Notes

Vulnerability Assessment : Windows

Frequently exploited Microsoft services

Protocol/Service	Ports	Purpose
Microsoft IIS (Internet Information Services)	TCP ports 80/443	Proprietary web server software developed by Microsoft that runs on Windows.
WebDAV (Web Distributed Authoring & Versioning)	TCP ports 80/443	HTTP extension that allows clients to update, delete, move and copy files on a web server. WebDAV is used to enable a web server to act as a file server.
SMB/CIFS (Server Message Block Protocol)	TCP port 445	Network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a local network (LAN).
RDP(Remote Desktop Protocol)	TCP port 3389	Proprietary GUI remote access protocol developed by Microsoft and is used to remotely authenticate and interact with a Windows system.
WinRM (Windows Remote Management Protocol)	TCP ports 5986/443	Windows remote management protocol that can be used to facilitate remote access with Windows systems.

WebDAB

WebDAV stands for Web-based Distributed Authoring and Versioning, an open standard that allows users to manage, edit, and create files remotely over the internet. It’s an extension of the HTTP protocol that enables users to collaborate on web content.

Supported executable file extensions:
- .asp
- .aspx
- .config
- .php
Use Hydra to brute-force password.
Use Davtest tool to enumerate files, identify what file extensions can be uploaded.

/usr/bin/davtest -url <url> [options]

 -auth+         Authorization (user:password)
 -realm+ Auth Realm
 -cleanup       delete everything uploaded when done
 -directory+    postfix portion of directory to create
 -debug+        DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
 -move          PUT text files then MOVE to executable
 -copy          PUT text files then COPY to executable
 -nocreate      don't create a directory
 -quiet         only print out summary
 -rand+         use this instead of a random string for filenames
 -sendbd+       send backdoors:
                        auto - for any succeeded test
                        ext - extension matching file name(s) in backdoors/ dir
 -uploadfile+   upload this file (requires -uploadloc)
 -uploadloc+    upload file to this relative location/name (requires -uploadfile)
 -url+          url of DAV location

Example: /usr/bin/davtest -url http://localhost/davdir

Use Cadaver tool to connect to DAV with

Usage: cadaver [OPTIONS] http://hostname[:port]/path
Port defaults to 80, path defaults to '/'
Options:
-t, --tolerant            Allow cd/open into non-WebDAV enabled collection.
-r, --rcfile=FILE         Read script from FILE instead of ~/.cadaverrc.
-p, --proxy=PROXY[:PORT]  Use proxy host PROXY and optional proxy port PORT.
-V, --version             Display version information.
-h, --help                Display this help message.
Please send bug reports and feature requests via <https://github.com/notroj/cadaver>

RDP

RDP stands for Remote Desktop Protocol used for GUI remote access on windows. RDP uses TCP on port 3389.

Use rdp_scanner metasploit module to check if RDP is running on given port.
Use Hydra to bruteforce credentials for RDP.
Use xfreerdp to login xfreerdp -u administrator -p password123 /v:192.168.1.1:3389

MS17-010 SMB Vulnerability : EternalBlue

EternalBlue is vulnerability found on service SMBv1 which enables arbitary code execution with highest privilege. We can use Metasploit module auxiliary/scanner/smb/smb_ms17_010 to check if system can be exploited for EternalBlue. It can be directly exploited use module exploit/windows/smb/ms17_010_eternalblue.

RDP Vulnerability : BlueKeep

BlueKeep is vulnerability found on service RDP which allows hacker to excute code using kernel exploitation. We can use Metasploit module auxiliary/scanner/rdp/cve_2019_0708_bluekeep to check if system can be exploited for bluekeep and exploit it using module exploit/windows/rdp/cve_2019_0708_bluekeep_rce. CVE-2019-0708

SMB PsExec

The SMB protocol utilizes two levels of authentication, namely:

User authentication - Users must provide a username and password in order to authenticate with the SMB server in order to access a share.
Share authentication - Users must provide a password in order to access restricted share.

SMB Authentication

Authentication Request : Client sends authentication request for account
Encrypt String with user’s hash : Server returns a random string
Encrypted string : Client encrypts random string with account’s hashed password
Access granted : Server verifies the string and access is granted if right.

Brute force login credentials and Gain code execution

Use Metasploit module smb_login to bruteforce or user hydra.
Use psexec.py or windows/smb/psexec metasploit module to login.

WinRM : Windows Remote Management

Windows Remote Management (WinRM) is a Windows remote management protocol that can be used to facilitate remote access with Windows systems over TCP port 5985 and 5986 HTTPS.

Use crackmapexec to bruteforce winrm credentials. To bruteforce : crackmapexec winrm ip -u username -p passwordFile To execute code: crackmapexec winrm ip -u username -p password -x "command"

Use Metasploit

Bruteforce Login : auxiliary/scanner/winrm/winrm_login
Login Methods supported : auxiliary/scanner/winrm/winrm_auth_methods
Run command : auxiliary/scanner/winrm/winrm_cmd
Get shell : exploit/windows/winrm/winrm_script_exec (FORCE_VBS true)

Kernel Exploitation

A Kernel is a computer program that is the core of an operating system and has complete control over every resource and hardware on a system. It acts as a translation layer between hardware and software and facilitates the communication between these two layers.

Privilege escalation

Identifying kernel vulnerabilities
Downloading, compiling and transferring kernel exploits onto the target system

post/multi/recon/local_exploit_suggestor Metasploit module.

Windows Exploit Suggester

Github : https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Windows Kernel Exploits

Github: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135

User Account Control (UAC)

User Account Control (UAC) is a Windows security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the operating system.

UAC has various integrity levels ranging from low to high, if the UAC protection level is set below high, Windows programs can be executed with elevated privileges without prompting the user for confirmation.

It allows attackers to execute malicious payloads on a Windows target with administrative/elevated privileges by abusing the inbuilt Windows AutoElevate tool.

UACMe is an open source, robust privilege escalation tool developed by @hfire0x. It can be used to bypass Windows UAC by leveraging various techniques. GitHub: https://github.com/hfiref0x/UACME

Access Token Impersonation

Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).

Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of the same access token.

An access token will typically be assigned one of the following security levels:

Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons.
Delegate-level tokens are typically created through an interactive login on Windows, primarily through a traditional login or through remote access protocols such as RDP.

Impersonate-level tokens can be used to impersonate a token on the local system and not on any external systems that utilize the token. Delegate-level tokens pose the largest threat as they can be used to impersonate tokens on any system.

The following are the privileges that are required for a successful impersonation attack:

SeAssignPrimaryToken: This allows a user to impersonate tokens.
SeCreateToken: This allows a user to create an arbitrary token with administrative privileges.
SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with administrative privileges.

Use Incognito

Check if current user has SeImpersonatePrivilege privilege.
load incognito : Load incongnito tool
list_tokens -u : List available tokens
impersonate_token -u “TOKEN_NAME” : Impersonate with user token

Alternate data stream

Alternate Data Streams (ADS) is an NTFS (New Technology File System) file attribute and was designed to provide compatibility with the MacOS HFS (Hierarchical File System).

Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection. This can be done by storing the malicious code or executables in the file attribute resource stream (metadata) of a legitimate file.

We can create alternate data stream. notepad test.txt:payload.exe

Windows Password Hashes

User hashes are stored in SAM (Security Account Manager) database. Authentication and verification of user credentials is facilitated by the Local Security Authority (LSA). NTLM hashing algorithm is used. SAM database cannot be copied when system is running. The Windows NT kernel keeps the SAM database file locked and as a result, attackers typically utilize in-memory techniques and tools to dump SAM hashes from the LSASS process. SAM database is encrypted by syskey. Need elevated access to dump hashes in windows.

NTLM is a collection of authentication protocols that are utilized in Windows to facilitate authentication between computers. The authentication process involves using a valid username and password to authenticate successfully. NTLM uses MD4 algorithm to hash passwords.

Searching credentials in windows configuration

Windows can automate a variety of repetitive tasks, such as the mass rollout or installation of Windows on many systems. This is typically done through the use of the Unattended Windows Setup utility, which is used to automate the mass installation/deployment of Windows on systems.

The Unattended Windows Setup utility will typically utilize one of the following configuration files that contain user account and system configuration information:

C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Autounattend.xml

As a security precaution, the passwords stored in the Unattended Windows Setup configuration file may be encoded in base64.

Hash dumping

Get meterpreter session and elevate privilege. Load kiwi module and use creds_all to get all credentials. lsa_dump_sam to get infomation regarding SAM database. lsa_dump_secrets to get syskey.

Paas The Hash attack

Pass-the-hash is an exploitation technique that involves capturing or harvesting NTLM hashes or clear-text passwords and utilizing them to authenticate with the target legitimately. We need to get NTML hash as well as LM hash.

Once we get hashes, we can use crackmapexec or psexec to pass the hash and get shell for higher privilege.