Pen Testing Windows

This topic contains 19 replies, has 7 voices, and was last updated by  Anonymous 7 years, 11 months ago.

  • Author
  • #7104

    Hi all,

    So I got some time in my company test lab and not really done much windows pen testing.

    Does anyone have good resource or tools for windows services like

    ms sql
    or any other ?

    So I can learn more about them as nessue flags lots of problems but I am not sure how to verify them epically with smb and ldap.


  • #44211

    craft clever phishing email
    attach a pdf or excel sheet with embeded flash object which sets up a reverse shell connection
    Wait for them to open it 😀
    Drop backdoors

    Proceed with recon! 😀

    I keed I keed.  Depends on your goal.  With the Windows attacks, much of them have been due to 3rd party software not being patched rather than an actual flaw in Windows.

    With SQL many times the built in SA account isn’t properly secured or utilizes the same admin password as say the local admin of the computer.  If they are old versions of Windows (XP/2003) then you have more options.  If they are newer versions (7/2008) then you will have your work cut out for you.  If they have been hardened, it will be that much tougher.

  • #44212

    This is lab setup so it has lot of problem some of the problem listed include

    default password for mysql
    I tried to test for this using mysql ip -u root -p mysql but i get error cant connect or something.

    smb null session
    ldap null base search access
    smb null session
    smb uses sid to enumerate
    smb lsaqueryinformationpolicy function

  • #44213

    mysql might not be configured to allow root access from anywhere…  Might only allow from localhost (thus via a local webapp, or something)

  • #44214

    Jamie.R, I would highly recommend that you see about doing PWB and OSCP.

    Tools for everything there are readily available in BackTrack, may even be nmap scripts for it 🙂


  • #44215

    That is a good point hayabusa but if that the case if nessus reports mysql using default credentials how can you confirm this as you cant really report an issue to client without being sure it is an issue.

    I plan on doing OSCP but it just getting the money sadly my company wont pay for me as they prefer to train in house but I am trying to progress my training myself but as I am only junior don’t get paid that much.

    It is on my list of things to do 😛

  • #44216

    Jamie.R – in that case, you’d need to look for SQL- or command-injection to be able to pass root’s login via a web app.  I recall having to do EXACTLY that, when I was helping beta test for the US Cyber challenge, a couple of summers ago.

  • #44217

    Cool will look into that does anyone have any good links for leaving more about windows ? I mean I have used windows for about 14 years at home but not really in a business environment so have not dealt with domain controllers and stuff like that.

  • #44218

    A few guidelines from you original question:

    smb – look for missing patches and public exploits. you can also dictionary attack smb for credentials. i’d start with username “administrator” 😉 You can also capture hashes for smb creds and use these in pass the hash techniques. There are a number of ways to do this.

    ldap – if anonymous ldap sessions are allowed you can enumerate this service for lots of juicy info.

    ms sql – look for missing patches. Better yet, if you can get creds for SA then more than likely they have xp_cmdshell functioning and you can get root, easy. You can get creds by dictionary attack, SE, or existing odbc connections.

    snmp – again, dictionary attack. If you can find out the community string, you can likely read/write entire server configurations. This is a very powerful, yet often overlooked security issue on corporate lans.

    I would recommend getting a copy of MSDN and installing your own AD environment so you can see all the moving parts of an AD environment. This is paramount to successful pentesting since most orgs use AD in one fashion or another.

  • #44219

    Cool thanks for that any good link to things like smb and ldap and stuff ? Yah install AD might be worthwhile task.

  • #44220

    Win XP in a domain environment, with a default Sec Policy, will cache up to 5 passwords I think.  I have to look at my lab DC.  But yeah XP even with SP3 is still a pretty good target.  Now if the Sys admin in the domain is doing it write, Windows Firewall is enabled so many of the attacks might not work. 

    Also I think by default MS SQL will not allow network connections until you go into the config and turn it on.  MySQL may do the same thing.

    Just because Nessus says it so, doesn’t mean it is.  Get the MSSQL Management tool, this will allow you to test for connections.  Also NMAP has a nifty script to locate systems broadcasting services such as DNS, SQL and other types.

    nmap -P0 –script=broadcast

    It will run a series of broadcast scripts.  If you want to see the details y ou can view them in the nmap/scripts folder.  There is also one for listening for Dropbox LAN sync broadcasts >D

    Sorry if I got off topic a bit 😀

  • #44221


    what’s the best way to learn about domains is it good idea set one up can this be done for free ? any other useful information on testing windows or tools be really great thanks.

  • #44222

    Jamie.R, you if want a go at my challenge, drop by #intern0t on and we’ll set you up for the CTF which is currently running 🙂

  • #44223

    I think the system admin/network admin stuff is incredibly important to be a good pentester, so you definitely should learn all about AD. There are a few options:

    – Start working helpdesk or sys/network admin roles
    – Get your MCITP
    – Spend $200 and get a subscription to MSDN so you can download and play with every piece of software MS makes. Then, set up your own AD domain, exchange server, sql server etc. etc. etc.

    I really believe the network work is huge, simply because if you pop a box on a network, will you know where to go next? Would you know how to pull data off a sql server? Would you know how to export email off an exchange server? Just a few simple things, but can be incredibly valuable to a client because getting domain admin might not mean as much to them as stealing the CEO’s email.

  • #44224

    MCITP What does this cover is it only active directory or is it more like Microsoft admin course ?

  • #44225

    It’s heavy on AD but there are other areas of focus as well.

  • #44226

    cd1zz pointed you to some very good directions; for a real world scenario I will add searching for shares and trying to access them – you will be amazed how many misconfigurations exist.
    For ldap: after you enumerate the juicy stuff, you can try again a dictionary attack on the user names discovered, even if the account lock-out is in place you might get lucky and guess a password with a dictionary attack.

  • #44227

    Cool I will try look into all these things and let you know how i get on.

  • #44228

    If you want to tinker with AD for free Microsoft have quite a few pre-configured VHDs for Microsoft Virtual Server.

    I’ve used these in the past, mainly the Exchange servers for evaluation and testing. With the standalone 2008/2003 servers you can easily create an AD environment just by running the command DCPROMO from RUN. A simple wizard will configure AD on your server.


  • #44229

    Cool thanks for the link will have to take a look at that.

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?