Reading SAM + SAM Explained in Detail

xiaoxiao 2021-03-06

What is SAM?

Everyone has probably heard plenty of legends about SAM. So today, let's go "paranoid mad" and get inside SAM!

Section I: A First Look at SAM

Microsoft built two different system skeletons: one is Win32, to which the Win9x/ME systems we use are attached; the other is NT (New Technology), the skeleton of WinNT/2000/XP/2003. Unfortunately, Microsoft is a bit "biased": the Win32 skeleton is obviously too small, so it grew into a skinny child, while NT is a typical American strongman. Worse still, the gatekeeper Microsoft gave Win32, the PWL file, is a vase that can neither guard the house nor keep a secret; NT's gatekeeper, SAM, is far harder to pry open. In short, password security on the NT-kernel Windows operating systems is much better than on the Win32-kernel Windows operating systems. In this article, we will meet the guardian of the NT-kernel Windows operating system: SAM.

SAM listens only to the Local Security Authority (LSASS.EXE), and when someone comes to the door it is LSASS that does the checking. If you killed lsass, you would be thrown out of the system. Of course, an ordinary user who tries to end the "lsass.exe" process with the Windows Task Manager or an ordinary process-management tool will only get the message "This is a critical system process. Task Manager cannot end this process." The Local Security Authority is mainly responsible for the following tasks in Windows:

1. Retrieving the SIDs of local groups and the user's privileges;
2. Creating the user's access token;
3. Managing the service accounts used by locally installed services;
4. Storing and mapping user rights;
5. Managing auditing policy and settings;
6. Managing trust relationships.

Owing to some design errors, in WinNT/2000, if you had forgotten your password, all you needed to do was delete the SAM file from the hard drive in a non-NT environment. In Windows XP and later this has been improved: if you delete SAM, NT will refuse to start. Of course, this does not mean that the password of a post-XP Windows cannot be broken; you must know that the classic LC4 and NTPassword target SAM specifically.

Windows NT and Windows 2000 manage user accounts with the Security Account Manager (SAM). The security account manager is based on security identifiers (SIDs): a SID is created at the same time as the account, and once the account is deleted, its SID is deleted too. A SID is unique: even for the same user name, the SID obtained each time the account is created is completely different. Therefore, once an account is deleted, its SID no longer exists; even if the account is re-created with the same user name, it will be given a different SID, and the original permissions will not be retained.

Section II: How is account information stored in the SAM file?

Two different kinds of password information are saved in the SAM file: the LanManager (LM) password hash and the stronger NT version. LM is the weak point of the NT password file. Let's look at how the LM algorithm processes a password. Consider the password BA01CK28TR. A password like this is usually called safe: although it has no special characters such as ! or #, it contains uppercase letters, lowercase letters and digits and has no regularity, so it can be considered to meet the security requirements. LM processes the password as follows: if the password is shorter than 14 characters, it is padded with zeros to 14 characters, and all letters are converted to uppercase. The processed password is then split into two groups of 7 characters each; our password becomes BA01CK2 and 8TR0000. Each 7-character group is expanded into an 8-byte DES key, and each key is used to DES-encrypt a fixed "magic" constant (0x4B47532140232425, the ASCII string "KGS!@#$%"). The two encrypted results are concatenated, and that is the final password hash. The string looks like a single whole, but a cracking program such as L0phtCrack can attack the two halves of the hash separately. So for the 10-character password above, since it is decomposed into two parts and one of them contains only 3 characters, that part is not hard to crack at all; the real difficulty lies in the first seven characters. Therefore, as far as NT is concerned, a 10-character password is not much stronger than a 7-character one. It also follows that a password like 1234567*$# may be no safer than SHIC6.
(How to choose a secure password is outside the scope of this article; interested readers can consult related articles.) For the official password (the NT version), the password is first converted to Unicode encoding and then hashed with the MD4 algorithm. The LM password is kept only for historical reasons, and in a pure NT environment LAN Manager passwords should be turned off, because the LAN Manager password uses a weaker DES key and algorithm and is easier to crack. By comparison, the official NT password, which uses a strong hashing algorithm, is considered safe. However, the encryption methods of these two passwords are both public, so in Service Pack 3 for Windows NT 4, Microsoft provided a small tool, syskey.exe, to further strengthen NT passwords. An administrator can add this enhancement simply by running the program and answering a few setup questions (Windows 2000 enables it by default). Syskey is designed to prevent SAM passwords from being obtained easily. How does it work? When Syskey is activated, the password information is encrypted once more before it is stored in the registry. However, after the machine has started, the information in the old format is still kept in memory, because password information in this old format is required for network authentication. Syskey can thus be understood as a way of scrambling the password information with a key, and where that key is kept is chosen by the user when Syskey is activated: it can be saved on a floppy disk, generated at startup from a password entered by the user, or stored directly in the registry. Since Microsoft offers no official technique for turning Syskey off, once enabled it cannot be disabled unless a registry backup taken before enabling Syskey is restored. (For what happens to the system after Syskey is activated and how to turn Syskey off,
see: http://blog.9cbs.net/suspension/archive/2004/11/08/172185.aspx)
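To make the two hash schemes described above concrete, here is an added example in Python; it is not code from the original post. It computes the NT hash (MD4 over the password in UTF-16LE, with a small pure-Python MD4 because hashlib's md4 is missing from many current OpenSSL builds) and performs the LM pre-processing steps (uppercase, zero-pad to 14, split into two 7-byte halves, expand each half into an 8-byte DES key with parity bits). The DES encryption of the "KGS!@#$%" constant itself is left out so the example needs no third-party library; the function names, the `lm_weakness_report` helper and the use of cp437 as a stand-in for the OEM code page are my assumptions.

```python
import struct

# Added example (not from the original post). Pure-Python MD4 per RFC 1320,
# included because hashlib's "md4" is unavailable on many current OpenSSL builds.
_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, then 64-bit bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        v = h[:]
        for i in range(16):                                   # round 1
            t = -i % 4
            v[t] = _rotl((v[t] + F(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                          + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):                                   # round 2
            t = -i % 4
            v[t] = _rotl((v[t] + G(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                          + X[(i % 4) * 4 + i // 4] + 0x5A827999) & _MASK,
                         (3, 5, 9, 13)[i % 4])
        for i in range(16):                                   # round 3
            t = -i % 4
            v[t] = _rotl((v[t] + H(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                          + X[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        h = [(a + b) & _MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the password in UTF-16LE (the 'Unicode' step in the text)."""
    return md4(password.encode("utf-16-le"))


LM_MAGIC = b"KGS!@#$%"   # 0x4B47532140232425, the constant each DES key would encrypt


def lm_halves(password: str):
    """LM pre-processing: uppercase, OEM-encode, zero-pad to 14 bytes, split 7/7.
    Returns None for passwords over 14 characters (Windows stores no LM hash then)."""
    if len(password) > 14:
        return None
    # cp437 stands in for the OEM code page here (assumption; ASCII input is unaffected)
    p = password.upper().encode("cp437", "replace").ljust(14, b"\x00")
    return p[:7], p[7:14]


def lm_des_key(half: bytes) -> bytes:
    """Spread 7 bytes (56 bits) over 8 bytes: 7 key bits per byte plus an odd parity bit."""
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:       # set the low bit so each byte has odd parity
            b |= 1
        key.append(b)
    return bytes(key)


def lm_weakness_report(password: str) -> dict:
    """Show why LM is weak: each half is attacked on its own, and a password of
    7 characters or fewer leaves the second half as the all-zero key (whose DES
    output is the well-known constant AAD3B435B51404EE)."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_stored": False}
    first, second = halves
    return {
        "lm_stored": True,
        "halves": (first, second),
        "des_keys": (lm_des_key(first), lm_des_key(second)),
        "second_half_empty": second == b"\x00" * 7,
        "chars_in_second_half": len(second.rstrip(b"\x00")),
    }


if __name__ == "__main__":
    for pw in ("BA01CK28TR", "shic6", "password"):
        print(pw, "NT:", nt_hash(pw).hex(), "LM:", lm_weakness_report(pw))
```

Running it for BA01CK28TR shows the second half holding just three characters, which is the point the text makes: the attacker's work is bounded by the first seven characters, not by the full length.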

Section III: Fixing an "accidentally deleted SAM file"

The problem: I forgot my XP login password, and it cannot be solved by deleting the SAM file; those "online methods" have harmed many people. If you run into this problem, you can do the following. Copy the SAM file from the %WINDIR%\Repair folder into the %WINDIR%\System32\Config folder. The following command does this from the Recovery Console (example):

COPY C:\Windows\Repair\SAM C:\Windows\System32\Config\SAM

If you have a dual-boot system, you can perform this copy from the other system, or attach the hard drive as a secondary disk to another 2K or XP system and do it there. Note: the SAM file under Repair is generated when XP is installed, so after this operation you will lose the users and user groups you created after installing the system. After logging in successfully, if System Restore is enabled, you can restore to the latest restore point. Of course, if you have made an ASR backup of your system, you can restore the SAM file directly from the ASR backup. (ASR: Automated System Recovery; note that Home Edition does not support ASR.)

Section IV: Conclusions about SAM database analysis

SAM hacking is very dangerous. An incorrect modification will corrupt the system's security account manager and cause startup problems, although the system can be brought back to a bootable state by deleting the SAM file. Once you are familiar with SAM's structure, you will find that you can swap one user name for another and one user group for another, and forge accounts and account groups, completely breaking Microsoft's account model, and do it very covertly, so that the account-related API functions are none the wiser. Although Microsoft built a great deal of logic into its handling of account information, the security account database is not safe, and all of these operations require full administrator privileges.

Please credit the original source when reposting: https://www.9cbs.com/read-94724.html
