Windows Basics
There are two structures for Windows networks: the server-client model and the peer-to-peer model.
We refer to the server-client model as a Domain and to the peer-to-peer model as a Workgroup.
Windows Domain
In the Windows Domain model all users are connected to a Domain Controller; when a user logs in, the machine actually authenticates against the domain controller. The domain controller is in control of the network, for example disabling accounts, applying security policies, and enforcing password length or when a password is due to be changed.
A good example of a domain type network is a school or university where you can access your account from any computer.
If you are interested in setting up a Domain Network you need at least one Windows Server for the domain controller.
If you want to find out whether a machine is part of a Domain or a Workgroup you can visit Control Panel\System and Security\System.
Active Directory (AD)
This is used as a central database that maintains all the configurations and users.
Domain Controller
As I previously mentioned, a DC is in control of all the security aspects between a user and a domain. It's common to have at least two machines configured as domain controllers, so that one can take over in the event that the other fails. Any Windows computer can be configured as a DC.
You can check which domain controller authenticated you with this cmd command: echo %logonserver%
Server Message Block (SMB)
SMB is a network communication protocol that provides shared access to files, printers and serial ports on a network. Linux-based networks that need to be integrated with a Windows machine make use of SMB to accomplish that.
Kerberos and NTLM
Let's start with Kerberos since it's the newest. Its name comes from Cerberus (yeah, you guessed it, the big three-headed dog that guards the gates of the underworld); the name was chosen because Kerberos uses symmetric key cryptography and requires three entities to authenticate. The default port for Kerberos is 88.
It was not made by Microsoft, and it's used in many Unix systems.
To explain simply how it works: when a user logs into the Active Directory domain, Kerberos is used to authenticate. When the password is entered it is one-way encrypted and sent to Active Directory, where it is matched against its password database. The Key Distribution Center (KDC) responds with a ticket-granting ticket (TGT) to the user's machine.
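As an added example (not from the original article), the exchange just described as a toy Python model with the three parties' keys: the client's key derived one-way from its password, the krbtgt key held only by the KDC, and the session key the KDC hands out. The cipher used here is a demo encrypt-then-MAC construction built from HMAC-SHA256, not a real Kerberos encryption type, and the user name, password and principal database are constructed for the demo. The model also shows two checks a KDC makes that the article's attack list relies on: pre-authentication with a wrong key fails, and a TGT sealed under anything other than the krbtgt key is rejected.

```python
"""Added example (not from the original article): a toy model of the
Kerberos AS exchange. The cipher is a demo encrypt-then-MAC built from
HMAC-SHA256, not a real Kerberos encryption type; keys, names and the
principal database below are constructed for the demo."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, token: bytes) -> bytes:
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered token")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def client_key(password: str) -> bytes:
    """One-way derivation of the user's long-term key (toy: SHA-256 of the
    UTF-16LE password under a fixed label)."""
    return hashlib.sha256(b"krb-demo|" + password.encode("utf-16-le")).digest()


KRBTGT_KEY = os.urandom(32)                            # held only by the KDC
PRINCIPALS = {"flaviu": client_key("mypassword123")}  # constructed AD "database"
TICKET_LIFETIME = 10 * 3600                            # seconds


def as_request(user: str, password: str, now: int) -> tuple:
    """Client -> KDC: pre-auth data is a timestamp sealed under the
    password-derived key; the password itself never leaves the client."""
    return user, seal(client_key(password), json.dumps({"ts": now}).encode())


def kdc_as_exchange(user: str, preauth: bytes, now: int, max_skew: int = 300) -> tuple:
    """KDC: verify pre-auth with the stored key, then return a TGT (sealed under
    the krbtgt key, opaque to the client) and the session key for the client."""
    key = PRINCIPALS.get(user)
    if key is None:
        raise PermissionError("unknown principal")
    try:
        ts = json.loads(unseal(key, preauth))["ts"]
    except ValueError:
        raise PermissionError("pre-authentication failed") from None
    if abs(now - ts) > max_skew:
        raise PermissionError("timestamp outside allowed clock skew")
    session_key = os.urandom(32)
    body = {"user": user, "sk": session_key.hex(), "exp": now + TICKET_LIFETIME}
    return seal(KRBTGT_KEY, json.dumps(body).encode()), seal(key, session_key)


def kdc_check_tgt(tgt: bytes, now: int) -> str:
    """What the KDC does when the client later presents the TGT."""
    body = json.loads(unseal(KRBTGT_KEY, tgt))
    if body["exp"] < now:
        raise PermissionError("ticket expired")
    return body["user"]


def demo(now: int = 1_700_000_000) -> dict:
    user, preauth = as_request("flaviu", "mypassword123", now)
    tgt, sealed_sk = kdc_as_exchange(user, preauth, now)
    results = {"tgt_user": kdc_check_tgt(tgt, now)}
    # the client can recover the session key but cannot read or alter the TGT
    results["client_has_session_key"] = len(unseal(client_key("mypassword123"), sealed_sk)) == 32
    try:
        unseal(client_key("mypassword123"), tgt)
        results["client_can_read_tgt"] = True
    except ValueError:
        results["client_can_read_tgt"] = False
    # a wrong password fails pre-auth
    try:
        kdc_as_exchange(*as_request("flaviu", "wrong", now), now)
        results["wrong_password_accepted"] = True
    except PermissionError:
        results["wrong_password_accepted"] = False
    # a ticket sealed under any key other than the krbtgt key is rejected
    forged = seal(os.urandom(32), json.dumps({"user": "flaviu", "sk": "00", "exp": now + 9999}).encode())
    try:
        kdc_check_tgt(forged, now)
        results["forged_tgt_accepted"] = True
    except ValueError:
        results["forged_tgt_accepted"] = False
    return results
```

Run demo() to see all checks pass. The design point is the last one: the KDC trusts any TGT whose tag verifies under KRBTGT_KEY, so that key is the single secret whose compromise makes forged tickets (the Golden Ticket case listed below) indistinguishable from real ones, which is why it must never leave the domain controllers.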
Kerberos provides more security than NTLM but is still vulnerable to attacks.
These are the most common attacks against Kerberos:
Pass-the-ticket: the process of forging a session key and presenting that forgery to the resource as credentials.
Golden Ticket: a ticket that grants a user domain admin access.
Silver Ticket: a forged ticket that grants access to a service.
Credential stuffing and brute force: automated, continued attempts to guess a password.
Encryption downgrade with Skeleton Key malware: malware that can bypass Kerberos, but the attacker must already have Admin access.
DCShadow attack: a newer attack where attackers gain enough access inside a network to set up their own DC to use in further infiltration.
NT LAN Manager (NTLM) is a challenge-response authentication protocol: the domain controller issues a challenge and checks the password-based response. The password hashes are also stored for reuse.
The main difference between Kerberos and NTLM is quite obvious: stronger encryption options and extra third-party verification. These differences set Kerberos apart from NTLM and make systems more secure and harder for cyber criminals to infiltrate.
NTLM is old technology but still in use; it saves passwords locally in the Windows SAM file. NTLM uses the MD4 hash function to hash passwords, a weak algorithm that can be cracked easily.
In order to crack an NTLM hash you need to obtain the hash, pick a tool, and choose a cracking technique.
There are several ways to get the hashes. Windows passwords are stored in the SAM file, but this file is encrypted with the system boot key (stored in the SYSTEM file), so in order to access the hashes you need both of these files. Another method is spear phishing, or tricking the target system into authenticating with its current login credentials.
The first method is harder to perform but potentially gets you more hashes in one operation, versus the other methods, which get you only one hash.
The most common tools for cracking these hashes are Hashcat, John the Ripper and Ophcrack. The main difference between them is that Hashcat supports GPU cracking, which is much faster than CPU cracking.
Cracking techniques are based on brute-force attacks or dictionary-based attacks.
A dictionary attack is basically trying every word from a dictionary (wordlist) as the password.
A brute-force attack, also known as a guessing attack, is trying every possible combination until the correct match is found.
Workgroup
A Workgroup is usually designed for a smaller network, unlike the Domain; in a workgroup network each computer is in control of its own security policies. Within a workgroup network users can see each other and share files.
A workgroup network has its own pros and cons: it's better because there is no single point of failure, and worse because you have to assume users will set up their machines securely.
Accounts in Windows
System is a security principal, not a user. A difference between Administrator and System is that it is possible to give permission on a file to System but not to Administrator.
An example of this would be the SAM file, which holds all the local account information: System has access to this file but Administrator doesn't.
Administrator is a user with the highest privileges.
Normal users are created and stored as objects in Active Directory and are used by us or by programs to log in to a computer.
You can add a new user in Windows with the cmd commands below
net user Flaviu mypassword123 /add
REM Add the user to the Administrators group (making it an administrator)
net localgroup administrators Flaviu /add
Registry
The Windows registry is a hierarchical database that stores settings used by the operating system and other applications.
You can view or edit the registry database with the regedit command.
Drivers
Drivers on Windows are software that allows the operating system to communicate with hardware.
A few examples would be network cards, printers, graphics cards, etc.
If you want to view all the drivers installed on a machine, type driverquery in cmd.
IIS and ASP
Internet Information Services (IIS) is the Windows web server, and Active Server Pages (ASP) is the scripting framework for IIS; the supported languages are Perl, JS, and VBScript.
DLL and BAT files
A Dynamic Link Library (DLL) is a library that contains instructions (code) that other programs can call upon to do certain things.
Bat files in Windows are the equivalent of bash scripts in Linux.
Continue reading about Windows Commands
Thank you for reading my article, until next time!
Your friendly neighborhood Hacker