NT的密码究竟放在哪

根据以前的发现,windowsNT密码虽然不象Windows95那样以简单加密形式包含在一个文件里面,而是一些杂乱的暗码,分别藏在7个不同的地方。这篇最新发表的文章告诉我们WindowsNT密码隐藏的第八个地方。Date: Mon, 22 Feb 1999 11:26:41 +0100

From: Patrick CHAMBET <pchambet@club-internet.fr>

" C" z+ z& w1 _! i  R8 nTo: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
the system. Here is a 8th place: the IIS 4.0 metabase.
IIS 4.0 uses its own configuration database, named "metabase", which can
) @, r+ y  G. p( Ybe compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
- n1 W$ }2 v, l9 P5 C% ^C:\WINNT\system32\inetsrv\MetaBase.bin
+ v# B" n- N2 n+ r$ o2 TThe IIS 4.0 metabase contains these passwords:
& W/ t8 n+ k2 e, g6 C" ?- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS !)
# P. j( D; q3 s$ x1 J- UNC username and password used to connect to another server if one of
your virtual directories is located there.
2 G. E* t, E& u+ H* p$ q- The user name and password used to connect to the ODBC DSN called
% ]) B& m- U& S" Y5 F"HTTPLOG" (if you chose to store your Logs into a database).
( K* E) m# ^+ g- H4 K! DNote that the usernames are in unicode, clear text, that the passwords are
srambled in the metabase.ini file, and that only Administrators and SYSTEM
) R& J3 J# f* F6 ?/ z7 ihave permissions on this file.
BUT a few lines of script in a WSH script or in an ASP page allow to print
  U- i& z4 }8 Dthese passwords in CLEAR TEXT.
8 m/ x# V+ H9 X. o. D# D$ MThe user name and password used to connect to the Logs DSN could allow a
& k8 G; ~' Y, [0 L  f7 Rmalicious user to delete traces of his activities on the server.
Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
1 F0 r2 Y# J( ?! Y' c( J, b& AIIS 4.0 Metabase
?Patrick Chambet 1998 - pchambet@club-internet.fr
% S2 t/ ?. O8 X3 H. ~3 \--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
7 |9 R( J: {, {% S: hAnonymous User password: 'x1fj5h_iopNNsp'
6 y" I5 D7 H7 c* |& _Password synchronization: 'False'
--- IIS Logs DSN User ---
; L% B, E8 \! Y! H2 o& iODBC DSN name: 'HTTPLOG'
- \. L; T( }: k3 xODBC table name: 'InternetLog'
& O6 B6 Q6 n' K# k  TODBC User name: 'InternetAdmin'
. ~' t% X& v! [7 \, M  gODBC User password: 'xxxxxx'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
6 i+ j7 m+ Q$ d1 ^8 hWAM User password: 'Aj8_g2sAhjlk2'
$ T7 e4 l- T- F; `. e- q% ?Default Logon Domain: ''
"
' S2 H5 I& ?# b" w- MFor example, you can imagine the following scenario:
A user Bob is allowed to logon only on a server hosting IIS 4.0, say
$ A5 t0 d. K/ D3 T7 bserver (a). He need not to be an Administrator. He can be for example
: L' U: y+ x5 U9 g' E5 b2 Zan IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access to a virtual
/ B/ @  O" Y' r4 m" p1 S( Mdirectory located on another server, say (b).
Now, Bob can use these login name and passord to logon on server (b).
And so forth...
Microsoft was informed of this vulnerability.
1 M) @- V$ X. }( Z0 D% `_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
. [1 a0 m1 W6 V( j2 `MCP NT 4.0
Internet, Security and Microsoft solutions
" _: ~) @* d" X, l" q3 ce-business Services
IBM Global Services
4 H+ C# p  K3 d, X