SMB sam file
Summary
Attempt to access the SAM (Security Accounts Manager) file, which contains the encrypted user account information, including passwords.
Details
Microsoft Windows NT stores all the user account information in a file called simply "SAM". This file represents a "hive" in the Windows NT registry. The file is stored in %systemroot%\system32\config\sam. A backup of this file is also stored as %systemroot%\repair\sam._. The goal of intruders is to get a copy of these files and run crack programs that try dictionary words and combinations of numbers and letters in order to discover "weak" passwords. A "weak" password is one that is very short or in the dictionary, which a crack utility can usually discover in minutes.
If all the passwords are very long and a mixture of upper-case, lower-case, and digits, then it is unlikely that the person who stole the file will be able to break into a computer.
Intruders can get the SAM information in two ways. The first is by reading the file. The "SAM" file itself is usually locked (because it is in use by the operating system), but intruders can usually grab the backup SAM._ file. Any facility that provides file system access can be used to grab the file, such as File Sharing, HTTP servers, and FTP servers. For example, the %systemroot% directory may have accidentally been shared, or the web server may be vulnerable to the "../.." bug.
The second common way is through the registry. A tool called "PWDUMP" can retrieve the SAM information through remote registry calls. The registry is exposed over a feature called "named pipes". Unfortunately, partial access to the server's registry is necessary for many file service activities, and sometimes this key is also left open. See intrusion 2003201 for more information.
False Positives
Backup programs that read files from across the network will often trigger this alert. However, this highlights a problem: persons with "Backup" privileges should be barred from accessing the SAM file. In addition, the SAM file should never be transferred across the network in an unencrypted format. Instead, SAM databases should be backed up using a separate procedure.
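The access paths described under Details (file shares, HTTP with "../..", FTP) and the backup false positive above can be checked with a small log scanner. This is an added example, not part of the original page or any Network ICE product: the log format, the sample lines and the backup_hosts parameter are all constructed assumptions.

```python
import posixpath

# Constructed sample access log, not taken from the original page.
# Format per line: "<source_ip> <service> <requested_path>".
SAMPLE_LOG = """\
10.0.0.5 SMB \\winnt\\system32\\config\\sam
10.0.0.5 SMB \\winnt\\repair\\sam._
10.0.0.9 HTTP /scripts/../../winnt/repair/sam._
10.0.0.7 SMB \\winnt\\repair\\setup.log
10.0.0.7 SMB /winnt/system32/config/software
10.0.0.11 FTP /WINNT/SYSTEM32/CONFIG/SAM
"""

# (directory, filename) pairs that hold SAM hive data, as named on the page:
# the live hive under config and the backup under repair.
SAM_TARGETS = {("config", "sam"), ("repair", "sam._")}

def normalise(path):
    """Windows- or URL-style path -> lower-case POSIX path with '..' resolved,
    so a '../..' traversal is judged by where it ends up, not how it was typed."""
    p = path.replace("\\", "/").lower().lstrip("/")
    return posixpath.normpath("/" + p)

def is_sam_access(path):
    """True if the request resolves to .../config/sam or .../repair/sam._."""
    parts = normalise(path).split("/")
    return len(parts) >= 2 and (parts[-2], parts[-1]) in SAM_TARGETS

def scan_log(log_text, backup_hosts=frozenset()):
    """Return one alert dict per SAM access. Known backup hosts are still
    alerted (the page's point: backup jobs should not read SAM at all);
    they are only labelled so an analyst can prioritise."""
    alerts = []
    for line in log_text.splitlines():
        src, service, path = line.split(maxsplit=2)
        if not is_sam_access(path):
            continue
        alerts.append({
            "src": src,
            "service": service,
            "path": normalise(path),
            "note": ("known backup host; SAM should be excluded from backup reads"
                     if src in backup_hosts else "unexpected SAM read"),
        })
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, backup_hosts={"10.0.0.5"}):
        print(alert)
```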
Compromise
If somebody steals your SAM file, the only thing you can do is to change all the account passwords.
Defense
First of all, the recommended defense is to create secure passwords on your system that are hard to crack when people steal the SAM file. See general password tips for more information on selecting the right passwords, as well as hardening WinNT accounts for specific information for Windows NT. Also, get the tool that crackers use, l0phtcrack, in order to regularly crack your own files and see whether any of your users have chosen weak passwords.
Second, lock down access to the SAM files in the first place. Carefully check every subsystem that allows access to the hard disk, namely web servers, file services, FTP servers, and so on. Also change permissions on the REPAIR directory so that only Administrators can access it (by default, EVERYONE on the machine has access to the repair\sam._ file).
Never run file sharing on a "Domain Controller", because only Domain Controllers have the full SAM database, which should be protected at all costs.
More Details
Passwords are stored by first hashing them with MD4 and then encrypting the resulting hash with DES.