# Windows Shenanigans
###### tags: `cyber security` `windows`
## Randoms
The environment variable for the Windows directory is **%windir%**.
You can manage local users and groups with the **lusrmgr.msc** snap-in.
You can manage local security policies with the **secpol.msc** snap-in.
UAC (User Account Control) was first introduced in Windows Vista and has been included in every release since.
When a user whose account type is administrator logs into a system, the session **does not run with administrative privileges** by default.
When an operation requiring elevated permissions needs to execute, the user is prompted to confirm that they permit the operation to run.
UAC, by default, doesn't apply to the built-in local Administrator account.
You can read more on UAC [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
**UserAccountControlSettings.exe** opens the UAC settings dialog.
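A quick audit of how UAC is configured on a host, added here as an example and not part of the original notes. The value names under the `Policies\System` key are the real Windows policy values; the interpretation comments and the "findings" at the end are my own assumptions about a reasonable baseline.

```powershell
# Added example: report whether the current session holds the full admin token and
# read the UAC policy values that control the behaviour described above.
function Test-IsElevated {
    # True only if the current token is in the Administrators role, i.e. the session
    # was elevated (or UAC is off). A plain, non-elevated admin logon returns False.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # 1 = UAC on; 0 = off, every admin logon runs with the full token
        EnableLUA                  = $v.EnableLUA
        # 0 = elevate silently, 2 = always prompt for consent on the secure desktop,
        # 5 = prompt for consent for non-Windows binaries (default)
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        # 1 = prompts appear on the secure desktop (default)
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
        # 1 = the built-in Administrator also gets a filtered token; 0/absent = exempt (default)
        FilterAdministratorToken   = $v.FilterAdministratorToken
        SessionIsElevated          = Test-IsElevated
    }
}

$uac = Get-UacSetting
$uac | Format-List

# Findings a reviewer would flag (assumption: adjust to your own policy baseline)
if ($uac.EnableLUA -ne 1)                  { Write-Warning 'UAC is disabled: admin sessions run fully privileged' }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { Write-Warning 'Admins elevate without any prompt' }
if ($uac.FilterAdministratorToken -ne 1)   { Write-Warning 'Built-in Administrator is exempt from UAC (the default described above)' }
```

Run it once from a normal prompt and once from an elevated one: `SessionIsElevated` flips while the policy values stay the same, which is exactly the split between "logged in as an administrator" and "running with administrative privileges" that UAC introduces.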
The System Configuration utility (**MSConfig**) is for advanced troubleshooting; its main purpose is to help diagnose startup issues.
**winver.exe** shows the Windows version and who it is registered to.
**compmgmt.msc** opens the Computer Management console.
**msinfo32.exe** (System Information) gives you detailed information about the system.
To display the help page for a command in cmd, use **/?**, e.g. **netstat /?**.
For the **net** command, **/?** will not display the help manual. In this case you need different syntax: **net help**.
The Windows registry is a hierarchical database used to store information necessary to configure the system for one or more users, applications or hardware devices.
The registry contains information that Windows continually references during operation, such as:
* Profiles for each user
* Applications installed on the computer and the types of documents that each can create
* Property sheet settings for folders and application icons
* What hardware exists on the system
* The ports that are being used.
### File permissions
File permissions can be set by an administrator or a privileged account and can be applied to users and groups.
Permissions that can be set are:
* Special permissions
* Full control - allows the user or group to take ownership of the folder, set permissions for others, and modify, read, write, and execute files.
* Modify - allows the user or group to modify, read, write, and execute files.
* Read & execute - allows the user or group to read and execute files.
* List folder contents - allows the user or group to list the contents (files, subfolders, etc.) of a folder.
* Read - only allows the user or group to read files.
* Write - allows the user or group to write data to the specified folder (automatically set when the "Modify" right is checked).
**icacls** can be used to check and modify file and folder permissions.
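An added example (not from the original notes) of using these permissions defensively: walk a folder tree and list every ACE that gives a broad principal Write, Modify or Full control, then show the equivalent `icacls` view and fix. `$Root`, the principal list and the remediation paths are assumptions to adapt to your environment.

```powershell
# Added example: find folders under $Root where a broad principal holds Write, Modify
# or Full control, the ACEs most worth reviewing. $Root and the principal list are assumptions.
$Root = $env:ProgramData
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WriteLike = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WeakAcl {
    param([string]$Path)
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # skip folders we cannot read the ACL of
        foreach ($ace in $acl.Access) {
            $rights = [int]($ace.FileSystemRights -band $WriteLike)
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                $rights -ne 0) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs must be fixed on the parent
                }
            }
        }
    }
}

Find-WeakAcl -Path $Root | Format-Table -AutoSize

# The same view with icacls: (W), (M) and (F) mark Write, Modify and Full control,
# (OI)(CI) show the ACE is inherited by files and subfolders.
icacls "$Root" /t /c 2>$null | Select-String -Pattern 'Everyone|BUILTIN\\Users|Authenticated Users'

# Fixing a finding with icacls (path is an assumption): drop Everyone's grants from a tree ...
# icacls "C:\Tools\Scripts" /remove:g Everyone /t
# ... and grant Users read & execute only, inherited by children:
# icacls "C:\Tools\Scripts" /grant "BUILTIN\Users:(OI)(CI)RX"
```

The `Inherited` column matters when you remediate: an inherited ACE reappears after you remove it on a child unless you change the parent or break inheritance with `icacls <path> /inheritance:d` first.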
## Authentication
Authentication is the process of verifying the identity of a user, service, or object.
The goal is to verify that the user, object, or service is not an impostor.
## Local Authentication
Local authentication is done by the **Local Security Authority** (LSA) subsystem, which keeps track of the security policies and accounts on a computer.
LSA maintains information on all aspects of security on the local computer.
## Authentication on On-Prem AD
On-prem AD has a record of all users, PCs, and servers and authenticates users signing in via network logon.
Authentication can be done via:
1. NTLM
2. LDAP/LDAPS
3. Kerberos
### NTLM/NTLMv2
NTLM uses a **challenge-response** sequence of messages between a client and a server.
Authentication is based on the challenge-response scheme and thus does not provide data integrity or confidentiality.
- NTLM flow
```sequence
Client->Server: NTLM negotiate authentication
Server->DC: Netlogon information
Server-->Client: NTLM Challenge
Client->Server: NTLM authenticate message
DC-->Server: Netlogon validation (authentication okay)
```
### LDAP/LDAPS
LDAPS is LDAP over TLS, so the exchange is encrypted; plain LDAP is not.
The DC can be considered a database of users, groups, computers, etc.
The user's workstation sends credentials to the DC through an API so that they can be validated and the user can log in.
### Kerberos
Kerberos uses symmetric-key cryptography and requires a trusted third party (the KDC) to verify user identities.
Definitions:
- DC: domain controller
- TGT: ticket granting ticket, acts as the client's authentication ticket
- TGS: ticket granting service
- KDC: key distribution center
- SPN: service principal name
- kerberos flow:
```sequence
Client->DC: Requests TGT from the KDC
DC->Client: KDC verifies credentials and sends back TGT, encrypted with the TGS secret key, and a session key
Client->DC: Client stores TGT and when it expires the local session manager requests another TGT
Client->DC: Client sends current TGT to TGS with the SPN of the desired resource
DC->Client: TGS sends a valid session key for the service to the client
Client-->Server: Client forwards the session key to the service
```
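To make the flow concrete, here is an added toy model of the exchange (not from the original notes and not real Kerberos): each party holds only the keys Kerberos would give it, and the script shows what each party can and cannot unseal. It uses AES-CBC over small JSON payloads so it runs offline; the real protocol uses its own message formats and encryption types (AD defaults to AES256-CTS-HMAC-SHA1-96, which also carries an integrity check). The principal names, SPN and 10-hour lifetime are assumptions.

```powershell
# Added example: toy Kerberos model. NOT the real wire format or encryption type.
function New-Key {
    $k = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return ,$k
}
function Protect-Blob {   # seal a hashtable under $Key; the IV is prefixed to the ciphertext
    param([byte[]]$Key, [hashtable]$Data)
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $plain = [Text.Encoding]::UTF8.GetBytes(($Data | ConvertTo-Json -Compress))
    $enc = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    return ,([byte[]]($aes.IV + $enc))
}
function Unprotect-Blob { # unseal; throws unless $Key is the key Protect-Blob used
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$Blob[0..15]
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    return ([Text.Encoding]::UTF8.GetString($plain) | ConvertFrom-Json -ErrorAction Stop)
}
function B64([byte[]]$b) { [Convert]::ToBase64String($b) }

# Long-term keys as the KDC stores them (constructed data). In AD the user and service
# keys are derived from account passwords; the krbtgt key belongs to the KDC alone.
$Kdc = @{ 'alice' = New-Key; 'krbtgt' = New-Key; 'cifs/fileserver' = New-Key }
$ClientKey = $Kdc['alice']   # the client derives this same key from alice's password

# 1. AS exchange: the KDC returns a TGT sealed with the krbtgt key (opaque to the
#    client) plus the session key sealed with the user's key.
$SessionKey = New-Key
$Tgt     = Protect-Blob -Key $Kdc['krbtgt'] -Data @{ user = 'alice'; skey = (B64 $SessionKey); expires = (Get-Date).AddHours(10).ToString('o') }
$AsReply = Protect-Blob -Key $Kdc['alice']  -Data @{ skey = (B64 $SessionKey) }
$ClientSessionKey = [Convert]::FromBase64String((Unprotect-Blob -Key $ClientKey -Blob $AsReply).skey)

# 2. TGS exchange: the client presents the TGT plus the SPN it wants. Only the KDC can
#    unseal the TGT; it then issues a service ticket sealed with the service's key.
$TgtBody = Unprotect-Blob -Key $Kdc['krbtgt'] -Blob $Tgt
if ([datetime]$TgtBody.expires -lt (Get-Date)) { throw 'TGT expired: the client must request a new one' }
$SvcSessionKey = New-Key
$ServiceTicket = Protect-Blob -Key $Kdc['cifs/fileserver'] -Data @{ user = $TgtBody.user; skey = (B64 $SvcSessionKey) }
$TgsReply      = Protect-Blob -Key $ClientSessionKey -Data @{ skey = (B64 $SvcSessionKey) }
$ClientSvcKey  = (Unprotect-Blob -Key $ClientSessionKey -Blob $TgsReply).skey

# 3. AP exchange: the service unseals the ticket with its own key; client and service
#    now share $SvcSessionKey without the service ever seeing alice's password.
$Ticket = Unprotect-Blob -Key $Kdc['cifs/fileserver'] -Blob $ServiceTicket
"service accepted ticket for $($Ticket.user); session keys match: $($Ticket.skey -eq $ClientSvcKey)"

# What the client cannot do: read (or alter) its own TGT, since it never had the krbtgt key.
try   { Unprotect-Blob -Key $ClientKey -Blob $Tgt | Out-Null; 'unexpected: TGT readable by client' }
catch { 'client cannot read the TGT, as intended' }
```

The point to take from the model is which key guards which step: a wrong user password makes step 1 fail on the client side, the krbtgt key is the only thing that lets step 2 issue tickets, and a service only ever needs its own key in step 3. That is why the krbtgt and service-account keys are the ones a defender has to protect most carefully.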
## Authentication on Azure AD
Azure AD is a secure online authentication store which can contain users and groups.
Users have a username and password that are used when logging into an app that uses Azure AD for authentication, e.g. all Microsoft cloud services (O365, Dynamics 365, Azure).
Azure AD supports the following authentication methods:
1. SAML (Security Assertion Markup Language)
2. OAuth 2.0
3. OpenID Connect
### SAML
SAML is a single sign-on (SSO) standard.
It defines a set of rules that allows users to access web apps with a single login.
This works because the service providers all trust the identity provider.
Service providers: the systems and apps that users access.
Identity provider: the system that performs the authentication.
### OAuth 2.0
OAuth 2.0 is an authorization standard that apps use to grant clients access to resources.
The specification has 4 important roles:
* The **Authorization server**: the server that issues the access token.
* The **Resource owner**: usually the app's end user; grants permission to access the resource server with an access token.
* The **Client**: the app that requests the access token and then passes it to the resource server.
* The **Resource server**: accepts the access token and must verify that it is valid, i.e. your app.
### OpenID Connect (OIDC)
OIDC is an authentication standard built on top of OAuth 2.0.
It adds an additional token, the **ID Token**.
It uses JWTs (JSON Web Tokens).
OAuth 2.0 is about resource access and sharing, while OpenID Connect is about user authentication only.
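The OAuth 2.0 section above says the resource server "must verify that it is valid", and the OIDC section says the ID token is a JWT. The following added example (not from the original notes) shows what that verification looks like for an ID token: check the algorithm, the signature, the issuer, the audience and the expiry, in that order. The token is minted locally with a shared HS256 key so the example runs offline; real Azure AD tokens are RS256-signed and are verified against the issuer's published public keys instead. The issuer URL, client id, subject and key are all constructed values.

```powershell
# Added example: validate an OIDC ID token (JWT) before trusting any claim in it.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,[Convert]::FromBase64String($s)
}
function Get-Signature([string]$SigningInput, [byte[]]$Key) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    ConvertTo-Base64Url ($hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes($SigningInput)))
}

function New-IdToken([hashtable]$Claims, [byte[]]$Key) {
    $header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"HS256","typ":"JWT"}'))
    $payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    "$($header).$($payload)." + (Get-Signature "$($header).$($payload)" $Key)
}

function Test-IdToken([string]$Token, [byte[]]$Key, [string]$Issuer, [string]$Audience) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'malformed' }
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # Pin the algorithm instead of trusting the value carried in the token header.
    if ($header.alg -ne 'HS256') { return "unexpected alg '$($header.alg)'" }
    # Recompute the signature and compare in constant time (no early exit on mismatch).
    $expected = [Text.Encoding]::ASCII.GetBytes((Get-Signature "$($parts[0]).$($parts[1])" $Key))
    $actual   = [Text.Encoding]::ASCII.GetBytes($parts[2])
    if ($expected.Length -ne $actual.Length) { return 'bad signature' }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    if ($diff -ne 0) { return 'bad signature' }
    # Only now read the claims, and check the ones that scope the token to this app and to now.
    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.iss -ne $Issuer)   { return 'wrong issuer' }
    if ($claims.aud -ne $Audience) { return 'wrong audience: token was issued for another app' }
    if ($claims.exp -le $now)      { return 'expired' }
    return "ok: authenticated subject '$($claims.sub)'"
}

# Constructed demo values (not a real tenant, client or secret)
$Key = [Text.Encoding]::UTF8.GetBytes('demo-shared-secret-not-for-production')
$Iss = 'https://login.example.test/tenant-id'
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$token = New-IdToken -Claims @{ iss = $Iss; aud = 'my-client-id'; sub = 'alice'; iat = $now; exp = $now + 300 } -Key $Key

Test-IdToken $token $Key $Iss 'my-client-id'      # ok: authenticated subject 'alice'
Test-IdToken $token $Key $Iss 'some-other-app'    # wrong audience
# A token whose payload was re-encoded without a matching signature is rejected before claims are read
$p = $token.Split('.')
$altered = $p[0] + '.' + (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"sub":"admin"}'))) + '.' + $p[2]
Test-IdToken $altered $Key $Iss 'my-client-id'    # bad signature
```

The audience check is the one apps most often forget: a perfectly valid token issued to another app in the same tenant is still the wrong token for yours. For Azure AD you would keep the same order of checks but replace `Get-Signature` with RS256 verification against the keys at the `jwks_uri` from the tenant's OpenID Connect discovery document.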
## CMD vs PowerShell
CMD is the command line interpreter for Windows and is used to automate various system-related tasks using scripts and batch files. CMD can only interpret batch commands.
PowerShell is mainly used by sysadmins to manage the network and domain they handle. PowerShell is a scripting language and can interpret both batch commands and PowerShell commands.
CMD has limited administration capabilities when compared to PowerShell.
## Registry Editor
The registry can be considered a database that contains low-level settings for Microsoft Windows and its applications. It is structured into the following root keys:
* HKEY_CLASSES_ROOT
* HKEY_CURRENT_USER
* HKEY_LOCAL_MACHINE
* HKEY_USERS
* HKEY_CURRENT_CONFIG
You can use PowerShell to browse the registry as a drive, e.g. `cd HKLM:\`.
Windows also has a built-in tool named **reg** which can be used from the command line to add, remove, query, import, export, etc. registry keys.
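An added example (not from the original notes) that uses both ways of reaching the registry for one common defensive check: listing the autostart entries under the Run/RunOnce keys, which are among the first places to review when looking for persistence on a host. The key paths are real Windows keys; the "suspicious location" pattern at the end is an assumption about a typical baseline.

```powershell
# Added example: enumerate autostart entries via the registry drives, then the reg.exe equivalents.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-AutostartEntry | Format-Table -AutoSize -Wrap

# Entries launching from user-writable locations deserve a closer look
# (assumption: tune the pattern to your own environment).
Get-AutostartEntry | Where-Object { $_.Command -match '(?i)\\(Temp|AppData|Downloads|Public)\\' }

# The same with the built-in reg tool, usable from cmd: query a key, and export one
# to a .reg file before changing anything so the change can be reverted.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "$env:TEMP\hkcu-run-backup.reg" /y
```

`Get-ItemProperty` returns the key's values as properties of one object, which is why the loop filters out the `PS*` properties the registry provider adds; `reg query` prints the same values as plain text, which is handy from cmd or in a batch file.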
## Active Directory
Active Directory is the directory service for Windows domain networks.
Components of AD:
* Domain Controllers
* Forests, Trees, Domains
* Users + Groups
* Trusts
* Policies
* Domain Services
Allows for the control and monitoring of users' computers through a single domain controller.
Allows for any user in a company to use any machine that the company owns, without having to set up multiple users on a machine.
### Domain Controller
A domain controller is a Windows server that has AD DS (Active Directory Domain Services) installed on it and has been promoted to a domain controller in the forest.
The DC controls the rest of the domain.
Functions:
* holds the AD DS data store
* handles authentication and authorization services
* replicates updates from other domain controllers in the forest
* allows admin access to manage domain resources
### AD DS Data Store
The AD DS data store holds the databases and processes needed to store and manage directory information, e.g. users, groups, and services.
Characteristics:
* Contains **NTDS.dit**, a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users
* Stored by default in **%SystemRoot%\NTDS**
* **Accessible only by the domain controller**
### Forest
A forest is a collection of one or more domain trees inside an AD network.
Components:
* Trees - A hierarchy of domains in Active Directory Domain Services
* Domains - Used to group and manage objects
* Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
* Trusts - Allows users to access resources in other domains
* Objects - users, groups, printers, computers, shares
* Domain Services - DNS Server, LLMNR, IPv6
* Domain Schema - Rules for object creation
### Trust and policies
Trusts and policies help the domains and trees communicate with each other and maintain security inside the network.
They define:
1. how domains inside a forest can interact with each other,
1. how an external forest can interact with the forest, and
1. the overall rules that a domain must follow.
Trusts are a mechanism for users in the network to gain access to other resources in the domain.
Types of trust:
1. **Directional**: the direction of trust flows from a trusting domain to a trusted domain.
2. **Transitive**: the trust relationship expands beyond just two domains to include other trusted domains.
Trusts can be abused for lateral movement within a network.
Policies dictate how a server operates and the rules it will or will not follow. Examples of policies:
* Disable Windows Defender - disables Windows Defender across all machines on the domain
* Digitally Sign Communication (Always) - can disable or enable SMB signing on the domain controller
### AD DS
AD DS provides the core functions of an AD network.
It allows for the management of the domain, security certificates, LDAPS, etc.
It is how the DC decides what it wants to do and the services it wants to provide for the domain.
### Domain Services overview
Are services the DC provides to the rest of the domain / tree. The default ones are:
* LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services
* Certificate Services - allows the domain controller to create, validate, and revoke public key certificates
* DNS, LLMNR, NBT-NS - name resolution services that map hostnames to IP addresses
### Domain Authentication Services overview
The authentication protocols in use can be a weak point of the domain and are therefore a common target.
The main types of authentication are NTLM and Kerberos.
### Azure AD vs On-Prem AD
| Windows Server AD | Azure AD |
| ----------------- | -------- |
| LDAP | REST APIs |
| NTLM | OAuth / SAML |
| Kerberos | OpenID |
| OU Tree | Flat Structure |
| Domains and Forests | Tenants |
| Trusts | Guests |
## PowerView
Download PowerView and navigate to the directory it is in.
```powershell
# load a powershell shell with execution policy bypassed
powershell -ep bypass
# import the PowerView module
. .\PowerView.ps1
# list all operating systems on the domain
Get-NetComputer -fulldata | select operatingsystem
# list all users on the domain
Get-NetUser | select cn
# list group names
Get-NetGroup -GroupName *
# list services that run as domain admins
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}
```
Read how to use [PowerView](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) to exploit AD.
## Windows Command line
You can get tips for the Windows command line interface [here](https://www.windows-commandline.com/).