (2005) HACKING EXPOSED security secrets
and solutions, Fifth Edition, USA: McGraw-Hill/Osborne.
McNab, C. (2008) Network Security Assessment, 2nd Edition, USA,:O’REILLY
Page | 22
MicrosoftTech
Vulnerabilities
(2010)
‘Best
Practices
‘[online].Available
for
Mitigating
RPC
and
DCOM
from:http://technet.microsoft.com/en-
us/library/dd632946.aspx#EGAA [Accessed 16th March 2010]
MicrosoftTech (2010) ‘Microsoft Security Bulletin MS03-026‘,[online].Available
from: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
[Accessed 16th March 2010]
Mitchell,
B.
(2010)
’NETBIOS’
[online].
Available
from:
http://compnetworking.about.com/od/windowsnetworking/g/netbios.htm [Accessed 7th
March2010]
Olzack, T. (2007) ‘THE PROBLEM EITH NETBIOS’,[online] .Available from:
http://blogs.techrepublic.com.com/security/?p=196 [Accessed 16th March 2010]
SecurityFocus, (2008) 'Microsoft Windows DCOM RPC Interface Buffer Overrun
Vulnerability',[online].
Available
from:
http://www.securityfocus.com/bid/8205/info [Accessed 11th March 2010]
Scrambray, J., McClure, S. (2001) HACKING EXPOSED Windows 2000 security,
secrets and solutions,USA: McGraw-Hill/Osborne.
Tech Terms.com (2010) ‘NetBIOS (Network Basic Input/Output System)‘
http://www.techterms.com/definition/netbios [Accessed 3rd March 2010]
Page | 23
9.0 Appendix A
Name
Description
CVE-2009-3676 The kernel in Microsoft Windows Server 2008 R2 and Windows 7
allows remote SMB servers to cause a denial of service (infinite
loop and system hang) via a (1) SMBv1 or (2) SMBv2 response
packet that contains (a) an incorrect length value in a NetBIOS
header or (b) an additional length field at the end of this response
packet.
CVE-2009-0094 The WINS server in Microsoft Windows 2000 SP4 and Server 2003
SP1 and SP2 does not restrict registration of the (1) "wpad" and
(2) "isatap" NetBIOS names, which allows remote authenticated
users to hijack the Web Proxy Auto-Discovery (WPAD) and IntraSite Automatic Tunnel Addressing Protocol (ISATAP) features, and
conduct man-in-the-middle attacks by spoofing a proxy server or
ISATAP route, by registering one of these names in the WINS
database, aka "WPAD WINS Server Registration Vulnerability," a
related issue to CVE-2007-1692.
CVE-2005-1216 Microsoft ISA Server 2000 allows remote attackers to connect to
services utilizing the NetBIOS protocol via a NetBIOS connection
with an ISA Server that uses the NetBIOS (all) predefined packet
filter.
CVE-2004-0444 Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton
Internet Security and Professional 2002 through 2004, Norton
Personal Firewall 2002 through 2004, Norton AntiSpam 2004,
Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0
allow remote attackers to cause a denial of service or execute
arbitrary code via (1) a manipulated length byte in the first-level
decoding routine for NetBIOS Name Service (NBNS) that modifies
an index variable and leads to a stack-based buffer overflow, (2) a
heap-based corruption problem in an NBNS response that is
missing certain RR fields, and (3) a stack-based buffer overflow in
the DNS component via a Resource Record (RR) with a long
canonical name (CNAME) field composed of many smaller
components.
CVE-2003-1448 Memory leak in the Windows 2000 kernel allows remote attackers
to cause a denial of service (SMB request hang) via a NetBIOS
continuation packet.
Page | 24
CVE-2003-0661 The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0,
2000, XP, and Server 2003 may include random memory in a
response to a NBNS query, which could allow remote attackers to
obtain sensitive information.
CVE-2002-2138 RFC-NETBIOS in HP Advanced Server/9000 B.04.05 through
B.04.09, when running HP-UX 11.00 or 11.11, allows remote
attackers to cause a denial of sevrice (panic) via a malformed UDP
packet on port 139.
CVE-2002-1712 Microsoft Windows 2000 allows remote attackers to cause a denial
of service (memory consumption) by sending a flood of empty
TCP/IP packets with the ACK and FIN bits set to the NetBIOS port
(TCP/139), as demonstrated by stream3.
CVE-2002-1117 Veritas Backup Exec 8.5 and earlier requires that the
"RestrictAnonymous" registry key for Microsoft Exchange 2000
must be set to 0, which enables anonymous listing of the SAM
database and shares.
CVE-2002-1104 Cisco Virtual Private Network (VPN) Client software 2.x.x and 3.x
before 3.0.5 allows remote attackers to cause a denial of service
(crash) via TCP packets with source and destination ports of 137
(NETBIOS).
CVE-2002-0419 Information leaks in IIS 4 through 5.1 allow remote attackers to
obtain potentially sensitive information or more easily conduct
brute force attacks via responses from the server in which (1) the
server reveals whether it supports Basic or NTLM authentication
through 401 Access Denied error messages, (2) in certain
configurations, the server IP address is provided as the realm for
Basic authentication, which could reveal real IP addresses that
were obscured by NAT, or (3) when NTLM authentication is used,
the NetBIOS name of the server and its Windows NT domain are
revealed in response to an Authorization request.
CVE-2002-0190 Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote
attackers to execute arbitrary code under fewer security
restrictions via a malformed web page that requires NetBIOS
connectivity, aka "Zone Spoofing through Malformed Web Page"
vulnerability.
CVE-2001-1162 Directory traversal vulnerability in the %m macro in the smb.conf
configuration file in Samba before 2.2.0a allows remote attackers
to overwrite certain files via a .. in a NETBIOS name, which is used
as the name for a .log file.
CVE-2001-1110 EFTP 2.0.7.337 allows remote attackers to obtain NETBIOS
credentials by requesting information on a file that is in a network
share, which causes the server to send the credentials to the host
that owns the share, and allows the attacker to sniff the
connection.
CVE-2001-0264 Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote
attackers to obtain NETBIOS credentials by requesting information
on a file that is in a network share, which causes the server to
send the credentials to the host that owns the share, and allows
the attacker to sniff the connection.
Page | 25
CVE-2000-1079 Interactions between the CIFS Browser Protocol and NetBIOS as
implemented in Microsoft Windows 95, 98, NT, and 2000 allow
remote attackers to modify dynamic NetBIOS name cache entries
via a spoofed Browse Frame Request in a unicast or UDP broadcast
datagram.
CVE-2000-1003 NETBIOS client in Windows 95 and Windows 98 allows a remote
attacker to cause a denial of service by changing a file sharing
service to return an unknown driver type, which causes the client
to crash.
CVE-2000-0979 File and Print Sharing service in Windows 95, Windows 98, and
Windows Me does not properly check the password for a file share,
which allows remote attackers to bypass share access controls by
sending a 1-byte password that matches the first character of the
real password, aka the "Share Level Password" vulnerability.
CVE-2000-0673 The NetBIOS Name Server (NBNS) protocol does not perform
authentication, which allows remote attackers to cause a denial of
service by sending a spoofed Name Conflict or Name Release
datagram, aka the "NetBIOS Name Server Protocol Spoofing"
vulnerability.
CVE-2000-0347 Windows 95 and Windows 98 allow a remote attacker to cause a
denial of service via a NetBIOS session request packet with a NULL
source name.
CVE-1999-0810 Denial of service in Samba NETBIOS name service daemon
(nmbd).
CVE-1999-0621 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about a
configuration
that
does
not
directly
introduce
security
vulnerabilities, so it is more appropriate to cover under the
Common Configuration Enumeration (CCE). Notes: the former
description is: "A component service related to NETBIOS is
running."
CVE-1999-0520 A system-critical NETBIOS/SMB share has inappropriate access
control.
CVE-1999-0519 A NETBIOS/SMB share password is the default, null, or missing.
CVE-1999-0518 A NETBIOS/SMB share password is guessable.
CVE-1999-0499 NETBIOS share information may be published through SNMP
registry keys in NT.
CVE-1999-0407 By default, IIS 4.0 has a virtual directory /IISADMPWD which
contains files that can be used as proxies for brute force password
attacks, or to identify valid users on the system.
CVE-1999-0288 The WINS server in Microsoft Windows NT 4.0 before SP4 allows
remote attackers to cause a denial of service (process termination)
via invalid UDP frames to port 137 (NETBIOS Name Service), as
demonstrated via a flood of random packets.
Page | 26
10.0 Appendix 2
- Path to user profile:
- Password has expired: No
* IWAM_WIN2K-ASVR-1
- Password age: 2596 days
- Privilege level: User
- Home directory:
- Home directory mapped as:
- Comment: Built-in account for Internet Information Services to start out o
f process applications
- Account is: Enabled
- User can change password: No
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Launch IIS Process Account
- User comment: Built-in account for Internet Information Services to start
out of process applications
- Can log in from workstations: All
- Last logon to this DC / computer: Thu Oct 15 19:30:35 2009
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Frodo
Page | 27
- Password age: 2542 days
- Privilege level: Administrator
- Home directory:
- Home directory mapped as:
- Comment: A Simple Hobbit Adventurer
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Frodo Baggins
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: Thu Feb 05 13:44:01 2004
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Fredegar
- Password age: 2596 days
- Privilege level: User
- Home directory:
- Home directory mapped as:
- Comment: A Simple Hobbit Adventurer
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
Page | 28
- The account is: Normal user
- Logon script path:
- Full name: Fredegar Bolger
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: Tue Feb 07 15:31:25 2006
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Samwise
- Password age: 2596 days
- Privilege level: User
- Home directory:
- Home directory mapped as:
- Comment: A Simple Hobbit Adventurer
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Samwise Gamgee
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: Tue Feb 07 15:31:25 2006
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
Page | 29
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Meriadoc
- Password age: 2596 days
- Privilege level: User
- Home directory:
- Home directory mapped as:
- Comment: A Simple Hobbit Adventurer
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Meriadoc Brandybuck
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: Tue Feb 07 15:31:25 2006
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Peregrin
- Password age: 2596 days
- Privilege level: User
- Home directory:
- Home directory mapped as:
Page | 30
- Comment: A Simple Hobbit Adventurer
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Peregrin Took
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: Tue Feb 07 15:31:26 2006
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Gandalf
- Password age: 2275 days
- Privilege level: Administrator
- Home directory:
- Home directory mapped as:
- Comment: A Member of the Istari
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Gandalf the Grey
- User comment:
Page | 31
- Can log in from workstations: All
- Last logon to this DC / computer: None
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* Radagast
- Password age: 2596 days
- Privilege level: Administrator
- Home directory:
- Home directory mapped as:
- Comment: A Member of the Istari
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Radagast the Brown
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: None
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
Page | 32
* Saruman
- Password age: 2275 days
- Privilege level: Administrator
- Home directory:
- Home directory mapped as:
- Comment: A Member of the Istari
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
- Password never expires: Yes
- The account is: Normal user
- Logon script path:
- Full name: Saruman the White
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: None
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: No
* tom
- Password age: 0 days
- Privilege level: Administrator
- Home directory:
- Home directory mapped as:
- Comment:
- Account is: Enabled
- User can change password: Yes
- Account is locked out: No
Page | 33
- Password never expires: No
- The account is: Normal user
- Logon script path:
- Full name: Tom Bombidil
- User comment:
- Can log in from workstations: All
- Last logon to this DC / computer: None
- Last logon to this DC / computer: None
- Account expires: Never
- Max disk space: Unlimited
- Failed logins in a row to this DC / computer: 0
- Path to user profile:
- Password has expired: Yes
WORKSTATION TRUST ACCOUNTS:
INTERDOMAIN TRUST ACCOUNTS:
SERVER TRUST ACCOUNTS:
SHARES:
* My Documents
- Type: Disk drive
- Remark:
* IPC$
- Type: Unknown
- Remark: Remote IPC
* Inetpub
- Type: Disk drive
- Remark:
* NETLOGON
- Type: Disk drive
- Remark: Logon server share
*D
- Type: Disk drive
Page | 34
- Remark:
*s
- Type: Disk drive
- Remark:
* ADMIN$
- Type: Special share reserved for IPC or administrative share
- Remark: Remote Admin
* SYSVOL
- Type: Disk drive
- Remark: Logon server share
* C$
- Type: Special share reserved for IPC or administrative share
- Remark: Default share
C:\Users\akram almoslimani\Desktop>
Page | 35