According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form as they are in Windows 95; instead they are stored as scrambled values hidden in 7 different places. This newly published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
  MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
  your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
  "HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"
For example, you can imagine the following scenario:
A user Bob is allowed to log on only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...

Microsoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services