According to earlier findings, Windows NT passwords are not kept the way Windows 95 keeps them, in a single file in a simple encrypted form, but as scrambled codes hidden in 7 different places. This newly published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:

IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''

For example, you can imagine the following scenario:

A user Bob is allowed to log on only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...

Microsoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
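Added audit example, not part of Patrick Chambet's post: a WSH script an administrator can run on the IIS server to find out which of the credential-bearing settings listed above are actually configured (and therefore which accounts to rotate or which settings to change, e.g. enabling IUSR password synchronization so no typed password is stored). It deliberately reads only user names and flags, never the *Pass/*Password properties. The ADSI path IIS://localhost/W3SVC and property names (AnonymousUserName, AnonymousPasswordSync, WAMUserName, LogOdbcDataSource, LogOdbcUserName, UNCUserName) are assumed from the IIS ADSI schema.

```vbscript
' Metabase credential audit (added example, assumed ADSI property names).
' Reports WHERE credentials are stored; never reads password values.
' Run as an Administrator:  cscript metabase_audit.vbs
Option Explicit
On Error Resume Next

Dim svc, site
Set svc = GetObject("IIS://localhost/W3SVC")
If Err.Number <> 0 Then
    WScript.Echo "Cannot open IIS://localhost/W3SVC (Administrator rights needed)"
    WScript.Quit 1
End If

' --- service-wide settings (IUSR, IWAM, ODBC logging) ---
WScript.Echo "Anonymous (IUSR) account: " & svc.AnonymousUserName
If svc.AnonymousPasswordSync = False Then
    WScript.Echo "  [!] password sync OFF: a typed IUSR password is stored in the metabase"
End If
WScript.Echo "Web application (IWAM) account: " & svc.WAMUserName & "  (password always stored)"
If Len(svc.LogOdbcDataSource) > 0 Then
    WScript.Echo "  [!] ODBC logging to DSN '" & svc.LogOdbcDataSource & _
                 "' as user '" & svc.LogOdbcUserName & "' (password stored)"
End If

' --- UNC credentials on the root and virtual directories of every site ---
For Each site In svc
    If site.Class = "IIsWebServer" Then
        AuditNode site.ADsPath & "/Root", site.ServerComment
    End If
Next

Sub AuditNode(path, label)
    Dim node, child
    Set node = GetObject(path)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If
    ' A non-empty UNCUserName means a UNC password for another server is stored here.
    If Len(node.UNCUserName) > 0 Then
        WScript.Echo "  [!] site '" & label & "' " & path & _
                     " stores UNC credentials of '" & node.UNCUserName & "'"
    End If
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Then AuditNode child.ADsPath, label
    Next
End Sub
```

Every line flagged with [!] names a credential that a Web Site Operator or anyone able to run a script on the box could recover, so treat those accounts as exposed.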