Complete Anatomy Security Account Manager (SAM) Structure _ Security Tutorial

Security settings need to know something
I. Summary
　　
The analysis of the security Account manager structure was done one months ago, only fragmentary records of fragments, not published. The main reason for not publishing is that the Security Account Manager (SAM) is the core of WIN system account management and very systematized, and I have a lot of places just to make inferences and guesses, while SAM Hack may cause an error in the Lsass.exe load account manager at startup, even safe mode cannot be repaired (Sam must be loaded at boot time) to make the entire system start crashing (I usually need to rely on the second system to remove the SAM file to boot). As for the release now, mainly because of the concealment and harmfulness of the fabrication rootkit method described in Adam and Ding's clone administrator account, the familiarity of Sam's structure can help the security maintenance personnel to do the safety inspection (which may also be exploited by the bad intention). The contents of Sam are only described here, and the security related is temporarily closed.
　　
second, about Sam
　　
Don't misunderstand Sam, this is not a file Sam so simple. The SAM (Security Accounts Manager Safety Account Manager) is responsible for the control and maintenance of the SAM database. The SAM database is under the registry Hklmsamsam and is protected by ACLs, and you can use Regedt32.exe to open Registry Editor and set the appropriate permissions to view the contents of the SAM. The SAM database is stored on disk in the Sam file in the%systemroot%system32config directory, and a security file is included in this directory, which is the content of the secure database, and has a lot of relationship.
　　
The SAM database contains information about all groups and accounts, including password hashes, the SID of the account, and so on. The content is described in detail later. Analysis of the system Chinese Win2K ADV Server for example.
　　
III. structure of the SAM database in the registry
　　
Expand registry Hklmsamsam:
　　
HKLM---SAM
|---SAM
|---Domains
| |---Account
| | | |---aliases
| | | | |----Members
| | | | |---Names
| | | |---Groups
| | | | |---00000201
| | | | |---Names
| | | | |---None
| | | |---Users
| | | |---000001F4
| | | |---000001F5
| | | |---000003E8
| | | |---000003E9
| | | |---Names
| | | |---adaministrator
| | | |----Guest
| | | |---iusr_refdom
| | | |---iwasm_refdom
| | |---Builtin
| | |---aliases
| | | |---00000220
| | | |---00000221
| | | |---00000222
| | | |---00000223
| | | |----Members
| | | | |---s-1-5-21-1214440339-706699826-1708537768
| | | | |---000001F4
| | | | |---000001F5
| | | | |---000003E8
| | | | |---000003E9
| | | |---Names
| | | |---Administrators
| | | |---Users
| | | |---Guests
| | |----power Users
| | |---Groups
| | | |---Names
| |
| |---Users
| | |---Names
|
|---rxact
　　
This is the SAM tree in the registry on the machine.
　　
As you can see from the contents of the Sam file, the Sam tree in the registry is actually the same as the Sam file. However, in the Sam file is the first column rxact and then in the domains content (and so on), the order of expression in the file is the opposite of the tree order in the registry. If you are accustomed to looking at the contents of a file, from 0000h to 0006Ch of the file, it represents the location of the SAM database: Systemrootsystem32configsam, then one end of the blank, until 01000h (Hbin), from where it is the entire contents of the database. SAM database file content is not a major introduction, but will be interspersed with introductions, interested in their own to study.
　　
iv. structure and main content of SAM database:
　　
In the entire database, the account main content exists in these locations:
　　
Under domains is the SAM content in the domain (or native) with two branches "account" and "Builtin"
　　
Domainsaccount is the user account content.
　　
Domainsaccountusers is the information of each account. The subkey below is the SID relative identifier for each account. For example 000001F4, there are two subkeys, F and V below each account. Under names is the user account name, each account name has only one default subkey, the item type is not the general registry data type, but points to flag this account SID last (relative identifier), such as its administrator, the type is 0X1F4, So the 000001f4 from the front corresponds to the contents of the account name administrator. This shows the logic of MS account search.
　　
Infer one: From the registry structure to look at the account, if you query an account name Refdom related information, then, Microsoft from the account name Refdom
　　
Locate its type 0x3eb, and then find the account content for the relative identifier (or SID) 000003EB. All API functions, such as netuserenum (), are executed in this way. Therefore, if you change the type of Refdom account 0x3eb to 0x1f4, then this account will be directed to the class 000001f4 account. And this account 000001F4 is the administrator account, so that the system in the login process to the Refdom account completely into the Administrator account, the account Refdom all the content, information is adminisrtator content, Includes passwords, permissions, desktops, records, access times, and so on. This inference should be set up, however, will mean that two user names corresponding to a user information, system boot should be error!
　　
It is inferred that the first time the structure was analyzed, the relationship between the account name and the SID associated during and after the login process was revealed.
　　
Domainsaccountusers00001f4, this is the administrator's account information (other similar). There are two subkeys V and F.
　　
The basic information of the account is saved in Project V, the user name, the full name of the user, the owning group, the description, the password hash, the comment, whether the password can be changed, account enabled, password set time, and so on. In Project F, there are some login records, such as the last logon time, the number of incorrect logins, and so on, and an important place is the SID relative identifier of this account.
　　
I didn't notice this place when I was analyzing the structure, which is Adam's idea. This is where this SID is. A relative marker in the registry an account appears two times, one is in the subkey 000001f4, the other is the contents of item F in the subkey, from 48 to 51 of four bytes: F4 01 00 00, which is actually a long variable, which is 00 00 01 F4. Synchronization problems occur when a flag appears in two places. Obviously, Microsoft has made this mistake. Two variables should be unified logo a user account, but Microsoft has two variables play their respective roles, but not synchronized unified.
　　
000001f4 used to correspond to the user name administrator, easy to query account information through the user, such as LookupAccountSid () and other account related API functions are located through this location to locate the user information, this association should be used in the account after the login. The F4 01 00 00 in the project V value is most directly associated with the account login.
　　
Second: Win login, the relative marker is obtained from the SAM, and the relative marker position is F4 01 00 00 in the V value. However, the account information query uses the contents of the SAM Neutron key.
　　
Infer the reason of the second hypothesis (hypothesis one): When the account is logged in, the logon process obtains the relative identifier value in the Account record information used by the user name in the SAM database (equivalent to the F4 01 00 00 in the V value), after the account is logged in, and after all associated with the account, this value is no longer used by the API function, The relative marker is replaced by the field name of a data record item (equivalent to the subkey 000001f4). Microsoft has made a sync logic problem!
　　
The second inference is based on Adam's proposal, which has not been inferred before. :( Inferred second, if established, reveals the process of the account SID during the logon process. This is why the values in V are related to account logon records (logon hours, number of password errors, and so on). At the same time, because the F store a user name content, and the API function query is this username, so Adam's cloning method is easy to face, after ding-ding supplements, this user name is also restored the original username, from the user name on the relatively difficult to detect.
　　
The above introduction to Project V can be known, where the basic information of the account is saved, the user name, the full name of the user, the owning group, description, password hash, comment, whether the password can be changed, account enabled, password set time, and so on. Now the concern is password hash.
　　
Assuming two: In the account of the item V, contains the user hash, including LM2 and NT password encryption hash, crack, can be separated. After all, LM2 simple.
　　
The content under Domainsbuiltin is related to the account group. Its structure is similar to account, and there are corresponding problems, no longer wordy.
　　
SAM database-saved files in Sam, there is no such concise content in the registry, but mainly by offset, length to locate the content. And the information for a single account is concentrated in one piece, rather than separated by the registry form (a key of the name and the content in another key).
　　
Sam file, you can locate the data meaning based on these delimiters:
　　
NK (6E 6B) key or subkey name
VK (6B) corresponding value
if (6C 66) subkey List
SK (6B) privileges
　　
v. Conclusions on SAM database analysis:
　　
SAM hack is very dangerous. Improper modification destroys the system's security data manager, causing system startup problems, although you can remove the SAM file to allow startup recovery. If you are familiar with the structure of Sam, you will find that you can switch between user name and user name, user group and user group, and account and account group forgery, completely breaking Microsoft's account pattern. And very covert, so that account-related API functions are confused. Although Microsoft has made a lot of logical problems with account information, the security account database is not insecure and all operations must have full administrator privileges.
　　
When the hidden backdoor approach is proposed, it will make a lot of "hacker" use, the administrator should be more familiar with the relevant technology, make good security testing.