Here are some guidelines you can follow when exploiting Windows-based vulnerabilities.

  • Port scan, vulnerability scan, and fingerprint the OS to identify likely vulnerability starting points.
  • When cracking passwords, attempt to dump hashes or steal a copy of the SAM or ntds.dit, then crack offline to avoid detection and account lockout.
  • Use large dictionaries or rainbow tables when cracking passwords.
  • When confronted with passwords that are difficult to crack, consider passing the hash or stealing a token to impersonate a user instead.
  • When examining port scan output, do not overlook unusual ports, as they may be used by a vulnerable service.
  • Keep in mind that many services can be negotiated down to a less secure protocol version.
  • When targeting the file system, consider exploiting weak permissions, unquoted service paths, or vulnerable file system driver code.
  • Keep in mind that kernel exploits can evade detection and give you system privilege, but they can also destabilize your target.
  • Attempt to escalate to SYSTEM-level privilege for maximum exploit effectiveness.
  • Keep in mind that buffer overflows, while considered to be the "gold standard" of exploits, will by their very nature destabilize the target service. Create your backdoor and get out.
  • Take advantage of default accounts and SIDs that cannot be changed.
  • Target the krbtgt account to create a Golden Ticket for access to the domain.
  • Remember that Windows still ships with vulnerable defaults. Most of these are weaknesses retained for backward compatibility.
  • As more servers and applications are moved into a virtual environment, stay informed on upcoming sandbox escapes that you can use.
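The unquoted service path item above is the one point on this list that a defender can turn into a precise, repeatable check. When a service's ImagePath contains spaces and is not quoted, the Service Control Manager resolves the command line ambiguously, so a writable intermediate directory becomes a problem. The PowerShell below is an added example, not code from the original page: it audits the local machine for services in that state and offers a companion function that quotes the executable portion of the path. The function names, the filter that skips paths under the Windows directory (normally not user-writable, so it is only a noise reduction), and the regex used to split the executable from its arguments are my choices, not anything the page specifies. Run it from an elevated prompt; it uses only built-in cmdlets.

```powershell
# Added example (not from the original page): find Windows services whose
# ImagePath contains a space but is not quoted, and optionally fix them.
# Assumes an elevated PowerShell session and built-in cmdlets only.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Win32_Service.PathName is the raw command line the SCM will execute.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $p = $_.PathName
            -not [string]::IsNullOrWhiteSpace($p) -and
            -not $p.StartsWith('"') -and                 # already quoted: safe
            -not $p.StartsWith("'") -and
            ($p -match '\s') -and                        # whitespace somewhere in the path
            ($p -notmatch '^[A-Za-z]:\\Windows\\')       # noise filter (assumption): system dir is not user-writable
        } |
        ForEach-Object {
            # Separate the executable from its arguments so the reader sees what will be quoted.
            $exe = if ($_.PathName -match '^(?<exe>.+?\.exe)') { $Matches.exe } else { $_.PathName }
            [pscustomobject]@{
                Name       = $_.Name
                StartMode  = $_.StartMode
                RunAs      = $_.StartName
                Executable = $exe
                PathName   = $_.PathName
            }
        }
}

function Repair-UnquotedServicePath {
    # Wraps only the executable path in quotes and preserves any trailing arguments.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$PathName
    )
    process {
        if ($PathName -match '^(?<exe>.+?\.exe)(?<args>.*)$') {
            $fixed = '"{0}"{1}' -f $Matches.exe, $Matches.args
            $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
            # ShouldProcess honours -WhatIf / -Confirm so the change can be reviewed first.
            if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
                Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
            }
        }
        else {
            Write-Warning "Skipping $Name : could not locate an .exe in '$PathName'"
        }
    }
}

# Report first; apply the fix only after reviewing the list.
Get-UnquotedServicePath | Format-Table -AutoSize
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Review the report before removing `-WhatIf`: a service whose path does not end in `.exe` (for example one that launches a host process with a script argument) is skipped with a warning rather than rewritten, and the Windows-directory filter can be dropped if you want an exhaustive list rather than a short one.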