Day 17/100 of #cybertechdave100daysofcyberchallenge - System and Host Based attacks on Windows
Image by jplenio on pixabay.com

Now that the various assessment fundamentals have been covered, the learning path continues with the exploitation of vulnerabilities. We will start with system and host based attacks.

What does this mean?

Simply put: attacks that are targeted at a specific system or host running a specific operating system, e.g. Windows or Linux.

  • They usually come into play after gaining access to a target network
  • They are primarily focused on exploiting inherent vulnerabilities and misconfigurations of the target operating system
  • An understanding of the target operating system is vital here, so the vulnerabilities are much more specialized → especially in terms of local privilege escalation or dumping passwords; these and other techniques will be explained in more detail in the coming days

In this context I can recommend these courses from TCM Security, instructed by Heath Adams:

These have given me a lot of pleasure and a good insight into the topics. I look forward to seeing how INE can complement them.

So we started with Windows-specific vulnerabilities. Up front, a little bit about the history of Windows vulnerabilities:

  • Windows is the most dominant and popular OS worldwide, with a market share ≥ 70% as of 2021
  • It is the prime target for attackers given its threat surface
  • Most vulnerabilities have publicly accessible exploit code → making some of them straightforward to exploit


All Windows OSs share a likeness given the development model and philosophy:

  • Developed in C, making them vulnerable to specific classes of vulnerabilities inherited from the programming language
  • By default not configured to run securely; it requires a proactive implementation of security practices to configure Windows securely, e.g. endpoint protection, antivirus software (although Defender is nowadays pretty good), patch management, security policies etc.
  • Many systems are left unpatched → migrating between versions is tedious in organizations
  • Many companies take a long time to upgrade their systems to the latest versions
  • They opt to use older versions that may be affected by an increasing number of vulnerabilities


So what common types of vulnerabilities exist in Windows (not exhaustive)?

  • Information disclosure - access to confidential data
  • Buffer overflows - writing more data to a buffer than it can hold, overrunning the allocated buffer and overwriting adjacent memory
  • Remote code execution - remotely execute code on the target system
  • Privilege escalation - elevate privileges after initial compromise
  • Denial of Service - consume the system's/host's resources (CPU, RAM, network etc.) to prevent it from functioning normally


On Windows, various native services and protocols can be configured to run on a host. Having a good understanding of these services is vital: how they work and what their potential vulnerabilities are.

The following services and their potential vulnerabilities will be covered over the next few days:

IIS (Internet Information Service):

  • Proprietary web server software developed by Microsoft

WebDAV (Web Distributed Authoring & Versioning):

  • HTTP extension that allows clients to update, delete, move or copy files on a web server
  • Essentially it enables a web server to act as a file server

SMB (Server Message Block):

  • Network file sharing protocol → facilitates the sharing of files and peripherals (e.g. printers) between computers via LAN

RDP (Remote Desktop Protocol):

  • Remotely authenticate and interact with a Windows system via a graphical user interface (GUI)

WinRM (Windows Remote Management Protocol):

  • Remotely authenticate and interact with a Windows system via the command line

It should be mentioned that all services have their default ports on which they run. However, these can also be configured individually. Therefore, it is vital to be able to detect them in the recon phase on other ports as well.
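To make that last point concrete, here is an added example (not from the original article) that takes simplified, constructed nmap-style scan lines, recognises the five services listed above from the service/product text, and flags any that are exposed on a port other than their well-known default. The signature patterns and the line format are assumptions for illustration.

```python
# Added example (not from the original article): flag the services the article
# lists when a scan shows them on a port other than their well-known default.
import re

# Well-known default ports for each service the article covers.
DEFAULT_PORTS = {"iis": {80, 443}, "webdav": {80, 443}, "smb": {139, 445},
                 "rdp": {3389}, "winrm": {5985, 5986}}

# Patterns matched against the scanner's service/product text. Order matters:
# WebDAV and IIS both show up as "http", so WebDAV is checked first.
SIGNATURES = [
    (re.compile(r"webdav", re.I), "webdav"),
    (re.compile(r"microsoft-iis|\biis\b", re.I), "iis"),
    (re.compile(r"microsoft-ds|netbios-ssn|\bsmb\b", re.I), "smb"),
    (re.compile(r"ms-wbt-server|terminal services|\brdp\b", re.I), "rdp"),
    (re.compile(r"wsman|winrm", re.I), "winrm"),
]

# Simplified nmap-style line (assumed format): "<port>/<proto> open <service> <product...>".
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def classify(line):
    """Return (port, service) for a recognised service line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text = f"{m.group(3)} {m.group(4)}"
    for pattern, name in SIGNATURES:
        if pattern.search(text):
            return int(m.group(1)), name
    return None

def find_nonstandard_ports(scan_lines):
    """List (service, port) pairs where a known service is off its default port."""
    findings = []
    for line in scan_lines:
        hit = classify(line)
        if hit and hit[0] not in DEFAULT_PORTS[hit[1]]:
            findings.append((hit[1], hit[0]))
    return findings

# Constructed sample scan output (not real data).
SAMPLE_SCAN = [
    "80/tcp    open  http          Microsoft IIS httpd 10.0",
    "3390/tcp  open  ms-wbt-server Microsoft Terminal Services",
    "5985/tcp  open  wsman         Microsoft WinRM",
    "8443/tcp  open  https         Microsoft IIS httpd 10.0 (WebDAV enabled)",
    "49152/tcp open  msrpc         Microsoft Windows RPC",
]
```

Running `find_nonstandard_ports(SAMPLE_SCAN)` on the constructed sample reports RDP on 3390 and WebDAV on 8443, while unrecognised lines such as the RPC port are ignored rather than guessed at.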

So that's it for today.

#cybertechdave100daysofcyberchallenge #100daysofhacking #penetrationtesting #ine #eJPTv2 #tcm

Thanks for the support Dimitriy Volosnik! Have you taken our Movement, Pivoting and Persistence course? It's a great follow up to the Windows/Linux Privilege course! Thank you again for your continued support, we appreciate you <3!
