Because Windows supports UNC paths, I was trying this API:
GetNamedSecurityInfoA function (aclapi.h) - Win32 apps | Microsoft Docs
on the live.sysinternals.com website. The error messages, and the speed at which they are returned, are also interesting.
Its UNC object name is just \\live.sysinternals.com
So if you wanted to run DebugView on a customer's or user's machine without having to ship it, just use \\live.sysinternals.com\tools\Dbgview.exe
So if the hidden admin shares are enabled on a machine, which they used to be by default on Windows 2000 and Server 2003, you could access a server or workstation hard drive over the network with ease, with an admin account.
I haven't tested any newer Windows servers yet, but accessing a server or workstation inside a network can be as easy as using
\\ComputerName\c$\
and a Windows box connected to the internet without proper internet security is as easy as
\\www.capesoft.com\c$\
The registry key to enable this on a Windows Pro or Enterprise machine (Home appears to have it disabled, possibly missing DLL functionality) is:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- DWORD(32 bit): LocalAccountTokenFilterPolicy = 1
It also needs UAC switched off (admittedly rare, but you might get lucky),
and an enabled built-in Administrator account, which is something added to Windows workstations connected to Windows servers; but you can get a Linux Samba server to act as the Active Directory domain controller and do it that way, plus you get the source code with Linux!
Administrative share - Wikipedia
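The settings listed above can be checked (and reverted) from an elevated PowerShell prompt. The script below is an added example and not code from the original post. It reads LocalAccountTokenFilterPolicy and EnableLUA from the Policies\System key named above, the AutoShareWks/AutoShareServer values under LanmanServer\Parameters that control whether C$ and ADMIN$ are created at all, whether the RID-500 built-in Administrator is enabled, and which special shares the Server service is currently exposing. One caveat worth knowing: LocalAccountTokenFilterPolicy = 1 is precisely the value that stops UAC from filtering a local administrator's token over the network, so with it set, UAC itself does not have to be off for \\ComputerName\c$ to work.

```powershell
# Added example (not from the original post): audit the prerequisites for reaching an
# admin share such as \\ComputerName\c$ remotely, then optionally switch them back off.
# Run in an elevated PowerShell on the machine being checked.
function Get-AdminShareExposure {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # LocalAccountTokenFilterPolicy = 1 gives local (non-domain) admins a full token over
    # the network instead of a UAC-filtered one; absent or 0 is the secure default.
    $tokenFilter = (Get-ItemProperty -Path $policy -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    # EnableLUA = 0 means UAC is switched off entirely.
    $enableLua   = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    # AutoShareWks (workstations) / AutoShareServer (servers) = 0 stops the automatic
    # C$/ADMIN$ shares being created; an absent value means the default, i.e. enabled.
    $autoWks     = (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
    $autoSrv     = (Get-ItemProperty -Path $lanman -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer

    # The built-in Administrator is the account with RID 500, whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = $tokenFilter
        UacEnabled                    = ($enableLua -ne 0)
        AutoShareWks                  = $autoWks
        AutoShareServer               = $autoSrv
        BuiltinAdminEnabled           = [bool]$builtin.Enabled
        SpecialShares                 = (Get-SmbShare | Where-Object Special | Select-Object -ExpandProperty Name)
    }
}

# Hardening counterpart: drop the token-filter exception and stop auto-creating the admin shares.
function Disable-RemoteAdminShareAccess {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name AutoShareWks    -Value 0 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name AutoShareServer -Value 0 -Type DWord
    # The shares are re-created (or not) when the Server service starts.
    Restart-Service -Name LanmanServer -Force
}

Get-AdminShareExposure | Format-List
```

Get-SmbShare and Get-LocalUser need Windows 8 / Server 2012 or later; on older systems `net share` and `net user Administrator` give the same information.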
Other attack vectors on a Windows machine include its registry, which I haven't tried yet, but these screenshots document the errors I get when attempting to connect to different things using a C11 app and the GetNamedSecurityInfoA API.
- Connecting to an admin share on a Windows Home device over the network (LMShare object type): Error 53, ERROR_BAD_NETPATH (0x35), "The network path was not found."
- UNC path to the Sysinternals online admin share (LMShare object): Error 53, ERROR_BAD_NETPATH (0x35), "The network path was not found."
- UNC path to Sysinternals DebugView (File object): Error 1 (this one pops up very fast), ERROR_INVALID_FUNCTION (0x1), "Incorrect function."
- Hidden folder on the local drive (LMShare): Error 2310, which is not listed by Microsoft, so I don't know what it means.
- A known file in a hidden folder on the local drive (File object): I get the security info I need, so now I can change some of its security properties! Voila.
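The same probes can be repeated without a C11 build by P/Invoking GetNamedSecurityInfo from PowerShell. The block below is an added example, not the post's own program; it wraps the Unicode variant GetNamedSecurityInfoW, uses the SE_OBJECT_TYPE and SECURITY_INFORMATION constants from accctrl.h and winnt.h, renders a successful result as SDDL, and decodes a failure. Two details the screenshots above run into: for SE_LMSHARE the documented object name is \\server\share, so \\live.sysinternals.com on its own has no share to look up; and error 2310 is a LAN Manager code rather than a Win32 one, NERR_NetNameNotFound in lmerr.h ("This shared resource does not exist"), which is why it is not in the Win32 system error list but is printed by `net helpmsg 2310`. The hostnames are the post's own examples; the local paths are placeholders.

```powershell
# Added example (not the post's C11 code): call GetNamedSecurityInfo through P/Invoke,
# try the object types the post tried, and print either the SDDL or the error.
Add-Type -Namespace Win32 -Name AclApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern uint GetNamedSecurityInfoW(
    string pObjectName, int objectType, uint securityInfo,
    out IntPtr ppsidOwner, out IntPtr ppsidGroup, out IntPtr ppDacl, out IntPtr ppSacl,
    out IntPtr ppSecurityDescriptor);

[DllImport("advapi32.dll")]
public static extern uint GetSecurityDescriptorLength(IntPtr pSecurityDescriptor);

[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr hMem);
'@

# SE_OBJECT_TYPE values from accctrl.h
$SE_FILE_OBJECT  = 1
$SE_REGISTRY_KEY = 4
$SE_LMSHARE      = 5
# SECURITY_INFORMATION flags from winnt.h; the SACL is left out because reading it
# needs SeSecurityPrivilege and would turn every probe into an access-denied error.
$OWNER_GROUP_DACL = 0x1 -bor 0x2 -bor 0x4

function Get-NamedSecurityInfo {
    param([string]$ObjectName, [int]$ObjectType)
    $owner = $group = $dacl = $sacl = $sd = [IntPtr]::Zero
    $rc = [Win32.AclApi]::GetNamedSecurityInfoW($ObjectName, $ObjectType, $OWNER_GROUP_DACL,
            [ref]$owner, [ref]$group, [ref]$dacl, [ref]$sacl, [ref]$sd)
    if ($rc -ne 0) {
        # Win32 errors (1, 53, ...) are in the system message table; LAN Manager errors
        # in the 2100-2999 range (2310 = NERR_NetNameNotFound) live in netmsg.dll.
        $msg = if ($rc -ge 2100 -and $rc -le 2999) { (net helpmsg $rc) -join ' ' }
               else { (New-Object System.ComponentModel.Win32Exception ([int]$rc)).Message }
        return [pscustomobject]@{ Object = $ObjectName; Type = $ObjectType; Error = $rc; Message = $msg.Trim(); Sddl = $null }
    }
    try {
        # Copy the self-relative descriptor out of the LocalAlloc buffer and render it as SDDL.
        $len   = [int][Win32.AclApi]::GetSecurityDescriptorLength($sd)
        $bytes = New-Object byte[] $len
        [System.Runtime.InteropServices.Marshal]::Copy($sd, $bytes, 0, $len)
        $raw   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        [pscustomobject]@{ Object = $ObjectName; Type = $ObjectType; Error = 0; Message = 'OK'; Sddl = $raw.GetSddlForm('All') }
    } finally {
        # One buffer holds the owner, group and DACL pointers too, so free only this one.
        [void][Win32.AclApi]::LocalFree($sd)
    }
}

# The same probes as the screenshots, plus a registry key (the MACHINE\ prefix is the
# documented root name for HKEY_LOCAL_MACHINE with SE_REGISTRY_KEY).
Get-NamedSecurityInfo '\\live.sysinternals.com' $SE_LMSHARE
Get-NamedSecurityInfo '\\live.sysinternals.com\tools' $SE_LMSHARE          # \\server\share form
Get-NamedSecurityInfo '\\live.sysinternals.com\tools\Dbgview.exe' $SE_FILE_OBJECT
Get-NamedSecurityInfo "$env:SystemDrive\ProgramData" $SE_FILE_OBJECT        # hidden folder on the local drive
Get-NamedSecurityInfo 'MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $SE_REGISTRY_KEY
```

Changing an ACL afterwards is the SetNamedSecurityInfo counterpart with the same object name and type; note that a DACL on the File object of a remote or WebDAV path is evaluated by the server that owns the file, not by the client that asked for it.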
Now obviously Windows, like Linux, has the benefit of deploying files in known locations; even hardware manufacturers release updates which can be exploited for very short periods of time, like when the update is actually running, in some situations.
Likewise, misconfigurations are a hacker's best friend, and Windows, despite having the rollback facility, doesn't make it that easy to roll back registry settings, as anyone who has installed and then uninstalled software will know when trawling through their registry finding leftover keys and values.
Now I haven't tried connecting to the registry locally, across an internal network or over the internet yet, but with the registry I wonder if I could add a registry entry that uses a UNC path to pull an EXE off another device/workstation connected to the internal network, or off a website over the internet, much like we can run DebugView on a machine using the UNC path to their web server as shown above.
How to Access or Modify StartUp Items in the Window Registry - PowerShell Team (microsoft.com)
And how many people monitor their registry settings?
I don't know of any AV product that monitors the registry; that's not to say it doesn't happen with some AV software, and certainly removing registry entries when removing viruses does occur, but considering it took over a year to reverse engineer Stuxnet before the AV companies decided whether it was a virus or not, there seems to be a window of opportunity that exists for some hackers.
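The autostart-from-a-UNC-path idea and the "who monitors the registry" question can both be turned into a check. The script below is an added example, not from the original post: it walks the Run and RunOnce keys (the ones the linked PowerShell Team article covers, plus the WOW6432Node copy) and flags any command line that references a \\host\share\ path, whether as the program itself or as an argument to cmd.exe or rundll32. The sample command lines are constructed for the demonstration; the DebugView path is the post's own example.

```powershell
# Added example (not from the original post): find autostart entries that would launch
# an EXE from a UNC path, i.e. pulled off another machine or a web server at logon.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-UncAutostart {
    # $true when the command line contains \\host\share\ anywhere: at the start, after
    # whitespace, or inside quotes/after '=' or ',' (rundll32 and cmd /c style arguments).
    param([string]$Command)
    return $Command -match '(^|[\s"''=,])\\\\[^\\\s"'']+\\'
}

function Get-SuspiciousAutostarts {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata Get-ItemProperty adds to every object.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            if (Test-UncAutostart -Command ([string]$p.Value)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Constructed sample command lines showing what the check flags and what it leaves alone.
$samples = @(
    '"C:\Program Files\Vendor\updater.exe" /silent',      # local path, not flagged
    '\\live.sysinternals.com\tools\Dbgview.exe',          # UNC to a web server, flagged
    'cmd.exe /c \\fileserver\public\stage.exe',           # UNC as an argument, flagged
    'rundll32 "\\10.0.0.5\share\x.dll",Entry'             # quoted UNC, flagged
)
$samples | ForEach-Object { '{0,-5} {1}' -f (Test-UncAutostart $_), $_ }

# Now the real keys on this machine.
Get-SuspiciousAutostarts | Format-Table -AutoSize
```

For continuous monitoring rather than a one-off scan, Sysinternals Sysmon logs registry key creation/deletion as Event ID 12 and value writes as Event ID 13, so a rule on writes to these Run keys containing `\\` gives the alert this post is asking for.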
And Shodan just makes acquiring the potential targets even quicker and easier!
Who needs a port scanner when you have Shodan?