THM – Windows Exploitation Basics – Part 17

This is a continuing series in which I document my path through different TryHackMe courses. I recommend that everyone who wants to learn cyber security subscribe to tryhackme.com and take the courses there.

Windows file system and permissions explained

What is the file system?

It is the method and data structure that an operating system uses to keep track of files on a disk or partition. Without a file system, the information on the disk would be one large body of data with no way to tell where one file begins or ends.

Windows file system structure is:

  • Logical drives (Ex: Local disk C)
  • Folders (default folders like documents, downloads, music)
  • Files

Folders located on the C drive and their role:

  • PerfLogs – Stores performance logs and reports about system issues
  • Program Files – The default location where programs are installed unless the user chooses otherwise
  • Program Files (x86) – The same, for 32-bit programs on a 64-bit Windows installation
  • Users – Data created or generated by users (for example, a file saved on your desktop)
  • Windows – Contains the code that runs the operating system and some utility tools

File permissions

File permissions can be set by an admin or privileged account. Permissions can be applied to:

  • Users
  • Groups

Permissions that can be set:

  • Full control
  • Modify
  • Read & execute
  • List folder contents
  • Read
  • Write
  • Special permissions

Full control – allows the user or group to take ownership of the folder, set permissions for others, and modify, read, write, and execute files.

Modify – allows the user or group to modify, read, write, and execute files.

Read & execute – allows the user or group to read and execute files.

List folder contents – allows the user or group to list the contents (files, subfolders, etc.) of a folder.

Read – only allows the user or group to read files.

Write – allows the user or group to write data to the specified folder (automatically set when the “Modify” right is checked).

Each permission can only be allowed or denied for a user or group.

Do not set the “Full control” permission on a folder, because it lets the user set permissions and take ownership of the folder themselves (without any action by an administrator or privileged user).
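Added example, not code from the TryHackMe room or this post: a PowerShell audit that lists every Allow entry granting Full control on a folder and flags principals that should not hold it, with a remediation line that downgrades the grant to Modify. The folder path and the CORP\Staff group are constructed sample values.

```powershell
# Added example, not code from the TryHackMe room: report every Allow entry that grants
# Full control on a folder and flag principals that should not hold it.
# 'C:\Shared\Projects' and the CORP\Staff group are constructed sample values.
function Get-FullControlGrants {
    param([Parameter(Mandatory)][string]$Path)

    # Principals for which Full control is normal; adjust to your environment.
    $trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    $full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant rights; Deny entries take them away.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # FullControl is a bitmask: the entry must contain every bit of it.
        if (([int]$ace.FileSystemRights -band $full) -ne $full) { continue }

        [pscustomobject]@{
            Path       = $Path
            Identity   = $ace.IdentityReference.Value
            Inherited  = $ace.IsInherited
            Unexpected = ($trusted -notcontains $ace.IdentityReference.Value)
        }
    }
}

# Audit one folder; only unexpected grants are shown.
Get-FullControlGrants -Path 'C:\Shared\Projects' |
    Where-Object { $_.Unexpected } |
    Format-Table -AutoSize

# Remediation for a flagged entry: replace Full control with Modify, which keeps read,
# write and execute but cannot change permissions or take ownership.
# (OI)(CI) makes the grant inherit to files and subfolders.
# icacls 'C:\Shared\Projects' /remove:g 'CORP\Staff' /grant 'CORP\Staff:(OI)(CI)M'
```

Inherited entries are reported too, because a Full control grant on a parent folder propagates down; fix it at the folder where it was set.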

Understanding the authentication process

What is authentication?

Authentication is the process of verifying the identity of a person (or an object or a service). When you authenticate a person, the goal is to verify that the person is not an imposter.

Local authentication

Local authentication is done using the Local Security Authority (LSA). The LSA is a protected subsystem that keeps track of the security policies and the accounts on a computer system. It also maintains information about all aspects of local security on that computer.

Types of Active Directory

There are two types of AD:

  • On-premises Active Directory (AD)
  • Azure Active Directory (AAD)

Authentication on on-premises Active Directory

On-premises AD holds a record of all users, PCs and servers and authenticates users signing in (network logon). Once a user is signed in, AD also governs what they are, and are not, allowed to do or access (authorization).

In an on-premises AD environment, authentication can use these protocols:

  • NTLM
  • LDAP /LDAPS
  • KERBEROS

NTLM / NTLMv2

NTLM authenticates with a challenge-response sequence of messages between a client and a server, in which the client proves knowledge of the user's password without sending it. It does not provide data integrity or data confidentiality protection for the authenticated network connection.

LDAP / LDAPS

The main difference between LDAP and LDAPS is that LDAPS supports encryption, so credentials are not sent in plain text across the network.

A Domain Controller (DC) can be thought of as a database of users, groups, computers and so on (it holds information about objects). With LDAP/LDAPS, the user's workstation sends the credentials through an API to the domain controller, which validates them so the user can log in.

KERBEROS

Another way to authenticate is Kerberos. It uses symmetric-key cryptography and requires a trusted third party to verify user identities. The authentication process is similar to the below:

Authentication on Azure Active Directory

AAD is a secure online authentication store that contains users and groups. Users have a username and a password, which they use when signing in to an application that uses AAD for authentication.

Example: All of the Microsoft Cloud services use Azure Active Directory for authentication: Office 365, Dynamics 365 and Azure.

AAD supports the following authentication methods:

  • SAML (Security Assertion Markup Language)
  • OAuth 2.0
  • OpenID Connect

SAML (Security Assertion Markup Language)

SAML is a type of SSO (single sign-on) standard. It defines a set of rules and protocols that allow users to access web applications with a single login. This is possible because those applications (referred to as service providers) all trust the system that verifies users' identities (referred to as the identity provider).

Service Providers – These are the systems and applications that users access throughout the day.

Identity Providers – This would be the system that performs user authentication.

OAuth 2.0

OAuth 2.0 is an authorization standard that applications use to grant client applications access to resources.

OAuth 2.0 spec has four important roles.

  • The authorization server, which is the server that issues the access token.
  • The resource owner, normally your application’s end-user, that grants permission to access the resource server with an access token.
  • The client, which is the application that requests the access token, and then passes it to the resource server.
  • The resource server, which accepts the access token and must verify that it is valid. In this case, this is your application.

OpenID Connect

OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token.

The ID token is a JSON Web Token (JWT). While OAuth 2.0 is about resource access and sharing, OIDC is about user authentication.
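Added example, not code from the TryHackMe room or this post: the checks a relying party must perform on an OIDC ID token (the JWT described above) before trusting the identity in it. It assumes HS256 with a shared client secret; the issuer URL, client id and secret are constructed, and real providers usually sign with RS256 and publish their keys as JWKS.

```powershell
# Added example, not code from the TryHackMe room: validate an OIDC ID token before trusting
# the identity inside it. Assumes HS256 with a shared client secret; the issuer URL, client id
# and secret below are constructed. Real providers usually sign with RS256 and publish JWKS keys.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    while ($s.Length % 4 -ne 0) { $s += '=' }
    [Convert]::FromBase64String($s)
}
function Get-HmacSha256([string]$Secret, [string]$Data) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Secret))
    $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Data))
}
function Test-IdToken([string]$Token, [string]$Secret, [string]$Issuer, [string]$ClientId) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'reject: malformed token' }
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # Pin the algorithm; a token must never choose its own (alg=none, key confusion).
    if ($header.alg -ne 'HS256') { return "reject: unexpected alg '$($header.alg)'" }
    $expected = Get-HmacSha256 $Secret ($parts[0] + '.' + $parts[1])
    $actual   = ConvertFrom-Base64Url $parts[2]
    # Constant-time comparison so timing does not reveal how many bytes matched.
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    if ($diff -ne 0) { return 'reject: bad signature' }
    # Signature is good; now the claims must match this relying party and be current.
    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.iss -ne $Issuer)               { return "reject: untrusted issuer '$($claims.iss)'" }
    if (@($claims.aud) -notcontains $ClientId) { return 'reject: token not issued to this client' }
    if ($claims.exp -le $now)                  { return 'reject: token expired' }
    "accept: subject $($claims.sub) authenticated by $($claims.iss)"
}

# Constructed sample token, minted here with the same shared secret the checker uses.
$secret = 'example-client-secret'
$exp    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + 300
$hdr  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"HS256","typ":"JWT"}'))
$body = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(
    '{"iss":"https://login.example.test","sub":"user42","aud":"my-app","exp":' + $exp + '}'))
$token = "$hdr.$body." + (ConvertTo-Base64Url (Get-HmacSha256 $secret "$hdr.$body"))

Test-IdToken $token $secret 'https://login.example.test' 'my-app'         # valid token
Test-IdToken $token 'wrong-secret' 'https://login.example.test' 'my-app'  # signature check fails
Test-IdToken $token $secret 'https://login.example.test' 'other-app'      # audience check fails
```

The order matters: the signature is verified before any claim is read, so issuer, audience and expiry are only ever trusted from a token the provider actually signed.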

Types of servers

What is a server?

A server is hardware or software that provides functionality for other software or devices.

Types of servers

A server can be used for a variety of purposes. The most common types are:

  • Domain controller
  • File server
  • Web server
  • FTP server
  • Mail server
  • Database server
  • Proxy server
  • Application server

Domain Controller – Possibly the most important server, because in an AD or AAD infrastructure it lets us control users and groups, restrict actions, improve security, and manage many other aspects of the other computers and servers.

File Server – File servers provide a great way to share files across devices on a network.

Web Server – Serves static or dynamic content to a web browser by loading a file from disk and sending it across the network to the user’s browser.

FTP Server – Makes it possible to move one or more files securely between computers while providing file security and organization as well as transfer control.

Mail Server – Mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

Database Server – A database server is a computer system that provides other computers with services related to accessing and retrieving data from one or multiple databases.

Proxy Server – This server usually sits between a client program and an external server to filter requests, improve performance, and share connections.

Application Server – Usually used to connect the database servers and the users.