Completely dissect the Security Account Manager (SAM) Structure

Source: Internet
Author: User
I. Summary
  
I analyzed the structure of the Security Account Manager more than a month ago, but only recorded fragments and did not publish them. The main reason was that the Security Account Manager (SAM) is the core of account management on Windows systems and is highly systematic, and in many places I could only make inferences and guesses. In addition, if a hacked SAM causes an error when lsass.exe loads the account manager at startup, it cannot be repaired even in safe mode (the SAM must be loaded at boot), and the whole system fails to start (I usually recovered by booting a second installation and deleting the SAM file). I am publishing now mainly because the "clone Administrator account" method that Adam and Ding described as a way to build a rootkit is both concealed and harmful; being familiar with the structure of the SAM can help security maintainers perform security checks (though it may also be exploited by malicious attackers). Only the contents of the SAM are introduced here; the rest is not released for now.
  
II. About SAM
  
Don't misunderstand the SAM: it is not simply the file named sam. The Security Account Manager (SAM) controls and maintains the SAM database. The SAM database is stored in the registry under HKLM\SAM\SAM and is protected by an ACL. You can open regedt32.exe and grant yourself the appropriate permissions to view the contents of SAM. On disk, the SAM database is stored in the file sam under the %SystemRoot%\system32\config directory. That directory also contains the file security, which holds the security database; the two are closely related.
  
The SAM database contains information about all groups and accounts, including password hashes and account SIDs. These contents are described in detail later. The system analyzed here is a Chinese-language Windows 2000 Advanced Server.
  
III. Structure of the SAM Database in the Registry
  
Expand the registry key HKLM\SAM\SAM:
  
HKLM
 |--- SAM
      |--- SAM
           |--- Domains
           |    |--- Account
           |    |    |--- Aliases
           |    |    |    |--- Members
           |    |    |    |--- Names
           |    |    |--- Groups
           |    |    |    |--- 00000201
           |    |    |    |--- Names
           |    |    |         |--- None
           |    |    |--- Users
           |    |         |--- 000001F4
           |    |         |--- 000001F5
           |    |         |--- 000003E8
           |    |         |--- 000003E9
           |    |         |--- Names
           |    |              |--- Administrator
           |    |              |--- Guest
           |    |              |--- IUSR_REFDOM
           |    |              |--- IWAM_REFDOM
           |    |--- Builtin
           |         |--- Aliases
           |         |    |--- 00000220
           |         |    |--- 00000221
           |         |    |--- 00000222
           |         |    |--- 00000223
           |         |    |--- Members
           |         |    |    |--- S-1-5-21-1214440339-706699826-1708537768
           |         |    |         |--- 000001F4
           |         |    |         |--- 000001F5
           |         |    |         |--- 000003E8
           |         |    |         |--- 000003E9
           |         |    |--- Names
           |         |         |--- Administrators
           |         |         |--- Users
           |         |         |--- Guests
           |         |         |--- Power Users
           |         |--- Groups
           |         |    |--- Names
           |         |--- Users
           |              |--- Names
           |--- RXACT
  
This is the SAM tree in the Registry on the machine.
  
Comparing with the contents of the sam file, the SAM tree in the registry is actually the same as the one in the file. However, the file lists RXACT first and then Domains (and so on); the order in the file is the reverse of the tree order in the registry. If you are used to reading the file content: the header of the file, up to offset 0006Ch, records the location of the SAM database, \systemroot\system32\config\sam, and the rest of the header is blank until 01000h (hbin), where the content of the entire database begins. The file layout of the SAM database is not described in detail here but is touched on along the way; if you are interested, you can study it on your own.
  
IV. Structure and main content of the SAM Database:
  
In the entire database, the main account content exists in the following locations:
  
Domains holds the SAM content of the domain (or of the local machine). It has two branches: Account and Builtin.
  
Domains\Account holds the user account content.
  
Domains\Account\Users holds the information of each account. Each subkey is named by the relative identifier (RID) of the account's SID, for example 000001F4, and each has two values, F and V. Names holds the user account names; each account name key has only a default value, whose type is not a normal registry data type but instead points to the last part of the account's SID (the relative identifier). For example, the type of the value under Administrator is 0x1F4, so the account name Administrator maps to the 000001F4 key above. This shows the logic by which Microsoft looks up accounts.
  
Inference 1: From the account structure in the registry, if you query information about the account name refdom, Microsoft first finds its type 0x3EB and then finds the account content under the relative identifier (SID suffix) 000003EB. All API functions (such as NetUserEnum()) work this way. Therefore, if the type 0x3EB of the refdom account is changed to 0x1F4, the account is directed to the key 000001F4, which is the Administrator account. In this way, the system maps the refdom account to the Administrator account at logon, and all content and information used by refdom is Administrator's, including password, permissions, desktop, records and access times. This inference should be true, but it would mean that two user names correspond to one set of user information; an error should then occur during system startup!
  
From the structure analyzed above, the relationship between account names and SIDs during and after logon can be inferred.
  
Domains\Account\Users\000001F4 is the account information of the Administrator (the others are similar). It has two values, V and F.
  
The V value stores the basic account information: user name, full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, the time the password was set, etc. The F value stores logon records, such as the last logon time and the number of failed logons. Another important item in it is the relative identifier (RID) of the account.
  
I did not notice this point when I analyzed the structure; it was Adam who pointed it out. The relative identifier of the SID appears twice in an account's registry data: once in the subkey name 000001F4, and once in the F value of that subkey, in the four bytes at offsets 48 to 51: F4 01 00 00, which is a long stored little-endian, i.e. 00 00 01 F4. When one identifier appears in two places, synchronization becomes an issue, and Microsoft has obviously made this mistake: the two variables should identify a single user account, but Microsoft did not keep them synchronized.
  
The subkey name 000001F4 corresponds to the user name "Administrator" and makes it convenient to query account information, as LookupAccountSid() and other account-related API functions do. This location is used to locate user information, and this association should be the one used after account logon. The F4 01 00 in the V value is the one most directly associated with account logon.
  
Conclusion 2: during logon, the relative identifier is obtained from the SAM, and that relative identifier is the F4 01 00 in the V value; the SAM subkey name, on the other hand, is used for account information queries.
  
Assumption 2: when an account logs on, the relative identifier is taken from the account record that the user name selects in the SAM database (the F4 01 00 in the V value). After logon, this value is no longer used by API functions; instead, the relative identifier is taken from the name of the data record (the subkey 000001F4). Microsoft has made a synchronization logic error!
  
Inference 2 is based on Adam's suggestion and had not been made before. If Inference 2 is true, it reveals how the account SID is handled during logon; this is why the value in V is related to the account logon record (logon time, password error count, etc.). At the same time, because F stores a user name and API functions query this user name, Adam's cloning method easily exposes itself; once this user name has also been restored to the original user name, it is relatively difficult to detect.
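The mismatch discussed above is something an administrator can check mechanically. As an added example (not code from the original article), the following Python compares the RID in each Domains\Account\Users subkey name with the little-endian DWORD at offset 48 of its F value and reports any account where the two disagree; the other F offsets used (last logon at 8, logon count at 66) are assumed from common SAM parsers, and the F blobs are constructed sample data rather than a real SAM.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets inside the F value. 48 (0x30) is the RID location given in the text;
# the other two follow the layout used by common SAM parsers (assumed here).
F_LAST_LOGON, F_RID, F_LOGON_COUNT = 0x08, 0x30, 0x42

def filetime(raw: bytes) -> str:
    """Render an 8-byte little-endian FILETIME; zero means 'never'."""
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return "never"
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ticks // 10)).isoformat()

def audit_users(users: dict) -> list:
    """users maps each Domains\\Account\\Users subkey name (hex RID) to its F value.
    Returns one finding per account whose stored RID disagrees with its subkey."""
    findings = []
    for subkey, f in users.items():
        if len(f) < F_LOGON_COUNT + 2:
            findings.append({"subkey": subkey, "problem": "F value too short"})
            continue
        key_rid = int(subkey, 16)
        stored_rid = struct.unpack_from("<I", f, F_RID)[0]
        if key_rid != stored_rid:
            findings.append({
                "subkey": subkey, "key_rid": key_rid, "stored_rid": stored_rid,
                "last_logon": filetime(f[F_LAST_LOGON:F_LAST_LOGON + 8]),
                "logon_count": struct.unpack_from("<H", f, F_LOGON_COUNT)[0],
                "problem": "subkey RID and F-value RID differ (possible clone)",
            })
    return findings

def make_f(rid: int, last_logon: int = 0, logons: int = 0) -> bytes:
    """Build a constructed F blob (sample data, not taken from a real SAM)."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, F_LAST_LOGON, last_logon)
    struct.pack_into("<I", f, F_RID, rid)
    struct.pack_into("<H", f, F_LOGON_COUNT, logons)
    return bytes(f)

# Constructed sample: Administrator (0x1F4) and Guest (0x1F5) are consistent;
# the 0x3EB record carries the Administrator's RID, the pattern described above.
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4, last_logon=116444736000000000, logons=3),
    "000001F5": make_f(0x1F5),
    "000003EB": make_f(0x1F4, logons=1),
}
```

On a live system the F values come from the HKLM\SAM\SAM\Domains\Account\Users subkeys, which, as noted above, are ACL-protected and readable only after granting the appropriate permissions.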
  
As described for the V value, it saves the basic account information: user name, full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, the time the password was set, etc. What concerns us now is the password hash.
  
Supposition 2: the V value of the account contains the user's hashes, both the LM and NT encrypted hashes, which can be separated when cracking. After all, LM is simple.
  
The content in Domains\Builtin relates to the account groups. Its structure is similar to that under Account and has the corresponding problems, so it is not repeated here.
  
The sam file that stores the SAM database does not have the concise layout of the registry; it mainly uses offsets and lengths to locate content. In addition, the information of a single account is kept together rather than split as in the registry (the name in one key and the content in another).
  
In the sam file, you can locate the meaning of the data by the following delimiters (cell signatures):
  
nk (6E 6B): key or subkey name
vk (76 6B): value
lf (6C 66): subkey list
sk (73 6B): permissions
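As an added example (not code from the original article), the following Python walks one hbin block of a hive and labels each allocated cell by the signatures listed above. The cell layout it relies on (a 4-byte signed size that is negative for allocated cells, the nk key name length at 0x48 with the name at 0x4C, the vk value name length at 0x02 with the name at 0x14) is the standard hive format as I understand it, and the hbin block is constructed sample data, not a real SAM file.

```python
import struct

# Each allocated cell starts with a 4-byte signed size (negative = in use)
# followed by one of the signatures the list above gives.
CELL_KINDS = {b"nk": "key", b"vk": "value", b"lf": "subkey list", b"sk": "security"}

def cell_label(body: bytes) -> str:
    """Describe one cell body (the bytes after the size field) by its signature."""
    sig, kind = body[:2], CELL_KINDS.get(body[:2], "unknown")
    if sig == b"nk":                       # key name: length at 0x48, text at 0x4C
        n = struct.unpack_from("<H", body, 0x48)[0]
        return f"{kind} {body[0x4C:0x4C + n].decode('latin-1')}"
    if sig == b"vk":                       # value name: length at 0x02, text at 0x14
        n = struct.unpack_from("<H", body, 0x02)[0]
        return f"{kind} {body[0x14:0x14 + n].decode('latin-1') if n else '(default)'}"
    return kind

def walk_hbin(hbin: bytes) -> list:
    """Return [(offset, label)] for every allocated cell in one hbin block."""
    if hbin[:4] != b"hbin":
        raise ValueError("not an hbin block")
    bin_size = struct.unpack_from("<I", hbin, 8)[0]
    pos, cells = 32, []                    # 32-byte hbin header
    while pos + 4 <= bin_size:
        size = struct.unpack_from("<i", hbin, pos)[0]
        if size == 0:
            break                          # corrupt block: avoid looping forever
        if size < 0:                       # negative size = allocated cell
            cells.append((pos, cell_label(hbin[pos + 4:pos - size])))
        pos += abs(size)
    return cells

def make_cell(body: bytes) -> bytes:
    """Pack an allocated cell: size rounded up to 8 bytes and stored negative."""
    size = (4 + len(body) + 7) // 8 * 8
    return struct.pack("<i", -size) + body.ljust(size - 4, b"\0")

# Constructed sample block (not a real SAM hive): one nk key named 000001F4,
# one vk value named F, one sk cell, then one free cell filling the rest.
nk = bytearray(0x4C + 8)
nk[:2], nk[0x48:0x4A], nk[0x4C:] = b"nk", struct.pack("<H", 8), b"000001F4"
vk = bytearray(0x15)
vk[:2], vk[0x02:0x04], vk[0x14:] = b"vk", struct.pack("<H", 1), b"F"
used = make_cell(bytes(nk)) + make_cell(bytes(vk)) + make_cell(b"sk" + b"\0" * 14)
header = b"hbin" + struct.pack("<II", 0, 4096) + b"\0" * 20
free = 4096 - len(header) - len(used)
SAMPLE_HBIN = header + used + struct.pack("<i", free) + b"\0" * (free - 4)
```

In a real sam file the first hbin block begins at 01000h, right after the file header mentioned earlier.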
  
V. Conclusions of the SAM Database Analysis:
  
SAM hacking is very dangerous. Improper modification damages the system's security account manager and causes startup problems, although you can delete the SAM file to recover the ability to start. Once familiar with the structure of the SAM, you will find that you can swap one user name for another and one user group for another, and forge accounts and account groups, completely breaking Microsoft's account structure; it is also very concealed, because it confuses the account-related API functions. Although Microsoft has made many logical errors in processing account information, the security account database is not insecure: all of these operations require full administrator privileges.
  
Once a concealed backdoor method is published, many "hackers" will exploit it; administrators should also become familiar with the related techniques in order to perform security checks.
