Anatomy of the Security Account Manager (SAM) Structure

I. Summary
II. About SAM
III. Structure of the SAM Database in the Registry
IV. structure and main content of the SAM Database
V. Conclusion on SAM Database Analysis

I. Summary

The structure of the security account manager was analyzed for more than a month ago. It only recorded fragments in parts and was not released. Major non-release issues
The reason is that the security account manager (SAM) is the core of WIN system account management, and it is very systematic. I also have many places to simply push
At the same time, when SAM hackcan build a startup, lsass.exe fails to load the account manager, even in safe mode (start
The system starts to crash (I usually need to delete the SAM file from the second system to start it ). Release now
This is mainly because Adam and Ding's "clone Administrator Account" describes the concealment and harmfulness of the rootkit method, and the structure of SAM.
Can help security maintenance personnel do a good job of Security Detection (of course, it may also be exploited by malicious attackers ).

Here we will only introduce SAM's content, which is not publicly available for the moment.

Ii. About SAM

Don't misunderstand SAM. It's not as simple as a file sam. SAM (Security Accounts Manager Security Account Manager)
Control and maintenance of the SAM Database. Samdata is stored in the Registration Table hklmsamsamand is protected by acl. you can use regedt32.exe to open the note.
Table editor and set appropriate permissions to view contents in SAM. The SAM Database is stored in the % systemroot % system32config directory on the disk.
The sam file in the directory also contains a security file, which is the content of the security database. There are many relationships between the two.

The SAM Database contains information about all groups and accounts, including password HASH and account SID. These contents are described in detail later. Score by me
The analysis system uses the Chinese language Win2K Adv Server as an example.

Iii. Structure of the SAM Database in the Registry

Expand the Registry HKLMSAMSAM:

HKLM---SAM
| --- SAM
| --- Domains
| --- Account
| --- Aliases
| --- Members
| --- Names
| --- Groups
| --- 00000201
| --- Names
| --- None
| --- Users
| --- 000001F4
| --- 000001F5
| --- 000003E8
| --- 000003E9
| --- Names
| --- Adaministrator
| --- Guest
| --- IUSR_REFDOM
| --- IWASM_REFDOM
| --- Builtin
| --- Aliases
||| --- 00000220
||| --- 00000221
||| --- 00000222
||| --- 00000223
| --- Members
| --- S-1-5-21-1214440339-706699826-1708537768
| --- 000001F4
| --- 000001F5
| --- 000003E8
| --- 000003E9
| --- Names
| --- Administrators
| --- Users
| --- Guests
| --- Power Users
| --- Groups
| --- Names
|
| --- Users
| --- Names
|
| --- RXACT

This is the SAM tree in the Registry on my machine.

We can see from the contents of the SAM file that the SAM tree in the registry is actually the same as that in the SAM file. However, the SAM file contains the first column
RXACT is followed by Domains (and so on). The expression order in the file is the opposite to that in the tree sequence in the registry. If you are used to reading
The file content, from the memory H of the file to 0006Ch, indicates the location of the SAM Database: systemrootsystem32configsam.
The end is blank until 01000 h (hbin). From here, it is the content of the entire database. The file content of the SAM Database is not described in detail,
However, they will be interspersed with introductions. If you are interested, you can study them on your own.

Iv. structure and main content of the SAM Database:

In the entire database, the main account content exists in the following locations:

In Domains, the SAM content in the domain (or local machine) has two branches: "Account" and "Builtin ".

DomainsAccount is the content of the user account.

In DomainsAccountUsers, the information of each account is displayed. The sub-key is the relative identifier of the SID of each account. For example, 000001F4,
Each account has two subitems, F and V. Names is the user account name. Each account name has only one default subitem, and the type of the item is not
Is a general registry data type, but points to the last (relative identifier) of the SID that marks this account, such as the Administrator,
The type is 0x1F4, so the previous 000001F4 corresponds to the account name administrator. This shows the logic for searching MS Accounts.

Inference 1: From the Perspective of the account structure in the registry, if you query information related to the account name refdom, Microsoft will
Find its type 0x3EB, and then find the account content with the relative identifier (or SID) 000003EB. All API functions (such as NetUserEnum ())
All of them are executed in this way. Therefore, if the type 0x3EB in the refdom account is changed to 0x1F4, the account will be directed to the account with the class 000001F4
User. This account 000001F4 is the administrator account. In this way, the system transfers the refdom account to the administrator account during logon.
All content and information used by the account refdom are adminisrtator content, including passwords, permissions, desktops, records, access times, etc.
. This inference should be true, but it will mean that the two usernames correspond to one user information. An error should occur during system startup!

It is inferred from the previous analysis structure that the relationship between account names and SID during and after logon is revealed.

DomainsAccountUsers00001F4, which is the account information of the administrator (others are similar ). There are two subitem V and F.
Project V stores the basic account information, including the user name, full name, group, description, password hash, comment, and whether
Change the password, enable the account, and set the password time. Project F saves some logon records, such as the last logon time and number of wrong logins, and
An important part is the relative identifier of the Account's SID.

I didn't pay attention to this point when I analyzed the structure. This is what Adam proposed. This is where the relative identifier of the SID is registered.
One account appears twice in the Table. One is in the sub-key 000001F4, and the other is in the sub-key's content of item F, four bytes from 48 to 51:
F4 01 00 00, which is actually a long type variable, that is, 00 00 01 F4. When a sign appears in two places
Synchronization problems. Obviously, Microsoft has made this mistake. The two variables should mark a single user account, but Microsoft uses the two variables separately
Is not synchronized.

In the subkey, 000001F4 is used to correspond to the User Name administrator, so that you can easily query account information, such as LookupAccountSid ().
Account-related API functions use this location to locate user information. This association should be used after account logon. In project V
F4 01 00 is the most directly associated with account logon.

Conclusion 2: during logon, the relative identifier is obtained from SAM, and the relative identifier is at F4 01 00 in the V value. However,
The SAM subkey used for account information query.

Assumption 2 (hypothesis 1): During account logon, the logon process obtains the information in the account record used by the username in the SAM Database
The relative flag value (equivalent to F4 01 00 00 in the V value). After the account is logged on, this value is no longer used by the API Function
And the relative identifier is replaced by the field name of a data record item (equivalent to the sub-key 000001F4 ). Microsoft has made a synchronization logic problem!

Inference 2 is based on Adam's suggestion. It has never been inferred before. (Inferred second, if it is true, it reveals that the account SID is used during the login process.
. This is why the value in V is related to the Account Logon record (logon time, Password error count, etc. At the same time, because F saves
And the API function queries the user name, so the Adam cloning method is easy to show your face. After ding, the user
The original user name has been restored, and it is relatively difficult to detect the user name.

You can see the introduction of Project V, which stores the basic information of the Account, username, full name, group, description,
Password hash, comment, whether the password can be changed, Account Activation, and password setting time. Now we are concerned about the password HASH.

Suppose 2: item V of the account contains the user HASH, including the encryption HASH of LM2 and NT, which can be separated during Crack. After all
LM2 is simple.

The content in DomainsBuiltin is related to the account group. Its structure is similar to that under the Account, and there are also corresponding problems, so it is no longer
Long-winded.

The file SAM stored in the sam database does not have such concise content in the registry, but mainly uses offset and length to locate the content. And
The information of a single account is centralized in one partition, rather than separated in the registry form (one key for the name and the content is in another key ).

In the sam file, you can locate the data meaning based on the following delimiters:

Nk (6E 6B) Key or subkey name
Value corresponding to vk (76 6B)
If (6C 66) subkey list
Sk (73 6B) Permission

V. Conclusion on SAM Database Analysis:

Sam hack is very dangerous. Improper modification will damage the security data manager of the system and cause system startup problems.
Delete the SAM file to restore the startup. If you are familiar with the structure of SAM, you will find that you can
Exchange and account group forgery completely break Microsoft's account structure. It is also very concealed, so that the account-related API functions are confused.

Although Microsoft has made many logical problems in processing account information, the security account database is not insecure and all operations must be fully managed.
Member permission.

When a concealed backdoor approach is proposed, many "hackers" will be allowed to exploit it. administrators should also be familiar with related technologies to perform security detection,
My goal is achieved. The simple detection tool for clone Administrator account can be downloaded on my homepage (www.opengram.com). However, the administrator needs to learn more about the tool to better detect intrusions.