Windows Basics

The Microsoft Windows operating system is designed to be used as either a stand-alone or a networked environment; however, for this discussion you will assume a networked setup only. In the Windows world, securing access to resources, objects, and other components is handled through many mechanisms, but there are some things that are common to both setups.

You need to know how access to resources such as file shares and other items is managed. Windows uses a model that can be best summed up as defining who gets access to what resources. For example, a user gets access to a file share or printer.


In any operating system, the item that is most responsible for controlling access to the system is the user object. In Windows, the fundamental object that is used to determine access is the user account. User accounts are used in Windows for everything from accessing file shares to running services that allow software components to execute with the proper privileges and access.

Processes in Windows are run under one of the following user contexts:

Local Service A user account with higher than normal access to the local system but only limited access to the network.
Network Service A user account with normal access to the network but only limited access to the local system. System A super-user style account that has nearly unlimited access to the local system.
Current User The currently logged-in user, who can run applications and tasks but is still subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an Administrator account.


Groups are used by operating systems such as Windows and Linux to grant access to resources as well as to simplify management. Groups are effective administration tools that enable management of multiple users. A group can contain a large number of users that can then be managed as a unit. This approach allows you to assign access to a resource such as a shared folder to a group instead of each user individually, saving substantial time and effort. You can configure your own groups as you see fit on your network and systems, but most vendors such as Microsoft include a number of predefined groups that you can use or modify as needed. There are several default groups in Windows:

Anonymous Logon Designed to allow anonymous access to resources; typically used when accessing a web server or web applications.

Batch Used to allow batch jobs to run schedule tasks, such as a nightly cleanup job that deletes temporary files.

Creator Group Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.

Creator Owner The person who created the file or directory is a member of this group. Windows 2000, and later, uses this group to automatically grant access permissions to the creator of a file or directory.

Everyone All interactive, network, dial-up, and authenticated users are members of thisgroup. This group is used to give wide access to a system resource.

Interactive Any user logged on to the local system has the Interactive identity, which allows only local users to access a resource.

Network Any user accessing the system through a network has the Network identity, which allows only remote users to access a resource.

Restricted Users and computers with restricted capabilities have the restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.

Self Refers to the object and allows the object to modify itself.

Service Any service accessing the system has the Service identity, which grants access to processes being run by Windows 2000, and later, services.

System The Windows 2000, and later, operating system has the System identity, which isused when the operating system needs to perform a system-level function.

Terminal Server User Allows Terminal Server users to access Terminal Server applications and to perform other necessary tasks with Terminal Services.

Security Identifiers

A very important idea for you to grasp is that of the security identifier (SID). Each user account in Windows has a SID, which is a combination of characters that looks like the following:


Services and Ports of Interest

When moving into the enumeration phase, you should know those ports and services that are commonly used and what type of information they can offer to you as an attacker. You should expect during your scanning phase to uncover a number of ports. Here are a few that you should make sure you pay close attention to:

TCP 53 This port is used for DNS Zone transfers, the mechanism through which the DNS system keeps servers up to date with the latest zone data.
TCP 135 This port is used during communications between client-server applications, such as allowing Microsoft Outlook to communicate with Microsoft Exchange.
TCP 137 This port associated with NetBIOS Name Service (NBNS) is a mechanism designed to provide name resolution services involving the NetBIOS protocol. The service allows NetBIOS to associate names and IP addresses of individuals systems and services. It is important to note that this service is a natural and easy target for many attackers.

TCP 139 NetBIOS Session Service, also known as SMB over NetBIOS, lets you manage connections between NetBIOS-enabled clients and applications and is associated with port TCP 139. The service is used by NetBIOS to establish connections and tear them down when they are no longer needed.
TCP 445 SMB over TCP, or Direct Host, is a service designed to improve network access and bypass NetBIOS use. This service is available only in versions of Windows starting at Windows 2000 and later. SMB over TCP is closely associated with TCP 445.
UDP 161 and 162 SNMP is a protocol used to manage and monitor network devices and hosts. The protocol is designed to facilitate messaging, monitoring, auditing, and other capabilities. SNMP works on two ports: 161 and 162. Listening takes place on 161 and traps are received on 162.
TCP/UDP 389 Lightweight Directory Access Protocol (LDAP) is used by many applications; two of the most common are Active Directory and Exchange. The protocol is used to exchange information between two parties. If the TCP/UDP 389 port is open, it indicates that one of these or a similar product may be present.
TCP/UDP 3268 Global Catalog Service associated with Microsoft’s Active Directory and runs on port 3368, on Windows 2000 systems, and later. Service is used to locate information within Active Directory.
TCP 25 Simple Mail Transfer Protocol (SMTP) is used for the transmission of messages in the form of e-mail across networks. By standard, the SMTP protocol will be accessible on TCP 25.

Commonly Exploited Services

The Windows OS is popular with both users and attackers for various reasons, but for now let’s focus on attackers and what they exploit.

Windows has long been known for running a number of services by default, each of which opens up a can of worms for a defender and a target of opportunity for an attacker. Each service on a system is designed to provide extra features and capabilities to the system such as file sharing, name resolution, and network management, among others. Windows
can have around 30 or so services running by default, not including the ones that individual applications may install.

NULL Sessions

A powerful feature as well as a potential liability is something known as the NULL session. This feature is used to allow clients or endpoints of a connection to access certain types of information across the network. NULL sessions are not anything new and in fact have been part of the Windows operating system for a considerable amount of time for completely legitimate purposes; the problem is that they are also a source of potential abuse as well.

Basically a NULL session is something that occurs when a connection is made to a Windows system without credentials being provided. This session is one that can only be made to a special location called the interprocess communication (IPC), which is an administrative share. In normal practice, NULL sessions are designed to facilitate a connection between systems on a network to allow one system to enumerate the process and shares on the other. Information that may be obtained during this process includes:
■ List of users and groups
■ List of machines
■ List of shares
■ Users and host SIDs


You used SuperScan earlier to do scanning, but this scanner is more than a one-trick pony and can help you with your NetBIOS exploration. In addition to SuperScan’s documented abilities to scan TCP and UDP ports, perform ping scans, and run whois and tracert , it has a formidable suite of features designed to query a system and return useful information. SuperScan offers a number of useful enumeration utilities designed for extracting information such as the following from a Windows-based host:
■ NetBIOS name table
■ NULL session
■ MAC addresses
■ Workstation type
■ Users
■ Groups
■ Remote procedure call (RPC) endpoint dump
■ Account policies
■ Shares
■ Domains
■ Logon sessions
■ Trusted domains
■ Services

The PsTools Suite

Standing tall next to our other tools is a suite of Microsoft tools designed to extract various kinds of information and perform other tasks involving a system. The tools in the PsTools suite allow you to manage remote systems as well as the local system.

The tools included in the suite, downloadable as a package, are as follows:
PsExec Executes processes remotely
PsFile Displays files opened remotely
PsGetSid Displays the SID of a computer or a user
PsInfo Lists information about a system
PsPing Measures network performance
PsKill Kills processes by name or process ID
PsList Lists detailed information about processes
PsLoggedOn Lets you see who’s logged on locally and via resource sharing (full source is included)
PsLogList Dumps event log records
PsPasswd Changes account passwords
PsService Views and controls services
PsShutdown Shuts down and optionally reboots a computer
PsSuspend Suspends processes
PsUptime Shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)