A Brief Discussion of NT ACLs, Tokens, Privileges and Security: Another Way to Clone an Account

Published: 05-01-02
Author: 刺 (aXis)

Source: www.3389.net

Abstract: This article covers NT ACLs, tokens and privileges, and how a privilege can be used to bypass an ACL and gain access to a file. It can be regarded as another way of cloning the administrator account, one that is more covert but harder to exploit, since detection has to be bypassed first. The breakthrough achieved so far is using a privilege to bypass the ACL.

Keywords: ACL, ACE, DACL, TOKEN, SID, PRIVILEGE

Note: this article is dedicated to Chen Jing.

I. Basic Concepts (this part introduces tokens, ACLs and the other basic concepts needed for Part II; if you already know this material, skip it)

1. What is a token (TOKEN)

When a user logs on to Windows NT/2000/XP and passes authentication, the system assigns that user a token. A token is a data structure used by every process and thread the user starts. Its layout is shown below:

    Token source
    Impersonation type
    Token ID
    Authentication ID
    Modified ID
    Expiration time
    Default primary group
    Default DACL
    User account SID
    Group 1 SID
    ......
    Group n SID
    Restricted SID 1
    ......
    Restricted SID n
    Privilege 1
    ......
    Privilege n

This is hard to follow in the abstract, so let us look at a real instance: whoami.exe from the Windows 2000 Resource Kit displays the details held in the current user's access token:

C:\>whoami /all

[User] = "DARKDEAMON\Administrator" S-1-5-21-1409082233-1957994488-472307971-500
[Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Administrators" S-1-5-32-544
[Group 4] = "BUILTIN\Users" S-1-5-32-545
[Group 5] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 6] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 7] = "LOCAL" S-1-2-0
(X) SeChangeNotifyPrivilege =
(O) SeSecurityPrivilege =
(O) SeBackupPrivilege =
(O) SeRestorePrivilege =
(O) SeSystemtimePrivilege =
(O) SeShutdownPrivilege =
(O) SeRemoteShutdownPrivilege =
(O) SeTakeOwnershipPrivilege =
(O) SeDebugPrivilege =
(O) SeSystemEnvironmentPrivilege =
(O) SeSystemProfilePrivilege =
(O) SeProfileSingleProcessPrivilege =
(O) SeIncreaseBasePriorityPrivilege =
(X) SeLoadDriverPrivilege =
(O) SeCreatePagefilePrivilege =
(O) SeIncreaseQuotaPrivilege =
(X) SeUndockPrivilege =
(O) SeTcbPrivilege =

C:\>

This is the information in my token: my SID, the groups I belong to, a detailed list of the privileges I hold, and so on. The token therefore determines what a user is able to do on a given computer.
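To make the token listing above usable for an audit rather than just reading it by eye, here is an added example (not code from the article or the Resource Kit) that parses the whoami /all text into a small token structure and reports which of the privileges it finds are high-impact. The sample text is constructed in the same layout as the listing; the (X)/(O) markers are read as enabled/disabled, and the HIGH_IMPACT set is this example's own audit choice, not anything whoami reports.

```python
"""Parse Resource Kit `whoami /all` output into a token summary and flag
high-impact privileges. Added example; SAMPLE is constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the article's whoami /all listing.
SAMPLE = r"""
C:\>whoami /all
[User] = "DARKDEAMON\Administrator" S-1-5-21-1409082233-1957994488-472307971-500
[Group 1] = "DARKDEAMON\None" S-1-5-21-1409082233-1957994488-472307971-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Administrators" S-1-5-32-544
(X) SeChangeNotifyPrivilege =
(O) SeSecurityPrivilege =
(O) SeBackupPrivilege =
(X) SeLoadDriverPrivilege =
(O) SeTcbPrivilege =
C:\>
"""

SID_LINE = re.compile(r'^\[(User|Group \d+)\] = "([^"]+)" (S-[\d-]+)\s*$')
PRIV_LINE = re.compile(r'^\((X|O)\) (Se\w+Privilege) =')


@dataclass
class Token:
    user: str = ""
    user_sid: str = ""
    groups: list = field(default_factory=list)       # [(name, sid), ...]
    privileges: dict = field(default_factory=dict)   # name -> enabled (bool)


def parse_whoami(text):
    """Build a Token from whoami /all text; lines that match neither pattern are ignored."""
    tok = Token()
    for raw in text.splitlines():
        line = raw.strip()
        m = SID_LINE.match(line)
        if m:
            kind, name, sid = m.groups()
            if kind == "User":
                tok.user, tok.user_sid = name, sid
            else:
                tok.groups.append((name, sid))
            continue
        m = PRIV_LINE.match(line)
        if m:
            # Assumption: (X) marks an enabled privilege, (O) a disabled one.
            tok.privileges[m.group(2)] = (m.group(1) == "X")
    return tok


# Privileges that let their holder act outside normal object ACLs (audit choice).
HIGH_IMPACT = {"SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
               "SeTakeOwnershipPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege"}


def audit(tok):
    """Return {privilege: enabled} for every high-impact privilege present in the token."""
    return {p: on for p, on in sorted(tok.privileges.items()) if p in HIGH_IMPACT}


def rid_of(sid):
    """The last sub-authority of a SID string is its RID (500 = built-in Administrator)."""
    return int(sid.rsplit("-", 1)[-1])


if __name__ == "__main__":
    t = parse_whoami(SAMPLE)
    print(t.user, "RID", rid_of(t.user_sid))
    for priv, enabled in audit(t).items():
        print("%-26s %s" % (priv, "enabled" if enabled else "present, disabled"))
```

Note that a privilege being present but disabled (the (O) entries) still matters for an audit: a process holding the token can enable it, so the set of privileges in the token, not only the enabled ones, is what describes the account's reach.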

2. Security identifiers (SID)

A SID is assigned by the system when a user or group is created, and it is unique. When a local user logs on, the system retrieves the SID from the user database in the SAM.

For the structure of a SID, see this passage from Inside Windows 2000:

A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values.

Below are some of the system's built-in SIDs:

Well-known SIDs

SID       Group             Use
S-1-1-0   Everyone          A group that includes all users.
S-1-2-0   Local             Users who log on to terminals locally (physically) connected to the system.
S-1-3-0   Creator Owner ID  A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable access-control entries (ACEs).
S-1-3-1   Creator Group ID  Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.


The number at the end of the SID is the RID (relative identifier). 500 denotes the administrator, and Guest's is 501.

The administrator-cloning technique proposed by ADAM manipulates exactly this: it clones an account's RID to 500, so the system treats that account as the administrator.

The structure of a complete SID can be seen in the SID from the token above:

S-1-5-21-1409082233-1957994488-472307971-500
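As an added example (not from the article), the following code applies the definition quoted from Inside Windows 2000 to the SID above: it splits a SID string into revision, identifier authority, sub-authorities and RID, converts it to and from the binary layout, names the well-known SIDs from the table, and includes a defender's check that lists accounts in one domain that resolve to the same RID, which is the symptom of the RID-cloning trick just described. The binary layout, the `describe` labelling and the ACCOUNTS list are this example's own; the account list is constructed.

```python
"""Decode, encode and classify NT security identifiers (SIDs).
Added example; the ACCOUNTS sample is constructed."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int   # 48-bit value; 5 is NT AUTHORITY
    subauthorities: tuple       # 32-bit values; the last one is the RID

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    def __str__(self):
        return "S-%d-%d%s" % (self.revision, self.identifier_authority,
                              "".join("-%d" % s for s in self.subauthorities))


def parse_sid_string(text):
    """Parse 'S-1-5-21-...-500' with range checks on every component."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    rev, auth = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if rev != 1 or auth >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("out-of-range SID component: %r" % text)
    return Sid(rev, auth, subs)


def sid_to_bytes(sid):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as little-endian u32."""
    head = struct.pack("<BB", sid.revision, len(sid.subauthorities))
    auth = sid.identifier_authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sid.subauthorities)
    return head + auth + subs


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; rejects a length that disagrees with the count byte."""
    if len(data) < 8:
        raise ValueError("SID too short")
    rev, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return Sid(rev, auth, tuple(subs))


# Well-known SIDs and RIDs taken from the article's table and token listing.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-2-0": "Local",
              "S-1-3-0": "Creator Owner ID", "S-1-3-1": "Creator Group ID",
              "S-1-5-32-544": r"BUILTIN\Administrators", "S-1-5-32-545": r"BUILTIN\Users"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def describe(text):
    """Name a well-known SID, or split a machine/domain account SID into domain part and RID."""
    sid = parse_sid_string(text)
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if sid.identifier_authority == 5 and sid.subauthorities[:1] == (21,) and len(sid.subauthorities) == 5:
        domain = "S-1-5-21-" + "-".join(str(s) for s in sid.subauthorities[1:4])
        label = WELL_KNOWN_RIDS.get(sid.rid, "RID %d" % sid.rid)
        return "%s in %s" % (label, domain)
    return "unclassified SID %s" % text


def find_shared_rids(accounts):
    """Defender's check: accounts whose SIDs differ only in name, i.e. the same
    domain part and the same RID. `accounts` is a list of (name, sid_string)."""
    seen = {}
    for name, text in accounts:
        sid = parse_sid_string(text)
        seen.setdefault((sid.subauthorities[:-1], sid.rid), []).append(name)
    return {key[1]: names for key, names in seen.items() if len(names) > 1}


# Constructed sample account list; the first SID is the one from the article.
ACCOUNTS = [("Administrator", "S-1-5-21-1409082233-1957994488-472307971-500"),
            ("Guest", "S-1-5-21-1409082233-1957994488-472307971-501"),
            ("helpdesk", "S-1-5-21-1409082233-1957994488-472307971-500")]

if __name__ == "__main__":
    for name, text in ACCOUNTS:
        print(name, "->", describe(text), sid_to_bytes(parse_sid_string(text)).hex())
    print("shared RIDs:", find_shared_rids(ACCOUNTS))
```

The length check in `sid_from_bytes` is deliberate: a binary SID whose count byte disagrees with its actual length is malformed, and code that trusts the count byte alone reads past the buffer.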

3. What is an access control list (ACL)

ACL (access control list) is easy to understand from its name: the system uses the ACL to decide what degree of access a user has to a resource. There are two kinds of ACL: the DACL (Discretionary Access Control List) and the SACL (System Access Control List). The DACL holds a list of users and groups together with their permissions, allow or deny, and is used to determine access rights to the resource. The SACL determines the auditing policy for a secured resource. An ACL consists of zero or more ACEs (Access Control Entries); each ACE contains a SID and a description of how that SID may access the resource, such as allow or deny, with deny taking precedence over allow.

The Windows 2000 Resource Kit ships several ACL-related tools, the most typical being xcacls. Here is an example of viewing an ACL with xcacls:

C:\Program Files\Resource Kit>xcacls whoami.exe
C:\Program Files\Resource Kit\whoami.exe BUILTIN\Users:R
                                         BUILTIN\Power Users:C
                                         BUILTIN\Administrators:F
                                         NT AUTHORITY\SYSTEM:F
                                         NT AUTHORITY\TERMINAL SERVER USER:C

C:\Program Files\Resource Kit>

Other ACL tools include svcacls.exe, showacls and subinacl.exe; they are not covered one by one here.


4. Privileges (privilege)

Simply put, a privilege is a power the system grants to a user; privileges allow or disallow particular operations that affect the computer system as a whole rather than a single object. The table below lists some system privileges and what they do.

Privilege (Windows privilege name): Description

SeTcbPrivilege (Act as part of the operating system)
  Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.

SeMachineAccountPrivilege (Add computers to a domain)
  Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain.

SeBackupPrivilege (Back up files and directories)
  Allows the user to circumvent file and directory permissions to back up the system. The privilege is checked only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
  By default, this privilege is assigned to Administrators and Backup Operators. See also Restore files and directories in this table.

SeChangeNotifyPrivilege (Bypass traverse checking)
  Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
  By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.

SeSystemTimePrivilege (Change the system time)
  Allows the user to set the time for the internal clock of the computer.
  By default, this privilege is assigned to Administrators and Power Users.

SeCreatePagefilePrivilege (Create a page file)
  Allows the user to create and change the size of a page file.
  By default, this privilege is assigned to Administrators.

SeCreateTokenPrivilege (Create a token object)
  Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.

SeCreatePermanentPrivilege (Create permanent shared objects)
  Allows a process to create a directory object in the Windows
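The ACL section and the SeBackupPrivilege entry above together make the article's central point: the DACL walk (deny before allow) decides ordinary access, but a privilege is consulted before the DACL and, on the backup-API path, bypasses it. The following added example (not code from the article or the Resource Kit) models both halves: it parses the xcacls listing from the ACL section into allow ACEs, runs a canonical-order DACL check, and then layers on simplified privilege rules. The access-mask bits, the meaning given to the xcacls letters R, C and F, the privilege rules themselves, the deny ACE and the tokens are all this example's own assumptions, constructed for illustration.

```python
"""Model of an NT access check: DACL walk, then the privilege overrides the
privilege table describes. Added example; inputs are constructed."""
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE, WRITE_DAC, WRITE_OWNER = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20
FULL = READ | WRITE | EXECUTE | DELETE | WRITE_DAC | WRITE_OWNER
# Assumed meaning of the xcacls summary letters seen in the article's listing.
XCACLS = {"R": READ | EXECUTE, "C": READ | WRITE | EXECUTE | DELETE, "F": FULL}


@dataclass
class Ace:
    trustee: str   # account or group name, as xcacls prints it
    allow: bool
    mask: int


@dataclass
class Token:
    trustees: frozenset    # user name plus group names
    privileges: frozenset  # enabled privilege names


# The article's xcacls listing, reproduced here as constructed input.
XCACLS_OUTPUT = r"""
C:\Program Files\Resource Kit>xcacls whoami.exe
C:\Program Files\Resource Kit\whoami.exe BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\TERMINAL SERVER USER:C
C:\Program Files\Resource Kit>
"""
ARTICLE_PATH = r"C:\Program Files\Resource Kit\whoami.exe"


def parse_xcacls(output, path):
    """Turn the NAME:LETTERS lines of xcacls output for `path` into allow ACEs."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + " "):       # the first entry carries the path
            line = line[len(path) + 1:]
        if ":" not in line:
            continue
        trustee, letters = line.rsplit(":", 1)
        if not letters or any(ch not in XCACLS for ch in letters):
            continue                          # prompt lines are not ACEs
        mask = 0
        for ch in letters:
            mask |= XCACLS[ch]
        aces.append(Ace(trustee, True, mask))
    return aces


def dacl_check(aces, token, desired):
    """Walk the DACL in order (canonical order lists deny ACEs first): a deny ACE
    covering any still-ungranted right wins; allow ACEs accumulate rights."""
    remaining = desired
    for ace in aces:
        if ace.trustee not in token.trustees:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def access_check(aces, token, desired, backup_semantics=False):
    """Privileges are consulted before the DACL. Simplified rules assumed here:
    SeTakeOwnershipPrivilege grants WRITE_OWNER; on the backup-API path
    SeBackupPrivilege grants READ|EXECUTE and SeRestorePrivilege grants
    WRITE|DELETE|WRITE_DAC, whatever the DACL says."""
    granted = 0
    if "SeTakeOwnershipPrivilege" in token.privileges:
        granted |= WRITE_OWNER
    if backup_semantics:
        if "SeBackupPrivilege" in token.privileges:
            granted |= READ | EXECUTE
        if "SeRestorePrivilege" in token.privileges:
            granted |= WRITE | DELETE | WRITE_DAC
    remaining = desired & ~granted
    return remaining == 0 or dacl_check(aces, token, remaining)


# Constructed tokens.
USER = Token(frozenset({r"DARKDEAMON\bob", r"BUILTIN\Users", "Everyone"}), frozenset())
BACKUP_OP = Token(frozenset({r"DARKDEAMON\bk", r"BUILTIN\Backup Operators", "Everyone"}),
                  frozenset({"SeBackupPrivilege", "SeRestorePrivilege"}))
# A constructed deny ACE for Everyone, placed first as canonical ordering requires.
DENY_WRITE_ALL = Ace("Everyone", False, WRITE)

if __name__ == "__main__":
    aces = parse_xcacls(XCACLS_OUTPUT, ARTICLE_PATH)
    print("user READ                      :", access_check(aces, USER, READ))
    print("user WRITE                     :", access_check(aces, USER, WRITE))
    print("backup op READ, normal open    :", access_check(aces, BACKUP_OP, READ))
    print("backup op READ, backup API     :", access_check(aces, BACKUP_OP, READ, backup_semantics=True))
    print("backup op WRITE vs deny, backup API:",
          access_check([DENY_WRITE_ALL] + aces, BACKUP_OP, WRITE, backup_semantics=True))
```

The last case is the one to watch for from the defensive side: a deny ACE that blocks every ordinary caller does not block a holder of SeRestorePrivilege using backup semantics, so the effective reach of an account is the union of its DACL grants and its privileges, which is why the privilege list in the token deserves the same review as group membership.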
