NT的密碼究竟放在哪

根據(jù)以前的發(fā)現(xiàn),windowsNT密碼雖然不象Windows95那樣以簡單加密形式包含在一個(gè)文件里面,而是一些雜亂的暗碼,分別藏在7個(gè)不同的地方。這篇最新發(fā)表的文章告訴我們WindowsNT密碼隱藏的第八個(gè)地方。Date: Mon, 22 Feb 1999 11:26:41 +0100
$ G7 l$ K& ~4 i3 ~, W3 h
From: Patrick CHAMBET <pchambet@club-internet.fr>

To: sans@clark.net
1 p6 I* M5 c' H7 S, Q6 q% NSubject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
the system. Here is a 8th place: the IIS 4.0 metabase.
5 i, C* s% g$ j2 P4 wIIS 4.0 uses its own configuration database, named "metabase", which can
- C" i" L& f; }+ T, A9 f  f, \be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
C:\WINNT\system32\inetsrv\MetaBase.bin
0 |1 Y6 a% W; L( `5 q; Z( jThe IIS 4.0 metabase contains these passwords:
0 P( w6 ]! o8 ?- F1 J9 s# @; c' S- IUSR_ComputerName account password (only if you have typed it in the
- O4 U% z$ ^( O" GMMC)
- IWAM_ComputerName account password (ALWAYS !)
6 J4 V3 r# H( H# `0 o- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
( a8 [7 X7 T3 }srambled in the metabase.ini file, and that only Administrators and SYSTEM
+ }; D5 ^; \) w2 S8 whave permissions on this file.
& N8 ^# C+ N9 N# NBUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.
The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.
Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
9 Q& F/ r9 A" D7 ]3 r! n6 Aproblem I am reporting yet. Here is an example of what can be gathered:
! h0 J1 J- P. O  |" {1 [) l' A"
' }1 W% G" v( p6 Y0 fIIS 4.0 Metabase
?Patrick Chambet 1998 - pchambet@club-internet.fr
1 y+ v$ X' t: R" s7 }3 m5 g--- UNC User ---
UNC User name: 'Lou'
2 p1 g& r2 q3 b' M: W  i* xUNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
' W0 j. x  h8 GPassword synchronization: 'False'
* ~9 g8 B, g3 `3 O% J--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
) Q, n. X4 C; W+ g6 b9 B: iODBC table name: 'InternetLog'
; B# l& C" D2 ^3 w8 R% xODBC User name: 'InternetAdmin'
2 |" I! @- i. L; u* u7 [7 v8 OODBC User password: 'xxxxxx'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
9 I3 A0 S; r7 K: TWAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"
For example, you can imagine the following scenario:
6 K: X' i/ E! V& `A user Bob is allowed to logon only on a server hosting IIS 4.0, say
/ b+ A  {3 H3 u; P7 dserver (a). He need not to be an Administrator. He can be for example
% A  b3 t9 U' uan IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
/ n( p' H3 ]+ u, K+ j% Pthe login name and password of the account used to access to a virtual
4 ~6 b2 a9 }* _  Z, u: Z  ~directory located on another server, say (b).
Now, Bob can use these login name and passord to logon on server (b).
  }& J. |9 I6 q$ P9 cAnd so forth...
Microsoft was informed of this vulnerability.
_______________________________________________________________________
- v" [% A6 W( k& ?) n  PPatrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
* z1 b; R8 I. ?" P! D! f. r  S4 wInternet, Security and Microsoft solutions
e-business Services
" \9 R0 K3 Y( W5 v6 CIBM Global Services
( V. W8 H/ n8 [7 n7 f