by Commonalities Among Windows-Based Vulnerabilities
All common operating systems, regardless of vendor or platform, have vulnerabilities. Although APTs and nation-state actors might keep vulnerabilities they discover to themselves, most vulnerabilities are well-documented with exploits that are available to the public. On any particular platform, many vulnerabilities have common traits. Vulnerabilities for Windows-based operating systems have the following commonalities:
- All Windows operating systems and most Windows applications are written in some variant of the C programming language, which has no default mechanism for bounds-checking. If developers do not deliberately write bounds-checking and input validation into their code, it can lead to overflows, arbitrary code execution, and escalation of privilege by attackers.
- All systems depend on developers incorporating security best practices, including unit testing as they code. Most developers do not understand how, or have the time, to fully implement secure coding practices. All Windows products are dependent on their administrator to install and maintain them using best practices, including configuring appropriate security controls, changing defaults, shutting off unnecessary services, and applying patches in a timely manner. The failure to do so introduces vulnerabilities.
- Windows is a proprietary product. As such, the general public has no visibility into its source code. Unlike open source products, only developers specifically contracted by Microsoft will vet Windows products before they are released to market. While this leads to a more controlled software assurance process, it also can mean that fewer people have had a chance to review the code for security risks. This can lead to more software bugs escaping notice.
- Windows operating systems are complex, with tens of millions of lines of code. Vulnerabilities continue to be discovered long after the product is released to market. End users are dependent on the vendor to respond to new vulnerabilities with timely patches.
- Microsoft does not attempt to patch every vulnerability. Some of the most notorious exploits were never completely eradicated. Like most vendors, Microsoft sometimes simply releases a new version of their product, rather than try to completely fix the old version. Of course, there are still many installations of old (vulnerable) versions in existence. Additionally, new versions introduce their own vulnerabilities.
- Servers are likely to have more network-based vulnerabilities because they run applications that listen on open ports. Workstations are likely to have more end-user application-based vulnerabilities because end users often do not follow good practices when installing software and maintaining their systems.
- Because Windows uses many standard protocols and technologies, it is vulnerable to cross-platform exploits as well, including POODLE, Heartbleed, XSS, XSRF, and SQL injection.
- As with other products, Windows systems are at dramatically greater risk if the attacker has physical access. This can include plugging in cables to administrative console ports, booting to a different operating system, inserting removable media, and stealing or damaging hardware components.
- A number of Windows vulnerabilities become directly exposed if the user can be socially engineered into opening a malicious web page or infected document.
Research Tools
As a pen tester, you will often be looking for the latest information and tools. Some good places to conduct research on local host vulnerabilities and search for exploits include:
- cve.mitre.org
- www.sans.org
- cvedetails.com
- exploit-db.com
- www.rapid7.com
- packetstormsecurity.com
- github.com
Windows Operating System Vulnerabilities
Microsoft Windows continues to have more documented vulnerabilities than any other vendor, including open source products. www.cvedetails.com lists over 7,000 distinct Windows operating system vulnerabilities. These can be organized into 10 general categories, as summarized in the following table, which lists these vulnerabilities from most prevalent to least prevalent.
| Category | Description |
| Remote code execution | Any condition that allows the attacker to execute arbitrary code. |
| Buffer or heap overflow | A programming error that allows the attacker to overwrite allocated memory addresses with malicious code. |
| Denial of service | Any condition that allows the attacker to consume resources (network, CPU, RAM, disk, allowed connections, etc.) so that the process can no longer service legitimate requests. |
| Memory corruption | A programming error that allows the attacker to hijack the normal execution flow of a program by corrupting the application’s memory space. |
| Privilege escalation | Any condition that allows the attacker to gain elevated access after a system has been compromised. |
| Information disclosure | Any condition that allows the attacker to gain access to protected information. |
| Security feature bypass | A software weakness that allows an attacker to bypass policies, filters, validation, or other security safeguards. |
| Cross-site scripting (XSS) | A vulnerability in which a malicious script is injected into a trusted website and then downloaded and executed by the browser of a different end user. |
| Directory traversal | Any condition that allows an attacker to access restricted directories. |
| Cross-site request forgery (XSRF) | A vulnerability that allows unauthorized commands to be transmitted from a user to a trusting web application. |
Note: Data obtained from https://www.cvedetails.com/top-50-products.php
Frequently Exploited Windows Features
Exploit-db.com lists 1,239 Windows-related exploits. The Metasploit query grep -c exploit search platform:windows returns a count of 1,160 Windows exploit modules. The following table summarizes some of the most exploited Windows vulnerabilities of all time.
| Vulnerable Feature | Description | Exploits and Tutorials |
| Null sessions | A deliberate feature that allowed anonymous connections to the IPC$ share. It also unintentionally allowed attackers to enumerate large amounts of detail about the system, NetBIOS names, users, group memberships, shares, password/login policy, and more. CVE-1999-0519. | Enum4Linux WinScanX smb-enum-users.nse smb-enum-shares.nse getacct.exe winfingerprint-x |
| LM password hash | A weak hashing algorithm used in early versions of Windows, and still available in Windows Server 2016 and Windows 10. The password is converted to uppercase, and the hash is divided into two parts that are padded if necessary to be exactly 7 bytes long. Cracking LM hashes is simple and in some cases trivial. | Cain & Abel Hydra John the Ripper Medusa Ophcrack L0phtCrack Hashcat NetBIOS Auditing Tool (NAT) |
| IIS 5.0 Unicode | Certain Unicode characters (such as %255c%255c) cause IIS 5.0 to behave unexpectedly, allowing for directory traversal, information disclosure, and remote code execution from a browser URL. This was a major vector in the spread of the nimda worm. | Internet Explorer 5 or other browsers from that time period HTML-based email messages |
| IIS 5.0 WebDAV | Buffer overflow against the ntdll.dll SEARCH WebDAV method. Gave the attacker SYSTEM level remote code execution capabilities. CVE-2003-0109. Worked against Windows 2000, any service pack. | Metasploit module exploit/windows/iis/ms03_007_ntdll_webdav https://www.exploit-db.com/exploits/16470/ |
| RPC DCOM | The RPCSS service controls DCOM messaging between software components on networked computers. The original exploit was published in many places and worked against Windows Server 2000, 2003, and XP. It is a buffer overflow that provides remote code execution at SYSTEM level and is highly reliable. CVE-2003-0352. There is a new variant that works against Windows 8.1. CVE-2015-2370. | Metasploit module: exploit/windows/dcerpc/ms03_026_dcom https://downloads.securityfocus.com/vulnerabilities/exploits/dcom.c Windows 8.1: https://www.exploit-db.com/exploits/37768/ |
| SMB NetAPI | Microsoft Server service relative path stack corruption. A weakness in NetAPI32.dll path parsing code permits a buffer overflow that grants remote code execution in SYSTEM privilege. Works against Windows 2000 through XP, and some 2003 targets. CVE-2008-4250. | Metasploit module exploit/windows/smb/ms08_067_netapi https://www.exploit-db.com/exploits/40279/ |
Password Cracking in Windows
Password cracking is the act of trying to guess or decode encrypted passwords. Windows uses passwords to authenticate users, services, and computers. Third-party applications can have their own passwords as well. Passwords can be found in many locations, all of which are vulnerable to attack. A few passwords are stored in cleartext, but most are stored as a hashed value. One of the biggest constraints to effective password cracking is having the necessary CPU power, or a sufficiently large password dictionary or rainbow table.
From a broader perspective, not all authentication is done through passwords. Some credentials are stored as private keys, certificates, or Kerberos tickets. Those too can be targeted. The Windows Local Security Authority (LSASS) uses LSA secrets to store a variety of user, service, and application passwords. In some cases, such as with Kerberos or LSA secrets, they can be found in memory after the user logs on or the computer boots up.
Since Windows NT 4.0, Windows has stored local user names and passwords in the Security Account Manager (SAM). This is a Registry hive that is stored on disk in %WINDIR%\System32\config\SAM and loaded into memory on bootup. Passwords are stored as two types of hashes:
- LanMan (LM) hash—Before hashing, passwords are converted to uppercase and then either truncated or padded to become 14 characters long. The actual value that is stored is not the password hash itself. Instead, the hash is divided into two 7-byte parts, each of which is used as a 56-bit DES key to encrypt the fixed string “KGS!@#$%”. Because the hash is unsalted, it is susceptible to dictionary and rainbow table attacks.
- NT hash—This is a simple MD4 hash of the password (encoded as UTF-16 little endian). It is unsalted, but allows passwords up to 128 characters long.
In the days of NT 4.0, Microsoft introduced a special utility called SYSKEY to make decrypting hashes more difficult. Administrators used it to encrypt the SAM, LSA secrets, and cached domain passwords. During bootup you could provide an unlock password, insert a floppy disk, or store the key in the Registry so the computer would boot with no special intervention. If the SYSKEY is stored in the Registry, it can be found in four parts in SYSTEM\CurrentControlSet\Control\Lsa\, in the subkeys JD, Skew1, GBG, and Data. These parts, however, can be extracted and used to generate the necessary RC4 key to decrypt the LM and NT hashes. It is also possible to use a special boot disk to delete the SYSKEY.
Active Directory Hashing Algorithms
The following hashes are stored in the ntds.dit Active Directory database file.
| Hashing Algorithm | Description |
| MD4 (aka NT Hash) | Used for NTLM authentication. |
| LM | Used for LM authentication. Disabled by default since Windows Server 2003. |
| DES_CBC_MD5 | Used for Kerberos authentication. Salted with user logon name and hashed 4,096 times using MD5. |
| AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 | Salted with user logon name and hashed 4,096 times using HMAC-SHA1. Since Windows Server 2008, used for Kerberos authentication. |
| MD5 | 29 variants, each using a different combination of login and domain name. Used for WDigest authentication. |
| Reversibly encrypted cleartext password | Used for MS-CHAPv1 RADIUS authentication. Disabled by default. |
Password Cracking Options
You can try several approaches to crack passwords:
- Brute force the password across the network. This technique attempts to crack passwords from network-based services so that an attacker can try to authenticate across the network to remote services.
- Dump credentials currently loaded in memory, including:
- LSA secrets.
- User hashes.
- Hashes from privileged accounts such as krbtgt.
- Tokens (temporary access keys) from current or previously logged-on users.
- Copies of previous user passwords that are used to enforce password history policies.
- Steal a copy of a file that contains the credentials and attempt to crack offline (SAM, SYSTEM, ntds.dit).
- Dump locally cached domain logon information.
- Steal the Group Policy Preference (GPP) file to extract any passwords (cPassword).
- Not bother to crack, but instead:
- Use current privileges from a buffer overflow or other exploit to create a new account.
- Use the dumped hash of a privileged account to create a new account or ticket.
- Boot into another OS to overwrite the disk location where the password, including SYSKEY, is stored.
More About Credential Dumps and Other Cracking Options
The following table briefly describes how certain credential dumps and other cracking techniques work.
| Technique | Description |
| LSA secrets dump | This technique attempts to crack passwords stored in the Registry (HKEY_LOCAL_MACHINE/Security/Policy/Secrets) by the Local Security Authority Subsystem (LSASS). The Registry is loaded into RAM when the machine boots up. Stored passwords include: Default administrator password from installation Internet Explorer passwords Remote Access connection passwords SYSTEM account passwords EFS encryption keys |
| Hash dump | You can dump hashes directly from the Registry hives HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM and pass them to a cracker. Must be in SYSTEM privilege or using SYSTEM token Extract hashes and credentials directly from the Registry Extract hashes through DLL injection into the lsass.exe process |
| User token dump | By inspecting memory and running processes, you can view which processes are owned by various users. You can then steal and use one of the user tokens to impersonate that user. Anything you do will be in the context of that user, and will be logged as having been performed by that user. |
| Windows Vault dump | The Windows Vault is a set of local files that store credentials for: Internet Explorer 10.0/11.0 and Microsoft Edge (Windows 8 or later) Windows Mail (Windows 8 or later) Microsoft Account (Hotmail, Live, MSN, Office 365, OneDrive, etc.) Windows Explorer Network Drive Mappings Online credentials for various websites Single sign-on (SSO) passwords Files are located in several places: C:\Users\[User Profile]\AppData\Local\Microsoft\Vault C:\ProgramData\Microsoft\Vault C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault |
| Kerberoasting | Dump the hash of the krbtgt account from the memory of a server with a service that uses a domain-based user account, and use it to create new golden tickets. These allow any domain user to request the Ticket Granting Ticket from a domain service account and crack the account’s plaintext password offline. This is significant because many services have admin privilege and their passwords are seldom changed. Note: For more information on kerberoasting, see https://pentestlab.blog/2018/06/12/kerberoast/ and https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/. |
| SYSKEY boot key | You can extract the SYSKEY boot key parts from the Registry and crack it so it can be used to decrypt the SAM, LSA secrets, and cached domain passwords. The Registry keys that store this information are: SYSTEM\CurrentControlSet\Control\Lsa\JD SYSTEM\CurrentControlSet\Control\Lsa\Skew1 SYSTEM\CurrentControlSet\Control\Lsa\GBG SYSTEM\CurrentControlSet\Control\Lsa\Data |
| Cached domain login dump | By default, Windows domain members (from XP on) cache domain credentials for users who try to log on to the domain but no domain controller is available. This cache is stored in HKEY_LOCAL_MACHINE/Security/CACHE/NL$X. The default policy is to allow these cached credentials to be used 10 times before a domain controller must be reached. The Local System can extract these values. |
| Offline SAM cracking | You must get a copy of the Registry keys from HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM or the physical files they’re loaded from and send those to the cracker. Copy the HKLM\SAM and HKLM\SYSTEM hives reg.exe or regedit.exe: regedit –> Right-click HKLM\SYSTEM –> Export regedit –> Right-click HKLM\SAM –> Export reg.exe save HKLM\SYSTEM sysback.hiv reg.exe save HKLM\SAM sambak.hiv Use cscript vssown.vbs to make a Volume Shadow Copy, then use the copy command to extract the two physical files from it: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ Windows\System32\config\SYSTEM \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ Windows\System32\config\SAM csript vssown.vbs /create Boot another OS and copy the two physical files: %WINDIR%\System32\Config\SAM, %WINDIR%\System32\Config\SYSTEM. |
| Offline Active Directory cracking | Steal a copy/backup of Active Directory database file on a domain controller. Located at %SystemRoot%\NTDS\Ntds.dit. Perform offline cracking on the file. |
| cPassword dump | Read and crack the cPassword value from the Group Policy Preferences (GPP) file. This is located in the SYSVOL share of any Active Directory domain controller. Domain admins use this optional setting to standardize local account (usually administrator) passwords on all workstations/member servers across the domain. MS14-025. |
| Keylogging | Install a physical- or software-based keylogger on a computer to capture a user’s login credentials. |
| Social engineering | Trick a user into revealing their password to you through shoulder surfing (including mobile device across-the-room camera recording), Wi-Fi evil twins, phishing emails, bogus login pages, etc. |
| Unattended installation answer file dump | Steal the answer file used in a Windows unattended installation, as the local administrator password is stored in cleartext. If you can edit the file, you can also make sure that the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword section is added so that the administrator is not prompted to change their password on first logon so the stolen password will be usable on that machine. |
| Hard drive overwriting | Boot into another operating system and erase/overwrite the location on disk where the password is stored (C:\Windows\System32\Config). |
Password Cracking Tools
There are many password cracking tools available. Many are multi-featured. Some tools, like Hashcat, use the additional processing power of the computer’s graphics card (GPU). Others, like John the Ripper, have the ability to coordinate cracking across multiple networked computers. Here are some common Windows password cracking techniques and tools:
| Technique | Tools |
| Network brute forcing | Hydra Medusa Ncrack AET2 Brutus L0phtCrack Metasploit modules such as: auxiliary/scanner/ftp/ftp_login auxiliary/scanner/telnet/telnet_login auxiliary/scanner/smb/smb_login Note: For some password dictionaries and rainbow tables, see https://github.com/ah8r/password-dictionaries and http://project-rainbowcrack.com/table.htm. |
| Dumping LSA secrets | Cain & Abel Mimikatz Metasploit module post/windows/gather/lsa_secrets LSAdump procdump PWDumpX secretsdump.py Creddump CacheDump QuarksDump gsecdump hobocopy Note: For more information on using PowerShell to decrypt LSA secrets, see https://blogs.technet.microsoft.com/heyscriptingguy/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry/. |
| Online SAM cracking | Meterpreter hashdump Metasploit modules: post/windows/gather/credentials/credential_collector post/windows/gather/hashdump cachedump samdump2 fgdump.exe pwdump7.exe gsecdump PWDumpX hobocopy |
| Impersonating user tokens | Meterpreter steal_token command (formerly Incognito) |
| Dumping Windows Vault passwords | Built-in Windows Credential Manager (for the user to manage their own credentials) NirSoft VaultPasswordView |
| Kerberoasting | Some of these tools are used together, and may require additional support tools: Mimikatz PowerSploit John the Ripper Hashcat Kerberoasting tool kit https://github.com/nidem/kerberoast Empire Impacket Metasploit module auxiliary/gather/get_user_spns |
| Recovering the SYSKEY bootkey | bkhive bkreg (pre-Service Pack 4 machines) |
| Dumping cached domain login information | Cain & Abel creddump Passcape’s Windows Password Recovery cachedump fgdump PWDumpX |
| Offline SAM cracking | Cain & Abel John the Ripper Hashcat L0phtCrack Ophcrack vssown.vbs |
| Offline Active Directory cracking | ntdsutil.exe VSSAdmin PowerSploit NinjaCopy DSInternals PowerShell module ntds_dump_hash.zip Metasploit modules: post/windows/gather/ntds_grabber post/windows/gather/ntds_location |
| Dumping GPP file cPasswords | Metasploit module post/windows/gather/credentials/gpp PowerSploit Get-GPPPassword.ps1 gpprefdecrypt.py |
| Keylogging | Meterpreter keyscan_start and keyscan_dump commands, various hardware-based USB keyloggers |
| Social engineering | Kali Social Engineering Toolkit (SET) WiFi-Pumpkin |
| Dumping unattended installation answer file passwords | Text editor Knowledge of and access to the file (typically in a shared folder on a Windows Deployment Services server) |
| Hard Drive overwriting | Ultimate Boot CD for Windows Offline NT Password & Registry Editor http://pogostick.net/~pnh/ntpasswd/ |
Windows Service and Protocol Configurations
Windows services tend to have one thing in common: in order to support as many clients as possible, they must support multiple protocols and configurations, even ones that are less secure. A port scan alone won’t tell you if a service is vulnerable. A vulnerability scan will only identify signatures that it knows to look for. Exploit developers may or may not devote time to more obscure configurations. And yet, vulnerabilities—and opportunity for exploitation—can still exist.
As you look to exploit Windows services, keep the following points in mind:
- All network-based services listen on at least one open port, making them a target for remote attacks.
- Protocols that are used across all versions of Windows are likely to have their own version-specific exploits. For example, here are some SMB-based exploits by OS version. Notice that some of them work against multiple versions:
- Windows Server 2016: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
- Windows 10: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
- Windows Server 2012: MS17-010 EternalBlue GitHub worawit/eternalblue8_exploit.py
- Windows 8: MS17-010 EternalBlue GitHub worawit/eternalblue8_exploit.py
- Windows Server 2008: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption, MS08-068 Microsoft Windows SMB Relay Code Execution
- Windows 7: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Windows Vista: MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
- Windows Server 2003: MS08-067 Microsoft Server Service Relative Path Stack Corruption, MS15-020 Microsoft Windows Shell LNK Code Execution
- Windows XP: MS08-067 Microsoft Server Service Relative Path Stack Corruption, MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
- Windows 2000: MS08-067 Microsoft Server Service Relative Path Stack Corruption, MS05-039 Microsoft Plug and Play Service Overflow
- Windows NT 4.0: MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
Note: The previous list is not comprehensive. For more information, conduct a Google search for Windows x SMB exploits.
- Do not overlook ports that are unfamiliar to you. They may have known exploits. For example:
- TCP 5985: WinRM. Used for WS-Management and PowerShell remoting. Exploits: Numerous. Metasploit search winrm
- UDP 1900: UPnP/SSDP. Used for Universal Plug and Play. Exploits: ssdp Reflection DoS https://www.exploit-db.com/exploits/37561/, Metasploit search auxiliary name:ssdp
- UDP 5355: LLMNR. Used when DNS cannot resolve names. Exploits: Kali Responder, MITMf, Metasploit search auxiliary name:llmnr
- Keep in mind that IPv6 can carry exploits to the same TCP and UDP ports as well as IPv4.
- Some services open secondary ports. Even if current exploits do not target the secondary port by default, the process could still have vulnerabilities.
- Banner grabbing and nmap -sV interrogation can identify many services, even if the port is non-standard.
- Many services can be negotiated down to a less secure protocol or configuration. For example:
- Web server TLS –> SSLv3 or SSLv2 (POODLE attack)
- File and Print SMBv3 –> SMBv2 or SMBv1
- Authentication NTLMv2 –> NTLMv1 or LM
- DNS DNSSEC –> cleartext DNS
- Active Directory LDAPS –> cleartext LDAP
- Mail server SMTP/TLS –> cleartext SMTP
- IPsec Security Required –> Security Requested (no encryption)
- Services tend to be the least secure out-of-the-box. It is up to the administrator to apply patches, change defaults, and set firewall rules. Many administrators are not trained sufficiently or are not diligent enough to do this properly.
- Many administrators reuse the same user account or password for different services across the domain.
- Many services, especially on older platforms, use accounts with higher privilege levels than necessary.
- Many administrators do not know the actual security level a service needs, or they are not familiar with new security best practices, so they tend to configure the service with lower security or more privileged accounts “just to be sure.” For example:
- SQL Server Reporting Services (and many others) should use a “virtual” (managed local) account—an administrator might instead give it a high-privilege Local System or domain admin account.
- Remote Desktop Services should be configured for “Network Level Authentication”—an administrator might not know if all clients are compatible, and thus turn this feature off.
- Most exploits allow you to change the target port. In addition to adjusting your attack to account for “security by obscurity,” you can also experiment to see if secondary ports react the same way as primary ports.
- Services with a lower privilege level can be used as a stepping stone to escalate privilege. Tools include:
- Windows Escalate Service Permissions Local Privilege Escalation, Metasploit module: exploit/windows/local/service_permissions
- PowerSploit Invoke-ServiceAbuse or Write-ServiceBinary
Note: For more examples of exploiting weak service permissions, see pentestlab.blog/2017/03/30/weak-service-permissions
Note: For more information on well-known ports, see www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Windows File Systems
Most Windows file system vulnerabilities are related to improperly set permissions. However, there have been other notable vulnerabilities and exploits. The following are the most common.
Permissions
This is by far the biggest file-system-related security problem. By default, the Everyone group can read a share, and the Users group can read a folder or file. This means insiders could use tools like FileLocator Pro, Agent Ransack, or Effective File Search to search the network for files with sensitive information. Additionally, a tool like NTFSDOS can be used along with physical access to the machine to bypass NTFS permissions.
You can also use Metasploit module post/windows/gather/file_from_raw_ntfs to bypass some restrictions such as locks on open files. This allows the attacker to retrieve otherwise uncopyable files such as the Active Directory database ntds.dit.
Alternate Data Streams (ADS)
Microsoft included ADS in the NTFS file system for compatibility with the Macintosh HFS file system. It can be abused, however, because you can use it to hide files in the file system. The drive might report less free space, but the hidden files cannot be viewed or listed through normal means.
A simple example of using ADS is C:\>echo “Super secret info” > test.txt:hidden.txt. This creates an empty file called test.txt, while simultaneously creating a hidden file called hidden.txt. The hidden file has the secret message. To view the secret message, you could use a text editor; for example, C:\>notepad.exe test.txt:hidden.txt. You can use this to hide whole video files if desired.
You can also use tools such as LADS, Streams, or PowerShell Get-Item and Set-Content cmdlets to create, view, and manipulate ADS files.
Unquoted Service Paths
This is potentially a very powerful vulnerability. It takes advantage of file paths that have spaces in the names, and can be used to hijack DLLs and other executables. Consider the following example:
C:\Gaming Group\coolgames\mygame.exe
The path has a space between Gaming and Group. If this path is not surrounded in quotes, for example “C:\Gaming Group\coolgames\mygame.exe”, then Windows will stop at the space to see if it can execute the name before the space. In this case, Windows would try to launch an executable named C:\Gaming.exe.
A variant of this is DLL hijacking, in which the path to any DLLs called by the application could be abused in a similar manner. If the application is a service that starts with Local System privilege, then your malicious version can do just about anything because it too would start with that privilege level.
You can search for services that have this vulnerability using:
- Metasploit module exploit/windows/local/trusted_service_path
- PowerSploit Get-ServiceUnquoted cmdlet
- WMIC query wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””
Note: For more information on unquoted service paths, see https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/s://pentest.blog/windows-privilege-escalation-methods-for-pentesters/, https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
Weak or Nonexistent Encryption
Historically, Windows files were not encrypted by default. They might have permissions that require SYSTEM privilege, or be in a format that you can’t open with a text editor, or have their data hashed or encrypted, but the files themselves were not encrypted. There have been several attempts to correct this:
- NTFS encryption—Encrypts NTFS access to files and folders. Can be bypassed using tools like ER Commander and NTFSDOS.
- SYSKEY to encrypt the SAM—A special boot disk such as Ultimate Boot CD for Windows or Offline NT Password & Registry Editor can delete it.
- Encrypting File System (EFS)—Uses multiple keys to encrypt/decrypt files. Only works on that local file system. Encrypted files that are transmitted across the network, or copied to an unencrypted location, are unencrypted before they are copied or sent. Some commercial tools also dump the file from memory. If the system crashes while you are working on an encrypted file, a cleartext version of the file is saved in the crashdump.
- BitLocker—Encrypts the whole drive. Files on the drive stay encrypted, even in use. Data from the files, however, are decrypted as they are loaded into memory. There are commercial forensics tools that can be used to dump loaded content from RAM.
Code Vulnerabilities
Here are some common code vulnerabilities:
- NTFS 3.1 Master File Table DoS Exploit—Currently no CVE. This exploits a vulnerability in the Windows Master File Table. Specially crafted HTML will cause a browser to try to access a non-existent file. The browser will hang and then the entire system will become unresponsive. Affects Windows XP – 8.1. https://www.exploit-db.com/exploits/42253/s://www.exploit-db.com/exploits/42253/.
- Windows 10 NTFS Owner/Mandatory Label Privilege Bypass Escalation of Privilege Exploit—CVE-2018-0748. Circumvents security checks allowing a non-admin user to set the security descriptor on a file with non-standard values. https://www.exploit-db.com/exploits/43514/s://www.exploit-db.com/exploits/43514/.
- Windows NTFS DoS Exploit—Currently no CVE. This exploit generates a Blue Screen of Death using a handcrafted NTFS image. Affects Windows XP through 10, Server 2012 R2. https://github.com/mtivadar/windows10_ntfs_crash_doss://github.com/mtivadar/windows10_ntfs_crash_dos.
Note: There are currently additional Windows file system code vulnerabilities, but as yet no exploits for them have been found in the wild.
Most Windows file system vulnerabilities are related to improperly set permissions. However, there have been other notable vulnerabilities and exploits. The following are the most common.
Windows Kernel Vulnerabilities
The Windows kernel (ntoskrnl.exe) is the core part of the operating system. Its duties include managing memory, scheduling threads to run on the CPU, controlling device I/O, and other tasks. It runs at the most privileged level on the CPU (Ring 0), and has priority over all other processes. Exploits that attack the kernel are extremely powerful. They escalate your privilege, but can also destabilize the system. Advanced persistent threats (APTs) use kernel vulnerabilities to keep their malware hidden. Malicious code that runs in the kernel is hard to detect and even harder to get rid of. GitHub lists over 50 Windows kernel exploits for download. A Metasploit search query search kernel platform:windows returns about 20 results. The following table summarizes some of the more notable Windows kernel exploits. Nearly all are local exploits, meaning that they must be run after you have gained access to the system.
| Vulnerability | Description | Exploit |
| EternalBlue | CVE-2017-0143, MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption buffer overflow. SMB 1.0 improper handling of certain requests. Affects Windows Server 2016, 2008 R2, and Windows 7 (x64 all service packs). | Metasploit module: exploit/windows/smb/ms17_010_eternalblue |
| Kernel mode drivers | CVE-2016-7255, MS16-135 Windows kernel mode drivers incorrectly handle objects in memory. Local privilege elevation. Affects Windows Server 2016, Windows 8.1, 8, and 7. | https://github.com/mwrlabs/CVE-2016-7255 |
| Secondary Logon Service | CVE-2016-0099, MS16-032 Secondary Logon Handle Local privilege elevation. Exploits lack of sanitization of standard handles in Windows Secondary Logon Service. Affects Windows Vista through Server 2016, all platforms and service pack levels. | Metasploit module: exploit/windows/local/ ms16_032_secondary_logon_handle_privesc https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032 |
| Kernel mode drivers | CVE-2015-1701, MS15-051 Windows kernel mode drivers allow local privilege elevation and arbitrary code. Affects Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, and Windows Server 2012. | Metasploit module: exploit/windows/local/ms15_051_client_copy_image |
| Null pointer dereference | CVE-2014-4113, MS14-058 WindowsTrackPopupMenu Win32k NULL Pointer Dereference. Exploits vulnerabilities in how Windows kernel-mode drivers handle objects in memory. Affects Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, and 8. | Metasploit module: exploit/windows/local/ms14_058_track_popup_menu https://github.com/sam-b/CVE-2014-4113 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip |
| Kernel vulnerability | CVE-2013-5065, MS14-002 Windows Kernel Vulnerability. Affects Windows XP, Windows Server 2003. | Metasploit module: exploit/windows/local/ms_ndproxy |
| Kernel mode drivers | CVE-2013-008, MS13-005 Kernel Mode Driver. Allows a lower-level process to broadcast to a higher-level process, thus effecting a privilege escalation. Affects Windows Server 2003, Windows Server 2008, 7, 8, and Windows Server 2012. | Metasploit module: exploit/windows/local/ms13_005_hwnd_broadcast https://www.exploit-db.com/exploits/24485/ |
| Kernel vulnerability | CVE-2010-0232, MS10-015 Kernel vulnerabilities create a new session with SYSTEM privilege. Exploit relies on kitrap0d.x68.dll and does not run on x64 editions. Affects Windows Server 2003, Windows Server 2008, 7, XP. | Metasploit module: exploit/windows/local/ms10_015_kitrap0d https://www.exploit-db.com/exploits/11199/ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip |
Note: For an interesting article on the anatomy of kernel exploits, see https://www.lastline.com/labsblog/unmasking-kernel-exploits/
Privilege Escalation in Windows
Privilege escalation is one of the primary objectives in any exploit. It allows the attacker to gain control, access/change sensitive files, and leave permanent backdoors. During a pen test, you will rarely get administrative access to a target system on your first attempt. You’ll need to find a way to elevate your access to administrator, and then (hopefully) SYSTEM level.
In addition to kernel-specific exploits, there are other types of exploits that can elevate privilege. They take advantage of services, drivers, and applications running in SYSTEM or administrator privilege. Like the kernel exploits, most are run locally after you have gained access to the target. Here are a few examples.
| Vulnerability/Technique | Description | Exploit |
| SAM file | Dump the contents of the SAM file to get cleartext or hashed passwords. Or, copy the SAM file using Volume Shadow Service or by booting into another OS to crack passwords offline. | gsecdump fgdump pwdump Metasploit Meterpreter hobocopy (See previous discussion, “Password Cracking Tools.”) |
| User application compromise | Compromise applications such as Internet Explorer, Adobe Reader, or VNC to gain access to a workstation. From there you can use Windows User Account Control (UAC) bypass techniques to escalate privilege. These attacks typically require a victim to open a file or web page through social engineering. | Metasploit modules: exploit/windows/vnc/realvnc_client exploit/windows/browser/ms10_002_aurora exploit/windows/fileformat/adobe_pdf_embedded_exe |
| Local UAC bypass | Bypass local UAC. Example: use process injection to leverage a trusted publisher certificate. | Metasploit modules: post/windows/gather/win_privs exploit/windows/local/bypassuac Meterpreter getsystem |
| Weak process permissions | Find processes with weak controls and see if you can inject malicious code into those processes. | Metasploit modules: post/multi/recon/local_exploit_suggester post/multi/manage/shell_to_meterpreter Meterpreter migrate and getsystemcommands Tarasco Process Injector |
| Shared folders | Search for sensitive information in shared folders, as it is common for them to have few or no restrictions. | Metasploit module auxiliary/scanner/smb/smb_enumshares |
| DLL hijacking | Elevate privileges by exploiting weak folder permissions, unquoted service paths, or applications that run from network shares. Replace legitimate DLLs with malicious ones. | www.greyhathacker.net/?p=738 Metasploit module exploit/windows/local/trusted_service_path |
| Writable services | Edit the startup parameters of a service, including its executable path and account. You could also use unquoted service paths to inject a malicious app that the service will run as it starts up. | AccessChk.exe Metasploit module exploit/windows/local/service_permissions |
| WebDAV | Microsoft WebDAV clients could elevate privilege with specially crafted requests. Affects Windows Server 2008, Vista, 7. CVE-2016-0051, MS16-016. | Metasploit module exploit/windows/local/ms16_016_webdav https://github.com/koczkatamas/CVE-2016-0051 |
| Ancillary Function Driver | Ancillary Function Driver (AFD) does not properly validate input before passing it from user mode to the kernel. This could grant a local attacker elevation of privilege. Affects Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012. CVE-2014-1767, MS14-040. | www.exploit-db.com/exploits/39446 https://github.com/JeremyFetiveau/Exploits/blob/master/MS14-040.cpp |
| Task Scheduler 2.0 | Task Scheduler 2.0 does not properly determine the security context of its scheduled tasks. This could allow an attacker to escalate privilege. Affects Windows Vista SP1/SP2, Windows Server 2008 Gold, SP2/R2, Windows 7. CVE-2010-3338, MS10-092. | Metasploit module /exploit/windows/local/ms10_092_schelevator www.exploit-db.com/exploits/15589 |
| Missing patches and misconfigurations | Search for missing patches or common misconfigurations that can lead to privilege escalation. | BeRoot Project https://github.com/AlessandroZ/BeRoot Sherlock https://github.com/rasta-mouse/Sherlock |
Note: For more information on bypassing UAC for privilege escalation, see www.hackingarticles.in/7-ways-to-privilege-escalation-of-windows-7-pc-bypass-uac
Note: To search Metasploit for local exploits that escalate privilege, at the msf console, enter search exploit/windows/local -S Escalation.
Note: For more information on services that are writable or have weak permissions, see https://pentestlab.blog/2017/03/30/weak-service-permissions, www.greyhathacker.net/?p=738, https://hackingandsecurity.blogspot.com/2016/08/common-windows-privilege-escalation.html
Memory Vulnerabilities
Memory vulnerabilities are programmatic flaws in which the application improperly accesses or handles objects stored in memory. These vulnerabilities can result in memory corruption leading to arbitrary code execution or denial of service. Because memory exploits work outside the normal bounds of the operating system, many activities conducted during those exploits will not be logged. If you exploit a memory vulnerability, you must keep in mind that you have destabilized that particular service or the system. Set up your backdoor and get out. If you run a buffer overflow against a target, you usually cannot run the same overflow again until the target reboots and resets its memory.
Common exploits against Windows memory include:
- Use-After-Free—One of the simplest ways to corrupt memory. The attacker attempts to access memory that has been freed (is no longer needed) by the program. This can cause the program to crash or allow execution of arbitrary code.
- Buffer overflow—A difficult attack to develop but very powerful when done correctly. The attacker attempts to put more data in a program’s memory buffer than it can hold. This overruns the buffer’s boundaries, allowing malicious code to be entered (and executed) in adjacent memory addresses.
- Heap overflow—A type of buffer overflow that occurs in dynamically allocated memory addresses.
- Integer overflow—An arithmetic operation that creates a numeric value that is outside the range (too large or too small) of the bits assigned to represent it. It could allow an attacker to access arbitrary parts of memory for code execution.
- Memory leak denial of service—The intentional triggering of a memory leak to crash the program or take advantage of unexpected behavior due to low memory.
There are many Windows memory exploits available. A search on www.exploit-db.com for windows memory returns 97 entries. To find Metasploit modules that exploit Windows memory, open the msf console and enter these searches:
search integer platform:windows
search “Buffer Overflow” platform:windows -S great
search Use-After-Free platform:windows
Default Accounts in Windows
Both Windows and Active Directory ship with a number of default accounts. They cannot be deleted, and have fixed privileges that cannot be removed. Some are disabled by default, but can be enabled. All default accounts have a fixed relative ID (RID) that cannot be changed, even if the account name is changed. This makes them immediately identifiable. Even low-level accounts can be dangerous, because they provide access to the system and can have their privilege escalated. The following table summarizes common ways to exploit default Windows accounts.
| Account | Description | Exploit |
| Guest | Does not require a password Has limited user-level access Disabled by default Has the RID of 501 | Can be added to any user group, including administrators Can run privilege escalation exploits, https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213 |
| Administrator | Can perform any action on a system Cannot be locked out Has the RID of 500 | Use Meterpreter getsystem command to elevate to SYSTEM privilege |
| krbtgt | Encrypts and digitally signs all Kerberos tickets Has the RID of 502 | Use a tool such as Mimikatz, Meterpreter hashdump, ntdsutil, or Metasploit DCSync to dump account password hash Use dumped hash in Metasploit module or Kiwi plugin to create an unauthorized Golden ticket for access to Active Directory: kerberost_ticket_use golden_ticket_create post/windows/escalate/golden_ticket Note: For more information on creating Golden tickets, see https://pentestlab.blog/tag/krbtgt, https://pentestlab.blog/2018/04/09/golden-ticket. |
| DefaultAccount | Added in Windows 10, Server 2016 Has the RID of 503 Managed by SYSTEM | Can be added to any user group, including administrators Can have its password changed |
| WDAGUtilityAccount | Used by Windows Defender Application Guard Has the RID of 504 | Can be added to any user group, including administrators Can have its password changed |
| defaultuser0 | Created during Windows 10 installation before any user accounts are created Has the RID of 100x (dependent on install) | Can be added to any user group including administrators Can have its password changed |
Windows Account Manipulation
Accounts (including Guest and DefaultAccount) can be manipulated using the net user and net localgroup commands. Here are some examples. You will need administrator or SYSTEM level privilege to run some of these commands.
| To Do This Action: | Run This Command: |
| List all users | net user |
| See information about guest | net user guest |
| Search the status of guest to determine if it’s active (enabled) or not | net user guest | findstr /C:”active” |
| Activate (enable) guest | net user guest /active:yes |
| Set/change the guest password to Pa22w0rd | net user guest Pa22w0rd |
| Add guest to the local administrators group | net localgroup administrators /add guest |
| View the SID of each account | wmic useraccount get name,sid |
Note: For information about default accounts/groups and their SID numbers, see https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
Default Configurations in Windows
Default configurations all have one thing in common: they are predictable and can thus be studied for vulnerabilities. Many exploits depend on systems having unpatched defaults. In the past, Windows shipped with less-restrictive defaults that were easier to exploit. For example, administrator passwords could be simple (or even blank) and non-expiring. Unnecessary services, such as IIS, were installed by default, sometimes with disastrous consequences. One of the most notable examples was IIS 5.0, which was part of any default Windows Server 2000 installation. It allowed directory traversal, information leakage, privilege escalation, and arbitrary code execution—all through the URL of a browser. This default helped spread the infamous nimda worm, one of the fastest-moving and costliest computer viruses of all time.
Over the years, Microsoft shifted their default configurations from being more permissive to more restrictive. However, all default installations must be followed up by applying patches and additional security policies. Not all administrators do this. In some cases, default configurations are relaxed to permit backward compatibility or extra functionality, especially for legacy applications that cannot be updated.
Vulnerable defaults that still persist include:
- Unnecessary services—Default installations of Windows have always included services that you might not actually need. Use the following to identify and disable unnecessary services:
- PowerShell get-service | fl and set-service cmdlets
- msconfig.exe
- Support for SMB v1.0—This weak file and print protocol has been the subject of many exploits, the latest being EternalBlue. It still ships with all Windows operating systems, including Server 2016.
- Domain account password caching—Domain user credentials that have been cached on the local machine can be dumped and used by an attacker.
- Default accounts—Accounts such as administrator, guest, krbtgt, and others have Security IDs (SIDs) that cannot be changed. This makes them a target for dumping hashes and passing-the-hash.
- Default security logging—Windows security logging does not include sensitive file/folder access. Additionally, log file sizes are often too small for an enterprise organization, and logging is not automatically forwarded to a central server. All of these things make it easier for an attacker to go unnoticed or cover their tracks.
Note: For more information on disabling unnecessary server services, see https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabling-system-services-on-windows-server-2016-with-desktop-experience/
Guidelines for Exploiting Windows-Based Vulnerabilities
Here are some guidelines you can follow when exploiting Windows-based vulnerabilities.
- Port scan, vulnerability scan, and fingerprint the OS to identify likely vulnerability starting points.
- When cracking passwords, attempt to dump hashes or steal a copy of the SAM or ntds.dit, then crack offline to avoid detection and account lockout.
- Use large dictionaries or rainbow tables when cracking passwords.
- When confronted with passwords that are difficult to crack, consider passing the hash or stealing a token to impersonate a user instead.
- When examining port scan output, do not overlook unusual ports, as they may be used by a vulnerable service.
- Keep in mind that many services can be negotiated down to a less secure protocol version.
- When targeting the file system, consider exploiting weak permissions, unquoted service paths, or vulnerable file system driver code.
- Keep in mind that kernel exploits can evade detection and give you system privilege, but they can also destabilize your target.
- Attempt to escalate to SYSTEM level privilege for maximum exploit effectiveness.
- Keep in mind that buffer overflows, while considered to be the “gold standard” of exploits, will by their very nature destabilize the target service. Create your backdoor and get out.
- Take advantage of default accounts and SIDs that cannot be changed.
- Target the user account krbtgt to create a Golden ticket for access to the domain.
- Remember that Windows still ships with vulnerable defaults. Most of these are code weaknesses that are allowed for backward compatibility.
- As more servers and applications are moved into a virtual environment, stay informed on upcoming sandbox escapes that you can use.