NT的密码究竟放在哪

根据以前的发现,windowsNT密码虽然不象Windows95那样以简单加密形式包含在一个文件里面,而是一些杂乱的暗码,分别藏在7个不同的地方。这篇最新发表的文章告诉我们WindowsNT密码隐藏的第八个地方。Date: Mon, 22 Feb 1999 11:26:41 +0100
- }* E# V+ R6 f9 e
From: Patrick CHAMBET <pchambet@club-internet.fr>

To: sans@clark.net
5 ]7 X+ `- E* ^- L9 dSubject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
the system. Here is a 8th place: the IIS 4.0 metabase.
IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
7 Y: M8 G0 i/ ?  W/ y) ?8 jKeys and Values. It is stored in the following file:
C:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
7 a2 X( u- m( ^8 \& q$ B( lMMC)
- IWAM_ComputerName account password (ALWAYS !)
, I0 @! X! V/ g+ F; E- UNC username and password used to connect to another server if one of
" m$ |- |; r7 M% Z; W7 h- g3 Jyour virtual directories is located there.
8 a% T2 [" d. t- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).
* l! Y  \3 w5 x$ K# w" z5 ^Note that the usernames are in unicode, clear text, that the passwords are
srambled in the metabase.ini file, and that only Administrators and SYSTEM
3 n( G5 K: Z1 O3 h1 y3 L' }) Ehave permissions on this file.
+ Q. w+ e. {6 O/ OBUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.
The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.
Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
: q5 ~: l% l( H+ W# s6 |IIS 4.0 Metabase
?Patrick Chambet 1998 - pchambet@club-internet.fr
) I  M) W. e# C! n--- UNC User ---
UNC User name: 'Lou'
, ^  ]: A6 w; \( [. iUNC User password: 'Microsoft'
; B6 `0 X; S& Z7 zUNC Authentication Pass Through: 'False'
--- Anonymous User ---
6 ~& k3 d/ W8 Y2 f: `Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
. F( \8 J4 h4 f--- IIS Logs DSN User ---
8 u$ Z9 z0 i1 b; n, [; b& B9 rODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'
; W8 U) K, p) G. m3 v--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
. T# [8 v  B, d+ qDefault Logon Domain: ''
"
For example, you can imagine the following scenario:
A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not to be an Administrator. He can be for example
; ^5 [4 m: j$ H! G7 f- p: xan IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
$ L- J. f5 n6 m( X, jthe login name and password of the account used to access to a virtual
directory located on another server, say (b).
Now, Bob can use these login name and passord to logon on server (b).
) B* i0 V# a; t# |" [, IAnd so forth...
0 A7 ^' A2 u! n) ^+ i! s! c  OMicrosoft was informed of this vulnerability.
_______________________________________________________________________
0 e6 r7 J& r) h" f1 I* C& lPatrick CHAMBET - pchambet@club-internet.fr
5 F1 N0 z2 l. w. t7 kMCP NT 4.0
, N; F+ p( Z/ N7 L! iInternet, Security and Microsoft solutions
9 y( k9 w: O% T+ P: v( se-business Services
IBM Global Services