[00:00:00] Windows provides more than just a few opportunities for pen testers. Although it's generally a secure environment (same thing with Linux), if it's not deployed in a secure manner, with all the Ts crossed and all the Is dotted, then there are little chinks in the armor, different places where you can actually poke and find some vulnerabilities. Services in Windows would be one of those areas. It's very possible that services, even though they're very secure in general, work with a higher, elevated privilege level, which is something that you want, and it's possible to find some vulnerabilities occasionally with services that you can then leverage to increase your own privilege level. Let's look at a couple of the potential service vulnerabilities. One would be unquoted service paths. Those are paths that point to the executable for the service, that are not quoted, and that include spaces; that gives an attacker an opportunity to actually put their own executable in. The other would be writable services. Let's take a look at services and see what each one of those might mean.

[00:01:13] If we look at the list of services, we can see that we have lots and lots of services for any Windows machine. So let's scroll down and find one that looks interesting. How about the Windows Defender Advanced Threat Protection Service? That would be a nice one to replace if you want to decrease the overall security of a Windows box. So if we take a look at it, let's look at the Properties, we see several things going on here. First off, notice that I cannot write to the path. This is not a writable service. That was the second vulnerability that we talked about with services, and that's the ability to have a writable service. If you can write to it, then an attacker could gain access to the system, change the path to whatever he or she wants, and then the next time the system launches this service, it would run the executable code the attacker wanted. But since this is not writable, we can't do that. What else can we do? Take a look at this path here. Now first off, this is a quoted path. That's a good thing.

[00:02:14] But if this service was defined and the path was not quoted, that could be a problem, because we see that the path here is C:\Program Files\Windows Defender Advanced Threat Protection. What if we did this, though? What if we went to drive C and created a new directory, a new folder called Program. Now notice we have "Program Files" (Program, space, Files) and "Program". If we wanted to redirect the service, we could go into Program and create a new folder called Windows Defender Advanced Threat Protection, and we can't see the whole... oh, there we go, MsSense.exe. Now this is a Text Document. Of course, we would make it a real exe, but I'm just doing this for explanation purposes, just to demonstrate it. So we see that the service is in C:\Program Files\Windows Defender Advanced Threat Protection, and then we have our MsSense.exe executable.

[00:03:54] But if we did not quote this path, if we accidentally created the service without a quoted path, then the operating system would go to C, and under C he would find a Program folder. He would actually choose that before following across the space, so that by creating our own Program folder, we would short-circuit what Windows would normally do, and Windows would then go look for a Windows Defender Advanced Threat Protection folder underneath Program. He finds it and he runs the executable. Well, this executable is something we put into place, it's our own program, and of course it's probably going to be malicious. So this is a way that we can leverage a weakness of services when you don't use quoted paths. So the moral of the story is, if you always quote your paths that have spaces in them, this vulnerability does not exist. So that's just one of the vulnerabilities that we find with services, and even if you do have your services set up properly, it's possible that the services themselves could be legacy. They could be misconfigured. You could have clear-text information being passed or being stored.

[00:05:05] So services not only have to be installed properly and set up properly, but they also need to be operating properly and not operating in an older or insecure mode. Likewise, whenever you install applications, it's possible that an administrator could install applications that anyone can read and write from, which results in unsecure file and folder permissions, or, even if it's installed properly, it's very possible that you could change permissions so that too many users can read from and write to a particular folder or a collection of folders. So you want to make sure that you restrict the folder permissions, or, as an attacker, you want to find folder permissions that are more generous than they actually need to be. If you can place an executable that someone will run, putting a keylogger anywhere in the system can be a tremendous benefit. Keyloggers record every keystroke, and that's an easy, easy way, if you can place one, to find people's user IDs and passwords.

[00:06:10] If you can see exactly what they type, then you can basically interpret what they've typed into user ID and password fields, and then you can capture that information and use it for your own purposes. A scheduled task is another opportunity to run the programs that you want. An attacker could add new tasks to run persistently with elevated privileges. If you can add something to the system scheduler, then you typically can get, you know, a lot of bang for your buck. You typically can go up in privilege, as well as having it run without you having to do anything. You can just say, 'Hey, I want this thing to run at 1 o'clock every single morning, or every weekday, or every weekend morning.'

[00:06:52] In that way, you only have to place the payload; you don't have to come back and kick it off on demand. And lastly, just as with Linux, where we have the kernel, the core portion of the operating system, Windows has a kernel as well, and as time goes on, more and more exploits are found against vulnerabilities in the kernel. If your kernel does not remain patched, in other words, every time Microsoft sends an update to patch the system against security issues, that kernel becomes less and less secure, because there are more opportunities for anyone, an attacker or a pen tester, to launch an exploit against a newly found vulnerability, or maybe it's not even a newly found vulnerability. Any unpatched vulnerability is an opportunity for that system to be attacked.