The Windows 2000 Security Architecture from the Hacker's Perspective
S-1-1-0    Everyone
S-1-2-0    Interactive users
S-1-3-0    Creator Owner
S-1-3-1    Creator Group
Why You Can't Log On as Administrator Everywhere
As is obvious by now (we hope), the Administrator account on Computer A is different from the Administrator account on Computer B because they have different SIDs, and Windows 2000 can tell them apart even if humans can't. This feature can cause headaches for the uninformed hacker. Occasionally in this book, we will encounter situations where logging on as Administrator fails. For example:
C:\>net use \\192.168.234.44\ipc$ password /u:Administrator
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
One might be tempted to turn away at this point, without recalling that Windows automatically passes the currently logged-on user's credentials during network logon attempts. Thus, if the user was currently logged on as Administrator on the client, this logon attempt would be interpreted as an attempt to log on to the remote system using the local Administrator from the client. Of course, this account has no context on the remote server. You can manually specify the logon context using the same net use command with the remote domain, computer name, or IP address prepended to the username with a backslash, like so:
C:\>net use \\192.168.234.44\ipc$ password /u:domain\Administrator
The command completed successfully.
Obviously, prepend the remote computer name or IP address if the system you are connecting to is not a member of a domain. Remembering this little trick will come in handy when we discuss remote shells in Chapter 7; the technique we use to spawn such remote shells often results in a shell running in the context of the SYSTEM account. net use commands executed within the LocalSystem context cannot be interpreted by remote servers, so you almost always have to specify the domain or computer name as shown in the previous example.
Viewing SIDs with user2sid/sid2user
You can use the user2sid tool from Evgenii Rudnyi to extract SIDs. Here is user2sid being run against the local machine:
C:\>user2sid Administrator
S-1-5-21-1507001333-1204550764-1011284298-500
Number of subauthorities is 5
Domain is CORP
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
Hacking Exposed Windows 2000: Network Security Secrets & Solutions
The sid2user tool performs the reverse operation, extracting a username given a SID. Using the SID extracted in the previous example:
C:\>sid2user 5 21 1507001333 1204550764 1011284298 500
Name is Administrator
Domain is CORP
Type of SID is SidTypeUser
Note that the SID must be entered starting at the identifier authority number (which is always 5 in the case of Windows 2000), and spaces are used to separate components rather than hyphens. As we will discuss in Chapter 4, this information can be extracted over an unauthenticated session from any Windows 2000 system running SMB services in its default configuration.
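The SID fields that user2sid reports (subauthority count, length in memory) and the space-separated form that sid2user expects can all be derived from the SID string itself. The following is an added example, not code from the book or from the user2sid/sid2user tools; the function names are hypothetical, and the sample SID and well-known names are the ones shown on this page.

```python
import struct

# Well-known SIDs and names exactly as this page lists them.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-2-0": "Interactive users",
              "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group"}

# The SID from the page's user2sid run against the CORP Administrator account.
PAGE_SID = "S-1-5-21-1507001333-1204550764-1011284298-500"

def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>...' into (rev, authority, [subs])."""
    parts = text.strip().upper().split("-")
    nums = parts[1:]
    if len(parts) < 3 or parts[0] != "S" or not all(
            p.isascii() and p.isdigit() for p in nums):
        raise ValueError("not a SID string: %r" % text)
    revision, authority, *subs = map(int, nums)
    if (revision > 255 or authority >= 2**48 or len(subs) > 15
            or any(s >= 2**32 for s in subs)):
        raise ValueError("SID component out of range: %r" % text)
    return revision, authority, subs

def sid_to_bytes(text):
    """Binary layout: revision, subauthority count, 6-byte big-endian
    identifier authority, then one little-endian uint32 per subauthority."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def sid2user_args(text):
    """Argument form the page describes for sid2user: start at the identifier
    authority and separate components with spaces instead of hyphens."""
    _, authority, subs = parse_sid(text)
    return " ".join(str(n) for n in [authority] + subs)

def describe(text):
    revision, authority, subs = parse_sid(text)
    canonical = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])
    return {
        "well_known_name": WELL_KNOWN.get(canonical),
        "subauthorities": len(subs),
        "bytes_in_memory": len(sid_to_bytes(text)),
        # The last subauthority is the relative identifier (RID).
        "rid": subs[-1] if subs else None,
    }

if __name__ == "__main__":
    print(describe(PAGE_SID))
    print("sid2user", sid2user_args(PAGE_SID))
```

The 28-byte length follows from the layout: 8 header bytes plus 4 bytes for each of the 5 subauthorities.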
PUTTING IT ALL TOGETHER: AUTHENTICATION AND AUTHORIZATION
Now that you know the players involved, let's discuss the heart of the Windows 2000 security model: authentication and access control (authorization). How does the operating system decide whether a security principal can access a protected resource? First, Windows 2000 must determine if it is dealing with a valid security principal. This is done via authentication. The simplest example is a user who logs on to Windows 2000 via the console. The user strikes the standard CTRL-ALT-DEL attention signal to bring up the Windows 2000 secure logon facility and then enters an account name and password. The secure logon facility passes the entered credentials through the user mode components responsible for validating them, as shown in Figure 2-1 (Winlogon and LSASS). Assuming the credentials are valid, Winlogon creates a token (or access token) that is then attached to the user's logon session and is produced on any subsequent attempt to access resources. The secure logon facility can be Trojan-ed by Administrator-equivalent users, as we will discuss in Chapter 8.
The Token
The token contains a list of all of the SIDs associated with the user account, including the account's SID, and the SIDs of all groups and special identities of which the user account