Hardening Windows endpoints against cyberattack: Part II
In Part I of the blog series, Hardening Windows Endpoints Against Cyberattack, I covered the first three steps of an ethical hack:
Step 0: Pre-Engagement
Step 1: Passive Recon
Step 2: Active Recon (Read about Active Recon for Linux in Part III)
Now the run really begins.
In this blog post, you’ll learn how to put all the knowledge you gained during the planning and reconnaissance steps into action. Let’s walk through the next steps:
Step 3: Service Enumeration
Step 4: Access Exploitation
Step 5: Privilege Escalation
For each step, I’ll cover the goals, strategies, and resources I use in an ethical hacking exercise. Then, I’ll share recommendations for endpoint security activities to block attackers and mitigate your risk.
Step 3: Service enumeration
At this point in the hacking process, I know roughly what is running on the Windows system; now I want to confirm and see if anything provides an initial foothold. So, I build a detailed blueprint of the target and environment.
The first port to check is port 80 the IIS web server. To do this I run curl against the IP address:
-i = include the protocol response in the header
The response shows the version is IIS/10.0, which confirms this is a Windows 10 endpoint. The response is also typical of the default IIS web page, which can be shown below. This indicates that:
- the system has been just provisioned and is due to be a web server but hasn’t yet been set up;
- it was misconfigured;
- a website has been removed; or
- it could be running on another port.
Some of the most common service enumeration tools include:
- rpcclient – Tool for executing client-side MS-RPC functions
- netcat – Powerful network utility
- nbtscan – Tool to scan NetBIOS to find open shares
- smbclient – Client to talk to SMB / CIFS servers
- Metasploit – Penetration Testing Framework
- WFUZZ – Web Application Fuzzer
- DIRB – Web Content Scanner
- GOBUSTER – Web Object Scanner
- NIKTO – Web Vulnerability Scanner
Next, I determine the attack path. I use my own algorithms to determine the best options, based on:
- Do No Harm
I research the possible exploits along the attack path. Some of the tools I use during this process are:
I determine my path to the initial access, such as:
- Exploiting public-facing hardware, OS, or applications
- USB drops
- Supply chain and third parties
- Weak or default credentials
- Through the Wi-Fi
How to reduce your attack surface
- Set up antivirus and malware protection. This can protect users from known threats.
- Run vulnerability scans. Periodic scans help find misconfigured applications, systems, and unpatched software. Integrate your vulnerability scanner into a PAM solution to ensure it has credentials to scan systems fully and provide a complete view of your attack surface. Ensure all USB devices are properly scanned.
- Create multiple network layers and segmentation. Defense-in-depth strategies limit an attacker’s ability to move around. Create blockers between different networks for public-facing applications, services, production servers, data vaults, operations systems, managed employee devices, and bring your own devices. BYOD, which today is more like bring your own office (BYOO), is sometimes referred to as “Bring Your Own Disaster.”
- Train users. Document and share security policies. Hold periodic security training focused on specific threats.
- Secure passwords. Get employees into the habit of using a PAM solution. Reduce one of the biggest causes of cyber fatigue by automating password creation and rotation. Ensure password complexity and integration with SSO and MFA.
- Control access for supply chain and third parties. Take a least privilege and zero-trust approach to your third-party access. Force third parties to access via a PAM solution so you know who they are, what they’ll be doing, and what approvals are required before they’re permitted access.
Related Reading: Download our free eBook, Least Privilege Cybersecurity for Dummies, and see how you can limit user and application access to privileged accounts—especially on endpoints.
Step 4: Access exploitation
There are many potential attack paths. I will stick to the two most popular: bugs in Windows OS/apps and humans.
Bugs in Windows Operating Systems and Applications
This is probably one of the oldest attack methods. It’s been around since the retro days of computing. Yep, around when I was still using an Atari ST 800 XL computer and writing programs in Atari BASIC.
Software has bugs. Ethical hackers participating in bug bounty programs get rewarded for discovering them and some companies make a business out of selling them. There are kernel bugs in operating systems and application bugs that allow attackers to use the software in an unintended way to gain initial access.
With the digital transition to virtualization, cloud computing, and DevOps, we’ve seen an increase in misconfigurations – typically from security not enabled by default – that leaves access open for everyone. The same security methods you use for traditional, on-premise tools are no longer sufficient.
Microsoft has improved Windows operating systems significantly over my near 30 years of using Windows – yes, even DOS days. I know; I am that old!
Windows is the best it’s ever been. Significant improvements in security, the patching process, and less frequent kernel exploits have made Windows more difficult to exploit. Once you introduce users and applications, however, security weakens. (But honestly what is the operating system without users and applications? It’s like a car without wheels or a driver).
The biggest security risk to Windows endpoints is using legacy versions. If you’re using Windows 7/8 or even XP – or, God forbid, you still have any Windows NT or Vista around – your security is like paper waiting for a windy day.
I’m originally from Belfast, Northern Ireland, where every day is windy.
Just like operating systems, applications come in different flavors and security risks. Many application owners tend to install the default with everything checked, which is likely to introduce many features and bugs.
Almost all exploits against operating systems and applications involve at least one of the following:
- Legacy OS with existing known exploits
- Unpatched system with existing known exploits
- Weak credentials – OS and applications
- Default credentials – OS and applications
- Misconfigured system
- Unpatched application with existing known exploits
- Misconfigured application
- Security not enabled
For web applications, I use the OWASP Top Ten:
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Security Misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
Also, check out the 2020 CWE Top 25 Most Dangerous Software Weaknesses from MITRE.
Users are on the front line. They’re under attack from countless cyber criminals. Simply telling users to “click on less of the bad stuff” means we’re leaving them to tackle cyber threats alone. We must work together to make humans a strong link in cybersecurity defense.
Cyber criminals attempt to abuse trust by offering legitimate-looking services. One click on a hyperlink could install malware or ransomware. One shared password could provide personal information and credentials.
BTW, did you click on that hyperlink above?
I’m one of the good guys. As an ethical hacker, the links I set up will only take you to educational or maybe useless information.
But I do hope you at least hovered over the link to see where I was taking you.
If I’m unable to gain access via an operating system or application, I turn to the users.
There are many ways to do this:
- Politely ask users for the password – some will actually hand it over
- Ask support to reset a user’s account for you (Twitter might remember this one)
- Phishing over the phone
- Phishing, pretending to be a legitimate internet service
- Getting users to install a software update—aka a RAT (Remote Access Tool)
- Unattended laptops, especially if they’re logged in
- Man/Woman-in-the-Middle attack
- Using unsecured Wi-Fi or network
- Reused or weak passwords
One of my most successful phishing campaigns was enticing people to pay for speeding tickets. This had a high success rate because it triggered fear. People wanted to avoid spending money and save time.
Similar examples encourage people to click or log in to see:
- Parking fines
- Health insurance
- Health information
- IT surveys
- Unsubscribe buttons
Simply showing people a logon screen makes them want to enter their credentials.
The worst-case scenario is when users are running as a Local Administrator on their Windows endpoints. Then, the game is almost over.
How to protect against access exploitation
Don’t make it easy for attackers. The following Windows hardening practices reduce risk.
- Patch and update Windows endpoints and applications regularly. Remove unused software and get rid of your legacy operating systems and applications. If you can’t get rid of legacy systems, put a strong lock around them via network access and privileged access controls.
- Use antivirus and malware protection. Give users a chance by protecting them from known threats.
- Secure passwords. Use password managers and PAM solutions.
- Practice the principle of least privilege. Ensure users aren’t overprivileged. Don’t let users run as local admins on Windows endpoints.
- Use application control. Only permit trusted applications to execute. Prevent unwanted software from running with elevated privileges.
Step 5: Privilege escalation
All attackers seek privileged accounts. These accounts allow them to come and go as they wish while staying hidden behind legitimate-looking services and credentials.
Windows endpoints come with several types of access control—user accounts, service accounts, and Groups. Each of these is delegated in an ACL (Access Control Lists) that determines access to system resources, such as files, folders, registries, and services. The most wanted accounts are Domain Admin, Local Admin, service accounts, and any accounts listed in the Local Domain group.
To gain access to privileged accounts, the next step in my hacking process is to repeat enumeration, this time as an internal user on a Windows endpoint. Below are some tools I use to gather enumeration for possible privilege escalations or lateral moves.
Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to find. Defenders can use BloodHound to identify and eliminate those same paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
Windows Exploit Suggester – Next Generation (WES-NG). WES-NG is a tool based on the output of Windows’ systeminfo utility. It provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
Windows Privilege Escalation Awesome Scripts. WinPEAS is a compilation of local Windows privilege escalation scripts to check for cached credentials, user accounts, access controls, interesting files, registry permissions, services accounts, patch levels, possible misconfigurations, and more. WinPEAS is helpful because it includes hints on where you should focus your attention.
PowerUp. PowerUp is a collection of PowerShell scripts for finding common Windows privilege escalation vectors that rely on misconfigurations. Running Invoke-All checks will look for common misconfigurations on Windows endpoints.
Seatbelt. Seatbelt is a C# project that performs a number of security-oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives. Simply Seatbelt is an enumeration tool to show information that could lead to privilege escalation.
The majority of these tools and scripts are looking for the following Windows misconfigurations or weaknesses:
Cached or stored credentials
To check for cached or saved creds that could allow you executables with elevated permissions, run the following:
- Cmdkey /list = currently stored credentials
- winPEAS.exe quiet cmd windowscreds
- findstr /si password *.txt
Misconfigured services or services with weak/default credentials are a top target for privilege escalation. Services that aren’t hardened, such as write access, can be abused. Service path unquoted can allow an attacker to break out and run malicious malware, registry permissions not restricted, etc.
Check for misconfigurations or weak access controls.
- tasklist /svc = list all processes and services
- sc query = service control manager query service
- net start/stop = stop and start services
- sc config = change service configuration
- winPEAS.exe quiet applicationsinfo
- accesschk.exe /accepteula -uvqc
- sc query state= all | findstr “SERVICE_NAME:” >> Servicenames.txt
Unpatched applications or OS
An attacker will look for unpatched applications and Windows operating systems.
- Systeminfo and then check it against WES-NG
- tasklist /v
Recently, Potato exploits take advantage of NTLM Relay attacks to elevate privileges. Common attacks include Hot Potato, Juicy Potato, and Rogue Potato.
Attackers enumerate for local and Group privileges typically using the following commands.
- User Privileges
- Group Enumeration
net localgroup /domain
Attackers may try to connect directly to your corporate Wi-Fi. If you aren’t using keys and using a WPA2 passphrase, attackers with local privileges can display the password in clear text and then connect their own devices to your Wi-Fi network.
- netsh WLAN show profile
- netsh WLAN show profile key=clear
Execute, copy, and reverse shells
Attackers will use built-in or popular security tools to gain further access and elevate privileges. Below are just a few of those:
- Certutil – Certutil.exe is a command-line program that is installed as part of Certificate Services.
- Mshta.exe – Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA( HTML Application) files.
- Powershell – PowerShell is a task automation and configuration management framework from Microsoft.
- Misexec – This provides the means to install, modify, and perform operations on Windows Installer from the command line.
Each of these tools is used for legitimate purposes for systems management and configuration but is also commonly abused by malicious actors. Attackers can use these tools to download scripts, create reverse shells, and execute applications.
Attackers need persistence. Of course, they also need sleep, so they abuse these configurations so they can maintain persistent access to systems. When they wake up, they can regain control of a victim’s Windows endpoint. To make this possible, I use:
- User Creation
- Scheduled Tasks
- schtasks /query /fo LIST /v = list scheduled tasks
Other common methods I use for privileged escalation are:
- Configuration Files
- Dll Injection
- Pass the Hash
- Impersonate Access Tokens
- Startup Apps
How to protect against privilege escalation
- Use application control on all Windows endpoints. Control which applications can execute, which known malicious applications are denied, and which require additional auditing. Application control can also help prevent enumeration scripts from running.
- Patch and update. It’s not a 100% solution but it will slow attackers down.
- Use a privileged access security solution. Ensure all services have a provisioned account with the correct security controls, including complex passwords, rotated frequently. Throw universal keys and standing privileges away and move to on-demand, just-in-time privileges.
- Restrict domain admin account usage. Rotate account passwords after every use.
- Log and audit as much privilege activity as possible. Monitor for abuse and set alerts for anomalous activity.
Hardening Windows endpoints is only one part of reducing risk
I hope blog posts part 1 and part II have given you some insights into the mind of a cyber criminal and tips to secure your Windows endpoints. Read about hardening Linux and Unix endpoints here.
There is never 100% security. No single tool can protect against cyberattacks. The better we understand how attackers operate, the more difficult we can make it for them.
Attackers will exhaust all of the methods above in their attempt to infiltrate your organization and access sensitive information. As defenders, you must discover all of these methods and harden Windows endpoints the best you can to protect against them.
How many risky applications are running on your high-risk endpoints?