Exploit-db.com lists 1,239 Windows-related exploits, and in msfconsole the command grep -c exploit search platform:windows counts 1,160 Windows exploit modules (both figures as of this writing). The following table summarizes some of the most exploited Windows vulnerabilities of all time.

Vulnerable Feature | Description | Exploits and Tutorials

Null sessions

A deliberate feature that allowed anonymous (unauthenticated) connections to the IPC$ share. It also unintentionally let an attacker enumerate a large amount of detail about the system: NetBIOS names, users, group memberships, shares, the password and lockout policy, and more. CVE-1999-0519. Newer Windows versions block most of this by default through the Lsa registry values RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous, but the behaviour is still found on legacy or misconfigured hosts.

  • Enum4Linux
  • WinScanX
  • smb-enum-users.nse
  • smb-enum-shares.nse
  • getacct.exe
  • winfingerprint-x

LM password hash

A weak hashing algorithm used in early versions of Windows. It has been disabled by default since Windows Vista and Server 2008, but can still be enabled by policy in Windows Server 2016 and Windows 10. The password (not the hash) is converted to uppercase, truncated or null-padded to exactly 14 bytes, and split into two 7-byte halves; each half is used as a DES key to encrypt the constant string KGS!@#$%, and the two 8-byte results are concatenated. Because the halves are cracked independently and the character set is small, cracking LM hashes is simple and in some cases trivial: rainbow tables recover any LM hash in seconds, and a password of seven characters or fewer leaves the second half as the fixed value aad3b435b51404ee.

  • Cain & Abel
  • Hydra
  • John the Ripper
  • Medusa
  • Ophcrack
  • L0phtCrack
  • Hashcat
  • NetBIOS Auditing Tool (NAT)
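The structural weaknesses just described show up directly in a password-hash dump, so a practitioner's first step is usually to triage which accounts are worth attacking. The following is an added example written for this page, not code from the page or from any of the tools listed above. It parses pwdump-style lines (user:rid:lmhash:nthash:::) and uses two well-known constants: the LM hash of the empty string, which is also what dump tools print when no LM hash is stored, and the fixed second half that every password of seven characters or fewer produces. The sample dump is constructed; only the svc_backup hashes are real (the LM and NT hashes of the string "password"), the other hash values are arbitrary hex.

```python
import re

# Well-known constant values (not taken from the page):
#  - LM hash of the empty string; also what pwdump-style tools print when no LM
#    hash is stored at all (NoLMHash policy), so on its own it is ambiguous.
#  - A password of 7 or fewer characters leaves the second 7-byte DES key all
#    zeros, so the second half of its LM hash is always the constant below.
#  - NT hash of the empty string; together with the empty LM hash it means the
#    account really has a blank password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump / secretsdump format: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

# Constructed sample dump. svc_backup carries the well-known LM and NT hashes of
# the string "password"; the other hash values are arbitrary hex, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
svc_backup:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1106:1c3a2b4d5e6f7a8baad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
this line is not in pwdump format and is skipped
"""


def triage_pwdump(lines):
    """Classify each account's LM exposure. Returns one dict per parsed line."""
    findings = []
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        lm, nt = m["lm"].lower(), m["nt"].lower()
        f = {
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm_stored": lm != EMPTY_LM_HASH,   # a real LM hash is on disk
            "short_password": False,           # <= 7 chars: one 7-byte DES key to crack
            "empty_password": False,
        }
        if lm == EMPTY_LM_HASH and nt == EMPTY_NT_HASH:
            f["empty_password"] = True
        elif f["lm_stored"] and lm[16:] == EMPTY_LM_HALF:
            f["short_password"] = True
        findings.append(f)
    return findings


def lm_exposed_users(lines):
    """Names of accounts whose LM hash should be fed to a cracker first."""
    return [f["user"] for f in triage_pwdump(lines) if f["lm_stored"]]


if __name__ == "__main__":
    for f in triage_pwdump(SAMPLE_DUMP.splitlines()):
        print(f)
    print("LM hashes worth cracking:", lm_exposed_users(SAMPLE_DUMP.splitlines()))
```

On the defensive side, the relevant setting is the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Group Policy: "Network security: Do not store LAN Manager hash value on next password change"). Note that it only takes effect at the next password change, so a dump taken right after the policy is applied will still contain LM hashes for every account that has not changed its password since.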

IIS 5.0 Unicode

IIS 5.0 failed to canonicalize URLs correctly before checking them for directory traversal. Two related flaws were involved: it accepted overlong UTF-8 encodings of the path separators, such as %c0%af for / and %c1%9c for \ (MS00-078, CVE-2000-0884), and it percent-decoded the URL a second time after the traversal check, so that %255c (which decodes to %5c and then to \) slipped through (MS01-026, CVE-2001-0333). Either flaw lets a request such as /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir walk out of the web root and run cmd.exe, giving directory traversal, information disclosure and remote command execution from nothing more than a browser URL. Both were major vectors in the spread of the Nimda worm.

  • Internet Explorer 5 or other browsers from that time period
  • HTML-based email messages
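The canonicalization mistake behind this row, modelled in Python as an added example (this is not code from the page or from IIS; the document root /inetpub/wwwroot and the order of operations are a simplified model of the server's behaviour). resolve_vulnerable runs the ".." check after a single percent-decode and then decodes again with a lenient UTF-8 decoder, so both %c0%af and %255c escape the web root while a plain /../ is caught; resolve_hardened decodes exactly once with strict UTF-8, canonicalizes, and only then checks containment.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"   # assumed document root for this model (real IIS: C:\Inetpub\...)


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way IIS 5.0 did: a 2-byte sequence is accepted even when it
    is an overlong encoding of an ASCII byte, so C0 AF -> '/' and C1 9C -> '\\'.
    Any byte that does not start a 2-byte sequence passes through as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def _has_dotdot_segment(path: str) -> bool:
    # The traversal check IIS applied: is any path segment exactly ".."?
    return ".." in path.replace("\\", "/").split("/")


def resolve_vulnerable(url_path: str):
    """Model of the flawed order of operations: percent-decode once, run the '..'
    check, then decode a second time and apply the lenient UTF-8 decoder.
    Returns the filesystem path that would be served, or None if rejected."""
    once = unquote_to_bytes(url_path)
    if _has_dotdot_segment(once.decode("latin-1")):
        return None                                   # the obvious /../ is caught here
    twice = unquote_to_bytes(once)                    # double-decode bug: %255c -> %5c -> '\'
    path = lenient_utf8(twice).replace("\\", "/")     # overlong bug: %c0%af -> '/'
    return posixpath.normpath(WEBROOT + path)


def resolve_hardened(url_path: str):
    """Decode exactly once with strict UTF-8, canonicalize, then check containment."""
    try:
        path = unquote_to_bytes(url_path).decode("utf-8")   # strict: overlong C0/C1 sequences fail
    except UnicodeDecodeError:
        return None
    resolved = posixpath.normpath(WEBROOT + path.replace("\\", "/"))
    if resolved != WEBROOT and not resolved.startswith(WEBROOT + "/"):
        return None                                   # canonical path left the web root
    return resolved


if __name__ == "__main__":
    for req in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%255c../winnt/system32/cmd.exe",
                "/scripts/../../winnt/system32/cmd.exe",
                "/scripts/index.asp"):
        print(req, "->", resolve_vulnerable(req), "|", resolve_hardened(req))
```

Two points worth noticing in the output: the vulnerable resolver blocks the literal /../ request, which is exactly why the filter looked adequate, and the hardened resolver does not need a blacklist of encodings at all; strict decoding plus a containment check on the canonical path covers every variant, including ones not yet seen.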

IIS 5.0 WebDAV

A buffer overflow in ntdll.dll (in the path-conversion routine RtlDosPathNameToNtPathName_U), reachable remotely through IIS 5.0's WebDAV support by sending an overly long URI in a WebDAV request such as SEARCH or PROPFIND. Gave the attacker remote code execution as SYSTEM. CVE-2003-0109 (MS03-007). Worked against Windows 2000 through Service Pack 3; SP4 includes the fix. Because the flaw is in ntdll.dll rather than in IIS itself, other applications that passed attacker-controlled paths to the same routine were also exposed.

  • Metasploit module exploit/windows/iis/ms03_007_ntdll_webdav
  • https://www.exploit-db.com/exploits/16470/
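Both IIS rows above (the Unicode/double-decode traversal and the WebDAV ntdll overflow) leave distinctive traces in the server's W3C extended log, so a single scanner covers both. The following is an added example written for this page, not code from the page or from Microsoft. It reads the field order from the #Fields header, flags the overlong and double-encoded separator variants commonly listed for Nimda, flags requests for cmd.exe, and flags WebDAV methods whose URI exceeds a length threshold (the 1024-byte default is an assumption; the public MS03-007 exploits send URIs tens of kilobytes long). The log lines are constructed; the addresses and timestamps are invented.

```python
import re

# Encodings of "/" and "\" that IIS 5.0 canonicalized incorrectly: overlong UTF-8
# forms (%c0%af, %c1%9c, ...) and double-encoded forms (%255c, %252f, %%35c, ...).
# This is the set of variants commonly cited for Nimda; extend as needed.
TRAVERSAL_RE = re.compile(
    r"%c0%af|%c0%2f|%c1%9c|%c1%1c|%255c|%252f|%%35c|%%35%63|%25%35%63", re.IGNORECASE
)
SHELL_RE = re.compile(r"/cmd\.exe", re.IGNORECASE)
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL", "COPY", "MOVE"}

# Constructed W3C extended log lines in the layout IIS 5.0 writes.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-09-18 14:02:11 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-09-18 14:02:12 192.0.2.10 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200",
    "2003-03-19 09:41:03 198.51.100.7 SEARCH /" + "A" * 65535 + " - 500",
    "2003-03-19 09:41:05 198.51.100.7 PROPFIND /webdav/ - 207",
    "2001-09-18 14:03:00 192.0.2.22 GET /default.htm - 200",
]


def scan_iis_log(lines, long_uri=1024):
    """Return one finding per suspicious request. long_uri is an assumed threshold
    for the WebDAV overflow check (real exploit URIs are far longer than 1024 bytes)."""
    fields, findings = None, []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]              # field order comes from the header
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))      # IIS logs '+' for spaces, so split is safe
        method, stem = rec.get("cs-method", ""), rec.get("cs-uri-stem", "")
        reasons = []
        if TRAVERSAL_RE.search(stem):
            reasons.append("overlong-UTF-8 or double-encoded separator in path (IIS Unicode / double-decode traversal)")
        if SHELL_RE.search(stem):
            reasons.append("cmd.exe requested through the web server")
        if method.upper() in WEBDAV_METHODS and len(stem) > long_uri:
            reasons.append(f"WebDAV {method} with {len(stem)}-byte URI (possible MS03-007 ntdll overflow)")
        if reasons:
            findings.append({"line": n, "c-ip": rec.get("c-ip"), "method": method, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["line"], f["c-ip"], f["method"], "; ".join(f["reasons"]))
```

The traversal signatures are a blacklist and will miss encodings not on the list; on a live server the fix is the patch (or removing the script mappings and WebDAV when not needed), and the log scan is for finding hosts that were hit before the fix went on.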

RPC DCOM

The RPCSS service handles DCOM activation requests between software components on networked computers. A stack buffer overflow in its handling of the file/server name inside a DCOM object activation request, reachable unauthenticated over TCP port 135 and other RPC endpoints, provides remote code execution as SYSTEM. The original exploit, dcom.c, was published in many places and worked against Windows 2000, XP and Server 2003; it is reliable as long as the correct per-OS return address is chosen. CVE-2003-0352 (MS03-026), the vulnerability used by the Blaster worm. CVE-2015-2370 (MS15-076), sometimes listed as a Windows 8.1 variant, is a different bug in the same subsystem: a local elevation of privilege through NTLM reflection against DCOM, not a remote exploit.

  • Metasploit module: exploit/windows/dcerpc/ms03_026_dcom
  • https://downloads.securityfocus.com/vulnerabilities/exploits/dcom.c
  • Windows 8.1: https://www.exploit-db.com/exploits/37768/

SMB NetAPI

Microsoft Server service relative path stack corruption (MS08-067). A flaw in the path canonicalization code in netapi32.dll (NetpwPathCanonicalize), reachable without authentication through the Server service's SMB named pipe, permits a stack buffer overflow that grants remote code execution as SYSTEM. Reliable against Windows 2000 through XP and some Server 2003 targets; Vista and Server 2008 were also affected but are harder to exploit. CVE-2008-4250. Exploited at scale by the Conficker worm.

  • Metasploit module exploit/windows/smb/ms08_067_netapi
  • https://www.exploit-db.com/exploits/40279/