
Hacking Windows

Introduction

Windows is one of the most common operating systems used in workplaces; workers use it to create and operate on sensitive data. Windows is a big target for attackers and has many flaws, a lot of which exist because of Windows backward compatibility, very often enabled by default. Complexity increases as time passes, causing security problems: the complexity of backward compatibility adds up with the proliferation of new features prone to errors and vulnerabilities. The major risk factors are popularity and complexity.

There are on average 70 Microsoft security bulletins per year, in which Microsoft explains the vulnerabilities discovered and how to patch them. Over time the focus of attacks on Windows has shifted: at first the main focus was on network services (easy to use and easily exposed to the Internet); when Microsoft fixed the network services, attackers focused on kernel drivers, which are very difficult to defend; today the attacks target applications, from standard ones to non-standard ones.

A lot of improvements have been made in Windows to increase the security of the operating system, such as a default host firewall and UAC (User Access Control).

There are two major kinds of attacks: unauthenticated attacks and authenticated attacks, treated in turn below.

To counter these kinds of attacks Windows has introduced security measures.

Unauthenticated Attacks

There are four major approaches to conducting an unauthenticated attack: authentication spoofing, remote unauthenticated exploits, end-user application exploits and device driver exploits.

The traditional target of Windows attacks is the Server Message Block service (used also by WannaCry) on TCP ports 445 and 139. If an attacker finds one of these ports open, it will surely try to use it. Other popular targets are:

Authentication Spoofing

Password Guessing

One simple, but sometimes effective, approach is to try to guess the password, exploiting the fact that people tend to use weak passwords out of laziness. Of course password security policies do not allow a high number of tries in a short period of time.

With a large pool of users the attacker will try to guess a password for each user, manually or in an automated fashion, exploiting the fact that the security policy will not be triggered if the attempts are spaced out in time.

Of course the network administrator can detect this kind of attack if the attacker is not smart enough. Automated tools like enum, Brutus and THC Hydra can be used, but a simple FOR loop typed at the Windows command line also works:

FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\targetip

where credentials.txt is a text file that contains a list of username, password pairs to try. Other automated tools with a GUI are TSGrinder and rdesktop after a patch.

Techniques that use machine learning are now being used, and they work really well because ML is very good at learning correlations, using leaked password databases as the training dataset: this teaches the neural network how humans create passwords, making it possible for a GAN to generate passwords the way human beings do (PassFlow). Machine learning approaches could shortly lead to the end of the password era, because it will be trivial for a GAN to guess any human-generated password.

Leaked password databases represent really valuable information that can speed up password guessing attacks.

Countermeasures

Use a network firewall to restrict access to SMB services and use the host-resident features of Windows (IPsec filters and Windows Firewall), or disable SMB services.

Enforcing strong/long passwords is not always a good idea: if a password is difficult to remember, users will write it down. Set an account lockout threshold and ensure that it applies to the built-in Administrator account; always check the logs and periodically review the Event Logs to ensure that no password guessing attacks have occurred.

The SECPOL.MSC command opens the Local Security Policy application, where it is possible to set password policies and account lockout policies. Password policy software will in future use ML to check whether a password is too easy to guess. The Audit Policy determines which logon, system and account events get logged. There are log analysis tools that can be used on the host side, like Microsoft Dumpel.

Complementary intrusion detection systems can be used.
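The periodic review of the Event Logs described above can be automated. The following PowerShell script is an added example, not part of the original notes: it reads failed-logon events (Event ID 4625) from the Security log and reports accounts whose failures are numerous but spread thinly over time, the spacing that keeps an attacker under the lockout threshold. It assumes an elevated session that can read the Security log; the thresholds are illustrative.

```powershell
# Added example (not from the original notes): flag low-and-slow password guessing
# from Windows Security log failed-logon events (Event ID 4625).
# Assumes an elevated session that can read the Security log; the thresholds are
# illustrative and should be tuned to the environment.
param(
    [int]$MinFailures   = 20,   # failures per (account, source) before reporting
    [int]$LookbackDays  = 7,    # how far back to read the log
    [double]$MaxPerHour = 3     # a rate that stays under a typical lockout threshold
)

$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

# Pull TargetUserName and IpAddress out of each event's XML EventData.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $data['TargetUserName']
        Source = $data['IpAddress']
    }
}

# A burst of failures trips the lockout policy by itself; attempts spaced out in
# time stay below it, so look at the count AND the rate per (account, source).
$records | Group-Object User, Source | ForEach-Object {
    $n = $_.Count
    if ($n -lt $MinFailures) { return }
    $times     = @($_.Group.Time | Sort-Object)
    $spanHours = ($times[-1] - $times[0]).TotalHours
    $rate      = if ($spanHours -gt 0) { $n / $spanHours } else { [double]$n }
    if ($rate -le $MaxPerHour) {
        [pscustomobject]@{
            User      = $_.Group[0].User
            Source    = $_.Group[0].Source
            Failures  = $n
            SpanHours = [math]::Round($spanHours, 1)
            PerHour   = [math]::Round($rate, 2)
        }
    }
} | Format-Table -AutoSize
```

Failed logons against a domain account are recorded on the domain controller, so the script should be run there (or against collected logs) to see guessing against domain users.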

Importance of hashing passwords

In the operating system passwords are not stored in clear text. When a password is chosen, its hash is stored, and no trace of the clear-text password remains in the system. When a user tries to log in, the hash function is applied to the password entered and the result is compared with the hash stored in the system. For this reason the attacker will try to sniff the hash of the password.

Eavesdropping on Network Password Exchange

The major protocols vulnerable to this kind of attack are LM (LAN Manager), Kerberos and, to a lesser extent, NTLM.

cain is a tool used, among other things, to sniff LAN Manager challenge-response password hashes. cain sniffs the traffic and shows the exchanged hashes; after retrieving a hash, cain can also try to crack the password. In theory computing the inverse of a hash is difficult, but for unsalted hashes rainbow tables can be used.

Rainbow Table

Rainbow tables are precomputed tables of (password, hash of password) tuples containing a large number of passwords. The attacker can use them to compute the inverse of a hash in linear time (with respect to the length of the dictionary). Today GPUs are so powerful that rainbow tables are not used anymore: hashes are computed in real time on the GPU.

Kerberos is another service that can be sniffed to acquire user passwords. That's because Kerberos sends a pre-authentication packet which contains a timestamp encrypted with a key derived from the user's password, so offline attacks on that exchange can reveal a weak password; cain has an MSKerb5-PreAuth packet sniffer and can perform ARP poisoning.

Other tools used are LCP, L0phtcrack and KerbSniff.

Countermeasures

To prevent password sniffing disable LM authentication and use instead extensions like NT LAN Manager, which uses salt. Obviously pick good passwords and do not allow dictionary passwords; also use public key encryption and the built-in Windows IPsec to authenticate and encrypt traffic.

Man in The Middle

The attacker sits between the client and the server and is able to intercept, transparently, every packet the client and the server exchange: the attacker can just relay the messages or inject new ones. On Windows, SMBRelay and SMBproxy pass authentication hashes along to get authenticated access to the server; a man in the middle can perform two different attacks, pretending to be the client with the server and to be the server with the client while playing with the authentication hashes.

SMB is commonly used inside organizations for file sharing; for this reason it is an easy and common target.

cain is an important tool that can be used to perform man-in-the-middle attacks, because it integrates a lot of functionalities: password sniffing, password cracking, dictionary attacks, rainbow table attacks and ARP poisoning. ARP poisoning enables the attacker to redirect the flow of communication from the client machine to its own machine in a switched network. cain can also downgrade the authentication features of a Remote Desktop server by pretending to be a client with an older version of the Remote Desktop client (Windows backward compatibility), exploiting vulnerabilities present in the old protocols. cain can also perform MITM attacks against the Kerberos service.

Countermeasures

MITM attacks have to be prevented with multi-layer security, because they are very destructive and difficult to stop once under way.

If an attacker is inside the local area network it's very difficult to counter a MITM attack; to limit the risk of this kind of attack it's important to use authenticated and encrypted protocols, enforcing them with Group Policy and firewall rules. It's also suggested to verify the identity of remote servers with strong authentication or trusted third parties (like public key authentication and digital signatures). Another countermeasure useful to limit MITM attacks is to disable the NetBIOS Name Service.

Pass-The-Hash

One of the popular attacks on Windows machines is pass-the-hash; it is composed of different steps and can be performed when the attacker is inside the network:

  1. compromise a machine;
  2. dump the password hashes stored in RAM (some servers cache the hash of the last authenticated user's credentials for optimization purposes);
  3. use them as credentials for other network services without cracking them.

This kind of attack can compromise a Windows domain by compromising just one machine, leading to a possible recursive attack. Sometimes the hash of the administrator credentials can be found, allowing the attacker to perform privilege escalation. The attacker can also ambush the administrator: crash a service on a given server, wait for the administrator to log in, and then dump the hash.

This kind of attack is difficult to perform, but there are tools for it, such as Windows Credentials Editor (WCE), which is also useful to check whether an attacker could perform this attack on a given machine. WCE can dump the in-memory credentials of logon sessions, with usernames and domains.

Implementation of LSAEncryptMemory

Some old Windows services do not use the hash of the password but encrypt it, so in order to verify the password (for login) the OS needs to keep the encryption key in RAM; WCE can easily dump the encryption key, allowing the attacker to retrieve the clear-text password.

Pass-The-Ticket

The Kerberos service can be exploited by dumping Kerberos tickets from RAM and re-using them, in the same way as a pass-the-hash attack. Of course this kind of attack too is viable only if the attacker has compromised the host machine.

Countermeasures

NTLM is vulnerable by design, so no fix is possible; prevention mechanisms are needed against this post-exploitation technique. A possible prevention technique is 2FA, which can defend from unauthorized logins.

Remote Unauthenticated Exploits

These exploit some of the vulnerabilities present in major components of the operating system, like the kernel, and also in applications. The targets are:

Metasploit is the main tool used to perform this kind of exploit; it is a complete framework with GUI and CLI that uses an archive of exploits and modules, allowing remote unauthenticated attacks to be performed easily knowing only the IP address and which service to exploit. The database of exploits used by Metasploit is about two months behind the official Microsoft security bulletins.

Microsoft services were the main target of attacks; after they were fixed, attackers focused on device drivers, because they are not written by Microsoft and can have exploitable vulnerabilities.

Countermeasures

It's important to apply patches quickly; if a service is unpatched or legacy, workarounds have to be used (disable services, use Access Control Lists and so on). To prevent and spot attacks it's important to audit, log and monitor traffic. Computer Security Incident Response Teams have to be formed to prevent, respond to and mitigate cyber attacks; it is a heterogeneous team composed of technical, legal and public relations people that should be ready before a cyber attack with a solid response plan.

The response plan is a complicated set of procedures and actions to be taken when a cyber attack takes place; there are specialised companies that provide response plans and Computer Security Incident Response Teams for other organizations.

End User Application Exploits

End users are the weakest link of the chain: most of the time end users are not technically capable and use complex application software, and the combination of the two can easily lead to attacks, since user data and user credentials are both managed by the application. Usually application software is not under the observation of the IT and security departments, and the implementation of end-user applications is focused not on security but on providing features.

The National Vulnerability Database contains a list of vulnerabilities that affect end-user applications; interestingly, the number of vulnerabilities in some software increases year after year.

Countermeasures

Configure the firewall on all machines to limit outbound connections, so that even if a machine is compromised the attacker cannot infiltrate further. Of course keep all software updated and use antivirus (to limit intrusions performed using basic or well-known malware). Other security procedures are not running end-user applications with administrator privileges, reading email in plain text, and limiting macros in MS Office or running them in a security layer (limiting the damage they can do).

Device driver exploits

Device drivers are a major target of attacks; a famous vulnerability was a buffer overflow in a wireless device's driver that could be exploited using a simple beacon frame, giving a remote administrator shell. Device driver vulnerabilities are possible for different reasons: first of all, driver software is written by third-party companies and is written to be plug and play; moreover the software runs at kernel level with administrator privileges, so compromising one driver leads to the compromise of the entire system.

Countermeasures

First of all apply vendor patches, and disable wireless networking where there is a high concentration of APs or in high-risk environments. Be sure to use signed, trusted drivers, but be aware that signed drivers might not have been carefully tested (EternalBlue vulnerability). The User-Mode Driver Framework is a well-defined interface for writing drivers, provided by the Windows operating system, that forces driver developers to use system calls already implemented by the kernel, limiting the code that can lead to vulnerabilities.

Authenticated Attacks

In this phase the attacker has obtained a user account on at least one machine in the network and tries to become Administrator or SYSTEM on that machine (privilege escalation). On Windows, tools that can be used to perform a privilege escalation are generically called getadmin; getadmin.exe was an early exploit used to become system administrator.

SYSTEM Status

SYSTEM status is an additional status on Windows machines; it is more powerful than the Administrator account. The administrator can schedule tasks to be performed as SYSTEM.

Countermeasures

To prevent privilege escalation it's important to keep Windows machines patched and to restrict interactive logon to trusted accounts by applying security policies on critical systems (no guest account); always assume that every interactive logon is potentially an Administrator logon. Check secpol.msc to view the local policies and deny local logon.

Suppose that the attacker manages to acquire Administrator status; the next step is to penetrate deeper into the network, so the attacker will try to crack and acquire passwords and to perform post-exploitation operations like disabling the local firewall.

Dictionary attack

Dictionary attacks use a "dictionary", a set of words, to which the same hash function used by the operating system is applied; the hashes are then compared with the user's password hash. When a match is found the plain-text password is obtained. To perform this attack the attacker trades space for time: exponential space for a linear-time solution. A hash salt makes the attack less feasible by increasing the space needed, so its presence slows the attack. Salts are stored in clear text in the password file of the OS (the /etc/shadow file on *nix).

Today the hashing power of GPUs permits performing this kind of attack online, without the need to sacrifice space, which speeds up the attack. Machine learning dictionary attacks may be more efficient because they can generate passwords by correlation, as a human being would do, when creating dictionaries.

Grab password hashes

One of the first locations in Windows where it is possible to find password hashes is the Security Account Manager (NT4 and earlier), a file that contains the local users of a machine. In an organization setting the user accounts are located on a remote machine, but local administrator accounts can be present. Fundamentally the SAM file is the equivalent of /etc/shadow; it's located in \system32\config\SAM and in the registry key HKEY_LOCAL_MACHINE\SAM, but while the system is running the SAM file is locked.

On Windows 2000 and later the password hashes are stored inside Active Directory: \WindowsDS\ntds.dit.

An easy way to get the hashes of user passwords is to use cain from the Cracker tab and save the SAM file to disk, even while the system is running. It works by injecting a DLL into a high-privileged process of the running system. Other ways to get the SAM file are booting the system into a live OS, using a repair disk utility, or sniffing Windows authentication exchanges.

Countermeasures

There is no defense against this kind of attack, because to perform it the attacker already has Administrative privileges. Hackers will try to get access to the domain controller.

In general hashes are supposed to be difficult to invert, but older implementations (LM hashes) are weak and easy to break; unfortunately older implementations are still used for backward compatibility reasons. Note that Windows versions prior to Windows 7 do not use salt, making the use of precomputed rainbow tables possible: same password, same hash.

NTLM Hash Algorithm

NTLM used MD4 hashing until 2004. The 16-byte NTLM hash is null-padded to 21 bytes and then split into three 7-byte thirds, which are used as three DES keys to DES-encrypt the challenge from the Type 2 message, resulting in three 8-byte ciphertexts that are concatenated to form a 24-byte value. This algorithm is weak because the attacker can obtain the final 24-byte value by attacking the single 7-byte strings separately.
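As an added worked count (not part of the original notes), write \(H\) for the 16-byte NTLM hash, \(C\) for the 8-byte challenge and \(\|\) for concatenation. The padding and split described above give

\[
H \| 0^{5} = K_1 \| K_2 \| K_3, \qquad |K_1| = |K_2| = 7 \text{ bytes}, \qquad K_3 = H[14..15] \| 0^{5},
\]

\[
R = \mathrm{DES}_{K_1}(C) \| \mathrm{DES}_{K_2}(C) \| \mathrm{DES}_{K_3}(C).
\]

Each 8-byte block of \(R\) depends on one key only, so an attacker who has captured \((C, R)\) can search the three thirds independently. A DES key has 56 effective bits, and \(K_3\) contains only two unknown bytes, so the total work is

\[
2^{56} + 2^{56} + 2^{16} \approx 2^{57} \ll 2^{128}
\]

DES operations instead of a search over the whole 128-bit hash, and what is recovered is \(H\) itself, which is all a pass-the-hash attack needs.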

In general slow algorithms are better for hashing passwords: the legitimate user computes just one hash (because he knows the password), but the attacker has to compute a huge number of hashes in order to crack the password. Fast hashes should not be used for password authentication.

Brute force and Dictionary attacks

The two major techniques for cracking passwords are brute force and dictionary attacks, with variation rules. Some famous tools are John the Ripper, LCP, Cain, Ophcrack and Elcomsoft.

Countermeasures

To prevent password cracking use strong passwords, but it's difficult to define what a strong password is. After a given point, the probability that a password is cracked does not decrease any more with its length, because of the way humans create passwords: characters are correlated, so no entropy is added.

The real strength of the password is related to the unpredictability of the characters used.

Dumping cached password

Some applications store a local copy of user credentials in a cache without any kind of encryption. A famous application that does this is the Local Security Authority, which caches the logon credentials for external systems outside the local domain. LSA cached credentials are available under the registry subkey HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. The external services whose credentials are commonly stored are backup machines and remote machines used by employees. It is a very rich source of credentials for the attacker.

When the machine is off the cached credentials are encrypted, but they are decrypted and retained in memory after login. LSA secrets can be dumped using the cain LSA secrets dumper.

If a host is offline and cannot reach the domain controller, it can still perform a correct logon of the user, because the information about the last ten users is kept locally. The tool CacheDump can reverse the encryption of the last ten domain logons stored; this tool works if executed as Administrator of the machine. Also john (John the Ripper) can crack them.

Usually the attacker becomes administrator of a local machine used by a normal employee, because from there it is easier to perform escalation. Be aware that every time Remote Desktop Protocol is used, the credentials used by the connection are stored locally, so if that machine is compromised the attacker can retrieve them.

Another tool that can be used to dump credentials cached in memory is Windows Credentials Editor, particularly for users logged in at the exact moment of the attack, because it extracts clear-text passwords from RAM.

Countermeasures

Microsoft offers a patch that limits the number of credentials cached. Preventive security is fundamental against this kind of attack, because the attacker needs Administrator or SYSTEM privileges to dump the passwords. An attacker with a local admin account can compromise other accounts by performing a cache dump. Valid advice is to avoid using high-privileged domain accounts to log on to local machines (i.e. to start services); also try to avoid RDP connections.

Remote Control and Back doors

Back doors are the way attackers consolidate their access to a machine; back doors are hidden services that allow the attacker to control a machine remotely. The objective of the attacker is to consolidate remote access without logging on to a given machine.

nc -l -e cmd.exe -p 8080

Netcat listens on port 8080 and executes the command prompt on connection, without any need for credentials; the -d option can be used to make it stealthier. If the command was executed with administrator privileges, the command prompt spawned will have administrator privileges.

telnet <ip> 8080

The above is the command the attacker runs to connect to the previously created back door.

PsExec

psexec.exe can be used to perform remote control by passing credentials; it uses the SMB port, TCP 139 or 445. In Metasploit a lot of ready-to-deploy back doors are present. This kind of back door is very basic.

Graphical Remote Control

Virtual Network Control (VNC) can be installed on the target machine by the attacker (it is also part of the Metasploit ready-to-use back doors); this is useful because a lot of modern network devices are equipped with a GUI used to modify configurations.

Port Redirection

Assume that the attacker has a back door running on the target machine and wants to use telnet, but the firewall blocks port 23; the attacker can set up a port redirection allowing access to a specific port of the target behind the firewall. fpipe can be used to perform a port redirection.

fpipe -v -l 53 -r 23 192.168.234.37

Everything that comes in on port 53 will be redirected to port 23 on the target machine (and vice versa).

Covering Tracks

After the attacker has expanded its control inside the target network, it will hide the evidence of the intrusion and hide a toolkit to use for regaining control in the future and against other systems. Back doors also have to be installed in such a way that they do not raise suspicion.

First of all the attacker will disable auditing.

Disabling Auditing

The IDS can detect traces of the intrusion, or the administrator can notice strange things. The attacker will use:

auditpol / disable

to stop auditing; this command is part of the operating system itself. At the beginning of the attack, during the creation of the back door and of the toolkit, the hacker will disable auditing with auditpol and then re-enable it before leaving the system. Another tool that can be used is elsave, which allows selective cleaning of the log.
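Switching auditing off and on again, and cleaning the log, both leave traces that a defender can look for. The following PowerShell script is an added example, not part of the original notes: it reads the effective audit policy through auditpol and lists the events recorded when the audit policy is changed (Event ID 4719) or the Security log is cleared (Event ID 1102). It assumes an elevated PowerShell session.

```powershell
# Added example (not from the original notes): check that logon auditing is still
# enabled and look for the traces left when auditing is switched off or the log
# is wiped. Event IDs used: 4719 (system audit policy changed) and 1102 (audit
# log cleared). Assumes an elevated PowerShell session.

# 1. Ask auditpol for the effective policy as CSV and flag disabled subcategories.
#    Columns of the /r output include "Subcategory" and "Inclusion Setting".
$watch  = 'Logon', 'Logoff', 'Audit Policy Change', 'Security State Change'
$policy = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($row in $policy) {
    if ($watch -contains $row.Subcategory -and $row.'Inclusion Setting' -eq 'No Auditing') {
        Write-Warning "Auditing is OFF for subcategory '$($row.Subcategory)'"
    }
}

# 2. Turning auditing off and back on is itself audited (4719), and clearing the
#    Security log leaves a 1102 as its first surviving entry; list both.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719, 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Forwarding the Security log to a central collector means these entries survive even when the local log is cleaned selectively.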

Alternate Data Stream

After deleting the evidence of the attack from the logs, the attacker has to hide the presence of the maliciously installed software. An easy way is to use the +h attribute, which sets a hidden bit that hides the file in its folder. The more complicated, but more powerful, way is to use an Alternate Data Stream. Alternate data streams are a feature of the NT file system designed for compatibility with Macintosh; they allow hiding a file within a file. An alternate data stream can contain additional data and/or metadata, so a file is composed of:

Alternate streams can be used to hide huge amounts of data, because the operating system does not show the size of the alternate data streams. However it's very easy to remove all the alternate data streams of a file: just copy the file to a FAT partition and then back to NTFS.

The name of an alternate data stream can be any string, even a random alphanumeric string, which makes alternate data streams more difficult to find. The cp command can copy one alternate data stream to another; with LADS or SFIND it's possible to detect alternate data streams.

Rootkits

Rootkits are used to hide malicious processes running on a machine, but also files, accounts and back doors. They are a very flexible tool to keep the attack stealthy. In order to install a rootkit the attacker has to be system administrator. The most powerful rootkit is the kernel rootkit, which is installed in a similar way as drivers are installed. The kernel rootkit takes possession of the kernel jump table, which is a vector of \(n\) locations, each corresponding to a system call; each location holds a pointer to the executable code of the corresponding system call.

When the rootkit takes possession of the kernel jump table, it can call a malicious version of a system call before calling the real one (system call interposition). It has full control over the view users have of the operating system; in practice the machine is under the control of the attacker. The administrator can do nothing to counter a kernel rootkit. A way to identify the presence of a rootkit is to boot the system with a live operating system and search for mismatches in the results of system calls.

There are several kinds of rootkits: persistent (they survive reboots, installing their code on the file system of the target) and memory-based (they are installed only in RAM; they do not survive a reboot but leave no evidence, and they are launched from RAM disks). Another big distinction is between kernel and user rootkits.

User rootkits can intercept and modify the outcome of system calls by modifying a library (the C library, Java and so on); it's a simpler type of rootkit, but it can be easily detected. The administrator should invoke system calls both through the kernel and through the library to see if there are differences.

WHIPS, Windows Intrusion Detection System, was a rootkit designed to make the Windows operating system more reliable.

Countermeasures

If a system has been compromised with administrator privileges, the OS has to be reinstalled completely. If the OS can't be reinstalled, four areas have to be covered: files, registry keys, processes and network ports.

Windows Security Features

Windows has some built-in security features for consumers, like the Windows Firewall, automatic updates and the Security Center. These security features are really useful for hardening the OS.

The Windows Firewall is enabled by default with very restrictive policies regarding open ports, blocking all inbound connections. Automatic updates can be viewed as a security feature for consumers, but in enterprise environments automatic updates may produce malfunctions or introduce vulnerabilities; in general for end users automatic updates are a good idea. Another thing to keep in mind when considering automatic updates is that the updated machine has to be rebooted to finish the update; in large environments a plan has to be made to perform them, and an infrastructure has to be put in place to test the compatibility of updates with third-party software. The Security Center allows end users to perform some configuration tasks regarding firewall, antivirus and permissions.

For professionals Windows has some more specific tools:

BitLocker and EFS

Another important feature of Windows is the protection of the file system. The Encrypting File System uses a symmetric key that is encrypted with the public key of the user and stored as an attribute of the file; the symmetric key is first decrypted with the private key, and then the file is decrypted. It prevents unauthorized access to remote files and protects the files in case of a boot from a live OS. Microsoft provides a tool to recover encrypted files through the recovery agent, an account that can decrypt any file; the recovery agent is implemented by using a secondary attribute in each file, where the symmetric key is encrypted with the public key of the Recovery Agent account. Clearly this tool can lead to privacy and security issues: it is a single point of failure.

Commonly the Recovery Agent is stored on the Domain Controller, which is a common target of attacks.

BitLocker encrypts the whole hard drive; the OS manages the encryption and decryption of files. It is implemented by a kernel module that manages access to files, and the key is stored inside the module itself.

Cold Boot attack

Published several years ago, it is a hardware attack that allows extracting BitLocker encryption keys from RAM. This attack is performed by cooling down the RAM and then retrieving the keys. A countermeasure for cold boot attacks is to use a removable module to store the keys.

Other Security Features

Windows also has some additional protection measures for files critical to the system; they prevent accidental misconfiguration or malicious editing of those files. The TrustedInstaller account is needed for write access to those files. Built into the kernel there is Mandatory Integrity Control, which implements Mandatory Access Control, where security levels can be defined to ensure correct access to files.

Usually the administrator account can administer all the resources of the system; the idea of service resource isolation is that different administrators can be specialised for different parts of the system, so that if an administrator account is compromised only some services are compromised. It is an implementation of the least privilege idea; also, Windows maps all system processes and services into session 0 and all user processes into session 1, and this division enforces Windows service hardening.

Compiler-based enhancements can be used to add buffer overflow security checks: GS (Guard Stack, or canary), ASLR and SafeSEH; all of these security measures can be enabled by options at compile time. The canary is generated randomly and is a string containing characters that normally can't be written to the stack, preventing an attacker from tampering with the stack by overwriting the canary with the same string. Other approaches involve the use of external modules like a TPM to manage the creation and checking of the canary string. These schemes assume that the source code is available to recompile all the services with the security flags. For decades the Microsoft service installation system was the same on every system, so each service had the same address space allocated; for this reason ASLR is needed to prevent an exploit from working on every host. The Center for Internet Security offers free advice for securing Windows systems (more on this).