Understanding Operating Systems: We will say more about operating systems when we discuss scanning and enumeration, but for now we are interested in laying out the fundamentals of each of the standard OSes on the market today. Remember Achilles from Greek mythology? The hero who was shot in the heel and died because of it? Granted, this is an oversimplification of the entire story, but the point is that when attacking or pen testing a client's network you must find the Achilles' heel.
We are not necessarily going to continually hammer away at a world-class firewall solution in an attempt to attack a back-end database server directly. We are going to find that one unpatched client system or the web server running an old Internet Information Services (IIS) version. What does all this banter have to do with operating systems? Operating systems offer some common vulnerabilities if not appropriately configured by the administrator, and as surprising as it may seem, quite a few organizations are running a fresh-out-of-the-box copy of an OS.
Microsoft Windows: Although there are many different operating systems, in all likelihood it will be a flavor of Microsoft's Windows OS that you will test against. There are other OSes in the wild with a certain amount of enterprise market presence, but Microsoft was the installed OS of choice for over 90 percent of the market. That's a pretty big target! With the release of Windows 10, Microsoft has set the goal of getting its operating system on over a billion desktops.
Note: Windows has tackled the issue of user account versus administrative account functionality for quite some time. Most users used to log in as local administrators 90 percent of the time just because user account actions were so limited. User Account Control (UAC), which was introduced in Windows Vista, is Microsoft's answer to this issue.
Let’s take a look at some common vulnerabilities of this market dominator:
- Patches, patches, and more patches. Microsoft, being an OS juggernaut, continually compiles and distributes patches and service packs for its operating systems. But those patches may not get installed on the systems that need them most. As strange as it may seem, constant updating may in itself become a problem. It is not uncommon for a patch or update to be applied and introduce other issues that are worse than the original.
- Major version releases and support termination impact Windows products. Yes, I have friends who still love their Windows 98 machines. What this translates into is a system with multiple vulnerabilities just due to age, particularly if the manufacturer no longer supports that product.
- Attempts at consumer friendliness have been a tough road for Microsoft. What this means is most installations deploy default configurations and are not hardened. For example, ports that a user may never use are left sitting open just in case a program requires them in the future.
- Administrator accounts remain a tempting target. Admittedly, Microsoft has taken some practical steps in protecting users from unwanted or suspicious code execution, but quite a few systems exist that are consistently running admin accounts without any kind of execution filtering or user account control.
- Passwords also remain a weak point and a tempting target in the Windows world. Weak admin account passwords are common on Windows computers and networks; although Group Policy controls these passwords in an enterprise environment, there are ways to circumvent these requirements, and many system admins do just that.
- Disabling Windows Firewall and virus protection software is an ongoing issue for the Windows OS. The Notification Center does notify the user of the lack of virus protection or a disabled firewall, but that's as far as it goes. Granted, it's not something that can be mandated easily, so proper virus protection remains a vulnerability in the Windows category.
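The weaknesses in the list above can be checked from the defender's side in a few lines of PowerShell. The following read-only audit is an added example, not code from the book; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1+, an elevated prompt, and an English locale (the `net accounts` parsing depends on it). The function name and the 60-day and 8-character thresholds are our own choices.

```powershell
# Added example (not from the book): read-only baseline check for the weaknesses
# listed above. Assumes Windows 10 / Server 2016+, PowerShell 5.1+, elevated
# prompt, English locale. Function name and thresholds are our own assumptions.
function Get-WindowsBaselineFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. UAC: EnableLUA = 0 means admin accounts run fully elevated with no prompt.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name EnableLUA -ErrorAction SilentlyContinue
    if (-not $uac -or $uac.EnableLUA -ne 1) { $findings.Add('UAC is disabled (EnableLUA != 1)') }

    # 2. Local Administrators group: more members than the built-in account is worth a look.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($admins.Count -gt 1) {
        $findings.Add("Administrators group has $($admins.Count) members: $($admins.Name -join ', ')")
    }

    # 3. Windows Firewall: every profile (Domain, Private, Public) should be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $findings.Add("Firewall disabled for profile '$($p.Name)'") }
    }

    # 4. Defender: both the antivirus engine and real-time protection should be on.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp -or -not $mp.AntivirusEnabled) { $findings.Add('Antivirus is not enabled') }
    elseif (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }

    # 5. Patching: flag a host whose newest hotfix is older than 60 days.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { $findings.Add('No hotfixes reported by Get-HotFix') }
    elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-60)) {
        $findings.Add("Newest hotfix was installed on $($latest.InstalledOn.ToShortDateString())")
    }

    # 6. Password policy: minimum length as reported by 'net accounts' (text parsing, English output).
    $line   = (net accounts | Select-String 'Minimum password length').ToString()
    $minLen = [int]($line -replace '\D', '')
    if ($minLen -lt 8) { $findings.Add("Minimum password length is $minLen") }

    return $findings
}

Get-WindowsBaselineFindings
```

An empty result means none of the six checks fired; each string returned maps to one bullet in the list above.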
Note: More a scanning consideration but also a potential vulnerability, Windows' default behavior is to respond to scans of open ports, as opposed to Linux, which defaults to no response at all. This will be addressed further when we explore scanning and enumeration.