
Jumat, 11 November 2011

The fragile security mechanism of the NT/2000 SAM

backlighting

*** SAM file basics ***

Windows NT and Windows 2000 manage user accounts through the Security Account Manager (SAM) mechanism. The Security Account Manager manages accounts by means of security identifiers (SIDs). A security identifier is created together with the account, and once the account is deleted its security identifier is deleted as well. Security identifiers are unique: even for identical user names, the security identifier obtained at each creation is completely different. Therefore, once an account has been deleted its security identifier no longer exists; even if the account is recreated under the same user name, it is assigned a different security identifier and does not retain the original permissions.

The concrete embodiment of the Security Account Manager is the file %SystemRoot%\system32\config\sam. The sam file is the Windows NT user account database; the login names, passwords and other related information of all NT users are stored in this file. The sam file can be thought of as similar to the passwd file on unix systems, but it is not as plain and intuitive. passwd stores its information in plain-text format; here is an example of the contents of a Linux passwd file:

root:8L7v6:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
nobody:I0iJ.:99:99:Nobody:/home/httpd:/bin/bash
david:c6CuzM:500:500::/home/david:/bin/bash
dummy:fIVTl4IgU:501:503::/home/dummy:/bin/bash
msql:!!:502:504::/home/msql:/bin/bash

Each line of the unix passwd file represents one user record. Every account has seven fields, separated by ":", in the following format:

account name:password:uid:gid:personal information:home directory:shell
Apart from the password, which is encrypted (and here the password field has already been shadowed), the other fields are perfectly clear. In NT this is not the case: although NT also stores account information in a file, if we open NT's sam file in an editor we see nothing but garbage, because the NT system encrypts all of this data and an ordinary editor cannot read the information directly. The registry keys
HKEY_LOCAL_MACHINE\SAM\SAM
HKEY_LOCAL_MACHINE\SECURITY\SAM
hold the contents of the SAM file; under normal settings they are readable and writable only by SYSTEM.

*** How is NT account information stored in the SAM file? ***

The SAM file stores two different kinds of password information: the LanManager (LM) password hash and the stronger encrypted NT version. LM is the weak point of the NT password file. Let us look at how the LM algorithm encrypts a password. Consider the password Ba01cK28tr. A password like this can already be called secure: although it has no special characters such as ! or #, it contains uppercase letters, lowercase letters and digits, and it has no regular pattern. It can be considered a password that meets security requirements.

LM processes the password as follows: if the password is shorter than 14 characters it is padded to 14 with zeros, and all letters are converted to uppercase. The processed password is then split into two groups of 7 characters each. The password we just mentioned thus becomes the two parts BA01CK2 and 8TR0000. Each of the two 7-character groups is then used to generate an 8-byte DES key, and each 8-byte DES key performs one more encryption using a magic number (obtained by encrypting 0x4B47532140232425 with a key consisting entirely of 1s); the two encrypted strings are joined together, and that is the final password hash. This string looks like a single unit, but cracking software such as L0phtcrack can crack the two parts of the password string independently. So when cracking the 10-character password mentioned above, the password has already been broken into two parts, and since the second part contains only 3 characters, its cracking difficulty is easy to imagine: not hard at all. The real difficulty lies in the first seven characters. Thus, as far as NT is concerned, a 10-character password has no great security advantage over a 7-character one. From this we can also see that a password such as 1234567*$# may well be less secure than one such as SHic6. (How to choose a secure password is outside the scope of this article; interested readers can refer to related articles.)
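The LM construction described above, written out as an added example (not code from the original article) in Go with the standard-library DES: it follows the published LM algorithm, in which each 7-byte half of the upper-cased, zero-padded password becomes a DES key that encrypts the fixed constant 0x4B47532140232425 ("KGS!@#$%"), and the two 8-byte results are concatenated. Running it shows why the halves are independent: the second half of Ba01cK28tr is exactly the first half of 8tr, and case and any characters beyond the 14th make no difference.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext "KGS!@#$%" (0x4B47532140232425) that each half-key encrypts.
var lmMagic = []byte{0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits per byte; the low bit
// of each byte is the DES parity bit, which the cipher ignores.
func desKeyFrom7(k [7]byte) []byte {
	return []byte{
		k[0] & 0xFE, (k[0] << 7) | ((k[1] >> 1) & 0xFE),
		(k[1] << 6) | ((k[2] >> 2) & 0xFE), (k[2] << 5) | ((k[3] >> 3) & 0xFE),
		(k[3] << 4) | ((k[4] >> 4) & 0xFE), (k[4] << 3) | ((k[5] >> 5) & 0xFE),
		(k[5] << 2) | ((k[6] >> 6) & 0xFE), k[6] << 1,
	}
}

// lmHalf encrypts lmMagic under one 7-byte half and returns 16 hex digits.
func lmHalf(half [7]byte) string {
	c, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot fail
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return strings.ToUpper(hex.EncodeToString(out))
}

// LMHalves upper-cases the password, truncates it to 14 bytes, zero-pads it to
// 14, and hashes the two 7-byte halves independently; the stored LM hash is
// simply the two results concatenated.
func LMHalves(password string) (string, string) {
	var padded [14]byte // zero-filled, so short passwords are 0x00-padded
	copy(padded[:], strings.ToUpper(password))
	var a, b [7]byte
	copy(a[:], padded[:7])
	copy(b[:], padded[7:])
	return lmHalf(a), lmHalf(b)
}

func main() {
	a, b := LMHalves("Ba01cK28tr")
	fmt.Println(a, b) // the second value depends only on "8TR"
}
```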

The proper password (the encrypted NT version) is produced by converting the user's password to Unicode encoding and then encrypting it with the MD4 algorithm.

NT keeps two different versions of the password for historical reasons; in a pure NT environment the LAN Manager password should be disabled, because the LAN Manager password uses a weaker DES key and algorithm and is relatively easy to crack. By comparison, the proper NT password, which uses a stronger encryption algorithm, is somewhat safer.

But the strength of both password encryption methods is, on the whole, still insufficient, so in the patches from Windows NT4 SP3 onward Microsoft provides a small tool, syskey.exe, to further strengthen NT passwords. Use of this tool is optional: the administrator simply runs the program and answers a few configuration questions to add this enhancement. (Windows 2000 already enables it as part of the default installation.)

syskey is designed to prevent the SAM passwords from being obtained easily. How does it work?
When syskey is activated, the password information is encrypted once more before being stored in the registry. However, after the machine starts, a copy in the old format is still kept in memory, because the old-format password information is needed for network authentication.

It can be put this way: syskey uses a method to scramble the password information. In other words it uses a key, and the storage location of this key is chosen by the user when syskey is activated. The key can be stored on a floppy disk, generated by the user at startup (derived from a password typed by the user), or stored directly in the registry. Because there is no official technical documentation on how to disable syskey, once syskey has been enabled it cannot be turned off, unless the registry is restored from a backup made before syskey was enabled.

*** What happens in the system after syskey is activated, and how can syskey be turned off? ***

-1-

After syskey is activated, a new value 'SecureBoot' is added under the registry key HKLM\System\CurrentControlSet\Control\Lsa that stores the syskey setting:

1 - the KEY is stored in the registry
2 - the KEY is generated from a password typed by the user at logon
3 - the KEY is stored on a floppy disk
But deleting this value or setting it to 0 does not turn syskey off; it seems there are other places......

-2-
HKLM\SAM\Domains\Account\F
is a binary structure that normally holds the computer's SID and other descriptive information. After syskey is activated its contents grow larger (to roughly twice the original size).
The added part is presumably the encrypted KEY plus some flags and other values; some of these flags and values must include the same content as SecureBoot. So on NT4 (with SP6 installed), setting these flag bits to 0 may be enough to turn syskey off. When these settings are changed, the system gives an error message saying that the SAM and the system settings conflict with each other, but after the computer is restarted the system no longer uses syskey.

-3-
In Win2000 there is yet another place that stores information about syskey:
HKLM\security\Policy\PolSecretEncryptionKey\
This is also a binary structure using the same storage scheme; setting the corresponding part here to 0 as well removes syskey from Win2000. (If an error (inconsistency) occurs in modifying these three parts, the system automatically restores the defaults at the next startup.)

-4-
Then there is the password information itself. The old password information was 16 bytes long, but once syskey is used the length is increased to 20 bytes in every case. The first four bytes look like some sort of counter, possibly a history counter. Strangely, when syskey is activated it is not recorded immediately but only at the next system startup. Moreover, when the key is changed, the password information does not seem to be updated accordingly
-- -
When the moon rises and the stars peek out from the night sky, being able to look up is happiness
