Windows Poisoning (hacking and preventing)

Ahmet Göker
4 min read, Jan 29, 2022


Hey Amazing Hackers,

Welcome back to my blog. Today I want to cover some common hacking techniques against Windows machines and how to prevent them. This blog is only for educational purposes, not for malicious activities. You might find it useful especially in CTF events, so let's get started.

First of all, I want to start with the most common attacks on Windows.

While explaining these attacks I assume you already understand the basics behind them; if not, please do some quick research first :) (recommended)

LLMNR Poisoning

Description:

LLMNR (Link-Local Multicast Name Resolution) poisoning is a very commonly used attack when running a penetration test against a local network. LLMNR and NBT-NS (NetBIOS Name Service) attacks go hand in hand, as they can be performed with the same tool.

Tools (usage):

  1. nmap -Pn -n -p 139,445 --script smb-enum-shares.nse 10.10.10.10
  2. responder
  3. smbclient //10.10.10.10/share

Solutions:

LLMNR can be turned off through the Group Policy Editor, in the policy settings under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client.
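The group policy path above sets a registry value that can also be checked and enforced directly, which is handy on hosts that are not domain-joined or when verifying that the policy actually applied. The following script is an added example (not code from the original post): it audits the LLMNR policy value (EnableMulticast under the DNSClient policy key) and the per-interface NetBIOS over TCP/IP setting that Responder's NBT-NS poisoning relies on, and only changes them when run with -Apply from an elevated prompt.

```powershell
# Added example, not from the original post. Audits (and with -Apply, enforces)
# the two host settings that blunt LLMNR/NBT-NS poisoning. Run elevated.
[CmdletBinding()]
param([switch]$Apply)

# The "Turn off multicast name resolution" policy under DNS Client writes
# EnableMulticast = 0 here; the same value can be set by hand.
$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# NBT-NS is a per-interface NetBT setting: NetbiosOptions 2 = disable NetBIOS over TCP/IP.
$netbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

$findings = @()

# --- LLMNR ---
$llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
    $findings += 'LLMNR enabled (EnableMulticast missing or not 0)'
    if ($Apply) {
        New-Item -Path $llmnrKey -Force | Out-Null
        New-ItemProperty -Path $llmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# --- NBT-NS, one subkey per interface (Tcpip_{GUID}) ---
foreach ($iface in Get-ChildItem -Path $netbtBase | Where-Object { $_.PSChildName -like 'Tcpip_*' }) {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -ne 2) {
        $findings += "NBT-NS enabled on $($iface.PSChildName) (NetbiosOptions=$opt)"
        if ($Apply) {
            New-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -PropertyType DWord -Value 2 -Force | Out-Null
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: LLMNR and NBT-NS are disabled on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Apply) { Write-Output 'Settings written; the NetBIOS change takes effect after a reboot.' }
}
```

Without -Apply the script is read-only, so it can be run across a fleet first to see how many hosts still answer multicast name requests before any change is rolled out. In a domain the group policy remains the right place to enforce the setting; the script is for verification and for standalone machines.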

AS-REP Roast

Description:

AS-REP roasting is an attack against Kerberos that targets user accounts which do not require pre-authentication. Pre-authentication is designed to prevent brute-force password guessing attacks.

Tools:

  1. Rubeus.exe asreproast
  2. John

Solutions:

The obvious protection against this type of attack is to find and fix any user accounts that are set to not require Kerberos pre-authentication.
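Finding those accounts is a one-line LDAP query once you know which userAccountControl bit to look for. The script below is an added example (not code from the original post) that lists every account with the DONT_REQ_PREAUTH flag, ranks enabled accounts as the real exposure, and clears the flag when run with -Fix. It assumes the ActiveDirectory RSAT module and rights to read (and, with -Fix, modify) the accounts.

```powershell
# Added example, not from the original post. Finds accounts that can be
# AS-REP roasted and optionally restores the pre-authentication requirement.
[CmdletBinding()]
param([switch]$Fix)

Import-Module ActiveDirectory

# userAccountControl bit 0x400000 (4194304) is DONT_REQ_PREAUTH. The matching
# rule OID 1.2.840.113556.1.4.803 makes LDAP do a bitwise AND on the attribute.
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

$accounts = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, LastLogonDate

if (-not $accounts) {
    Write-Output 'OK: no accounts allow AS-REP roasting.'
    return
}

foreach ($acct in $accounts) {
    # A disabled account cannot obtain a TGT, so an enabled one is the urgent case;
    # the flag should still be cleared so it is not inherited on re-enable.
    $risk = if ($acct.Enabled) { 'HIGH' } else { 'low (disabled)' }
    Write-Output ('FINDING [{0}] {1}  lastLogon={2}' -f $risk, $acct.SamAccountName, $acct.LastLogonDate)

    if ($Fix) {
        # Set-ADAccountControl flips only this UAC bit and leaves the rest untouched.
        Set-ADAccountControl -Identity $acct -DoesNotRequirePreAuth $false
        Write-Output ('  pre-authentication requirement restored for {0}' -f $acct.SamAccountName)
    }
}
```

Run it without -Fix first and check each hit with its owner: the flag is occasionally set on purpose for legacy clients, and those cases need a migration plan rather than a silent reset. Scheduling the read-only run catches accounts that get the flag set again later.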

ForceChangePassword

Description:

If we have ExtendedRight on User-Force-Change-Password object type, we can reset the user’s password without knowing their current password.

Tools:

  1. . .\PowerView.ps1
  2. Set-DomainUserPassword -Identity <user> -Verbose

Solutions:

It is recommended to run regular audits of the delegations and group permissions in nested groups.
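Such an audit has to look at the ACL of each user object, because the right in question is an ACE on the target user rather than a group membership. The script below is an added example (not code from the original post) that walks the domain's user objects through the AD: drive that the ActiveDirectory module provides, and reports every principal holding the User-Force-Change-Password extended right (or GenericAll, which includes it) that is not on an allow-list. The allow-list names (CONTOSO\Helpdesk-PwReset and the others) are constructed placeholders to adjust for your domain.

```powershell
# Added example, not from the original post. Lists non-expected principals
# that can reset a user's password without knowing the current one.
Import-Module ActiveDirectory

# Schema GUID of the User-Force-Change-Password control access right.
$forceChangePw = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# An ExtendedRight ACE with an all-zero ObjectType grants every extended right.
$allRights     = [guid]'00000000-0000-0000-0000-000000000000'

# Principals expected to hold the right. Constructed list with hypothetical
# names; anything not listed here is reported.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\Helpdesk-PwReset'
)

# On a large domain narrow this with -SearchBase to one OU at a time.
$results = foreach ($user in Get-ADUser -Filter *) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()   # e.g. "ExtendedRight" or "GenericAll"
        $grantsForce = ($rights -match 'GenericAll') -or
                       (($rights -match 'ExtendedRight') -and
                        ($ace.ObjectType -eq $forceChangePw -or $ace.ObjectType -eq $allRights))
        if (-not $grantsForce) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            User      = $user.SamAccountName
            Trustee   = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

if ($results) { $results | Sort-Object Trustee, User | Format-Table -AutoSize }
else          { Write-Output 'OK: no unexpected ForceChangePassword grants found.' }
```

The Inherited column is the useful triage hint: an inherited grant usually comes from an OU-level delegation that was meant for a helpdesk group, while a non-inherited one on a single high-value account is the pattern to investigate first. Keeping the output from each run lets you diff audits and spot grants that appeared between them.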

Password Spraying

Description:

Trying a small set of common passwords against many user accounts, and using any valid credentials found to access hosts on the internal network.

Tools:

  1. crackmapexec winrm <ips> -u <users> -p <pass>

Solutions:

Disable unwanted authentication services like WinRM, and restrict unauthorized remote desktop connections to private instances.
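Where WinRM or RDP has to stay on, the spraying pattern is still easy to spot in the Security log: one source address producing failed logons (event ID 4625) for many different accounts in a short window, which looks nothing like a single user mistyping a password. The script below is an added example (not code from the original post): Find-PasswordSpray implements that sliding-window check over any objects carrying IpAddress, TargetUserName and TimeCreated, Get-SprayEvents shows how to build those objects from live 4625 events, and the constructed sample at the end lets the logic run offline. The thresholds (10 minutes, 5 distinct accounts) are assumptions to tune per environment.

```powershell
# Added example, not from the original post. Flags password-spray patterns in
# failed-logon events: one source, many distinct accounts, short window.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with IpAddress, TargetUserName, TimeCreated
        [int]$WindowMinutes    = 10,               # assumed thresholds; tune per environment
        [int]$MinDistinctUsers = 5
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        $start  = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Advance the window start until it lies within WindowMinutes of $end.
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated).TotalMinutes -gt $WindowMinutes) { $start++ }
            $slice = @($sorted[$start..$end])
            $users = @($slice.TargetUserName | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    Source        = $_.Name
                    WindowStart   = $sorted[$start].TimeCreated
                    WindowEnd     = $sorted[$end].TimeCreated
                    DistinctUsers = $users.Count
                    Attempts      = $slice.Count
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

function Get-SprayEvents {
    # Live input: 4625 events from the Security log, fields read by name from the
    # event XML rather than by positional index.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
}

# Constructed sample: 10.0.0.50 tries six accounts in under three minutes (spray);
# 10.0.0.7 is one user getting their own password wrong twice (benign).
$t = Get-Date '2022-01-29 09:00:00'
$sample = @(
    foreach ($i in 0..5) {
        [pscustomobject]@{ TimeCreated = $t.AddSeconds(30 * $i); TargetUserName = "user$i"; IpAddress = '10.0.0.50' }
    }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(1); TargetUserName = 'alice'; IpAddress = '10.0.0.7' }
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(2); TargetUserName = 'alice'; IpAddress = '10.0.0.7' }
)
Find-PasswordSpray -Events $sample | Format-Table -AutoSize
# Live use: Find-PasswordSpray -Events (Get-SprayEvents -Hours 6)
```

On the sample only 10.0.0.50 is reported. Against live data, run the collection on the domain controllers (or your log collector) rather than on individual hosts, since network logons against a domain account are recorded there, and remember that a spray through a NAT or VPN concentrator shows up under one shared address, so a hit on such an address needs the per-user detail before anyone is blocked.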

RunForPrivilegeEsc.exe

Description:

There was an uncommon executable running as SYSTEM on the machine, which was then reversed, analysed and manipulated for our benefit.

Tools:

  1. dnSpy

Solutions:

Avoid running insecurely coded applications with high privileges.

Pass The Ticket Attack

Description:

Pass-the-Ticket attacks take aim at Kerberos in much the same way as Golden Ticket and Silver Ticket attacks, both of which exploit unfixable weaknesses in the authentication protocol.

Tools:

  1. ..\Rubeus.exe asktgt /user:<user>$ /rc4:<NTLM HASH> /ptt
  2. klist

Solutions:

Upon detecting a Pass-the-Ticket attack, your response depends on the level of access the attack provided. If the compromised account from which the TGT or service ticket was stolen was a low-privilege account with limited or no permissions outside of the compromised system, mitigation could be as simple as resetting the user's Active Directory password.

Abusing Vulnerable GPO

Description:

Group Policy is part of every AD domain. It is designed to change every system's configuration, from the least to the most privileged layer, which makes it fundamental to the network management process.

Tools:

  1. ..\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password123 /domain" --GPOName "Additional DC configuration"

Solutions:

Attackers use network mapping as the first step of their attack, but the same technique can also be used for mitigation. You must know, and regularly reassess, who has access to your GPOs. Free tools such as BloodHound can help you understand who has access to a GPO and who inherits that access.
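The same question can be answered directly from the GroupPolicy module, without a graph database: which principals hold edit rights on each GPO, and where is that GPO linked. The script below is an added example (not code from the original post) that reports every edit-level (or custom) permission held by a principal outside an allow-list, together with the containers the GPO links to, so a writable GPO linked at the domain root stands out. It assumes the GroupPolicy RSAT module and read access to the GPOs; the allow-list names are constructed placeholders.

```powershell
# Added example, not from the original post. Reports who can edit each GPO,
# the access a SharpGPOAbuse-style task injection depends on.
Import-Module GroupPolicy

# Principals expected to hold edit rights. Constructed, hypothetical list.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Group Policy Creator Owners')
# GpoEdit and GpoEditDeleteModifySecurity are the write levels; GpoCustom is a
# non-standard ACL that needs a manual look, so it is reported as well.
$flagged = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$report = foreach ($gpo in Get-GPO -All) {
    # Link targets come from the XML report (slow on large domains; cache if needed).
    $links = @(([xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)).GPO.LinksTo | ForEach-Object { $_.SOMPath })

    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        if ($flagged -notcontains $perm.Permission.ToString()) { continue }
        if ($expectedEditors -contains $perm.Trustee.Name) { continue }
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Trustee    = $perm.Trustee.Name
            SidType    = $perm.Trustee.SidType
            Permission = $perm.Permission
            LinkedTo   = ($links -join '; ')
        }
    }
}

if ($report) { $report | Sort-Object Trustee, GPO | Format-Table -AutoSize }
else         { Write-Output 'OK: no unexpected GPO edit permissions found.' }
```

A finding where the trustee is a broad group (Authenticated Users, Domain Users, a large helpdesk group) and LinkedTo contains the domain root or a domain controllers OU is the one to fix first, since a scheduled task pushed through that GPO runs on every linked computer. Unlinked GPOs with loose permissions matter too: an attacker who can edit one can often also link it, so they belong in the same cleanup.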

Abusing Domain Trust

Description:

At a high level, a domain trust establishes the ability for users in one domain to authenticate to resources, or act as a security principal, in another domain. What a trust does is link up the authentication systems of two domains and allow authentication traffic to flow between them. If a user requests access to a service principal name (SPN) of a resource that resides outside of the domain they are currently in, their domain controller will return a special referral ticket.

Tools:

  1. mimikatz # lsadump::dcsync /user:<user>
  2. mimikatz # kerberos::golden /user:<user> /domain:<domain> /sid:<object security id> /rc4:<ntlm hash> /id:<user-id>

Solutions:

Remove local admin rights from low-privileged users in the domain, disable the WinRM service if it is not required, and if the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

Summarization:

So, we are done with this blog. However, do not forget to check some articles and documentation about APTs, such as MITRE ATT&CK, Windows privilege escalation, etc.

You will be able to understand these things when you do them in practice; that is the reason why I have been saying to my audience to just play around with CTF challenges. It does not matter if you are a beginner; in fact, if you keep saying this to yourself you will not be able to get the motivation which is needed to be a security analyst, nonetheless.

Please do not forget to check my YouTube videos; I have been posting on CTF, network security, malware, scripts, Linux and more.

I am just like you; no one is better than anyone else, only curiosity plays a role here. And do not be a script kiddie: develop something and show it :)))

Ahmet Göker | malware researcher | network security | CTF player | CE bachelor | Purple team | homeless hacker:) | technophile | computer freak

Linkedin: https://www.linkedin.com/in/ahmetgöker

Youtube: https://youtube.com/TurkishHoodie
