WHOAMI – How to use WHOAMI command on Windows 7
The WHOAMI command enumerates SIDs, Groups and privileges. For a hacker, it can enumerate groups and privileges from the command line of the current user.
Step1 – run the command prompt with admin rights
Start > all programs > accessories > cmd (black tv icon)
Right click on CMD > run as admin
Step 2 – whoami
On it’s own the workgroup or domain will be displayed.
Step 3 – whoami /user
Notice the information is USER then SID.
A RID of 1001, tells us this is a user, not an Administrator.
A RID of 500 is the local Administrator.
A RID of 512 is Domain Admins
A RID of 518 is Schema Admins
A RID of 519 is Enterprise Domain Admins (*YAY*)
Step 4 – whoami /groups
Here groups are enumerated.
The SID is 32 – 544.
32 = BUILTIN and 544 = Administrators group.
So this is a powerful group membership.
Step 5 – whoami /priv
If we need to add privileges to the user account, we use ntrights.
ntrights -u smile +r SeSecurityPrivilege
This means that the user Smile can now control and delete security logs.
Step 6 – whoami /all
A one hit command to get all of the above information.
If the user doesn’t have the privileges you need to shutdown auditing, then assign them the privileges with ntrights. THEN shutdown auditing.
Step 7 – Eventlog codes
If you shutdown auditing it will appear as event code 517 in the event viewer. That would tell the SysAdmin, that you’ve shut down all his hard work 🙂
Event 517 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy.
The Primary User Name and Client User Name fields will identify the user who cleared the log. Primary User Name will correspond to the system, and Client user name will indicate the user who cleared the log.