We have divided this chapter into three major sections:
Unauthenticated Attacks: Starting only with the knowledge of the target system gained in Chapters 2 and 3, this section covers remote network exploits.
Authenticated Attacks: Assuming that one of the previously detailed exploits succeeds, the attacker will now turn to escalating privilege if necessary, gaining remote control of the victim, extracting passwords and other useful information, installing back doors, and covering tracks.
Windows Security Features: This last section provides catchall coverage of built-in OS countermeasures and best practices against the many exploits detailed in previous sections.
Before we begin, it is important to reiterate that this chapter will assume that much of the all-important groundwork for attacking a Windows system has been laid: target selection (Chapter 2) and enumeration (Chapter 3). As you saw in Chapter 2, port scans and banner grabbing are the primary means of identifying Windows boxes on the network. Chapter 3 showed in detail how various tools used over the SMB "null session" can yield troves of information about Windows users, groups, and services. We will leverage the copious amount of data gleaned from both these chapters to gain easy entry to Windows systems in this chapter.
This chapter will not exhaustively cover the many tools available on the Internet to execute these tasks. We will highlight the most elegant and useful (in our humble opinions), but the focus will remain on the general principles and methodology of an attack. What better way to prepare your Windows systems for an attempted penetration?
One glaring omission here is application security. Probably the most critical Windows attack methodologies not covered in this chapter are web application hacking techniques. OS-layer protections are often rendered useless by such application-level attacks. This chapter covers the operating system, including the built-in web server in IIS, but does not touch application security; we leave that to Hacking Exposed: Web Applications (McGraw-Hill/Osborne, 2002; http://www.webhackingexposed.com).
Note: For those interested in in-depth coverage of the Windows security architecture from the hacker's perspective, new security features, and more detailed discussion of Windows security vulnerabilities and how to fix them, including the newest IIS, SQL, and TermServ exploits, pick up Hacking Exposed: Windows Server 2003 (McGraw-Hill/Osborne, 2003; http://www.winhackingexposed.com).