Sujith's Library

Appearance

Attacking Windows systems

Attacking Windows systems involves four key aspects:

  • Windows OS
  • Windows Networking
  • Windows Services and Applications
  • Windows Authentication

Once one of these areas has been compromised and access has been gained, exploitation begins, which includes privilege escalation, establishing persistence, and lateral movement.

Exploiting Windows Operating System

Windows comes in two forms: workstation and server.

They are nearly identical, with the only differing factors being storage, memory, CPU cores, and network connections. Server supports more simultaneous connections and processes than workstations.

  • Most exploits and vulnerabilities exist through applications and not the operating system.

  • The Windows OS itself, with no applications installed, is difficult to exploit as long as it has been updated and patched on a regular basis.

  • Exploitation of the operating system can occur and mostly consists of data handling or protocol implementation issues.

Windows has to manage its network connectivity and resources, memory allocation, disk and storage access, and whatever devices are connected to the system. Within all this interconnectivity is where security holes can be found; they can either exist from a lack of security implementation to programming errors.

Exploits

Windows SMB denial of service vulnerability (CVE-2022-32230)
Server Message Block (SMB) is a protocol used by Windows to share files on a network. This vulnerability occurred because the protocol did not properly deal with malformed requests, causing a denial of service.

Windows print spooler elevation of privilege vulnerability (CVE-2022-38028)
This particular vulnerability is a flaw in the implementation of the print spooler service, which, when exploited, escalates privileges to SYSTEM.

Exploiting Windows Device Drivers

When Windows boots, it performs a series of operations before presenting an interface for users to interact with. During this process, the system loads tiny programs called drivers; these programs provide basic functions that allow the operating system to interact with different devices attached to the machine, such as the mouse, display, hard drive, printer, and USB.

One method of exploiting Windows is to replace these driver files with their own driver, which introduces malicious code.

Attackers can perform this operation in one of three ways:

  • Once they have exploited a system, they can use their access to install the malicious program.
  • Once they have exploited a system, they can use their access to download and overwrite the specific driver or file.
  • The attacker can compromise the vendor and inject their code into their deployment structure.

The third one, known as a supply chain attack, has been gaining popularity as a means of compromising larger numbers of systems and organizations.

Some recent attacks falling into this category include the following:

  • log4j supply chain attack, which was a vulnerability in the popular Java logging library log4j that allowed attackers to execute arbitrary code on affected systems. This vulnerability was widely exploited in the wild and affected a large number of organizations.

  • The 2021/2022 NPM supply chain attack, where dozens of NPM modules containing malicious JavaScript were downloaded. One such package, called icon-package, had over 17,000 downloads and was designed to exfiltrate data to several attacker-controlled domains.

  • The 2018 attack on ASUS took advantage of the automatic update feature to install malware on the system and impacted as many as 500,000 systems.

  • The 2020 attack on SolarWinds, where a backdoor, known as SUNBURST, was injected into the Orion IT update tool.

Exploiting Windows Networking

Windows supports many network protocols, Address Resolution Protocol (ARP), Simple Network Management Protocol (SNMP), Server Message Block (SMB), and NetBIOS.

Some of them have vulnerabilities that can be exploited.

ARP

Address Resolution Protocol (ARP) is a protocol that connects network devices like computers, printers, and routers to a network switch by matching their media access control (MAC) address assigned to their network interface card (NIC) and the IP address assigned to them by the network.

  • ARP protocol is used to resolve the MAC address of a device when only the IP address is known.
  • It is a critical component of how devices communicate on a local area network (LAN).
  • Without ARP, a host is not able to get the hardware address of the host they are attempting to communicate with.

The LAN keeps a table that maps IP addresses to the MAC addresses of the different devices. This is known as a content-addressable memory (CAM) table, which includes both the endpoints and routers on that network.

There are several ways to exploit this protocol :

  • ARP flood (MAC flooding) : is the simplest of the attacks. It involves overloading the switches by flooding them with ARP replies, which the switch attempts to cache in its CAM table. When overloaded, the switch is no longer able to effectively match IP addresses to a MAC address and, subsequently, begins sending all switch traffic to all devices on the switch. At this point, the switch acts like a hub, and as a result, the attack can capture all switch traffic using sniffing software.

  • The ARP poisoning/spoofing attack is a man-in-the-middle attack. The attacker has eavesdropped on LAN activity, likely through an ARP flood, but this can be done with an Internet Control Message Protocol (ICMP) request as well. Once the attacker has the list of devices, they use ARP flood against the devices instead of the switch itself. The difference is that each ARP reply message is faked, telling all devices on the LAN that the default gateway is the attacker's machine. Once acknowledged by the devices, the attacker is in the middle of communications and can inspect and manipulate traffic on the LAN. This type of activity is more complicated than the ARP flood itself.

Tools such as Ettercap and Bettercap can be used to manage the man-in-the-middle attack as well as manipulate clients on the network to go to malicious websites or download malware for further exploitation.

SNMP

Simple Network Management Protocol (SNMP) is a protocol used to collect information about devices on the network and is widely used for monitoring and managing devices. Examples include low disk space, high CPU or RAM utilization, and security violations.

To do this, SNMP uses small configuration files called management information bases (MIBs) on the client that act like an agent. This agent then listens for queries from a manager to report the data it has, and the manager just needs to provide the correct community string, which is the same for both the agent and the manager.

  • The default community string for all SNMP installations is either public or private, but it can easily be changed (yet rarely is) because many network administrators do not take the time to set up and maintain it.

  • SNMP implementations largely transmit in cleartext, which means they are subject to capture by a network sniffer. One exception to that is SNMP version 3, which uses encryption.

There are 3 areas where SNMP can be used or exploited:

  • The first, is to use a network sniffer to capture the SNMP communications between managers and agents to obtain the community string or information from the devices. This can include statistics about hardware, interface traffic, services, users, groups, route tables, listening ports, running processes, and much more.

  • Next way is to pose as an SNMP manager, providing the correct community string and enumerating what information the MIBs can provide.

  • Next exploit is the implicit trust that the SNMP managers have themselves by injecting false, misleading, or improperly formatted data for ingestion by the management system. This could be used to hide attacker activity, send staff to look at other systems while an attack is underway, or possibly buffer overflow or command injection in the management system.

Metasploit, which is an exploit framework, has several modules that cover SNMP exploitation, including scanning and enumeration, exploitation, and brute forcing. There are several other SNMP tools that attackers can leverage:

  • Onesixtyone: Standalone SNMP scanner by Solar Designer.
  • Snmpcheck: Enumerates information from a target system.
  • Snmpblow: Retrievies the configuration of a Cisco router or switch.
  • Snmpset: Uploads changed configurations to a Cisco router or switch.
  • Snmpwalk: Enumerates the network using SNMP GETNEXT requests.

Steps to take for protecting network while still being able to use SNMP for its intended purpose of monitoring:

  • Disable SNMP on hosts that are not being monitored.
  • Change the default community strings.
  • Block SNMP traffic to ports 161 and 162 from anything not authorized to access.
  • When setting SNMP security levels, avoid NoAuthNoPriv and use AuthNoPriv or AuthPriv (SNMPv3); this enables encryption.
  • Configure SNMP users with views (SNMPv3).

SMB

The Server Message Block (SMB) protocol in Windows is used for resource sharing. Resources such as printing, file sharing, or others can be hosted and retrievable via the SMB protocol. An authorized user or application can access resources within a network. It runs over port 139 or 445.

  • Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP, Internetwork Packet Exchange/Sequence Packet Exchange (IPX/SPX), or NetBIOS Extended User Interface (NetBEUI).

Depending on which version of SMB the system is running, the attack can take full advantage of the system. With an exploit framework such as Metasploit, several modules can be employed :

  • smb_enumshares: To get a list of shares from a target
  • smb_enumusers: To get a list of users
  • smb_ms17-010: The Eternal Blue exploit, security-updates/SecurityBulletins/2017/ms17-010
  • psexec: Runs psexec commands on a remote host
  • download_file: Download a file
  • upload_file: Upload a file

The SMB protocol is natively supported by Windows; however, for Linux, a Samba server needs to be installed because Linux does not support SMB protocols.

NetBIOS

Network Basic Input/Output System (NetBIOS) works. NetBIOS is a Windows programming interface that allows computers to communicate across a local area network (LAN). Most Windows OSs use NetBIOS to share files and printers. NetBIOS listens on :

  • UDP ports 137 (NetBIOS Name service) 138 (NetBIOS Datagram service)
  • TCP port 139 (NetBIOS Session service).

File and printer sharing in Windows also requires an upper-level service called Server Message Block (SMB), which runs on top of NetBIOS. In Windows 2000 and later, SMB listens on TCP port 445 and doesn't need to use NetBIOS over TCP/IP unless support for older Windows versions is required.

By using NetBIOS enumeration, an attacker can discover the following:

  • A list of machines within a domain
  • File and printer sharing
  • Usernames and passwords
  • Group information and policies

The computer names you assign to Windows systems are called NetBIOS names and have a limit of 16 characters; the last character is reserved for a hexadecimal number (00 to FF) that identifies the service running on the computer.

  • Therefore, you can use only 15 characters for a computer name, and NetBIOS adds the last character automatically to identify the service that has registered with the OS.
  • If a computer is running the Server service, the OS stores this information in a NetBIOS table.

The nbstat command is part of Windows and is a useful tool for displaying information about NetBIOS over TCP/IP. Additionally, information such as NetBIOS name tables, name caches, and other data are displayed using it.

Exploiting Windows Authentication

Everything executed in Windows will take place in the context of a user account, even low-level security provider modules. The user account contains a security identifier (SID) which determines the trusts and permissions afforded to the user and what operations that account can perform.

  • SYSTEM account has access to the core operating system and is used by many applications as its running account in order to get the level of access needed to perform their tasks.

  • In Task Manager select Details, it will show all the running processes and the user context of each process in the User name column.

User Authentication and Movement

One of the simplest ways to exploit systems through authentication is through passwords and password attacks which can occur in one of three ways:

  • First is to find and exploit a vulnerability to gain access to the system. Once the system has been breached, dump the account and password hashes and crack them later off the system. Once the passwords are cracked, the attacker can access the machines(s)/network using multiple accounts.

  • Second way uses the opposite approach, where the attacker performs automated password guessing to determine passwords for one or many accounts. If successful, the attacker gains access to target systems from which they can dump account and password hashes and, again, gain access to a machine(s)/network with multiple accounts, or they could proceed to exploit the system in other ways, depending on their access level.

  • There is still another way to get passwords, and this is through social engineering; the attacker may use a phishing email to trick the user(s) into giving up their credentials unknowingly to the attacker.

Obtaining and Extracting Passwords

Dumping the SAM is also one of the most powerful tools for privilege escalation and trust exploitation because when the attacker has valid credentials, it is difficult to differentiate the attacker's activity from legitimate user activity.

Attackers might discover user accounts in network's overall architecture and may want to install additional tools to compromise more of the network.

One of the first post-exploit activities of attackers is to harvest as many usernames and passwords as possible since these credentials can be key to extending exploitation beyond one or two machines to the entire network and possibly even other networks through associations.

An attack that targets accounts with access to money or where there may be a chance for financial benefit.

If the attacker has compromised a standalone system that is not part of the Windows domain, the user account and password data are stored locally in a privileged registry hive referred to as the Security Accounts Manager (SAM).

SAM is located under HKEY_LOCAL_MACHINE\SAM. By default, only the SYSTEM user has permission to access this area. On the actual disk, the SAM data can be found in the file C:\windows\system32\config\SAM.

While the machine is running, these files are locked and cannot be accessed or copied without certain tools. Even if the SAM comes from a standalone system, it may contain credentials that grant access to the enterprise network domain controller, domain member, or other standalone system, thanks to the reuse of passwords by typical users or insecure IT policies.

Account and password information is kept by the domain controller(s) in the Active Directory database for systems that are a part of an Active Directory domain.

Tools

Certain tools can grab the database from a live system, including from memory; these include but are not limited to the following:

  • PwDump: This is one of the oldest programs for dumping passwords, but it is effective. In order to be effective with PwDump, you will need the following:

    • An account with administrator-level privileges
    • A machine or domain controller with a share on its PwDump will only extract the IDs and the hash

  • Mimikatz: This is an open source program that gives hackers access to authentication information, including Kerberos tickets, and allows them to save it. This is then used to further exploit the system and the network.

Password Cracking Techniques

  • Dictionary cracking
  • Brute force cracking
  • Rainbow tables

Dictionary Cracking

This is the simplest of all the cracking techniques. It takes a list of terms and hashes them one by one, hopefully finding a match. Many of these lists are not only derived from known list types but also from disclosed compromises, where both the ID and passwords were revealed.

Brute Force Cracking

Brute force just attempts to use an algorithm to generate key combinations until a match is made. This method tends to be very slow and has lost its effectiveness as Windows has implemented complexity requirements.

Complexity requirements are a set of specific criteria that passwords must meet to be acceptable by the Windows operating system as valid:

  • cannot contain the user's account name or part of the name
  • must be 6 characters or more in length
  • must contain characters from three of the following areas:
    • Upper case (A – Z)
    • Lower case (a – z)
    • Base 10 digits (0 – 9)
    • Non-alphanumeric characters (e.g. !, $, #, and %)

Rainbow Tables

Rainbow tables work in the opposite way to brute-force. They just have a list of hashes already calculated and just look them up. This method is extremely fast, as the computer does not compute hashes; however, if a hash is not already in the table, it will not attempt to compute it, and you will have to return to the standard brute force methods.