Introduction to Windows
As a penetration tester, it is important to have knowledge of a wide variety of technologies. A thorough understanding of Windows and Linux operating systems is beneficial in a wide range of assessment types. The majority of systems that we encounter during assessments, whether on-premise or in the cloud, will be based on these two operating systems. It is important to understand how to attack and defend these operating systems and how they can each be used as a platform to perform further penetration testing activities.
The Windows Operating System
Microsoft first introduced the Windows operating system on November 20, 1985. The first version of Windows was a graphical operating system shell for MS-DOS. Later versions of Windows Desktop introduced the Windows File Manager, Program Manager, and Print Manager programs.
Windows 95 was the first full integration of Windows and DOS and offered built-in Internet support for the first time. This version also debuted the Internet Explorer web browser. Since the initial version, there have been over a dozen versions of Windows released, such as Windows XP, Vista, and 8, up to the current version: Windows 10. Over time, Microsoft has offered various editions of each Windows Desktop release catering to everyone from casual consumers to enterprise customers.
Windows Server was first released in 1993 with the release of Windows NT 3.1 Advanced Server. Windows NT saw several updates over the years, adding in technologies such as Internet Information Services (IIS), various networking protocols, Administrative Wizards to facilitate admin tasks, and more. With the release of Windows 2000, Microsoft debuted Active Directory, originally intended to help sysadmins set up file sharing, data encryption, VPNs, etc. Windows Server 2000 also included the Microsoft Management Console (MMC) and supported dynamic disk volumes.
Windows Server 2003 came next with server roles, a built-in firewall, the Volume Shadow Copy Service, and more. Windows Server 2008 included failover clustering, Hyper-V virtualization software, Server Core, Event Viewer, and major enhancements to Active Directory. Over the years, Microsoft released further Server versions, including Server 2012, Server 2016, and most recently, Server 2019. This latest version added support for Kubernetes, Linux containers, and more advanced security features.
As new versions of Windows are introduced, older versions are deprecated and no longer receive Microsoft updates (unless a long-term support contract is purchased in some cases). Windows Server 2008 and 2012 reached end of life for security updates on January 14, 2020. Currently, only Server 2012 R2 and later are in support. However, Microsoft has released out-of-band patches for earlier versions of Windows in the past few years due to the discovery of the critical SMBv1 vulnerability (EternalBlue).
Many versions of Windows are now deemed "legacy" and are no longer supported. Organizations often find themselves running various older operating systems to support critical applications or due to operational or budgetary concerns. An assessor needs to understand the differences between versions and the various misconfigurations and vulnerabilities inherent to each.
The following is a list of the major Windows operating systems and associated version numbers:
| Operating System Names | Version Number |
|---|---|
| Windows NT 4 | 4.0 |
| Windows Server 2003, 2003 R2 | 5.2 |
| Windows Vista, Server 2008 | 6.0 |
| Windows 7, Server 2008 R2 | 6.1 |
| Windows 8, Server 2012 | 6.2 |
| Windows 8.1, Server 2012 R2 | 6.3 |
| Windows 10, Server 2016, Server 2019 | 10.0 |
We can use the Get-WmiObject cmdlet to find information about the operating system. This cmdlet can be used to get instances of WMI classes or information about available WMI classes. There are a variety of ways to find the version and build number of our system. We can easily obtain this information using the win32_OperatingSystem class, which shows that we are on a Windows 10 host, build number 18362.
PS C:\htb> Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber

Version    BuildNumber
-------    -----------
10.0.19041 19041
Some other useful classes that can be used with Get-WmiObject are Win32_Process to get a process listing, Win32_Service to get a listing of services, and Win32_Bios to get BIOS information. We can use the ComputerName parameter to get information about remote computers. Get-WmiObject can also be used to start and stop services on local and remote computers, and more. Further information about the cmdlet can be found in Microsoft's PowerShell documentation.
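As an added example (not part of the original module), the following PowerShell function ties the version table above to the Get-WmiObject query: it reads Win32_OperatingSystem from one or more hosts via the ComputerName parameter, maps the major.minor version to the table's OS family, and flags releases that the text lists as out of support (anything older than Server 2012 R2, version 6.3). The remote host name is a placeholder.

```powershell
# Added example: inventory OS version/build via WMI and flag legacy releases.
# Version-to-name mapping taken from the table above (major.minor -> family).
$OsFamilies = @{
    '4.0'  = 'Windows NT 4'
    '5.2'  = 'Windows Server 2003, 2003 R2'
    '6.0'  = 'Windows Vista, Server 2008'
    '6.1'  = 'Windows 7, Server 2008 R2'
    '6.2'  = 'Windows 8, Server 2012'
    '6.3'  = 'Windows 8.1, Server 2012 R2'
    '10.0' = 'Windows 10, Server 2016, Server 2019'
}

function Get-OsSupportStatus {
    param(
        # Hosts to query; '.' is the local machine. Remote names are placeholders.
        [string[]]$ComputerName = @('.')
    )
    foreach ($target in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
        } catch {
            Write-Warning "WMI query to $target failed: $($_.Exception.Message)"
            continue
        }
        # Version looks like '10.0.19041'; key the table lookup on major.minor.
        $parts  = $os.Version.Split('.')
        $key    = "$($parts[0]).$($parts[1])"
        $family = if ($OsFamilies.ContainsKey($key)) { $OsFamilies[$key] } else { 'Unknown' }
        # Per the text, only Server 2012 R2 (6.3) and later still receive security
        # updates, so anything below 6.3 is reported as legacy.
        $legacy = [version]$key -lt [version]'6.3'
        [pscustomobject]@{
            ComputerName = $os.CSName
            Caption      = $os.Caption
            Version      = $os.Version
            BuildNumber  = $os.BuildNumber
            Family       = $family
            Legacy       = $legacy
        }
    }
}

# Local host plus a placeholder remote name; replace or drop as appropriate.
Get-OsSupportStatus -ComputerName '.', 'SRV-PLACEHOLDER-01' | Format-Table -AutoSize
```

Remote queries over WMI need the caller to hold administrative rights on the target and DCOM/RPC reachability; a failed host is reported as a warning rather than aborting the run.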
Connect via Remote Desktop (RDP) using the following command:
$ xfreerdp /v:<targetIp> /u:htb-student /p:Password
Note: It may take 1-2 minutes for your target instance to spawn.