Windows Local Group Names

["John Scherff" <JScherff@24hourfit.com>]

I'm writing a plugin to verify compliance with company standards regarding local users and groups (renaming admin, decoy accounts, group memberships, disabled accounts, etc.)  I had no problem getting NASL to do what I wanted, with ONE exception:

 

I need to be able to use the local host SID and local group RIDs to retrieve the actual NAMEs of local groups.

 

I can establish a session to the $IPC share, I can get the local group RIDs using NetUserGetLocalGroups(), I can an LSA handle with LsaOpenPolicy(), I can get the hex sid of the host from another plugin, and I can convert the hex sid to a raw sid with hex2raw2(). 

 

I know I need to massage the sid a little more and pass it to LsaLookupSid(), and I know I need to convert its return value with parse_lsalookupsid().  I've seen it done a couple ways in other plugins.

 

But I can't seem to make it work.

 

I'm not that smart on how local objects are represented internally in Windows ...  one problem may be that I'm trying to retrieve the local GROUP name from the RID in exactly the same way I'd retrieve the local USER name using the RID.  Is that a bad premise?

 

John Scherff

24 Hour Fitness

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus