帐号解剖安全帐号管理器(sam)结构(Anatomical safety Account Manager (SAM) structure)

帐号安全  时间:2021-03-14  阅读:()

解剖安全帐号管理器(sam)结构Anatomical safety Account

Manager (SAM) structure

Article source: www.opengram.com

Article submission: refdom

HomePage: www.opengram.com

I, abstract

I I, about SAM

III, the SAM database structure in the registry

The structure and main content of IV and SAM databaseV, conclusions about SAM database analysis

I. s umm ary

The analysis of the security account manager structure was donemore than a month ago and only fragmentary records were notposted. The main issue is not released

The reason is that the security account manager (SAM) is thecore of WIN system account management, and it' s very systematic,and I also have a lot of room for just pushing

Break and guess, while SAM hack may cause the lsass.exe to loadaccount manager error when started, even security mode can not

be repaired (start up)

It must load SAM) to cause the whole system to start crashing(I usually need to rely on the second system to delete the SAMfile to start it) . As for now released

That is mainly because the Adam and the "Administrator" Dingclone described rootkit way of concealment and harmfulness, thestructure of SAM

Familiarity can help security personnel to do security testing(and, of course, to make use of undesirable candidates) .The contents of SAM are only introduced here, and the Securityrelated ones are not public for the time being.

Two, about SAM

Don' t get it wrong, SAM, it' s not a file, Sam is so simple. SAM(Security Accounts Manager security account manager) isresponsible for

Control and maintenance of SAM database. The SAM database islocated under the registry HKLM\SAM\SAM, protected by ACL, andcan be opened using regedt32.exe

Book table editor and set the appropriate permissions to viewthe contents of SAM. The SAM database is stored on the disk inthe%systemroot%system32\conf ig\ directory

Recorded in the SAM file, in this directory also includes a

security file, the contents of the security database, there aremany relations between the two.

The SAM database contains information about all groups,accounts, including passwords, HASH, accounts, SID, and so on.These are described in detail later. Points to me

Case analysis of Chinese Win2K Adv Server.

Three 、 the structure of the SAM database in the registryExpand registry HKLM\SAM\SAM\:

H KLM---SAM

|---SAM

|---Domains

| |---Account

| | |---Aliases

| | | |---Members

| | | |---Nam e s

| | |---Group s

| | | |---00000201

| | | |---Nam e s

| | | |---None

| | |---Users

| | |---000001F4

| | |---000001F5

| | |---000003E8

| | |---000003E9

| | |---Names

| | |---Adaministrator| | |---Gu e s t

| | |---IU SR_REFDOM| | |---IWASM_REFDOM| |---Builtin

| |---Aliases

| | |---00000220

| | |---00000221

| | |---00000222

| | |---00000223

| | |---Me mbe r s

| | | |---S-1-5-21-1214440339-706699826-1708537768| | | |---000001 F4

| | | |---000001F5

| | | |---000003E8

| | | |---000003E9

| | |--- Name s

| | |---Administrators

| | |---Users

| | |---Gu e s t s

| | |---Power Users

| |---Groups

| | |---Names

| |

| |---Users

| |---Name s

|

|---RXA CT

This is the SAM tree in the registry on my machine.

Comparing the contents of the SAM file, you can see that theSAM tree in the registry is in fact the same as in the SAM file.However, the SAM file is listed first

RXACT then, in the Domains content (and so on) , the order ofexpression in the file is in reverse order with the tree orderin the registry. If used to seeing

File contents, from file 0000H to 0006Ch,

Indicates the location of the SAM database:

\systemroot\system32\conf ig\sam, but

The end is blank, until 01000h (hbin) , from here on, is thecontent of the entire database. The contents of the SAM databasefile are not included,

But it will be interspersed with the introduction, interestedin their own to study.

Four, SAM database structure and main content:

In the entire database, the main contents of the account existin the following locations:

Under \Domains\ is the SAM content in the domain (or local) ,with two branches, Account, and Builtin".

\Domains\Account is the user account content.

\Domains\Account\Users is the information of each account. Thesub key is the SID relative symbol of each account. Such as000001F4,

Each account has two sub items, F and V. Where \Names\ is theuser account name, each account name has only one default subkey,and the type in the item is not

Is the generic registry data type, but refers to the last item(relative identifier) of the SID that signs the account, suchas the Administrator under it,

The type is 0x1F4, so the 000001F4 from the front correspondsto the content of the account name administrator. This showsthe logic of MS account search.

Inference 1: from the registry structure to see the account,if you query an account name refdom related information, then,Microsoft from the account name refdom

Find its type, 0x3EB, and then find the relative sign (or SID)for the account content of 000003EB. All API functions (suchas NetUserEnum ())

That' s how it works. Therefore, if you change the type 0x3EBin the refdom account to 0x1F4, the account will be directedto the account of class 000001F4

Households. And this account 000001F4 is the administratoraccount, so that the system in the login process, the refdomaccount completely converted to administrator

Account, account refdom all content used, information isadminisrtator content, including passwords, permissions,desktop, records, access time and so on

Etc. . This inference should be true, but it will mean that twouser names correspond to one user' s information and that thereshould be an error in system startup!

The inference is that, in the previous analysis of the structure,the relationship between the account name and the SIDassociation was revealed during and after the login process.\Domains\Account\Users\000001F4, this is the accountinformation for administrator (other similar) . There are twosub items, V and F.

In the project V, the basic information of the account is kept,the user name, the user' s full name (full name) , the group, thedescription, the password, the hash, the annotation, and

whether it can be more

Change password, account enable, password setup time, etc. . Inthe project F, some login records are saved, such as the lastlogin time, the wrong login number, and so on

One important place is the SID relative symbol for this account.Before the analysis of the structure, did not pay attention tothis place, this is the idea put forward by Adam. This is wherethe SID relative sign is registered

An account in the table for two times, one is in the key of000001F4, another is the key content of F sub items, from fourbytes 48 to 51:

F4 010000, which is actually a long type variable, that is,000001 F4. When a flag appears in two places, it will happenSynchronization problem. Obviously, Microsoft has made themistake. The two variable should have been unified to mark auser account, but Microsoft played two variables separatelyBut there is no synchronization.

The 000001F4 in the subkey is used to correspond to the username administrator, which facilitates querying the accountinformation through the user, such as LookupAccountSid () andso on

The account related API function is used to locate user

这几个Vultr VPS主机商家的优点造就商家的用户驱动力

目前云服务器市场竞争是相当的大的,比如我们在年中活动中看到各大服务商都找准这个噱头的活动发布各种活动,有的甚至就是平时的活动价格,只是换一个说法而已。可见这个行业确实竞争很大,当然我们也可以看到很多主机商几个月就消失,也有看到很多个人商家捣鼓几个品牌然后忽悠一圈跑路的。当然,个人建议在选择服务商的时候尽量选择老牌商家,这样性能更为稳定一些。近期可能会准备重新整理Vultr商家的一些信息和教程。以前...

炭云188元/年,上海CN2 VPS/2核/384MB内存/8GB空间/800GB流量/77Mbps端口/共享IP

炭云怎么样?炭云(之前的碳云),国人商家,正规公司(哈尔滨桓林信息技术有限公司),主机之家测评介绍过多次。现在上海CN2共享IP的VPS有一款特价,上海cn2 vps,2核/384MB内存/8GB空间/800GB流量/77Mbps端口/共享IP/Hyper-v,188元/年,特别适合电信网络。有需要的可以关注一下。点击进入:炭云官方网站地址炭云vps套餐:套餐cpu内存硬盘流量/带宽ip价格购买上...

ZJI全新上架香港站群服务器,4C段238个IP月付1400元起

ZJI本月新上线了香港葵湾机房站群服务器,提供4个C段238个IPv4,支持使用8折优惠码,优惠后最低每月1400元起。ZJI是原Wordpress圈知名主机商家:维翔主机,成立于2011年,2018年9月更名为ZJI,提供中国香港、台湾、日本、美国独立服务器(自营/数据中心直营)租用及VDS、虚拟主机空间、域名注册等业务,所选数据中心均为国内普遍访问速度不错的机房。葵湾二型(4C站群)CPU:I...

帐号安全为你推荐
急救知识纳入考试急救证容易拿到么?sherylsandberg谷歌怎么看自己的详细资料www.kkk.com谁有免费的电影网站,越多越好?月神谭有没有什么好看的小说?拒绝言情小说!百度关键词分析如何正确分析关键词?www.haole012.com012qq.com真的假的www.kaspersky.com.cn卡巴斯基中国总部设立在?sodu.tw台湾的可以看小说的网站www.gogo.com祺笑化瘀祛斑胶囊效果。www.1diaocha.com请问网络上可以做兼职赚钱吗?现在骗子比较多,不敢盲目相信。请大家推荐下
厦门域名注册 未注册域名查询 5折 秒解服务器 xfce 搜狗抢票助手 789电视网 卡巴斯基试用版 亚马逊香港官网 512内存 magento主机 标准机柜 此网页包含的内容将不使用安全的https 超低价 压力测试工具 遨游论坛 ddos攻击工具 阿里云主机 中国最年轻博士 百度空间登陆首页 更多