Infiltrating Windows

🪟 Infiltrating Windows – Summary Notes

🔥 Windows Attack Surface

Microsoft continues to dominate enterprise and home systems.
Expanding features: Active Directory, Cloud Integration, Windows Subsystem for Linux (WSL).
Growing attack surface → 3688 vulnerabilities in the last five years (as of the referenced table).

⚠️ Prominent Windows Exploits

Vulnerability

Description

MS08-067

SMB flaw used by Conficker & Stuxnet for RCE. Very efficient.

EternalBlue (MS17-010)

Exploited SMBv1; used in WannaCry and NotPetya. Leaked NSA exploit.

PrintNightmare

RCE in Print Spooler; privilege escalation with printer driver abuse.

BlueKeep (CVE 2019-0708)

RDP vulnerability. Used a channel miscall for RCE (Windows 2000 – 2008 R2).

SigRed (CVE 2020-1350)

DNS server flaw. Exploiting it could grant Domain Admin access.

SeriousSam (CVE 2021-36934)

Weak ACLs allow access to C:\Windows\system32\config & SAM files via shadow copies.

Zerologon (CVE 2020-1472)

Cryptographic flaw in Netlogon (MS-NRPC). Can reset passwords on DCs via ~256 login attempts.

🔍 Enumerating Windows & Fingerprinting

✅ Method 1: Ping TTL Value

Windows systems typically respond with TTL = 128 (can vary slightly due to hops).
Command:

ping 192.168.86.39

Sample Output:

64 bytes from 192.168.86.39: icmp_seq=0 ttl=128 time=102.920 ms

✅ Method 2: OS Detection Using Nmap

Use -O for OS detection and -v for verbosity.
Command:

sudo nmap -v -O 192.168.86.39

Sample Output:

OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 1909

📌 If results are poor, use:

sudo nmap -A -Pn 192.168.86.39

✅ Method 3: Port Enumeration & Banner Grabbing

Use banner.nse script for banner detection.
Command:

sudo nmap -v 192.168.86.39 --script banner.nse

Sample Output:

902/tcp open  iss-realsecure
| banner: 220 VMware Authentication Daemon Version 1.10: ...
912/tcp open  apex-mesh
| banner: 220 VMware Authentication Daemon Version 1.0, ...

⚙️ Payload Types for Windows Exploitation

File Type

Purpose

DLL

Used for shared code; inject/hijack to gain SYSTEM privileges.

Batch (.bat)

DOS scripts to automate commands; can run enumeration or reverse shells.

VBS

Visual Basic scripts often used in phishing attacks.

MSI

Used by Windows Installer to install apps; can run reverse shells via msiexec.

PowerShell

Used for scripting and shell interactions; very flexible for payloads and post-exploitation.

🛠️ Tools, Tactics & Procedures (TTPs)

🔧 Payload Generation Tools

Tool

Description

MSFVenom / Metasploit

Most common tools for generating and delivering payloads.

PayloadsAllTheThings

Huge resource for payload cheat sheets and examples.

Mythic C2

Full-featured Command and Control framework.

Nishang

PowerShell offensive scripts and implants.

Darkarmour

Payload obfuscation and evasion framework.

🚚 Payload Transfer & Execution Methods

Tool / Method

Description

Impacket

Python-based suite for SMB, WMI, psexec, Kerberos, etc.

PayloadsAllTheThings

Handy one-liners and cross-protocol examples for transfer.

SMB

Common internal transfer method using C$, ADMIN$, or shared folders.

MSF modules

Many Metasploit modules handle automatic delivery & execution.

FTP, TFTP, HTTP/S

Useful when exposed or enabled on target.

PreviousCrafting Payloads with MSFvenom Next🛠️ MS17-010 EternalBlue

Last updated 10 months ago

hashtag🪟 Infiltrating Windows – Summary Notes

hashtag🔍 Enumerating Windows & Fingerprinting

hashtag⚙️ Payload Types for Windows Exploitation

hashtag🛠️ Tools, Tactics & Procedures (TTPs)

hashtag🚚 Payload Transfer & Execution Methods

🪟 Infiltrating Windows – Summary Notes

🔍 Enumerating Windows & Fingerprinting

⚙️ Payload Types for Windows Exploitation

🛠️ Tools, Tactics & Procedures (TTPs)

🚚 Payload Transfer & Execution Methods