nerdexam
EC-Council

312-50V9 · Question #547

What did the following commands determine? C: user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH

The correct answer is D. That the true administrator is Joe. The sid2user command resolved the SID ending in RID 500 to the name Joe, revealing that Joe is the built-in Administrator account regardless of any display name change.

Enumeration

Question

What did the following commands determine? C: user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH

Options

  • AThat the Joe account has a SID of 500
  • BThese commands demonstrate that the guest account has NOT been disabled
  • CThese commands demonstrate that the guest account has been disabled
  • DThat the true administrator is Joe
  • EIssued alone, these commands prove nothing

How the community answered

(65 responses)
  • A
    2% (1)
  • B
    5% (3)
  • C
    9% (6)
  • D
    83% (54)
  • E
    2% (1)

Why each option

The sid2user command resolved the SID ending in RID 500 to the name Joe, revealing that Joe is the built-in Administrator account regardless of any display name change.

AThat the Joe account has a SID of 500

The SID ending in 501 - returned by user2sid for the guest account - belongs to Guest, not Joe; Joe's SID ends in 500 which is the Administrator RID.

BThese commands demonstrate that the guest account has NOT been disabled

Neither command queries or returns account status such as enabled or disabled; they only perform username-to-SID and SID-to-username translations.

CThese commands demonstrate that the guest account has been disabled

These commands have no mechanism to check whether an account is enabled or disabled, so no conclusion about the guest account's status can be drawn.

DThat the true administrator is JoeCorrect

In Windows, every built-in Administrator account is assigned a fixed Relative Identifier (RID) of 500 appended to the domain SID. The sid2user command was passed the domain SID components plus RID 500 and returned the name Joe, conclusively proving that Joe is the true built-in Administrator. This technique is commonly used in penetration testing to unmask renamed administrator accounts by querying the well-known RID directly.

EIssued alone, these commands prove nothing

Used together, the commands do prove a specific and meaningful fact - that the account holding the built-in Administrator RID 500 is named Joe.

Concept tested: Windows built-in Administrator RID 500 identification via SID tools

Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

Topics

#SID enumeration#SID 500#Windows administrator#user2sid

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice