
A Brief Discussion of NT ACLs, Tokens, Privileges and Security

  ----- another route to cloning an account
  Author: 刺 (aXis)
  Source: www.3389.net
  Abstract: On NT ACLs, tokens and privileges, and on using privileges to bypass ACLs in order to access files. It can be regarded as another way of cloning Administrator, but a stealthier one that is harder to use, since detection has to be evaded; the breakthrough obtained so far is using privileges to bypass the ACL.
  Keywords: ACL, ACE, DACL, TOKEN, SID, PRIVILEGE
  Dedication: this article is dedicated to 陈静.
  Part One. Basic concepts (this part introduces tokens, ACLs and other basic concepts in preparation for Part Two; if you already know this material, skip it)
  1. What is a token (TOKEN)
  When a user logs on to Windows NT/2000/XP and passes authentication, the system assigns that user a token. A token is a data structure used by every process and thread the user activates. The structure of a token is shown below:
  Token source
  Impersonation Type
  Token ID
  Authentication ID
  Modified ID
  Expiration Time
  Default Primary Group
  Default DACL
  User Account SID
  Group 1 SID
  ......
  Group n SID
  Restricted SID 1
  ......
  Restricted SID n
  Privilege 1
  ......
  Privilege n
  This is not easy to follow in the abstract, so let us look at a concrete example. Using whoami.exe from the Windows 2000 Resource Kit we can inspect the details of the current user's access token:
  C:\>whoami /all
  [User] = "DARKDEAMON\Administrator" S-1-5-21-1409082233-1957994488-472307971-500
  [Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
  [Group 2] = "Everyone" S-1-1-0
  [Group 3] = "BUILTIN\Administrators" S-1-5-32-544
  [Group 4] = "BUILTIN\Users" S-1-5-32-545
  [Group 5] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
  [Group 6] = "NT AUTHORITY\Authenticated Users" S-1-5-11
  [Group 7] = "LOCAL" S-1-2-0
  (X) SeChangeNotifyPrivilege =
  (O) SeSecurityPrivilege =
  (O) SeBackupPrivilege =
  (O) SeRestorePrivilege =
  (O) SeSystemtimePrivilege =
  (O) SeShutdownPrivilege =
  (O) SeRemoteShutdownPrivilege =
  (O) SeTakeOwnershipPrivilege =
  (O) SeDebugPrivilege =
  (O) SeSystemEnvironmentPrivilege =
  (O) SeSystemProfilePrivilege =
  (O) SeProfileSingleProcessPrivilege =
  (O) SeIncreaseBasePriorityPrivilege =
  (X) SeLoadDriverPrivilege =
  (O) SeCreatePagefilePrivilege =
  (O) SeIncreaseQuotaPrivilege =
  (X) SeUndockPrivilege =
  (O) SeTcbPrivilege =
  C:\>
  This is the information in my token: it contains my SID, the groups I belong to, a detailed list of the privileges I hold, and so on. As you can see, the token determines what a user is able to do on a given computer.
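To make the token fields concrete, here is an added Python example (not code from the article or its author) that parses the whoami /all output above into the parts the article lists: the user SID, the group SIDs and the privilege set. It assumes the Resource Kit whoami's (X)/(O) markers mean enabled/disabled, and the set of "sensitive" privileges it flags is an editorial choice drawn from the privilege table later in the article; the sample input is the article's own output, re-joined where the SID line had wrapped.

```python
import re

# Constructed sample input: the whoami /all output quoted in the article, with
# the wrapped SID line re-joined. The C:\> prompt lines are omitted.
WHOAMI_OUTPUT = """
[User] = "DARKDEAMON\\Administrator" S-1-5-21-1409082233-1957994488-472307971-500
[Group 1] = "DARKDEAMON\\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\\Administrators" S-1-5-32-544
[Group 4] = "BUILTIN\\Users" S-1-5-32-545
[Group 5] = "NT AUTHORITY\\INTERACTIVE" S-1-5-4
[Group 6] = "NT AUTHORITY\\Authenticated Users" S-1-5-11
[Group 7] = "LOCAL" S-1-2-0
(X) SeChangeNotifyPrivilege =
(O) SeSecurityPrivilege =
(O) SeBackupPrivilege =
(O) SeRestorePrivilege =
(O) SeSystemtimePrivilege =
(O) SeShutdownPrivilege =
(O) SeRemoteShutdownPrivilege =
(O) SeTakeOwnershipPrivilege =
(O) SeDebugPrivilege =
(O) SeSystemEnvironmentPrivilege =
(O) SeSystemProfilePrivilege =
(O) SeProfileSingleProcessPrivilege =
(O) SeIncreaseBasePriorityPrivilege =
(X) SeLoadDriverPrivilege =
(O) SeCreatePagefilePrivilege =
(O) SeIncreaseQuotaPrivilege =
(X) SeUndockPrivilege =
(O) SeTcbPrivilege =
"""

# [User] / [Group n] lines: a quoted account name followed by its SID.
ACCOUNT_RE = re.compile(r'^\[(?P<kind>User|Group \d+)\] = "(?P<name>[^"]+)" (?P<sid>S-[\d-]+)$')
# Privilege lines. Assumption about the Resource Kit whoami's notation:
# (X) marks an enabled privilege, (O) one that is held but currently disabled.
PRIV_RE = re.compile(r'^\((?P<state>[XO])\) (?P<priv>Se\w+Privilege) =$')

# Editorial selection from the article's privilege table: privileges that let the
# holder sidestep normal permission checks or act with system-wide effect.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
}


def parse_whoami(text):
    """Turn whoami /all output into a dict mirroring the token fields the article lists:
    the user SID, the group SIDs, and the privilege set with its enabled flags."""
    token = {"user": None, "groups": [], "privileges": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACCOUNT_RE.match(line)
        if m:
            entry = {"name": m["name"], "sid": m["sid"]}
            if m["kind"] == "User":
                token["user"] = entry
            else:
                token["groups"].append(entry)
            continue
        m = PRIV_RE.match(line)
        if m:
            token["privileges"][m["priv"]] = m["state"] == "X"
            continue
        raise ValueError(f"unrecognised whoami line: {line!r}")
    if token["user"] is None:
        raise ValueError("no [User] line found")
    return token


def is_member(token, sid):
    """True if the token carries the given group SID (e.g. S-1-5-32-544, BUILTIN\\Administrators)."""
    return any(g["sid"] == sid for g in token["groups"])


def enabled_privileges(token):
    """Privileges switched on right now, usable without first enabling them."""
    return sorted(p for p, on in token["privileges"].items() if on)


def sensitive_privileges(token):
    """Sensitive privileges present in the token, enabled or not: a disabled privilege
    can be enabled by its holder at any time, so for audit purposes it still counts."""
    return sorted(p for p in token["privileges"] if p in SENSITIVE_PRIVILEGES)


if __name__ == "__main__":
    tok = parse_whoami(WHOAMI_OUTPUT)
    print("user:", tok["user"])
    print("member of BUILTIN\\Administrators:", is_member(tok, "S-1-5-32-544"))
    print("enabled privileges:", enabled_privileges(tok))
    print("sensitive privileges held:", sensitive_privileges(tok))
```

The point of separating enabled from held privileges is the one the article builds on later: a privilege marked (O) is still part of the token, so an audit that only looks at what is currently enabled understates what the account can do.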
  2. Security identifier (SID)
  A SID is assigned by the system when a user or group is created, and it is unique. When a local user logs on, the system retrieves the SID from the user database in the SAM.
  For the structure of a SID, see this passage from Inside Windows 2000:
  A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values.
  Below are some of the SIDs built into the system:
  Well-known SIDs

  SID     | Group            | Use
  S-1-1-0 | Everyone         | A group that includes all users.
  S-1-2-0 | Local            | Users who log on to terminals locally (physically) connected to the system.
  S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable access-control entries (ACEs).
  S-1-3-1 | Creator Group ID | Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.
  The number at the end of a SID is the RID (relative identifier). RID 500 identifies the Administrator account and 501 the Guest account.
  The administrator-account cloning that ADAM described works on the SID: it turns the RID of an account's SID into 500, so the system treats that account as the administrator.
  A complete SID can be seen in the user SID from the token above:
  S-1-5-21-1409082233-1957994488-472307971-500
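As an added example (not part of the original article), the following Python splits a SID string into the fields the Inside Windows 2000 passage describes, names the well-known SIDs from the table above, and, following the article's description of the clone (an account whose RID has been turned into 500), reports any RID carried by more than one account under the same machine or domain prefix. The account list is constructed and the "helpdesk" account is hypothetical; the BUILTIN group SIDs are the standard well-known values.

```python
import re
from collections import defaultdict

# Well-known SIDs from the article's table, plus the two BUILTIN groups that
# appear in its whoami output.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner ID",
    "S-1-3-1": "Creator Group ID",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known RIDs of local accounts (the article: 500 is Administrator, 501 Guest).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Split a textual SID into revision, 48-bit identifier authority and the list of
    32-bit subauthorities; the last subauthority is the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m[1]), int(m[2])
    subs = [int(x) for x in m[3].split("-") if x]
    if revision != 1 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"out-of-range field in SID {sid!r}")
    return {"revision": revision, "authority": authority,
            "subauthorities": subs, "rid": subs[-1] if subs else None}


def domain_prefix(sid):
    """Everything but the RID. For an account SID (S-1-5-21-x-y-z-RID) this part
    identifies the machine or domain that issued it."""
    if not parse_sid(sid)["subauthorities"]:
        return sid
    return sid.rsplit("-", 1)[0]


def describe_sid(sid):
    """Human-readable name for a SID: well-known table first, then well-known RIDs
    of S-1-5-21 (machine/domain) accounts."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = parse_sid(sid)
    if parts["authority"] == 5 and parts["subauthorities"][:1] == [21]:
        return WELL_KNOWN_RIDS.get(parts["rid"], f"account RID {parts['rid']} in {domain_prefix(sid)}")
    return f"unknown SID (authority {parts['authority']})"


def find_rid_collisions(accounts):
    """Given (account name, SID) pairs, return every (prefix, RID) that is carried by
    more than one account. A second account sitting on RID 500 is the clone the
    article describes; the check is deliberately RID-agnostic so other duplicates show too."""
    by_rid = defaultdict(list)
    for name, sid in accounts:
        by_rid[(domain_prefix(sid), parse_sid(sid)["rid"])].append(name)
    return {key: sorted(names) for key, names in by_rid.items() if len(names) > 1}


# Constructed sample account list: the article's machine SID prefix, plus a
# hypothetical "helpdesk" account that has been given RID 500.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1409082233-1957994488-472307971-500"),
    ("Guest", "S-1-5-21-1409082233-1957994488-472307971-501"),
    ("helpdesk", "S-1-5-21-1409082233-1957994488-472307971-500"),
]

if __name__ == "__main__":
    print(parse_sid("S-1-5-21-1409082233-1957994488-472307971-500"))
    for _, sid in SAMPLE_ACCOUNTS:
        print(sid, "->", describe_sid(sid))
    print("RID collisions:", find_rid_collisions(SAMPLE_ACCOUNTS))
```

The collision check keys on the full prefix as well as the RID, because the same RID legitimately appears once per machine or domain; only a duplicate within one prefix is suspicious.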
  3. What is an access control list (ACL)
  ACL (access control list) is easy to understand from its name: the system uses the ACL to decide what degree of access a user has to a resource. There are two kinds of ACL, the DACL (Discretionary Access Control List) and the SACL (System Access Control List). A DACL holds a list of users and groups with their corresponding permissions, allow or deny, and is used to determine access to the resource. A SACL determines the auditing policy for a secured resource. An ACL consists of zero or more ACEs (Access Control Entries); an ACE holds a SID together with a description of how that SID may access the resource, such as allow or deny, with deny taking precedence over allow.
  The Windows 2000 Resource Kit has several tools for working with ACLs; xcacls is the most typical. Here is an example of viewing an ACL with xcacls:
  C:\Program Files\Resource Kit>xcacls whoami.exe
  C:\Program Files\Resource Kit\whoami.exe BUILTIN\Users:R
                                           BUILTIN\Power Users:C
                                           BUILTIN\Administrators:F
                                           NT AUTHORITY\SYSTEM:F
                                           NT AUTHORITY\TERMINAL SERVER USER:C
  C:\Program Files\Resource Kit>
  Other ACL tools include svcacls.exe, showacls and subinacl.exe; they are not covered one by one here.
  4. Privileges (privilege)
  Simply put, privileges are rights the system grants to a user; they allow or disallow certain privileged operations that affect the whole computer system rather than one particular object. The table below lists some of the system's privileges and what each one does.
  Privilege (Windows policy name): description

  SeTcbPrivilege (Act as part of the operating system)
    Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.
  SeMachineAccountPrivilege (Add computers to a domain)
    Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain.
  SeBackupPrivilege (Back up files and directories)
    Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
    By default, this privilege is assigned to Administrators and Backup Operators. See also Restore files and directories in this table.
  SeChangeNotifyPrivilege (Bypass traverse checking)
    Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
    By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.
  SeSystemTimePrivilege (Change the system time)
    Allows the user to set the time for the internal clock of the computer.
    By default, this privilege is assigned to Administrators and Power Users.
  SeCreatePagefilePrivilege (Create a pagefile)
    Allows the user to create and change the size of a page file.
    By default, this privilege is assigned to Administrators.
  SeCreateTokenPrivilege (Create a token object)
    Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
  SeCreatePermanentPrivilege (Create permanent shared objects)
    Allows a process to create a directory object in the Windows 2000 object manager.
  SeDebugPrivilege (Debug programs)
    Allows the user to attach a debugger to any process.
    By default, this privilege is assigned to Administrators.
  SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation)
    Allows the user to change the Trusted for Delegation setting on a User or Computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
  SeRemoteShutdownPrivilege (Force shutdown from a remote system)
    Allows a user to shut down a computer from a remote location on the network. See also Shut down the system in this table.
    By default, this privilege is assigned to Administrators.
  SeAuditPrivilege (Generate security audits)
    Allows a process to create, generate, and add entries in the security log. The security log is used to trace unauthorized system access. See also Manage auditing and security log in this table.
  SeIncreaseQuotaPrivilege (Increase quotas)
    Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack.
    By default, this privilege is assigned to Administrators.
  SeIncreaseBasePriorityPrivilege (Increase scheduling priority)
    Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box.
    By default, this privilege is assigned to Administrators.
  SeLoadDriverPrivilege (Load and unload device drivers)
    Allows a user to install and uninstall Plug and Play device drivers. Device drivers that are not Plug and Play are not affected by this privilege and can be installed only by Administrators. Because device drivers run as trusted (highly privileged) programs, this privilege can be misused to install hostile programs and give them destructive access to resources.
    By default, this privilege is assigned to Administrators.
  SeLockMemoryPrivilege (Lock pages in memory)
    Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege can significantly degrade system performance. This privilege is obsolete and is therefore never selected.
  SeSecurityPrivilege (Manage auditing and security log)
    Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer.
    By default, this privilege is assigned to Administrators.
  SeSystemEnvironmentPrivilege (Modify firmware environment values)
    Allows modification of system environment variables either by a process through an API or by a user through System Properties.
    By default, this privilege is assigned to Administrators.
  SeProfileSingleProcessPrivilege (Profile a single process)
    Allows a user to run Microsoft Windows NT and Microsoft Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes.
    By default, this privilege is assigned to Administrators and Power Users.
  SeSystemProfilePrivilege (Profile system performance)
    Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.
    By default, this privilege is assigned to Administrators.
  SeUndockPrivilege (Remove computer from docking station)
    Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
    By default, this privilege is assigned to Administrators, Power Users, and Users.
  SeAssignPrimaryTokenPrivilege (Replace a process-level token)
    Allows a parent process to replace the access token associated with a child process.
  SeRestorePrivilege (Restore files and directories)
    Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. See also Back up files and directories in this table.
    By default, this privilege is assigned to Administrators and Backup Operators.
  SeShutdownPrivilege (Shut down the system)
    Allows a user to shut down the local computer. See also Force shutdown from a remote system in this table.
    In Windows 2000 Professional: by default, this privilege is assigned to Administrators, Backup Operators, Power Users, and Users.
    In Windows 2000 Server: by default, this privilege is not assigned to Users, only to Administrators, Backup Operators, and Power Users.
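To tie the ACL section and the privilege table together, here is an added Python model (not the article's code, and not Windows' actual implementation) of the access check: the DACL is built from the xcacls output shown earlier, deny ACEs take precedence over allows, and SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege are consulted before the DACL walk, so an enabled privilege can grant access the DACL alone would refuse, which is the behaviour the table describes for the backup API. The access-mask bit values, the mapping of the xcacls letters R/C/F, and the tokens with RIDs 1001 and 1002 are constructed assumptions; the SIDs for the BUILTIN groups, SYSTEM and Terminal Server User are the standard well-known values.

```python
from dataclasses import dataclass

# Access-mask bits for the model (assumed values, not the real Win32 constants).
READ, WRITE, EXECUTE, DELETE, WRITE_DAC, WRITE_OWNER = (1 << i for i in range(6))
FULL = READ | WRITE | EXECUTE | DELETE | WRITE_DAC | WRITE_OWNER
# xcacls letters seen in the article's output. Assumed mapping:
# R = read, C = change (read/write/execute/delete), F = full control.
XCACLS_RIGHTS = {"R": READ | EXECUTE, "C": READ | WRITE | EXECUTE | DELETE, "F": FULL}

# Name -> SID table for the accounts named in the xcacls output (well-known values).
NAMES_TO_SIDS = {
    "BUILTIN\\Users": "S-1-5-32-545",
    "BUILTIN\\Power Users": "S-1-5-32-547",
    "BUILTIN\\Administrators": "S-1-5-32-544",
    "NT AUTHORITY\\SYSTEM": "S-1-5-18",
    "NT AUTHORITY\\TERMINAL SERVER USER": "S-1-5-13",
}


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    allow: bool = True      # False = access-denied ACE


@dataclass(frozen=True)
class Token:
    user_sid: str
    groups: frozenset
    enabled_privileges: frozenset = frozenset()   # only enabled privileges matter to the check


def parse_xcacls(lines):
    """Turn 'BUILTIN\\Users:R' lines from xcacls into allow ACEs (xcacls prints the DACL only)."""
    aces = []
    for line in lines:
        name, letters = line.rsplit(":", 1)
        mask = 0
        for ch in letters.strip():
            mask |= XCACLS_RIGHTS[ch]
        aces.append(Ace(NAMES_TO_SIDS[name.strip()], mask))
    return aces


def access_check(token, dacl, desired, backup=False, restore=False):
    """Model of the NT access check. Privileges are tested first: SeBackupPrivilege grants
    read-type access under backup intent, SeRestorePrivilege write-type access under restore
    intent, SeTakeOwnershipPrivilege grants WRITE_OWNER. Then the DACL is walked in order:
    a deny ACE for one of the token's SIDs whose mask overlaps the request refuses it; allow
    ACEs accumulate until every requested bit is granted. An empty DACL grants nothing."""
    privs = token.enabled_privileges
    if backup and "SeBackupPrivilege" in privs and (desired & ~(READ | EXECUTE)) == 0:
        return True, "SeBackupPrivilege bypassed the DACL"
    if restore and "SeRestorePrivilege" in privs and (desired & ~(WRITE | DELETE | WRITE_DAC | WRITE_OWNER)) == 0:
        return True, "SeRestorePrivilege bypassed the DACL"
    if desired == WRITE_OWNER and "SeTakeOwnershipPrivilege" in privs:
        return True, "SeTakeOwnershipPrivilege granted WRITE_OWNER"

    principals = {token.user_sid} | set(token.groups)
    granted = 0
    for ace in dacl:
        if ace.sid not in principals:
            continue
        if not ace.allow:
            if ace.mask & desired:
                return False, f"denied by ACE for {ace.sid}"
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True, "granted by DACL"
    return False, "no ACE grants the requested access"


# Constructed sample: the DACL xcacls printed for whoami.exe in the article.
WHOAMI_EXE_DACL = parse_xcacls([
    "BUILTIN\\Users:R",
    "BUILTIN\\Power Users:C",
    "BUILTIN\\Administrators:F",
    "NT AUTHORITY\\SYSTEM:F",
    "NT AUTHORITY\\TERMINAL SERVER USER:C",
])
# Hypothetical tokens on the article's machine (RIDs 1001/1002 are made up).
PLAIN_USER = Token("S-1-5-21-1409082233-1957994488-472307971-1001",
                   frozenset({"S-1-5-32-545", "S-1-1-0"}))
# A Backup Operators member (S-1-5-32-551) the DACL never names, SeBackupPrivilege enabled.
BACKUP_OPERATOR = Token("S-1-5-21-1409082233-1957994488-472307971-1002",
                        frozenset({"S-1-5-32-551", "S-1-1-0"}), frozenset({"SeBackupPrivilege"}))
# Deny-precedence case: an explicit deny for Users ordered ahead of an allow for Administrators.
DENY_DACL = [Ace("S-1-5-32-545", WRITE, allow=False), Ace("S-1-5-32-544", FULL)]
ADMIN = Token("S-1-5-21-1409082233-1957994488-472307971-500",
              frozenset({"S-1-5-32-544", "S-1-5-32-545"}))

if __name__ == "__main__":
    print("user reads whoami.exe:", access_check(PLAIN_USER, WHOAMI_EXE_DACL, READ | EXECUTE))
    print("user writes whoami.exe:", access_check(PLAIN_USER, WHOAMI_EXE_DACL, WRITE))
    print("operator, no intent:", access_check(BACKUP_OPERATOR, WHOAMI_EXE_DACL, READ))
    print("operator, backup intent:", access_check(BACKUP_OPERATOR, WHOAMI_EXE_DACL, READ, backup=True))
    print("admin vs deny ACE:", access_check(ADMIN, DENY_DACL, WRITE))
```

Two things the model makes visible that the tables only state: the Backup Operators token gets the file even though no ACE mentions it, but only with backup intent and only while the privilege is enabled, so from a monitoring standpoint the interesting events are privilege enablement and backup-semantics opens, not DACL changes; and the administrator is refused by a single deny ACE despite holding a full-control allow, because the deny is evaluated first.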

