帐号解剖安全帐号管理器(sam)结构(Anatomical safety Account Manager (SAM) structure)

帐号安全  时间:2021-03-14  阅读:()

解剖安全帐号管理器(sam)结构Anatomical safety Account

Manager (SAM) structure

Article source: www.opengram.com

Article submission: refdom

HomePage: www.opengram.com

I, abstract

I I, about SAM

III, the SAM database structure in the registry

The structure and main content of IV and SAM databaseV, conclusions about SAM database analysis

I. s umm ary

The analysis of the security account manager structure was donemore than a month ago and only fragmentary records were notposted. The main issue is not released

The reason is that the security account manager (SAM) is thecore of WIN system account management, and it' s very systematic,and I also have a lot of room for just pushing

Break and guess, while SAM hack may cause the lsass.exe to loadaccount manager error when started, even security mode can not

be repaired (start up)

It must load SAM) to cause the whole system to start crashing(I usually need to rely on the second system to delete the SAMfile to start it) . As for now released

That is mainly because the Adam and the "Administrator" Dingclone described rootkit way of concealment and harmfulness, thestructure of SAM

Familiarity can help security personnel to do security testing(and, of course, to make use of undesirable candidates) .The contents of SAM are only introduced here, and the Securityrelated ones are not public for the time being.

Two, about SAM

Don' t get it wrong, SAM, it' s not a file, Sam is so simple. SAM(Security Accounts Manager security account manager) isresponsible for

Control and maintenance of SAM database. The SAM database islocated under the registry HKLM\SAM\SAM, protected by ACL, andcan be opened using regedt32.exe

Book table editor and set the appropriate permissions to viewthe contents of SAM. The SAM database is stored on the disk inthe%systemroot%system32\conf ig\ directory

Recorded in the SAM file, in this directory also includes a

security file, the contents of the security database, there aremany relations between the two.

The SAM database contains information about all groups,accounts, including passwords, HASH, accounts, SID, and so on.These are described in detail later. Points to me

Case analysis of Chinese Win2K Adv Server.

Three 、 the structure of the SAM database in the registryExpand registry HKLM\SAM\SAM\:

H KLM---SAM

|---SAM

|---Domains

| |---Account

| | |---Aliases

| | | |---Members

| | | |---Nam e s

| | |---Group s

| | | |---00000201

| | | |---Nam e s

| | | |---None

| | |---Users

| | |---000001F4

| | |---000001F5

| | |---000003E8

| | |---000003E9

| | |---Names

| | |---Adaministrator| | |---Gu e s t

| | |---IU SR_REFDOM| | |---IWASM_REFDOM| |---Builtin

| |---Aliases

| | |---00000220

| | |---00000221

| | |---00000222

| | |---00000223

| | |---Me mbe r s

| | | |---S-1-5-21-1214440339-706699826-1708537768| | | |---000001 F4

| | | |---000001F5

| | | |---000003E8

| | | |---000003E9

| | |--- Name s

| | |---Administrators

| | |---Users

| | |---Gu e s t s

| | |---Power Users

| |---Groups

| | |---Names

| |

| |---Users

| |---Name s

|

|---RXA CT

This is the SAM tree in the registry on my machine.

Comparing the contents of the SAM file, you can see that theSAM tree in the registry is in fact the same as in the SAM file.However, the SAM file is listed first

RXACT then, in the Domains content (and so on) , the order ofexpression in the file is in reverse order with the tree orderin the registry. If used to seeing

File contents, from file 0000H to 0006Ch,

Indicates the location of the SAM database:

\systemroot\system32\conf ig\sam, but

The end is blank, until 01000h (hbin) , from here on, is thecontent of the entire database. The contents of the SAM databasefile are not included,

But it will be interspersed with the introduction, interestedin their own to study.

Four, SAM database structure and main content:

In the entire database, the main contents of the account existin the following locations:

Under \Domains\ is the SAM content in the domain (or local) ,with two branches, Account, and Builtin".

\Domains\Account is the user account content.

\Domains\Account\Users is the information of each account. Thesub key is the SID relative symbol of each account. Such as000001F4,

Each account has two sub items, F and V. Where \Names\ is theuser account name, each account name has only one default subkey,and the type in the item is not

Is the generic registry data type, but refers to the last item(relative identifier) of the SID that signs the account, suchas the Administrator under it,

The type is 0x1F4, so the 000001F4 from the front correspondsto the content of the account name administrator. This showsthe logic of MS account search.

Inference 1: from the registry structure to see the account,if you query an account name refdom related information, then,Microsoft from the account name refdom

Find its type, 0x3EB, and then find the relative sign (or SID)for the account content of 000003EB. All API functions (suchas NetUserEnum ())

That' s how it works. Therefore, if you change the type 0x3EBin the refdom account to 0x1F4, the account will be directedto the account of class 000001F4

Households. And this account 000001F4 is the administratoraccount, so that the system in the login process, the refdomaccount completely converted to administrator

Account, account refdom all content used, information isadminisrtator content, including passwords, permissions,desktop, records, access time and so on

Etc. . This inference should be true, but it will mean that twouser names correspond to one user' s information and that thereshould be an error in system startup!

The inference is that, in the previous analysis of the structure,the relationship between the account name and the SIDassociation was revealed during and after the login process.\Domains\Account\Users\000001F4, this is the accountinformation for administrator (other similar) . There are twosub items, V and F.

In the project V, the basic information of the account is kept,the user name, the user' s full name (full name) , the group, thedescription, the password, the hash, the annotation, and

whether it can be more

Change password, account enable, password setup time, etc. . Inthe project F, some login records are saved, such as the lastlogin time, the wrong login number, and so on

One important place is the SID relative symbol for this account.Before the analysis of the structure, did not pay attention tothis place, this is the idea put forward by Adam. This is wherethe SID relative sign is registered

An account in the table for two times, one is in the key of000001F4, another is the key content of F sub items, from fourbytes 48 to 51:

F4 010000, which is actually a long type variable, that is,000001 F4. When a flag appears in two places, it will happenSynchronization problem. Obviously, Microsoft has made themistake. The two variable should have been unified to mark auser account, but Microsoft played two variables separatelyBut there is no synchronization.

The 000001F4 in the subkey is used to correspond to the username administrator, which facilitates querying the accountinformation through the user, such as LookupAccountSid () andso on

The account related API function is used to locate user

Friendhosting四五折促销,VPS半年付7.5欧元起

Friendhosting发布了针对“系统管理日”(每年7月的最后一个星期五)的优惠活动,针对VPS主机提供55%的优惠(相当于四五折),支持1-6个月付款使用,首付折扣非永久,优惠后最低套餐首半年7.18欧元起。这是一家保加利亚主机商,成立于2009年4月,商家提供VDS和独立服务器租用等,数据中心目前可选美国洛杉矶、保加利亚、乌克兰、荷兰、拉脱维亚、捷克和波兰等8个地区机房。下面以最低套餐为例...

Hostodo(年付12美元)斯波坎VPS六六折,美国西海岸机房

Hostodo是一家成立于2014年的国外VPS主机商,现在主要提供基于KVM架构的VPS主机,美国三个地区机房:拉斯维加斯、迈阿密和斯波坎,采用NVMe或者SSD磁盘,支持支付宝、PayPal、加密货币等付款方式。商家最近对于上架不久的斯波坎机房SSD硬盘VPS主机提供66折优惠码,适用于1GB或者以上内存套餐年付,最低每年12美元起。下面列出几款套餐配置信息。CPU:1core内存:256MB...

Hostodo(年付$34.99), 8TB月流量 3个机房可选

Hostodo 算是比较小众的海外主机商,这次九月份开学季有提供促销活动。不过如果我们有熟悉的朋友应该知道,这个服务商家也是比较时间久的,而且商家推进活动比较稳,每个月都有部分活动。目前有提供机房可选斯波坎、拉斯维加斯和迈阿密。从机房的地理位置和实际的速度,中文业务速度应该不是优化直连的,但是有需要海外业务的话一般有人选择。以前一直也持有他们家的年付12美元的机器,后来用不到就取消未续约。第一、开...

帐号安全为你推荐
云爆发养兵千日用兵千日这个说法对不对百度商城百度积分有什么用?阿丽克丝·布莱肯瑞吉唐吉诃德·多弗朗明哥知道什么秘密比肩工场比肩接踵的意思陈嘉垣大家觉得陈嘉桓漂亮还是钟嘉欣漂亮?xyq.163.cbg.com『梦幻西游』那藏宝阁怎么登录?rawtoolsU盘显示是RAW格式怎么办seo优化工具想找一个效果好的SEO优化软件使用,在网上找了几款不知道哪款好,想请大家帮忙出主意,用浙江哪款软件效果好同一服务器网站服务器建设:一个服务器有多个网站该如何设置?haole16.com高手们帮我看看我的新网站WWW.16mngt.com怎么不被收录啊?
mysql虚拟主机 Oray域名注册服务商 河南vps 申请免费域名 免费动态域名 东莞电信局 便宜域名 国外php主机 流媒体服务器 bash漏洞 日志分析软件 ibox官网 泉州移动 in域名 下载速度测试 畅行云 阿里dns 阿里云邮箱申请 免备案cdn加速 512内存 更多