
Windows Shennanigans

tags: cyber security windows

Randoms

The system environment variable for the Windows directory is %windir% (usually C:\Windows; %SystemRoot% resolves to the same path).
Local users and groups can be managed with the lusrmgr.msc snap-in.
Local security policy (password, lockout, audit and user-rights settings) can be managed with the secpol.msc snap-in.
UAC (User Account Control) was introduced in Windows Vista and has been included in every release since.
When a user whose account is a member of Administrators logs in, the session does not run with administrative privileges: the user receives a filtered (standard user) token, and the full administrator token is only used after elevation.
When an operation needs elevated permissions, the user is prompted to confirm (the consent prompt) before the operation runs with the full token.

By default UAC does not apply to the built-in local Administrator account (RID 500): it logs in with a full token unless the policy "Admin Approval Mode for the Built-in Administrator account" (registry value FilterAdministratorToken) is enabled.
UserAccountControlSettings.exe opens the UAC settings dialog (the notification-level slider).

The System Configuration utility (msconfig.exe) is for advanced troubleshooting; its main purpose is diagnosing startup issues.
winver.exe shows the Windows version and build and who the system is registered to.
compmgmt.msc opens the Computer Management console (Event Viewer, shared folders, local users and groups, services, disk management).
msinfo32.exe (System Information) gives detailed hardware, software and driver information about the system.
To display the help page for a command in cmd, use /?, e.g. netstat /?.
For the net command, net /? only prints the bare syntax list; use net help for the manual and net help <subcommand> (e.g. net help user) for the details of one subcommand.

The Windows registry is a hierarchical database used to store information necessary to configure the system for one or more users, applications or hardware devices.

The registry contains information that Windows continually references during operation, such as:

  • Profiles for each user
  • Applications installed on the computer and the types of documents that each can create
  • Property sheet settings for folders and application icons
  • What hardware exists on the system
  • The ports that are being used.

File permissions

NTFS permissions are set by the object's owner, by an administrator, or by any account that holds Full Control (or the "Change permissions" special permission) on the object. They can be allowed or denied to users and groups.
Permissions that can be set are:

  • Special permissions - the fine-grained rights (Take ownership, Change permissions, Delete subfolders and files, etc.) that the basic permissions below are built from
  • Full control - allows the user or group to take ownership of the folder, set permissions for others, and modify, read, write and execute files.
  • Modify - allows the user or group to modify, read, write, execute and delete files.
  • Read & execute - allows the user or group to read files and run executables.
  • List folder contents - allows the user or group to list the contents (files, subfolders, etc.) of a folder.
  • Read - only allows the user or group to read files and their attributes.
  • Write - allows the user or group to create files and write data in the specified folder (automatically included when "Modify" is checked).

Explicit entries are evaluated before inherited ones, and within each group Deny entries are evaluated before Allow entries; permissions are inherited from the parent folder unless inheritance is disabled on the object.
icacls can be used to check and modify file and folder permissions (Get-Acl and Set-Acl do the same from PowerShell).
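As an added example (not part of the original notes), the following PowerShell audits a directory tree for write rights granted to low-privilege principals, then shows the icacls commands to back up, inspect and tighten one offending folder. The paths are assumed placeholders; the audit itself only needs read access to the ACLs.

```powershell
# Added example, not from the original notes. $Root and $Target are assumed paths; adjust them.
$Root = 'C:\inetpub\wwwroot'

# Principals that should normally not be able to write into application or service directories
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# FileSystemRights is a bit mask. Modify and FullControl both contain the Write bits,
# so testing for any Write bit catches all three "weak" grants at once.
# (Generic rights such as GENERIC_WRITE on inherit-only ACEs are not expanded here.)
$WriteBits = [System.Security.AccessControl.FileSystemRights]::Write

$findings = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $LowPriv -contains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -band $WriteBits) -ne 0) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # an inherited ACE has to be fixed on the parent that defines it
                }
            }
        }
    }
$findings | Format-Table -AutoSize

# icacls equivalents for one folder from the findings. Back the DACL up first so the change is reversible.
$Target = 'C:\inetpub\wwwroot\uploads'
icacls $Target /save "$env:TEMP\uploads-acl.bak" /t      # backup of the whole subtree; undo with: icacls C:\inetpub\wwwroot /restore "$env:TEMP\uploads-acl.bak"
icacls $Target                                           # e.g. BUILTIN\Users:(OI)(CI)(M) = this folder, subfolders and files get Modify
icacls $Target /remove:g 'BUILTIN\Users'                 # drop the explicit grant for Users (no effect on inherited ACEs)
icacls $Target /grant 'BUILTIN\Users:(OI)(CI)RX'         # give back read & execute only, inheriting to children
```

The audit emits one row per weak ACE rather than per folder, so a single directory with both an Everyone and a Users grant shows up twice, which is what you want when deciding which entry to remove.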

Authentication

Is the process of verifying the identity of a user, service, or object.
The goal is to verify that the user / object / service is not an impostor.

Local Authentication

Done by the Local Security Authority (LSA, running in lsass.exe), which enforces the local security policy and validates logons against the local account database (the SAM, stored in the registry under HKLM\SAM, where the password hashes of local accounts live).
LSA maintains information on all aspects of security on the local computer.

Authentication on On-Prem AD

On-prem AD has a record of all users, computers and servers and authenticates users signing in via network logon.
Authentication can be done via:

  1. NTLM
  2. LDAP/LDAPS
  3. Kerberos

NTLM / NTLMv2

NTLM uses a challenge-response sequence of messages between a client and server: the client proves it knows the password hash without ever sending the password.
NTLM only authenticates; by itself it provides no integrity or confidentiality for the session (signing and sealing, e.g. SMB signing, are negotiated separately by the application protocol).

  • NTLM flow (client, server and domain controller):
    1. Client -> Server: NTLM NEGOTIATE message
    2. Server -> Client: NTLM CHALLENGE message carrying a random 8-byte server challenge
    3. Client -> Server: NTLM AUTHENTICATE message with the response computed from the NT hash over the challenge (NTLMv2 also mixes in a client nonce, a timestamp and target information)
    4. Server -> DC: the challenge and response are forwarded over Netlogon (pass-through authentication), because only the DC holds the domain user's hash
    5. DC -> Server: Netlogon validation (authentication okay), returning the user's authorization data
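To make step 3 concrete, the following PowerShell (an added example, not code from the original notes) computes the NTLMv2 response exactly as MS-NLMP defines it, from an NT hash, the server challenge and the client blob. The NT hash, challenge and blob below are constructed sample values, not captured traffic; the NT hash is normally MD4(UTF-16LE(password)) and is taken as given here.

```powershell
# Added example, not from the original notes. All byte values below are constructed samples.
function ConvertFrom-Hex {
    param([string]$Hex)
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}

function Get-NTOWFv2 {
    param([byte[]]$NtHash, [string]$User, [string]$Domain)
    # NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPERCASE(user) + domain))   [MS-NLMP 3.3.2]
    $hmac = [System.Security.Cryptography.HMACMD5]::new($NtHash)
    $hmac.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($User.ToUpperInvariant() + $Domain))
}

function Get-NtlmV2Response {
    param([byte[]]$NtHash, [string]$User, [string]$Domain, [byte[]]$ServerChallenge, [byte[]]$ClientBlob)
    $key  = Get-NTOWFv2 -NtHash $NtHash -User $User -Domain $Domain
    $hmac = [System.Security.Cryptography.HMACMD5]::new($key)
    # NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || blob). The blob (timestamp, client nonce,
    # target AV pairs) is sent in the clear right behind NTProofStr in the AUTHENTICATE message,
    # so a passive listener has everything except the key: that is what gets cracked offline.
    $proof = $hmac.ComputeHash([byte[]]($ServerChallenge + $ClientBlob))
    [pscustomobject]@{
        NTProofStr          = -join ($proof | ForEach-Object { $_.ToString('x2') })
        NtChallengeResponse = -join ([byte[]]($proof + $ClientBlob) | ForEach-Object { $_.ToString('x2') })
    }
}

# Constructed sample input: a made-up NT hash (not derived from any real password), an 8-byte
# server challenge, and a minimal 32-byte blob: RespType/HiRespType 0x01 0x01, reserved,
# 8-byte timestamp, 8-byte client nonce, reserved, and an empty AV-pair list (MsvAvEOL).
$ntHash    = ConvertFrom-Hex '0123456789abcdef0123456789abcdef'
$serverChl = ConvertFrom-Hex '0011223344556677'
$blob      = ConvertFrom-Hex ('0101000000000000' + '0000000000000000' + '8899aabbccddeeff' + '00000000' + '00000000')

Get-NtlmV2Response -NtHash $ntHash -User 'jdoe' -Domain 'CORP' -ServerChallenge $serverChl -ClientBlob $blob
```

Two things the flow diagram does not make obvious fall out of the code: the NT hash alone is enough to answer any challenge (which is why pass-the-hash works and why the hash is password-equivalent), and nothing in the response binds it to the server that issued the challenge, which is what NTLM relay exploits when signing is not enforced.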

LDAP/LDAPS

LDAP (TCP 389) carries the credentials of a simple bind in clear text; LDAPS (LDAP over TLS, TCP 636) or StartTLS encrypts the session.
The DC can be considered a database of users, groups, computers, etc., that is queried over LDAP.
The user's workstation (or an application) sends credentials to the DC in an LDAP bind so the DC can validate them and allow the login; SASL/Negotiate binds use Kerberos or NTLM instead of transmitting the password itself.
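The following PowerShell (an added example, not from the original notes) performs the bind described above three ways with System.DirectoryServices.Protocols: a simple bind over plain LDAP, the same simple bind over LDAPS, and a Negotiate bind. The server name and credentials are assumed placeholders.

```powershell
# Added example, not from the original notes. Server and credentials are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string]$Server,
        [int]$Port,
        [System.Net.NetworkCredential]$Credential,
        [System.DirectoryServices.Protocols.AuthType]$AuthType = 'Basic',
        [switch]$UseSsl
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = $AuthType      # Basic = simple bind (UPN/DN + password on the wire); Negotiate = Kerberos/NTLM
    $conn.Credential = $Credential
    if ($UseSsl) {
        $conn.SessionOptions.SecureSocketLayer = $true
        # The default validates the DC certificate against the machine's trust store. The common
        # shortcut below turns LDAPS into "encrypted to whoever answered"; never ship it:
        # $conn.SessionOptions.VerifyServerCertificate = { $true }
    }
    try {
        $conn.Bind()
        'bind ok   {0}:{1} auth={2} ssl={3}' -f $Server, $Port, $AuthType, [bool]$UseSsl
    } catch [System.DirectoryServices.Protocols.LdapException] {
        'bind fail {0}:{1} auth={2}: {3}' -f $Server, $Port, $AuthType, $_.Exception.Message
    } catch {
        'conn fail {0}:{1}: {2}' -f $Server, $Port, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

$cred = New-Object System.Net.NetworkCredential('jdoe@corp.example', 'Passw0rd!')          # placeholder
Test-LdapBind -Server 'dc01.corp.example' -Port 389 -Credential $cred                       # password crosses the wire in clear text
Test-LdapBind -Server 'dc01.corp.example' -Port 636 -Credential $cred -UseSsl               # same bind inside TLS
Test-LdapBind -Server 'dc01.corp.example' -Port 389 -Credential $cred -AuthType Negotiate   # Kerberos/NTLM, no password on the wire
```

A DC configured with "Domain controller: LDAP server signing requirements = Require signing" rejects the first call with "strong(er) authentication required" (LDAP result 8) while the other two still succeed, which makes this a quick way to confirm that clear-text simple binds are actually blocked.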

Kerberos

Kerberos uses symmetric-key cryptography and a trusted third party (the KDC, which runs on every domain controller) to verify identities; the password itself never crosses the network.
Definitions:

  • DC: domain controller
  • TGT: ticket granting ticket, acts as the client's proof of authentication towards the KDC
  • TGS: ticket granting service, the KDC component that issues service tickets
  • KDC: Key Distribution Center (authentication service + ticket granting service)
  • SPN: Service Principal Name, the identifier a service registers so clients can request tickets for it
  • Kerberos flow:
    1. Client -> DC (KDC): AS-REQ, requests a TGT; pre-authentication is a timestamp encrypted with the user's key
    2. DC -> Client: AS-REP, returns the TGT, encrypted with the krbtgt account's key so only the KDC can read it, plus a session key encrypted with the user's key
    3. The client caches the TGT; when it expires (default 10 hours) the local session manager requests another one
    4. Client -> DC (TGS): TGS-REQ, presents the current TGT together with the SPN of the desired service
    5. DC -> Client: TGS-REP, returns a service ticket encrypted with the service account's key and a new session key for that service
    6. Client -> Server: AP-REQ, presents the service ticket plus an authenticator encrypted with the session key; the service decrypts the ticket with its own key and never has to contact the DC
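Steps 4 to 6 can be driven by hand from a domain-joined Windows client. The following PowerShell (an added example, not from the original notes) uses the KerberosRequestorSecurityToken class to trigger a TGS exchange for an SPN and shows the resulting ticket next to the TGT in the cache. The SPN is an assumed placeholder.

```powershell
# Added example, not from the original notes. Must run as a domain user on a domain-joined host;
# the SPN below is a placeholder for a service that exists in your domain.
Add-Type -AssemblyName System.IdentityModel

function Request-ServiceTicket {
    param([string]$Spn)
    # Asks LSA's Kerberos provider for a ticket for $Spn. LSA uses the cached TGT to send the
    # TGS-REQ; the KDC answers with a service ticket encrypted under the service account's key.
    $token = New-Object System.IdentityModel.Selectors.KerberosRequestorSecurityToken -ArgumentList $Spn
    # GetRequest() returns the AP-REQ that would be sent to the service: the service ticket plus
    # an authenticator encrypted with the new session key. We only look at its size here.
    $apReq = $token.GetRequest()
    [pscustomobject]@{
        Spn        = $Spn
        ValidFrom  = $token.ValidFrom
        ValidTo    = $token.ValidTo
        ApReqBytes = $apReq.Length
    }
}

klist tgt                                                    # the TGT obtained at logon (client, krbtgt/REALM, etype, lifetime)
Request-ServiceTicket -Spn 'MSSQLSvc/sql01.corp.example:1433' # TGS-REQ / TGS-REP happen inside this call
klist                                                        # the new service ticket now sits in the cache next to the TGT
```

Because the service ticket is encrypted with the service account's key, anyone holding a TGT can request one for any SPN and attack that key offline; the DC logs the request as event 4769, and an encryption type of 0x17 (RC4) against an account with a human-chosen password is the combination worth alerting on.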

Authentication on Azure AD

Azure AD (now Microsoft Entra ID) is a cloud identity and authentication store that holds users and groups.
Users have a username and password that are used when logging into an app that relies on Azure AD for authentication, e.g. all Microsoft cloud services: Office 365, Dynamics 365, Azure.
Azure AD supports the following authentication protocols:

  1. SAML (Security Assertion Markup Language)
  2. OAuth 2.0
  3. OpenID Connect

SAML

Is a single sign-on (SSO) standard.
Defines a set of rules that allows users to access web apps with a single login.
This works because the service providers all trust the identity provider, which hands them a signed assertion about the authenticated user.
Service providers: the systems and apps that users access.
Identity provider: the system that performs the authentication.

OAuth 2.0

Is an authorization framework: it lets an application (the client) obtain limited access to a user's resources without ever receiving the user's password.
The specification has 4 important roles:

  • The Authorization server: issues the access token after the resource owner grants consent.
  • The Resource owner: usually the app's end user; grants the client permission to access the resource server, which is expressed as an access token.
  • The Client: the app that requests the access token and then presents it to the resource server.
  • The Resource server: accepts the access token and must verify that it is valid (signature, issuer, audience, expiry, scopes), i.e. your API.

OpenID Connect (OIDC)

An authentication layer built on top of OAuth 2.0.
Adds an additional token, the ID token, which asserts who the user is.
Uses JWT (JSON Web Tokens) for the ID token.
OAuth 2.0 is about resource access and delegation, while OpenID Connect is about user authentication; an access token proves permission to call an API, an ID token proves that a user logged in.
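The checks a relying party must run on an ID token before trusting its claims are where OIDC deployments usually go wrong, so the following PowerShell (an added example, not from the original notes) mints a sample ID token and validates it. To stay offline it signs with HS256 and a constructed shared secret; Azure AD actually signs ID tokens with RS256 using keys published at the tenant's jwks_uri, so in production the signature step verifies RSA against those keys, and everything else stays the same. Issuer, client ID, secret and claims are constructed sample values.

```powershell
# Added example, not from the original notes. Secret, issuer, client id and claims are constructed.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}
function New-SampleIdToken([hashtable]$Claims, [byte[]]$Secret) {
    # Stand-in for the identity provider: header.payload.signature, HS256 over the first two parts
    $enc     = [System.Text.Encoding]::UTF8
    $header  = ConvertTo-Base64Url $enc.GetBytes('{"alg":"HS256","typ":"JWT"}')
    $payload = ConvertTo-Base64Url $enc.GetBytes(($Claims | ConvertTo-Json -Compress))
    $sig     = [System.Security.Cryptography.HMACSHA256]::new($Secret).ComputeHash($enc.GetBytes("$header.$payload"))
    "$header.$payload.$(ConvertTo-Base64Url $sig)"
}
function Test-IdToken {
    param([string]$Token, [byte[]]$Secret, [string]$Issuer, [string]$ClientId, [string]$Nonce)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'reject: malformed' }
    $enc    = [System.Text.Encoding]::UTF8
    $header = $enc.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # 1. Algorithm allow-list: the token must not get to pick "none" or an unexpected key type
    if ($header.alg -ne 'HS256') { return "reject: alg $($header.alg)" }
    # 2. Signature over header.payload with the key we expect (compared as base64url strings)
    $expected = [System.Security.Cryptography.HMACSHA256]::new($Secret).ComputeHash($enc.GetBytes("$($parts[0]).$($parts[1])"))
    if ($parts[2] -cne (ConvertTo-Base64Url $expected)) { return 'reject: bad signature' }
    $claims = $enc.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # 3. Issuer must be the tenant we configured, not merely some valid tenant
    if ($claims.iss -ne $Issuer)   { return "reject: iss $($claims.iss)" }
    # 4. Audience must be OUR client id: a genuine token minted for another app is not valid here
    if ($claims.aud -ne $ClientId) { return "reject: aud $($claims.aud)" }
    # 5. Lifetime, with a small clock-skew allowance
    if ($claims.exp -lt ($now - 60)) { return 'reject: expired' }
    # 6. Nonce ties the token to the login request that asked for it (replay protection)
    if ($claims.nonce -ne $Nonce)  { return 'reject: nonce mismatch' }
    "accept: sub=$($claims.sub)"
}

# Constructed sample values
$secret   = [System.Text.Encoding]::UTF8.GetBytes('example-shared-secret-not-for-production')
$issuer   = 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0'
$clientId = '11111111-1111-1111-1111-111111111111'
$exp      = [DateTimeOffset]::UtcNow.AddMinutes(5).ToUnixTimeSeconds()

$good     = New-SampleIdToken -Secret $secret -Claims @{ iss = $issuer; aud = $clientId; sub = 'user-1'; exp = $exp; nonce = 'n-123' }
$otherApp = New-SampleIdToken -Secret $secret -Claims @{ iss = $issuer; aud = '22222222-2222-2222-2222-222222222222'; sub = 'user-1'; exp = $exp; nonce = 'n-123' }

Test-IdToken -Token $good     -Secret $secret -Issuer $issuer -ClientId $clientId -Nonce 'n-123'   # accept: sub=user-1
Test-IdToken -Token $otherApp -Secret $secret -Issuer $issuer -ClientId $clientId -Nonce 'n-123'   # reject: aud ...
Test-IdToken -Token ($good -replace '\.[^.]+$', '.AAAA') -Secret $secret -Issuer $issuer -ClientId $clientId -Nonce 'n-123'   # reject: bad signature
```

The audience check is the one that separates an ID token from an access token in practice: an access token for your API has your API in aud, an ID token for your app has your client id in aud, and accepting one where the other is expected is how "token confusion" bugs arise.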

CMD (cmd.exe) is the legacy command-line interpreter for Windows; it runs batch commands and is used to automate system tasks with scripts and batch files. CMD only interprets batch commands and launches external executables.
PowerShell is mainly used by sysadmins to manage the systems, network and domain they handle. It is a full scripting language built on .NET: it runs PowerShell cmdlets and scripts and can also call the same external commands (cmd built-ins via cmd /c).
CMD has limited administration capabilities compared to PowerShell.

Registry Editor

The registry (edited with regedit.exe) can be considered a database of low-level settings for Windows and for applications. It is organized under these root keys:

  • HKEY_CLASSES_ROOT (HKCR)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_USERS (HKU)
  • HKEY_CURRENT_CONFIG (HKCC)

You can browse the registry from PowerShell through the registry provider, e.g. cd HKLM:\ and then Get-ChildItem, or Get-ItemProperty to read values.
Windows also has a built-in command-line tool named reg which can add, remove, query, import and export registry keys (reg query, reg add, reg export, ...).
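As an added example (not from the original notes), the following PowerShell reads a handful of security-relevant registry values through the registry provider and compares them with a baseline, then shows the equivalent reg query calls. It ties together the UAC settings mentioned earlier and the SMB signing policy mentioned under AD policies. The "Expected" values are this example's hardened baseline, not values the notes prescribe; "Default" is what Windows assumes when the value is absent.

```powershell
# Added example, not from the original notes. Expected values are an assumed hardened baseline.
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'
       Default = 1; Expected = 1; Why = 'UAC on; 0 means every admin logon gets a full token with no prompt' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'FilterAdministratorToken'
       Default = 0; Expected = 1; Why = 'apply Admin Approval Mode to the built-in Administrator (RID 500) too' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy'
       Default = 0; Expected = 0; Why = '1 disables remote UAC filtering: local admins get full admin over SMB/WMI/WinRM' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'
       Default = 0; Expected = 1; Why = 'SMB server: "Digitally sign communications (always)" blocks relay to this host' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'
       Default = 0; Expected = 1; Why = 'SMB client: "Digitally sign communications (always)"' }
)

function Get-RegistryCheck {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # Get-ItemProperty returns nothing (not an error) for a missing value when errors are silenced
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $isSet  = $null -ne $item
        $actual = if ($isSet) { $item.($c.Name) } else { $c.Default }   # absent value => Windows default applies
        [pscustomobject]@{
            Value    = $c.Name
            Key      = $c.Path
            Set      = $isSet
            Actual   = $actual
            Expected = $c.Expected
            Ok       = ($actual -eq $c.Expected)
            Why      = $c.Why
        }
    }
}

Get-RegistryCheck -Checks $Checks | Format-Table Value, Set, Actual, Expected, Ok, Why -AutoSize

# The same reads with the built-in reg.exe (also usable from cmd). HKLM:\ becomes HKLM\.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RequireSecuritySignature
```

Treating "value not set" as "Windows default" rather than as a failure matters for the two filter policies: LocalAccountTokenFilterPolicy is usually absent and that absence is the secure state, while an absent FilterAdministratorToken means the built-in Administrator is still exempt from UAC.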

Active Directory

Active Directory is the directory service for Windows domain networks.
Components of AD:

  • Domain Controllers
  • Forests, Trees, Domains
  • Users + Groups
  • Trusts
  • Policies
  • Domain Services

Allows users and computers to be controlled and monitored centrally from the domain controllers.
Allows any user in the company to log on to any machine the company owns, without having to create an account for that user on every machine.

Domain Controller

Is a Windows server that has AD DS (Active Directory Domain Services) installed and has been promoted to a domain controller in the forest.
The DC controls the rest of the domain.
Functions:

  • holds the AD DS data store
  • handles authentication and authorization services
  • replicates updates from other domain controllers in the forest
  • allows admin access to manage domain resources

AD DS Data Store

holds the databases and processes needed to store and manage directory information e.g users, groups and services.
Characteristics:

  • Contains NTDS.dit, the database holding the domain's directory information (objects and schema) as well as the password hashes of every domain account, so extracting it is equivalent to compromising every account in the domain
  • Stored by default in %SystemRoot%\NTDS
  • Locked by the directory service while the DC runs; only the DC itself (SYSTEM / the NTDS service) can read it

Forest

A forest is a collection of one or more domain trees inside an AD network.
Components:

  • Trees - A hierarchy of domains in Active Directory Domain Services
  • Domains - Used to group and manage objects
  • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
  • Trusts - Allows users to access resources in other domains
  • Objects - users, groups, printers, computers, shares
  • Domain Services - DNS Server, LLMNR, IPv6
  • Domain Schema - Rules for object creation

Trust and policies

Help the domain and trees communicate with each other and maintain security inside of the network.
They define:

  1. how domains inside a forest can interact with each other,
  2. how an external forest can interact with the forest, and
  3. the overall domain rules that a domain must follow.

Trusts are a mechanism for users in the network to gain access to other resources in the domain.
Types of trust:

  1. Directional: trust flows from the trusting domain to the trusted domain. In a one-way trust only the trusted domain's users can be granted access to the trusting domain's resources; a two-way trust is simply two one-way trusts.
  2. Transitive: the trust relationship extends beyond the two domains to the other domains they trust (all domains within a forest trust each other transitively).

Trusts can be abused for lateral movement within a network.
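The following PowerShell (an added example, not from the original notes) lists the trusts of a domain with the attributes that decide how far each one can be abused: direction, whether it stays inside the forest, and whether SID filtering is in force. It needs the ActiveDirectory RSAT module; the domain name is a placeholder.

```powershell
# Added example, not from the original notes. 'corp.example' is a placeholder domain.
Import-Module ActiveDirectory

function Get-TrustRiskSummary {
    param([string]$Domain)
    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        $notes = @()
        if ($t.IntraForest) {
            # Trusts inside a forest are always transitive and have no SID filtering:
            # the forest, not the domain, is the security boundary.
            $notes += 'intra-forest: transitive, no SID filtering'
        } elseif (-not $t.SIDFilteringQuarantined -and -not $t.SIDFilteringForestAware) {
            # With SID filtering off, sIDHistory values presented by the other side are honoured,
            # so a compromised trusted domain can claim privileged SIDs from this one.
            $notes += 'SID filtering OFF'
        }
        if ($t.Direction -in 'Outbound', 'BiDirectional') {
            # Outbound = this domain is the trusting side: principals from the other domain can be
            # granted access to resources here, so their compromise reaches into this domain.
            $notes += 'this domain trusts the other side'
        }
        if ($t.SelectiveAuthentication) { $notes += 'selective authentication (access must be granted per computer)' }
        [pscustomobject]@{
            Trust            = $t.Name
            Type             = $t.TrustType
            Direction        = $t.Direction
            IntraForest      = $t.IntraForest
            ForestTransitive = $t.ForestTransitive
            Notes            = $notes -join '; '
        }
    }
}

Get-TrustRiskSummary -Domain 'corp.example' | Format-Table -AutoSize
nltest /domain_trusts /all_trusts     # the same list from the built-in tool, with trust attribute flags
```

The combination to look for is an external or forest trust that is Outbound or BiDirectional with "SID filtering OFF": that is the configuration in which a breach in the other domain can be turned into privileged access here.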

Policies (Group Policy) dictate how a server or workstation operates and the rules it will or will not follow. Examples of policies:

  • Disable Windows Defender - disables Windows Defender across all machines in the domain
  • Microsoft network server: Digitally sign communications (always) - requires SMB signing on the domain controllers (and on any server it is applied to); without it, SMB authentication can be relayed to those hosts

AD DS

Are the core functions of an AD network.
They allow for the management of the domain, of security certificates, of LDAP/LDAPS, etc.
They determine what the DC does and which services it provides to the domain.

Domain Services overview

Are services the DC provides to the rest of the domain / tree. The default ones are:

  • LDAP - Lightweight Directory Access Protocol; provides communication between applications and the directory service
  • Certificate Services (AD CS) - allows the domain to create, validate and revoke public key certificates
  • DNS, LLMNR, NBT-NS - name resolution (hostname to IP). LLMNR and NBT-NS are legacy broadcast fallbacks used when DNS fails; because any host on the segment can answer them they are routinely poisoned to capture NTLM authentication, so they should be disabled where possible

Domain Authentication Services overview

The authentication protocols in use can make the domain vulnerable and are therefore a good target.
The main types of authentication are NTLM and Kerberos.

Azure AD vs On-Prem AD

| Windows Server AD   | Azure AD       |
| ------------------- | -------------- |
| LDAP                | REST APIs      |
| NTLM                | OAuth / SAML   |
| Kerberos            | OpenID Connect |
| OU tree             | Flat structure |
| Domains and forests | Tenants        |
| Trusts              | Guests         |

Power View

Download PowerView (PowerView.ps1, part of PowerSploit) and change to the directory it is in.

```powershell
# start a PowerShell session with the execution policy bypassed
powershell -ep bypass
# import the PowerView module
. .\PowerView.ps1
# list the operating system of every computer in the domain
Get-NetComputer -FullData | select operatingsystem
# list all users in the domain
Get-NetUser | select cn
# list group names
Get-NetGroup -GroupName *
# list accounts with an SPN (service accounts) that are members of Domain Admins
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}
```

