----- Another way to clone accounts
Author: aXis
Source: www.3389.net
Abstract: This article covers the ACL, token and privilege mechanisms of NT, and how object access can be obtained by using privileges to bypass the ACL. It can be regarded as another way of cloning the administrator account, one that is more concealed but harder to use. The point is to evade detection; the current approach is to bypass the ACL by means of privileges.
Keywords: ACL, ACE, DACL, TOKEN, SID, PRIVILEGE
Statement: I would like to dedicate this article to Chen Jing.
1. Basic concepts (This section describes basic concepts such as tokens and ACLs, and prepares for the second part. If you already know about the content, skip this section)
1. What is a token
When a user logs on to Windows NT/2000/XP and passes authentication, the system assigns the user a token. The token is a data structure attached to every process and thread started by that user. The structure of a token is as follows:
Token source
Impersonation Type
Token ID
Authentication ID
Modified ID
Expiration Time
Default Primary Group
Default DACL
User Account SID
Group 1 SID
......
Group n SID
Restricted SID 1
......
Restricted SID n
Privilege 1
......
Privilege n
This is not easy to grasp in the abstract, so let's look at an instance: whoami.exe from the Windows 2000 Resource Kit shows the detailed contents of the current user's access token.
C:\> whoami /all
[User] = "DARKDEAMON\Administrator" S-1-5-21-1409082233-1957994488-472307971-500
[Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Administrators" S-1-5-32-544
[Group 4] = "BUILTIN\Users" S-1-5-32-545
[Group 5] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 6] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 7] = "LOCAL" S-1-2-0
(X) SeChangeNotifyPrivilege =
(O) SeSecurityPrivilege =
(O) SeBackupPrivilege =
(O) SeRestorePrivilege =
(O) SeSystemtimePrivilege =
(O) SeShutdownPrivilege =
(O) SeRemoteShutdownPrivilege =
(O) SeTakeOwnershipPrivilege =
(O) SeDebugPrivilege =
(O) SeSystemEnvironmentPrivilege =
(O) SeSystemProfilePrivilege =
(O) SeProfileSingleProcessPrivilege =
(O) SeIncreaseBasePriorityPrivilege =
(X) SeLoadDriverPrivilege =
(O) SeCreatePagefilePrivilege =
(O) SeIncreaseQuotaPrivilege =
(X) SeUndockPrivilege =
(O) SeTcbPrivilege =
C:\>
This is the information in my token: my SID, the groups I belong to, the full list of privileges, and so on. The token is therefore what determines what a user can do on a computer.
2. Security identifier (SID)
The SID is assigned by the system when a user or group is created. It is unique. When a local user logs on, the SID is retrieved from the user database in SAM.
For the SID structure, refer to the description in "Inside Windows 2000":
A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values.
Below are some built-in SIDs:
Well-Known SIDs

SID        Group              Use
S-1-1-0    Everyone           A group that includes all users.
S-1-2-0    Local              Users who log on to terminals locally (physically) connected to the system.
S-1-3-0    Creator Owner ID   A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable access-control entries (ACEs).
S-1-3-1    Creator Group ID   Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.
The last number of a SID is the RID (relative identifier). RID 500 identifies the Administrator and RID 501 the Guest.
The "clone Administrator account" method proposed by ADAM clones an account's SID to RID 500 so that the system treats that account as the administrator.
For a complete SID structure, see the SID in the above token.
S-1-5-21-1409082233-1957994488-472307971-500
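To make the structure quoted from "Inside Windows 2000" concrete, here is an added Python example (not code from the article) that converts a SID between its string form and its binary layout (one revision byte, one sub-authority count byte, a 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), extracts the RID, and labels the well-known SIDs listed above. The WELL_KNOWN table and the describe() labels are the example's own; an account-audit script can use the RID check to flag any account whose SID ends in 500 or 501.

```python
import struct

# Well-known SIDs from the table above (a small constructed subset, not a full list).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner ID",
    "S-1-3-1": "Creator Group ID",
}


def parse_sid(text):
    """Parse 'S-R-A-S1-...-Sn' into (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2], 0)          # very large authorities are written as 0x... hex
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % text)
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE DWORD subs."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes, validating the length against the sub-authority count."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = [struct.unpack("<I", data[8 + 4 * i:12 + 4 * i])[0] for i in range(count)]
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def rid(text):
    """The relative identifier is simply the last sub-authority."""
    subs = parse_sid(text)[2]
    if not subs:
        raise ValueError("SID has no sub-authorities, hence no RID")
    return subs[-1]


def describe(text):
    """Label a SID the way an account-audit report would (labels are the example's own)."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    _, authority, subs = parse_sid(text)
    # S-1-5-21-<three machine/domain values>-<RID> is the local/domain account form.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        if subs[-1] == 500:
            return "built-in Administrator (RID 500)"
        if subs[-1] == 501:
            return "built-in Guest (RID 501)"
        return "local/domain principal, RID %d" % subs[-1]
    return "unclassified"


if __name__ == "__main__":
    for s in ("S-1-1-0", "S-1-5-32-544", "S-1-5-21-1409082233-1957994488-472307971-500"):
        print(s, sid_to_bytes(s).hex(), describe(s))
```

The round trip through sid_to_bytes and sid_from_bytes is the useful part for a defender: SAM and registry data carry SIDs in the binary form, and parsing them correctly is what lets a script compare RIDs rather than trusting the account name.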
3. What is the access control list (ACL)
ACL (access control list) is easy to understand from the name: the system uses the ACL to decide how far a user may access a resource. There are two kinds of ACL: the DACL (Discretionary Access Control List) and the SACL (System Access Control List). The DACL lists users and groups together with their permissions, allowing or denying them, and so determines access to the resource. The SACL determines the audit policy for the secured resource. An ACL consists of zero or more ACEs (Access Control Entries). An ACE contains a SID and a description of what that SID may do with the resource, such as allow or deny. Deny takes precedence over allow.
The Windows 2000 Resource Kit includes several ACL tools, of which xcacls is the typical one. The following is an example of using xcacls to view an ACL.
C:\Program Files\Resource Kit>xcacls whoami.exe
C:\Program Files\Resource Kit\whoami.exe BUILTIN\Users:R
                                         BUILTIN\Power Users:C
                                         BUILTIN\Administrators:F
                                         NT AUTHORITY\SYSTEM:F
                                         NT AUTHORITY\TERMINAL SERVER USER:C
C:\Program Files\Resource Kit>
Other ACL-related tools include svcacls.exe, showacls and subinacl.exe. I will not go into them here.
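The ACL paragraph above describes the DACL walk (ordered ACEs, deny before allow) and the whoami output lists privileges such as SeBackupPrivilege and SeTakeOwnershipPrivilege that are checked before the DACL is consulted. The following added Python example (written for this page, not code from the article or from Windows) is a simplified model of the NT access check that shows both: privilege-based grants first, then the in-order ACE walk. The DACL for whoami.exe is reconstructed from the xcacls listing above (R and F mapped to a small set of access bits); the user SID with RID 1001 and the tokens are constructed, and the backup_intent flag stands in for the NTFS backup API path on which SeBackupPrivilege and SeRestorePrivilege are honoured. The point for a defender is that a token holding these privileges must be treated as administrator-equivalent, whatever the DACLs say.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access-mask bits (values follow the Win32 constants for this subset).
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
ACCESS_SYSTEM_SECURITY = 0x01000000

# Well-known SIDs taken from the whoami output above.
SID_EVERYONE = "S-1-1-0"
SID_ADMINS = "S-1-5-32-544"
SID_USERS = "S-1-5-32-545"


@dataclass
class Token:
    user: str
    groups: frozenset
    privileges: frozenset          # only currently enabled privileges count


@dataclass
class Ace:
    kind: str                      # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]      # None models a missing DACL, which protects nothing


def access_check(token: Token, sd: SecurityDescriptor, desired: int,
                 backup_intent: bool = False) -> Tuple[bool, str]:
    """Simplified NT access check: privilege and owner grants first, then an
    in-order DACL walk where the first deny ACE covering a still-outstanding
    bit denies the whole request. Returns (granted, reason)."""
    sids = {token.user, *token.groups}
    granted = 0
    # Step 1: privileges satisfy specific rights without looking at the DACL.
    if desired & ACCESS_SYSTEM_SECURITY:
        if "SeSecurityPrivilege" not in token.privileges:
            return False, "ACCESS_SYSTEM_SECURITY requires SeSecurityPrivilege"
        granted |= ACCESS_SYSTEM_SECURITY
    if desired & WRITE_OWNER and "SeTakeOwnershipPrivilege" in token.privileges:
        granted |= WRITE_OWNER
    # Backup/restore privileges only count on the backup API path, as the
    # privilege table says; reads come from SeBackupPrivilege, writes from SeRestorePrivilege.
    if backup_intent:
        if "SeBackupPrivilege" in token.privileges:
            granted |= desired & (FILE_READ_DATA | READ_CONTROL)
        if "SeRestorePrivilege" in token.privileges:
            granted |= desired & (FILE_WRITE_DATA | DELETE)
    # Step 2: the owner can always read and rewrite the DACL.
    if sd.owner in sids:
        granted |= READ_CONTROL | WRITE_DAC
    remaining = desired & ~granted
    if not remaining:
        return True, "granted without consulting the DACL"
    if sd.dacl is None:
        return True, "no DACL present, everything granted"
    # Step 3: canonical DACL walk, ACEs in the order they are stored.
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, "denied by ACE for " + ace.sid
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if not remaining:
                return True, "granted by DACL"
    return False, "no ACE grants 0x%08x" % remaining


# R (read) and F (full control) from the xcacls listing, mapped to the bits above.
READ = FILE_READ_DATA | READ_CONTROL
FULL = READ | FILE_WRITE_DATA | DELETE | WRITE_DAC | WRITE_OWNER
WHOAMI_EXE = SecurityDescriptor(SID_ADMINS, [Ace("allow", SID_USERS, READ),
                                             Ace("allow", SID_ADMINS, FULL)])
ADMIN_ONLY = SecurityDescriptor(SID_ADMINS, [Ace("allow", SID_ADMINS, FULL)])
DENY_FIRST = SecurityDescriptor(SID_ADMINS, [Ace("deny", SID_EVERYONE, FILE_WRITE_DATA),
                                             Ace("allow", SID_USERS, FULL)])

# Constructed tokens for one ordinary user (RID 1001 is made up for the example).
USER_SID = "S-1-5-21-1409082233-1957994488-472307971-1001"
PLAIN_USER = Token(USER_SID, frozenset({SID_EVERYONE, SID_USERS}), frozenset())
BACKUP_USER = Token(USER_SID, frozenset({SID_EVERYONE, SID_USERS}), frozenset({"SeBackupPrivilege"}))
OWNER_USER = Token(USER_SID, frozenset({SID_EVERYONE, SID_USERS}), frozenset({"SeTakeOwnershipPrivilege"}))

if __name__ == "__main__":
    print(access_check(PLAIN_USER, WHOAMI_EXE, READ))
    print(access_check(PLAIN_USER, ADMIN_ONLY, READ))
    print(access_check(BACKUP_USER, ADMIN_ONLY, READ, backup_intent=True))
    print(access_check(OWNER_USER, ADMIN_ONLY, WRITE_OWNER))
    print(access_check(PLAIN_USER, DENY_FIRST, FILE_WRITE_DATA))
```

The three security descriptors exercise the three rules the text states: Users get read and nothing more on whoami.exe, a deny ACE placed first wins over a later allow, and an admin-only DACL is irrelevant once the token holds the matching privilege. Auditing who holds SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege is therefore as important as auditing DACLs.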
4. Privileges
In short, a privilege is a right granted to a user by the system. Privileges allow or disallow privileged operations that affect the whole computer system rather than a specific object. The following table lists some system privileges and what they do.
Privilege / Windows privilege / Description

SeTcbPrivilege
  Windows privilege: Act as part of the operating system
  Description: Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.

SeMachineAccountPrivilege
  Windows privilege: Add computers to a domain
  Description: Allows the user to add a computer to a specific domain. For the privilege to be valid, it must be assigned to the user as part of local security policy for domain controllers in the domain.

SeBackupPrivilege
  Windows privilege: Back up files and directories
  Description: Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. By default, this privilege is assigned to Administrators and Backup Operators. See also Restore files and directories in this table.

SeChangeNotifyPrivilege
  Windows privilege: Bypass traverse checking
  Description: Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.

SeSystemTimePrivilege
  Windows privilege: Change the system time
  Description: Allows the user to set the time for the internal clock of the computer. By default, this privilege is assigned to Administrators and Power Users.

SeCreatePagefilePrivilege
  Windows privilege: Create a pagefile
  Description: Allows the user to create and change the size of a page file. By default, this privilege is assigned to Administrators.

SeCreateTokenPrivilege
  Windows privilege: Create a token object
  Description: Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.

SeCreatePermanentPrivilege
  Windows privilege: Create permanent shared objects
  Description: Allows a process to create a directory object in the Windows