Windows Attacks


Various types of Windows attacks are covered here, including privilege escalation, covering tracks, file hiding, enumeration and password attacks.

Privilege Escalation

If the attacker can gain access to a Windows system as a standard user, the next step is privilege escalation. This step is required because standard user accounts are limited; to be in full control, administrator access is needed. This is not always an easy task, as privilege escalation tools must be executed on the victim’s system. How do you get the victim to help you exploit a vulnerability? Three common ways include:

  • Trick the user into executing the program.
  • Copy the privilege escalation tool to the targeted system and schedule the exploit to run at a predetermined time, for example with the AT command.
  • Gain interactive access to the system, for example through Terminal Server, PC Anywhere, and so on.

It’s important to realize that the vulnerabilities used to escalate system privilege are patched over time. Therefore, these exploits work only for specific versions of the Windows OS. Microsoft does patch these vulnerabilities after they have been publicized.

One of the first things an attacker wants to do after he owns the box is to make sure that he has continued access and that he has covered his tracks. One way to ensure continued access is to compromise other accounts. Stealing the SAM is going to give the attacker potential access to all the passwords. The SAM contains the user account passwords stored in their hashed form. Microsoft raised the bar with the release of NT Service Pack 3 by adding a second layer of 128-bit encryption called SYSKEY. After being enabled, this key is required by the system every time it is started so that the password data is accessible for authentication purposes.

If you have physical access, you can simply use tools such as LINNT and NTFSDOS to gain access. NTFSDOS is capable of mounting any NTFS partition as a logical drive; it is a read-only network file system driver for DOS/Windows, and if loaded onto a bootable disk or CD, it makes a powerful access tool. Logical access presents some easier possibilities. The Windows SAM database is in a binary format, so it’s not easy to inspect directly. Tools such as Pwdump and L0phtCrack can be used to extract and crack the SAM.

GetAdmin.exe is a small program that adds a user to the local Administrators group. It uses a low-level NT kernel routine to allow access to any running process. A logon to the server console is needed to execute the program. GetAdmin.exe is run from the command line or from a browser. It works only with Windows NT 4.0 Service Pack 3. PsExec is a program that connects to and executes files on remote systems; no software needs to be installed on the remote system. Remoxec executes a program using the RPC (Task Scheduler) or DCOM (Windows Management Instrumentation) services. Administrators with null or weak passwords may be exploited through Task Scheduler (1025/tcp or above) or the Distributed Component Object Model (DCOM; default 135/tcp).

Covering Tracks

The attacker must attend to a few unfinished items. According to Locard’s Exchange Principle, “Whenever someone comes in contact with another person, place, or thing, something of that person is left behind.” This means that the attacker must disable logging, clear log files, eliminate evidence, plant additional tools, and cover his tracks. Listed here are some of the techniques that an attacker can use to cover his tracks.

Disabling logging: Auditpol was originally included in the NT Resource Kit for administrators. It works well for hackers too, as long as they have administrative access. Just point it at the victim’s system as follows:

C:\>auditpol \\192.168.13.10 /disable

Auditing Disabled

Clear the log file: The attacker will also attempt to clear the log. Tools such as Winzapper, Evidence Eliminator, or Elsave can be used. Elsave removes all entries from the logs except one entry that shows the logs were cleared. It is used as follows:

elsave -s \\192.168.13.10 -l "Security" -C

Cover their tracks: One way for attackers to cover their tracks is with rootkits. Rootkits are malicious code designed to give an attacker expanded access and hide his presence. While rootkits were traditionally a Linux tool, they are now making their way into the Windows environment. Tools such as NTrootkit and the AFX Windows rootkits are available for Windows systems. If you suspect that a computer has been rootkitted, you need to use an MD5 checksum utility or a program such as Tripwire to verify the integrity of your programs. The only other alternative is to rebuild the computer from known good media.
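The two traces that Auditpol and Elsave leave behind (an audit policy change, then a log-clear entry) are what a defender looks for. The following detection logic is an added example written for this tutorial, not part of the original text; it runs over constructed sample records shaped like Windows Security events, using the event IDs 517/612 (NT through 2003) and 1102/4719 (Vista and later).

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log entries (not real logs).
# 517/612 are the NT/2000/XP/2003 "audit log cleared" / "audit policy changed" events;
# 1102/4719 are the Vista-and-later equivalents. 4624 is an ordinary logon.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-01-10 09:01:00", "host": "WS01", "user": "alice"},
    {"id": 4719, "time": "2024-01-10 09:05:10", "host": "WS01", "user": "alice"},
    {"id": 1102, "time": "2024-01-10 09:06:42", "host": "WS01", "user": "alice"},
    {"id": 517, "time": "2024-01-10 09:07:00", "host": "NT4SRV", "user": "Administrator"},
    {"id": 4624, "time": "2024-01-10 09:10:00", "host": "WS02", "user": "bob"},
    {"id": 4719, "time": "2024-01-10 13:00:00", "host": "WS02", "user": "svc_backup"},
]

LOG_CLEARED = {517, 1102}
POLICY_CHANGED = {612, 4719}


def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def tamper_events(events):
    """Every event that is by itself a tamper indicator, as (host, event id, user)."""
    return [(e["host"], e["id"], e["user"]) for e in events
            if e["id"] in LOG_CLEARED | POLICY_CHANGED]


def correlate_disable_then_clear(events, window=timedelta(minutes=10)):
    """Hosts where an audit policy change was followed by a log clear inside the window.

    This is the auditpol-then-elsave sequence described above. Returns
    {host: (policy_change_time, clear_time, user_who_cleared)}.
    """
    by_host = {}
    for e in sorted(events, key=_ts):
        by_host.setdefault(e["host"], []).append(e)
    findings = {}
    for host, evs in by_host.items():
        last_policy = None
        for e in evs:
            if e["id"] in POLICY_CHANGED:
                last_policy = e
            elif e["id"] in LOG_CLEARED and last_policy is not None:
                if _ts(e) - _ts(last_policy) <= window:
                    findings[host] = (last_policy["time"], e["time"], e["user"])
                    last_policy = None
    return findings


if __name__ == "__main__":
    for hit in tamper_events(SAMPLE_EVENTS):
        print("tamper indicator:", hit)
    for host, (changed, cleared, who) in correlate_disable_then_clear(SAMPLE_EVENTS).items():
        print(f"{host}: audit policy changed at {changed}, log cleared at {cleared} by {who}")
```

A lone log-clear entry (NT4SRV above) is still reported; the correlation only adds confidence when the policy change precedes it.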

File Hiding

Various techniques are used by attackers to hide their tools on the compromised computer. Some attackers might just attempt to use the attribute command to hide files, whereas others might place their files in low traffic areas. A more advanced method is to use NTFS alternate data streams.

NTFS alternate data streams (ADS) were developed to provide compatibility outside of the Windows world with structures such as the Macintosh Hierarchical File System (HFS). These structures use resource forks to maintain information associated with a file, such as icons.

ADS is a security concern because an attacker can use these streams to hide files on a system. As the streams are almost completely hidden, they represent a near perfect hiding spot on a file system, giving the attacker a place to hide his tools until he needs them at a later date. An ADS is essentially a file that can be executed. To delete a stream, its pointer file must be deleted first, or the pointer file can be copied to a FAT file system; that will delete the stream, as FAT does not support ADS.
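Streams are hidden from a plain directory listing, but dir /r (Vista and later) lists them as name:stream:$DATA. The parser below is an added example for this tutorial, not code from the original page; it reads constructed sample output in that shape and reports every named stream that is not the routine Zone.Identifier stream, so a defender can spot tools stashed behind ordinary files.

```python
import re

# Constructed sample output in the shape of "dir /r" on an NTFS volume; not captured
# from a real system. Stream lines carry only a size and name:stream:$DATA.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\alice\\Documents

01/10/2024  09:02 AM                14 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
01/10/2024  09:03 AM               512 report.docx
                                 73728 report.docx:tool.exe:$DATA
01/10/2024  09:04 AM             2,048 setup.log
                                    98 setup.log:Zone.Identifier:$DATA
                                  4096 setup.log:hidden.txt:$DATA
               3 File(s)          2,574 bytes
"""

# Streams that are routine on a workstation: Zone.Identifier is written by browsers
# and mail clients to record where a download came from ("mark of the web").
BENIGN_STREAMS = {"Zone.Identifier"}

# size (with thousands separators), then file:stream:$DATA at end of line
STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def parse_streams(dir_output):
    """Yield (file, stream, size_bytes) for every named stream in dir /r output."""
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            yield m.group(2), m.group(3), size


def suspicious_streams(dir_output, min_size=0):
    """Named streams not on the benign list, largest first."""
    hits = [(f, s, n) for f, s, n in parse_streams(dir_output)
            if s not in BENIGN_STREAMS and n >= min_size]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for f, s, n in suspicious_streams(SAMPLE_DIR_R):
        print(f"{f}:{s}  ({n} bytes)")
```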

Active Directory (AD) came with Windows 2000 and heralded a big change from the old NT trust model. AD is a directory service, which contains a database that stores information about objects in a domain. AD keeps password information and privileges for domain users and groups that were once kept in the domain SAM. Unlike the old NT trust model, a domain is a collection of computers and their associated security groups that are managed as a single entity.

NetBIOS was a creation of IBM. It enables applications on different systems to communicate through the LAN and has become a de facto industry standard. On LANs, usually NetBIOS systems identify themselves by using a 15-character unique name. Because NetBIOS is non-routable by default, Microsoft adapted it to run over Transmission Control Protocol/Internet Protocol (TCP/IP). NetBIOS is used in conjunction with Server Message Blocks (SMB). SMB allows for the remote access of shared directories and files. This key feature of Windows is what makes file and print sharing and the Network Neighborhood possible.

Password Guessing

When password guessing is successful, it is usually because people like to use easy-to-remember words and phrases. A diligent penetration tester or attacker will look for subtle clues throughout the enumeration process to key in on probable words or phrases the account holder might have used for a password. NetBIOS Auditing Tool (NAT) is a command-line automated password guessing tool. Just build a valid list of users from the tools discussed during enumeration.

Obtaining Password Hashes

If your attempts to guess passwords have not been successful, sniffing or keystroke loggers might offer hope. Do you ever think about how much traffic passes over a typical network every day? Most networks handle a ton of traffic, and a large portion of it might not even be encrypted. Password sniffing requires that you have physical or logical access to the device. If that can be achieved, you can simply sniff the credentials right off the wire as users log in.

Keystroke Loggers

Keystroke loggers can be software or hardware devices used to monitor activity. Software keystroke loggers sit between the operating system and the keyboard. Most of these software programs are simple, but some are more complex and can even email the logged keystrokes back to a preconfigured address. What they all have in common is that they operate in stealth mode and can grab all the text a user enters.

From a technical perspective there are several categories:

  • Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor running underneath the operating system, which remains untouched. It effectively becomes a virtual machine. Blue Pill is a conceptual example.
  • Kernel-based: A program on the machine obtains root access to hide itself in the OS and starts intercepting keystrokes that pass through the kernel. This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications that don’t have root access. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, making them very powerful. A keylogger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.
  • API-based: These keyloggers hook keyboard APIs inside a running application. The keylogger registers for keystroke events, as if it were a normal piece of the application instead of malware, and receives an event each time the user presses or releases a key, which it simply records. Windows APIs such as GetAsyncKeyState() and GetForegroundWindow() are used to poll the state of the keyboard or to subscribe to keyboard events. A more recent example simply polls the BIOS for pre-boot authentication PINs that have not been cleared from memory.
  • Form grabbing based: Form grabbing-based keyloggers log web form submissions by recording browser submit events. These happen when the user finishes filling in a form and submits it, usually by clicking a button or hitting Enter. This records form data before it is passed over the Internet.
  • Memory injection based: Memory Injection (MitB)-based keyloggers alter memory tables associated with the browser and other system functions to perform their logging functions. By patching the memory tables or injecting directly into memory, this technique can be used by malware authors who are looking to bypass Windows UAC (User Account Control). The Zeus and Spyeye Trojans use this method exclusively. Non-Windows systems have analogous protection mechanisms that need to be thwarted somehow by the keylogger.
  • Packet analyzers: This involves capturing network traffic associated with HTTP POST events to retrieve unencrypted passwords. This is made more difficult when connecting via HTTPS, which is one of the reasons HTTPS was invented.
  • Remote access software keyloggers: These are local software keyloggers with an added feature that allows access to the locally recorded data from a remote location. Remote communication may be achieved using one of these methods:
    • Data is uploaded to a website, database or an FTP server.
    • Data is periodically emailed to a pre-defined email address.
    • Data is wirelessly transmitted by means of an attached hardware system.
    • The software enables a remote login to the local machine from the Internet or the local network, for data logs stored on the target machine to be accessed.

Most of these aren’t stopped by HTTPS encryption because that only protects data in transit between computers; this is a threat in your own computer – the one connected to the keyboard.

Enumeration

The Network Neighborhood might have given way to My Network Places; however, the same underlying insecure protocols exist, such as Server Message Block (SMB) and InterProcess Communication (IPC). SMB makes it possible for users to share files and folders, while IPC offers a default share on Windows systems. This share, the IPC$, is used to support named pipes that programs use for interprocess (or process-to-process) communications. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration. As you might think, this can be a problem. Hopefully, you remember some basic Microsoft information that you learned when getting your first Microsoft certification. In the world of Windows, the $ syntax represents a hidden share. So, even though you may not see the IPC$ share when looking for shared drives and folders, that doesn’t mean that it is not there. The IPC$ share exists so that commands can be sent back and forth between systems.

Years ago when protocols such as SMB were thought up, the mindset of the time was not on security, but on connectivity. After all, Microsoft’s first networked OS was of a peer-to-peer design. While it’s true that Linux runs similar services with the Samba suite of services, Windows remains the primary focus of these vulnerabilities. The most basic connection possible with IPC$ is the Null, or anonymous, connection, which is achieved by executing a net command. There’s an entire host of Net commands. A few are discussed here, but for a more complete list, just type net from the command line and the /? syntax after any of the commands you see that you would like more information on. For example, if you have identified open ports of 135, 139, and 445 on some targeted systems, you might start with the net view /domain command.

Exploiting IPC$

IPC$ is further exploited for the activities described next. Specifically, you will need to set up a Null session. It is set up manually with the net command:

C:\>net use \\target\ipc$ "" /u:""

Accessing the IPC$ share might not give you full administrator rights, but it will give you the ability to run the tools that are about to be discussed. There is a limit to how far this command will get; the table below shows its capabilities by operating system.

Operating System      Enumerate Shares   Enumerate Usernames   Enumerate SIDs   Enumerate Running Services
Windows XP and 2003   Yes                Yes                   Yes              No
Windows 2000          Yes                Yes                   Yes              No
Windows NT            Yes                Yes                   Yes              Yes


Native mode means that the systems are only compatible with Windows 2000 or later domain controllers. A Windows 2003 default installation will reveal far less sensitive information than an older system. However, a Windows 2003 PDC might still divulge information such as usernames and domain info.

Tools such as SID2USER, USER2SID, and DumpSec are used to circumvent this security, but they require a Null session to be established before you attempt to use them. Many other tools can be used for enumeration, including:

  • Userinfo: Released by HammerofGod, this command-line tool retrieves all available information about any known user from any NT/Win2k/XP system.
  • 4GetAcct: Developed by SecurityFriday, this GUI tool also has the capability to enumerate vulnerable Windows systems.
  • GetUserInfo: Created by JoeWare, this command-line tool extracts user info from a domain or computer.
  • Ldp: This executable is what you will need if you’re working with AD systems. After you find port 389 open and authenticate yourself using an account (even guest will work), you will be able to enumerate all the users and built-in groups.

Other tools are available to enumerate a Windows system. For example, if you are local to the system, you can also use NBTStat. Microsoft defines NBTStat as a tool designed to help troubleshoot NetBIOS name resolution problems. It has options, such as local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. Typing nbtstat at a Windows command prompt will tell you all about its usage.

Countermeasures

It’s almost hard to believe the amount of information that you are able to retrieve with just a Null session. Usernames, account info, password policies, share information, system services, and more are all ripe for the taking. Responsible security professionals want to practice the principle of least privilege:

  • Block ports
  • Disable unnecessary services
  • Use the RestrictAnonymous setting

SNMP Enumeration

Simple Network Management Protocol (SNMP) is a popular TCP/IP standard for remote monitoring and management of hosts, routers, and other nodes and devices on a network. It works through a system of agents and nodes. SNMP version 3 offers data encryption and authentication, although version 1 is still widely used. Version 1 is a clear text protocol and provides only limited security through the use of community strings. The default community strings are public and private and are transmitted in cleartext. If the community strings have not been changed or if someone can sniff the community strings, they have more than enough to launch an attack.

Devices that are SNMP enabled share a lot of information about each device that probably should not be shared with unauthorized parties. Even if RestrictAnonymous has been set to 2, SNMP will return plenty of account and share information. Some tools available for SNMP enumeration include

  • SNMPUtil: A Windows resource kit command-line enumeration tool that can be used to query computers running SNMP.
  • IP Network Browser: A GUI-based network discovery tool from www.solarwinds.net that allows you to perform a detailed discovery on one device or an entire subnet.
  • SNScan: A free GUI-based SNMP scanner from Foundstone.

Null Session

A null session is an anonymous connection to a freely accessible network share called IPC$ on Windows-based servers. It allows immediate read and write access with Windows NT/2000 and read-access with Windows XP and 2003.

To establish such a connection from a DOS prompt, these commands can be used:

net use \\IP address_or_host name\ipc$ "" /user:""

net use

Regarding the possibilities from such a connection, hackers can call APIs and use Remote Procedure Calls to enumerate information. These techniques can, and will, provide information on passwords, groups, services, users and even active processes. NULL session access can even be used to escalate privileges and perform DoS attacks.
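On the defending side, a Null session is visible in the Security log as a network logon (logon type 3) by the ANONYMOUS LOGON account, and the IPC$ binding it relies on appears as a share-access event. The detector below is an added example for this tutorial, not part of the original text; it runs over constructed sample records shaped like the Vista-and-later events 4624/4625 (logon success/failure) and 5140 (network share object accessed), and ranks source addresses by how much anonymous activity they generate, which is the pattern an enumeration run against IPC$ produces.

```python
from collections import Counter

# Constructed sample records in the shape of Windows Security events (not real logs).
# 4624/4625: logon succeeded/failed; "type" is the logon type (3 = network).
# 5140: a network share object was accessed; "share" is the share name field.
SAMPLE_EVENTS = [
    {"id": 4624, "type": 3, "user": "alice", "src": "10.0.0.5", "share": None},
    {"id": 4624, "type": 3, "user": "ANONYMOUS LOGON", "src": "10.0.0.99", "share": None},
    {"id": 5140, "type": 3, "user": "ANONYMOUS LOGON", "src": "10.0.0.99", "share": "\\\\*\\IPC$"},
    {"id": 4624, "type": 3, "user": "ANONYMOUS LOGON", "src": "10.0.0.99", "share": None},
    {"id": 5140, "type": 3, "user": "ANONYMOUS LOGON", "src": "10.0.0.99", "share": "\\\\*\\IPC$"},
    {"id": 4624, "type": 3, "user": "ANONYMOUS LOGON", "src": "10.0.0.7", "share": None},
    {"id": 4624, "type": 2, "user": "bob", "src": "127.0.0.1", "share": None},
    {"id": 5140, "type": 3, "user": "bob", "src": "10.0.0.5", "share": "\\\\*\\C$"},
]

ANON = "ANONYMOUS LOGON"


def null_session_logons(events):
    """Network logons by the anonymous account, i.e. Null sessions, as (src, event id)."""
    return [(e["src"], e["id"]) for e in events
            if e["id"] in (4624, 4625) and e["type"] == 3
            and e["user"].upper() == ANON]


def anonymous_ipc_access(events):
    """IPC$ share accesses made by the anonymous account, counted per source address."""
    hits = Counter(e["src"] for e in events
                   if e["id"] == 5140 and e["user"].upper() == ANON
                   and e["share"] is not None and e["share"].upper().endswith("IPC$"))
    return dict(hits)


def enumeration_sources(events, threshold=2):
    """Sources whose anonymous logons plus IPC$ accesses reach the threshold, sorted."""
    score = Counter(src for src, _ in null_session_logons(events))
    score.update(anonymous_ipc_access(events))
    return sorted(src for src, n in score.items() if n >= threshold)


if __name__ == "__main__":
    print("null session logons:", null_session_logons(SAMPLE_EVENTS))
    print("anonymous IPC$ access:", anonymous_ipc_access(SAMPLE_EVENTS))
    print("likely enumeration from:", enumeration_sources(SAMPLE_EVENTS))
```

A single anonymous logon (10.0.0.7 above) stays below the default threshold; the repeated logon-plus-IPC$ pattern from 10.0.0.99 is what gets flagged.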
