Windows services tend to have one thing in common: in order to support as many clients as possible, they must support multiple protocols and configurations, even ones that are less secure. A port scan alone won't tell you if a service is vulnerable. A vulnerability scan will only identify signatures that it knows to look for. Exploit developers may or may not devote time to more obscure configurations. And yet, vulnerabilities—and opportunity for exploitation—can still exist.
As you look to exploit Windows services, keep the following points in mind:
- All network-based services listen on at least one open port, making them a target for remote attacks.
- Protocols that are used across all versions of Windows are likely to have their own version-specific exploits. For example, here are some SMB-based exploits by OS version. Notice that some of them work against multiple versions:
- Windows Server 2016: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
- Windows 10: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
- Windows Server 2012: MS17-010 EternalBlue GitHub worawit/eternalblue8_exploit.py
- Windows 8: MS17-010 EternalBlue GitHub worawit/eternalblue8_exploit.py
- Windows Server 2008: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption, MS08-068 Microsoft Windows SMB Relay Code Execution
- Windows 7: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Windows Vista: MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
- Windows Server 2003: MS08-067 Microsoft Server Service Relative Path Stack Corruption, MS15-020 Microsoft Windows Shell LNK Code Execution
- Windows XP: MS08-067 Microsoft Server Service Relative Path Stack Corruption, MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
- Windows 2000: MS08-067 Microsoft Server Service Relative Path Stack Corruption, MS05-039 Microsoft Plug and Play Service Overflow
- Windows NT 4.0: MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
Note: The previous list is not comprehensive. For more information, conduct a Google search for Windows x SMB exploits.
- Do not overlook ports that are unfamiliar to you. They may have known exploits. For example:
- TCP 5985: WinRM. Used for WS-Management and PowerShell remoting. Exploits: Numerous. Metasploit search winrm
- UDP 1900: UPnP/SSDP. Used for Universal Plug and Play. Exploits: ssdp Reflection DoS https://www.exploit-db.com/exploits/37561/, Metasploit search auxiliary name:ssdp
- UDP 5355: LLMNR. Used when DNS cannot resolve names. Exploits: Kali Responder, MITMf, Metasploit search auxiliary name:llmnr
- Keep in mind that IPv6 can carry exploits to the same TCP and UDP ports as well as IPv4.
- Some services open secondary ports. Even if current exploits do not target the secondary port by default, the process could still have vulnerabilities.
- Banner grabbing and nmap -sV interrogation can identify many services, even if the port is non-standard.
- Many services can be negotiated down to a less secure protocol or configuration. For example:
- Web server TLS --> SSLv3 or SSLv2 (POODLE attack)
- File and Print SMBv3 --> SMBv2 or SMBv1
- Authentication NTLMv2 --> NTLMv1 or LM
- DNS DNSSEC --> cleartext DNS
- Active Directory LDAPS --> cleartext LDAP
- Mail server SMTP/TLS --> cleartext SMTP
- IPsec Security Required --> Security Requested (no encryption)
- Services tend to be the least secure out-of-the-box. It is up to the administrator to apply patches, change defaults, and set firewall rules. Many administrators are not trained sufficiently or are not diligent enough to do this properly.
- Many administrators reuse the same user account or password for different services across the domain.
- Many services, especially on older platforms, use accounts with higher privilege levels than necessary.
- Many administrators do not know the actual security level a service needs, or they are not familiar with new security best practices, so they tend to configure the service with lower security or more privileged accounts "just to be sure." For example:
- SQL Server Reporting Services (and many others) should use a "virtual" (managed local) account—an administrator might instead give it a high-privilege Local System or domain admin account.
- Remote Desktop Services should be configured for "Network Level Authentication"—an administrator might not know if all clients are compatible, and thus turn this feature off.
- Most exploits allow you to change the target port. In addition to adjusting your attack to account for "security by obscurity," you can also experiment to see if secondary ports react the same way as primary ports.
- Services with a lower privilege level can be used as a stepping stone to escalate privilege. Tools include:
- Windows Escalate Service Permissions Local Privilege Escalation, Metasploit module: exploit/windows/local/service_permissions
- PowerSploit Invoke-ServiceAbuse or Write-ServiceBinary
Note: For more examples of exploiting weak service permissions, see pentestlab.blog/2017/03/30/weak-service-permissions
Note: For more information on well-known ports, see www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml