Basics

Windows Networks

There are two ways to structure a Windows network:

  • Domain → server-client model

  • Workgroup → peer-to-peer-like model

Windows domain

On a Windows domain:

  • All users are connected to a domain controller

  • When you log into a machine it authenticates against the domain controller

  • The domain controller decides the security policies (length of passwords, how often they must be changed, disabling accounts, etc.)

  • The person in control over the domain is in control of the network

  • Attackers are therefore interested in gaining access to the domain controller with Administrator privileges, since that means control of the whole network

  • Since you authenticate against a domain controller, you can log in to your account from any machine in the network (as in school/university systems)

  • In order to set up a Domain network you need at least one Windows Server for the Domain Controller

  • To check whether a machine is part of a domain or a workgroup, go to Control Panel > System. If it says Workgroup: something, the machine belongs to a workgroup, not a domain.

Active Directory

Active Directory is the program used for maintaining the central database of users and configurations.

Domain Controller

  • Any Windows computer can be configured to be a domain controller

  • The domain controller manages all the security aspects of the interaction between user and domain.

  • There are usually at least two computers configured as domain controllers, in case one breaks down

If you have compromised a machine that belongs to a domain, you can check whether it has any local users, since DCs don't have local users.

If you run enum4linux you can look out for this section:

Nbtstat Information
<1c> - <GROUP> B <ACTIVE>  Domain Controllers

Another way is to run this command:

echo %logonserver%
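To pull the same signal out of an enum4linux (nmblookup -A) status dump automatically, here is an added Python example that is not part of the original notes: it parses constructed sample lines in the format shown above and reports whether a <1c> GROUP registration, i.e. a domain controller announcement, is present. The host name, domain name and address in the sample are made up.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of the "Nbtstat Information" block enum4linux prints
# (it wraps nmblookup -A). Names and address are invented for illustration.
SAMPLE_NBTSTAT = """\
Looking up status of 10.0.0.5
        CORP            <00> -         B <ACTIVE>  Workstation Service
        CORP            <20> -         B <ACTIVE>  File Server Service
        CORPDOM         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        CORPDOM         <1c> - <GROUP> B <ACTIVE>  Domain Controllers
        CORPDOM         <1b> -         B <ACTIVE>  Domain Master Browser

        MAC Address = 00-00-00-00-00-00
"""

# Well-known NetBIOS name suffixes, keyed by (suffix, is_group_name).
SUFFIX_MEANING = {
    ("00", False): "workstation service (host name)",
    ("00", True): "domain or workgroup name",
    ("1c", True): "domain controllers",
    ("1b", False): "domain master browser",
    ("20", False): "file server service",
}

class NbtRecord(NamedTuple):
    name: str
    suffix: str
    group: bool

# One name-table line: NAME <xx> - [<GROUP>] B <ACTIVE> [description]
_LINE = re.compile(r"^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*B\s+<ACTIVE>")

def parse_nbtstat(text: str) -> List[NbtRecord]:
    """Turn each NetBIOS name-table line into an NbtRecord; skip everything else."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            records.append(NbtRecord(m.group(1), m.group(2).lower(), m.group(3) is not None))
    return records

def domain_controller_names(records: List[NbtRecord]) -> List[str]:
    """A <1c> GROUP registration means the host is a domain controller for that domain."""
    return [r.name for r in records if r.suffix == "1c" and r.group]

def describe(records: List[NbtRecord]) -> Dict[str, str]:
    """Map 'NAME<suffix>G|U' to the human meaning of that registration."""
    return {f"{r.name}<{r.suffix}>{'G' if r.group else 'U'}":
            SUFFIX_MEANING.get((r.suffix, r.group), "other") for r in records}

if __name__ == "__main__":
    recs = parse_nbtstat(SAMPLE_NBTSTAT)
    print(describe(recs))
    print("domain controller for:", domain_controller_names(recs) or "none (workgroup or member host)")
```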

SMB

On networks that are based on Linux, where you need to integrate a Windows machine, you can use SMB to do that.

Kerberos

  • Kerberos is a network authentication protocol

  • It is used by Windows domains to authenticate users

  • Usually, a machine with port 88 open (the default Kerberos port) can be assumed to be a domain controller

  • When the user enters her password, it gets one-way encrypted and sent with Kerberos to Active Directory, which then compares it with its password database

  • The Key Distribution Center (KDC) responds with a TGT (Ticket Granting Ticket) to the user's machine

Workgroup

  • A workgroup architecture stands in contrast to the domain system

  • If a computer is part of a workgroup it cannot be part of a domain

  • In a workgroup architecture each computer is in charge of its own security settings

  • In a workgroup users can see each other and share files

User Privileges

System (user)

  • System is not a user; technically it is a security principal

  • One big difference between System and Administrator is that, if the computer is joined to a domain, the System account can access the domain in the context of the domain account while the Administrator cannot

  • On Windows it is possible to grant permissions on a file to System but not to Administrator

  • One example of this is the SAM key. The System user has access to this information, but the Administrator does not

Administrator

Administrator is a default account on Windows. It is the user with the highest privileges.

Normal user

The normal user has fewer privileges than the Administrator.

You can add a new user through cmd with the following commands:

net user username /add
net user kalle secret_password123 /add

:: Add the user to the Administrators group, thus making it an administrator
net localgroup administrators kalle /add

# Add to Remote Desktop User
<https://www.windows-commandline.com/add-user-to-group-from-command-line/>

Windows Structure

Registry

The Windows registry is a hierarchical database that stores low-level settings used by the OS and by any application that chooses to use it. The SAM (Security Account Manager) stores its data there, along with a lot of other things.

Edit the registry

In Windows you open Regedit to see the whole hierarchy. The registry is built from key-value pairs.

Drivers

Drivers are software that lets the OS communicate with hardware such as network cards, graphics cards, printers, etc. To list all the drivers on the machine we use the following command:

driverquery

This is good to know, since drivers can contain vulnerabilities that can be used for priv-esc.

IIS - Windows web server

IIS stands for Internet Information Services (before it was Internet Information Server).

The software is included in most Windows versions, except for the Home editions. The IIS version usually corresponds to the OS version: in general, every new OS ships with a new IIS version.

ASP

Active Server Pages is the scripting environment for IIS. ASP renders the content on the server side. The supported scripting languages are VBScript, JScript and PerlScript.

File types

BAT

.bat → windows equivalent to bash-scripts

To write a batch script, write your commands in an editor, save the file as something.bat and run it from cmd.

DLL

  • A DLL file is a library used by one or more programs.

  • It is a binary file that is not executable by itself, but contains code that an executable calls.

  • It is used to modularize the code of a program

  • Since DLL files are loaded dynamically at run-time, they stay on disk where the user can see them

LIB

  • A LIB is a bit like a DLL: it is also a library

  • LIB files are linked at compile-time, while DLL files are linked at run-time

  • Since LIB files are compiled into the executable, you will usually never see them (unless you are developing them)
