Windows 2000 local logon process and how it is exploited

xiaoxiao 2021-03-06


When you log on locally to Windows 2000 Professional or Server, Windows 2000 verifies the logon using two mechanisms. It first tries Kerberos as the primary authentication method. If no Key Distribution Center (KDC) service can be found, Windows falls back to the Windows NT LAN Manager (NTLM) security mechanism and verifies the user against the local SAM.

The local logon verification process is as follows:

1. You enter the user name and password and press the Enter key. Graphical Identification and Authentication (GINA) collects this information.

2. GINA passes these credentials to the Local Security Authority (LSA) for verification.

3. The LSA passes the credentials to the Security Support Provider Interface (SSPI). SSPI is the interface layer that communicates with Kerberos and NTLM.

4. SSPI passes the user name and password to the Kerberos SSP. The Kerberos SSP checks whether the logon target is a machine name or a domain name. If it is a machine, Kerberos returns an error to SSPI; if no KDC can be found, the machine generates an internal error that is invisible to the user.

5. This internal error prompts SSPI to notify GINA. GINA passes the credentials to the LSA again, and the LSA again passes them to SSPI.

6. This time SSPI passes the user name and password to the NTLM driver, the MSV1_0 SSP. The NTLM driver uses the Netlogon service and the local SAM to verify the user.

7. If neither NTLM nor Kerberos can verify your account, you receive an error message asking you to enter the correct user name and password.

The GINA (Graphical Identification and Authentication) vulnerability was originally a vulnerability in the identity authentication component that Microsoft provided for IBM machines under NT.

A GINA client user can obtain local administrator privileges with a small change to the registry of the NT workstation: the value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBMNetNT\GroupMapping is set to "DOM_USERS"="administrators". Once this GroupMapping value is set to the Administrators group, members of the Domain Users group have administrator permissions: after a restart, logging on with any account belonging to the Domain Users group gives the rights of the Administrators group. This vulnerability is very serious, as it completely bypasses the NT domain user security mechanism. The GINA in question is the GINA client software provided by Microsoft.

In NT 4.0 ... there is another vulnerability: Microsoft Windows NT 4.0 Terminal Server has a remote and local buffer overflow vulnerability located in the dynamic link library (RegAPI.dll) used by Msgina.

The vulnerability is triggered by typing an overlong string into the user name field. When it triggers, the system crashes or, if triggered remotely, the connection is lost.

With a specially forged user name, an attacker is able to gain access to the terminal server and run arbitrary commands as the SYSTEM user.

Attackers are not limited to this. The GINA that Microsoft ships with Windows NT/2000 is Msgina.dll, which implements the default Windows NT/2000 logon interface. To support additional interactive logon methods, Microsoft made this GINA DLL replaceable: you can develop your own GINA DLL to implement other authentication methods such as smart cards or fingerprints, and Microsoft provides the relevant documentation and samples. Password logging can therefore be done by writing a DLL with the same GINA interface as the system's, replacing MSGina.dll with it, and recording the password as it passes through. Stealing the password through the NT system GINA (Graphical Identification and Authentication) works the same way: to obtain the system logon password, write a DLL with the same interface as the GINA and have every function call the corresponding function in Msgina.dll, which means the original msgina.dll must remain present. Such a Trojan already appeared in August 2000. It consists of a single DLL and is a GINA-stub type Trojan, so it needs the original Msgina.dll for the system to start. Details of the Trojan are at http://www.ntsecurity.nu/toolbox/fakegina/.

More widely used domestically is the NT/2000/XP password thief, the first of its kind.

Recently, LionD8 of Net Ann (Chongqing), making use of the fact that the GINA is loaded into the WinLogon process (WinLogon is the system's interactive user logon process), implemented a simple GinaBackDoor that runs with system privileges, and published the source code and an installation test program. ... For the GinaBackDoor implementation, see http://218.21.45.22/yh/gsyifan/liond8/artc/ginabackdoor.htm
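Both tampering paths described above (a replaced GINA DLL under Winlogon, and the IBMNetNT GroupMapping value mapping domain users to Administrators) leave traces in the registry that an administrator can audit offline. The following is an added example, not code from the original post or from any of the tools it mentions: it parses a `reg export` text and flags those two indicators. The Winlogon GinaDLL value is real, but the sample export is constructed, and the file name fakegina.dll in it is just a placeholder.

```python
import ntpath
import re

# Constructed sample of a `reg export` of the two keys discussed above (not a real capture).
SAMPLE_TAMPERED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\WINNT\\system32\\fakegina.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBMNetNT\GroupMapping]
"DOM_USERS"="administrators"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
GROUP_MAPPING = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBMNetNT\GroupMapping"

def parse_reg(text):
    """Parse the REG_SZ values of a .reg export into {key_path: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            # .reg files escape backslashes and quotes inside string data.
            data = value.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][value.group(1)] = data
    return keys

def audit_gina(keys):
    """Return findings for a replaced GINA DLL or a GroupMapping entry pointing at Administrators."""
    findings = []
    gina = keys.get(WINLOGON, {}).get("GinaDLL")
    # Winlogon loads msgina.dll when GinaDLL is absent; any other module is a replacement GINA.
    # Legitimate smart-card GINAs exist, so review each hit; a trojan overwriting msgina.dll
    # in place is not caught here, so verify that file's signature or hash separately.
    if gina is not None and ntpath.basename(gina).lower() != "msgina.dll":
        findings.append(f"non-default GinaDLL: {gina}")
    for group, target in keys.get(GROUP_MAPPING, {}).items():
        if target.strip().lower() == "administrators":
            findings.append(f"IBMNetNT GroupMapping maps {group} to {target}")
    return findings

if __name__ == "__main__":
    print(audit_gina(parse_reg(SAMPLE_TAMPERED)))
```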

When reposting, please cite the original URL: https://www.9cbs.com/read-120497.html
