Education

Exploitation of common Windows services is an important area of knowledge for both offence and defence.

  • Server Message Block (SMB)
  • Remote Desktop Protocol (RDP)
  • Windows Management Instrumentation (WMI)
  • Windows Remote Management (WinRM)
  • File Transfer Protocol (FTP)

Other common technology platforms in the Windows stack include:

  • Active Directory Domain Services (ADDS)
  • Active Directory Certificate Services (ADCS)
  • Internet Information Services (IIS)
  • Microsoft SQL Server (MSSQL)

For now I’m just going to look at a few of the common protocols and vectors.

Common Attack Vectors

I’m not going to go into much detail, but I wanted to show people the types of attack each service faces from a routable or network-adjacent position, i.e. from an attacker who can reach the port rather than one who already has code running on the host.

RDP (TCP 3389)

  • Brute force
  • BlueKeep (CVE-2019-0708, a pre-authentication remote code execution bug)
  • Backdoor via Sticky Keys or other accessibility features (sethc.exe, utilman.exe) launched from the logon screen

A common tool for brute-forcing RDP is Hydra.
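The defensive side of the RDP vectors above, as an added example that is not part of the original post: a local check for the two accessibility-feature backdoor variants (an Image File Execution Options "Debugger" hijack, or the accessibility binary being overwritten with a shell) plus the RDP enablement and Network Level Authentication settings. The registry paths and value names are the standard Windows ones; the list of accessibility binaries and the "shells to compare against" are this example's own assumptions. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original post). Run as Administrator.
# Assumptions: the accessibility binaries listed and the shells they are
# typically replaced with; registry paths are the standard Windows ones.

$accessibilityBinaries = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. IFEO "Debugger" hijack: IFEO\sethc.exe\Debugger = cmd.exe makes the logon
#    screen launch cmd.exe as SYSTEM when Shift is pressed five times.
foreach ($bin in $accessibilityBinaries) {
    $key = Join-Path $ifeoRoot $bin
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Warning "IFEO Debugger set for ${bin}: $dbg" }
    }
}

# 2. Binary replacement: the classic variant copies cmd.exe over sethc.exe.
#    If an accessibility binary hashes identically to a shell, it was swapped.
$shellPaths = @(
    (Join-Path $system32 'cmd.exe'),
    (Join-Path $system32 'WindowsPowerShell\v1.0\powershell.exe')
)
$shellHashes = $shellPaths | ForEach-Object { (Get-FileHash -Algorithm SHA256 $_).Hash }
foreach ($bin in $accessibilityBinaries) {
    $path = Join-Path $system32 $bin
    if (Test-Path $path) {
        $h = (Get-FileHash -Algorithm SHA256 $path).Hash
        if ($shellHashes -contains $h) { Write-Warning "$bin has been replaced with a shell binary" }
    }
}

# 3. Exposure: is RDP enabled, and is Network Level Authentication required?
#    NLA makes the client authenticate before a session is created, which is a
#    partial mitigation for pre-auth exploits such as BlueKeep.
$ts     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
[pscustomobject]@{
    RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
    NlaRequired = ($rdpTcp.UserAuthentication -eq 1)
    RdpPort     = $rdpTcp.PortNumber
}
```

The hash comparison only catches the crude copy-over-the-binary variant; a custom backdoor binary would pass it, so the IFEO check and an Authenticode or catalog-signature verification of System32 binaries are the stronger signals.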

SMB (TCP 445)

  • Insecure configuration (SMBv1 enabled, signing not required, over-permissive shares)
  • Brute force
  • Credential spraying
  • MS17-010 (EternalBlue, an SMBv1 remote code execution bug)
  • PsExec-style remote execution over the admin shares and RPC
  • MITM / NTLM relay

There’s a quick intro to SMB vectors here.

WMI (DCOM over TCP 135, then a dynamic high port)

  • Brute force
  • Remote command execution
  • Post-exploitation and lateral movement
  • Backdoors/implants (e.g. WMI event subscriptions for persistence)

WinRM (TCP 5985 over HTTP and 5986 over HTTPS)

  • Brute force
  • Remote code execution
  • Post-exploitation and lateral movement
  • Backdoors/implants

A good tool to understand in this space is Evil-WinRM.
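A configuration audit for the SMB and WinRM vectors listed above, as an added example that is not part of the original post: it reports SMBv1, SMB signing, non-default shares, WinRM listeners and the WinRM authentication settings that matter for credential exposure. It uses the in-box SmbShare cmdlets and the WSMan: drive (which needs the WinRM service running); which settings count as findings is this example's own choice. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run as Administrator.
# Assumptions: in-box SmbShare module and WSMan: drive are available; the
# finding thresholds below are this example's own choices.

$findings = [System.Collections.Generic.List[string]]::new()

# --- SMB (TCP 445) ---
$smb = Get-SmbServerConfiguration
# SMBv1 is the protocol version MS17-010 (EternalBlue) exploits.
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMB: SMBv1 is enabled (MS17-010 attack surface)')
}
# Unless signing is *required*, captured NTLM authentication can be relayed
# to this server by a machine-in-the-middle (the MITM/relay vector).
if (-not $smb.RequireSecuritySignature) {
    $findings.Add('SMB: server does not require signing (NTLM relay possible)')
}
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
    $findings.Add('SMB: client does not require signing')
}
# Shares beyond the administrative defaults are where insecure configuration usually lives.
Get-SmbShare | Where-Object { $_.Name -notin 'ADMIN$','C$','IPC$' } | ForEach-Object {
    $findings.Add("SMB: non-default share '$($_.Name)' -> $($_.Path)")
}

# --- WinRM (TCP 5985/5986) ---
$svc = Get-Service WinRM
if ($svc.Status -eq 'Running') {
    # Each listener is a child item; its settings (Transport, Port, Address) are its own children.
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = @{}
        Get-ChildItem $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        $findings.Add("WinRM: listener $($props.Transport) on $($props.Address):$($props.Port)")
        if ($props.Transport -eq 'HTTP') {
            $findings.Add('WinRM: HTTP listener (relies on Negotiate/Kerberos message encryption, not TLS)')
        }
    }
    # Basic authentication together with AllowUnencrypted means plaintext credentials on the wire.
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    if ($basic -eq 'true' -and $unenc -eq 'true') {
        $findings.Add('WinRM: Basic auth with AllowUnencrypted=true (plaintext credentials)')
    }
} else {
    $findings.Add("WinRM: service is $($svc.Status)")
}

$findings
```

An empty result means none of these specific findings apply; it does not mean the host is patched for MS17-010, which is a separate update-level check.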

IIS (commonly TCP 80 and 443)

Summary

Knowing what is in your network is key to both attack and defence. Knowing what each service does, and how all of this ties together, is what matters when it comes to cyber defence.

People often talk about the number of IPs inside a network as the key metric; what actually matters is the number of services and how they are exposed.
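A way to measure the "number of services and how they are exposed" on a single host rather than counting IPs, as an added example that is not part of the original post: enumerate listening TCP sockets, map the ports the post discusses to their service names, and classify each listener by the address it is bound to. It relies on the in-box NetTCPIP module (Windows 8 / Server 2012 and later); the port-to-service map is this example's own assumption and only covers the ports named above.

```powershell
# Added example (not from the original post).
# Assumptions: NetTCPIP module available; $knownPorts is an illustrative map of
# the ports discussed in the post, not a complete service catalogue.

$knownPorts = @{
    21   = 'FTP'
    80   = 'IIS/HTTP'
    135  = 'RPC endpoint mapper (WMI/DCOM)'
    443  = 'IIS/HTTPS'
    445  = 'SMB'
    1433 = 'MSSQL'
    3389 = 'RDP'
    5985 = 'WinRM (HTTP)'
    5986 = 'WinRM (HTTPS)'
}

function Get-ExposedService {
    # One row per (port, bound address): a service bound to 0.0.0.0 or :: is
    # reachable from any routed network; one bound to loopback is not.
    foreach ($conn in Get-NetTCPConnection -State Listen | Sort-Object LocalPort, LocalAddress -Unique) {
        $port    = [int]$conn.LocalPort
        $service = if ($knownPorts.ContainsKey($port)) { $knownPorts[$port] } else { 'unmapped' }
        $exposure = switch ($conn.LocalAddress) {
            { $_ -in '0.0.0.0','::' }    { 'all interfaces'; break }
            { $_ -in '127.0.0.1','::1' } { 'loopback only'; break }
            default                      { 'specific interface' }
        }
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $port
            Service  = $service
            BoundTo  = $conn.LocalAddress
            Exposure = $exposure
            Process  = $proc.ProcessName
            Pid      = $conn.OwningProcess
        }
    }
}

# Show the full picture, then the count that actually matters: services reachable off-host.
$all = Get-ExposedService
$all | Format-Table -AutoSize
"Listening services reachable from the network: $(($all | Where-Object Exposure -ne 'loopback only').Count)"
```

Run the same function across a fleet (for example via Invoke-Command) and the resulting count of network-reachable services, broken down by service type, is a far more useful exposure metric than the size of the address range.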