Operating System Name                   Version Number
Windows NT 4                            4.0
Windows 2000                            5.0
Windows XP                              5.1
Windows Server 2003, 2003 R2            5.2
Windows Vista, Server 2008              6.0
Windows 7, Server 2008 R2               6.1
Windows 8, Server 2012                  6.2
Windows 8.1, Server 2012 R2             6.3
Windows 10, Server 2016, Server 2019    10.0

Windows 11 and Server 2022 also report 10.0; from 10.0 onward the build number, not the version, tells releases apart.

File Structure

The directory structure of the boot partition is as follows:

C:\ file structure

Perflogs
    Can hold Windows performance logs but is empty by default.
Program Files
    On 32-bit systems, all 16-bit and 32-bit programs are installed here. On 64-bit systems, only 64-bit programs are installed here.
Program Files (x86)
    32-bit and 16-bit programs are installed here on 64-bit editions of Windows.
ProgramData
    A hidden folder containing data that certain installed programs need in order to run. The data is accessible to the program no matter which user is running it, which also makes it a common place for world-writable directories that a low-privileged user can abuse.
Users
    Contains a profile for each user that has logged on to the system, plus the two folders Public and Default.
Default
    The default user profile template. Whenever a new user is added to the system, their profile is created from the Default profile.
Public
    Intended for users of the computer to share files; accessible to all local users by default. It is also shared over the network by default, but a valid network account is required to reach it.
AppData
    Per-user application data and settings, stored in a hidden subfolder of the profile (e.g. cliff.moore\AppData). It contains three subfolders. Roaming holds machine-independent data that should follow the user's profile, such as custom dictionaries. Local is specific to this computer and is never synchronized across the network. LocalLow is like Local but carries a lower integrity level, so it can be used, for example, by a web browser running in protected or safe mode.
Windows
    The majority of the files required by the Windows operating system live here.
System, System32, SysWOW64
    Contain the DLLs required for the core features of Windows and the Windows API. The operating system searches these folders any time a program asks to load a DLL without giving an absolute path. Because the application's own directory is searched before the system directories, an application directory that a low-privileged user can write to lets that user plant a DLL which is loaded in place of the real one (DLL hijacking).
WinSxS
    The Windows Component Store, which keeps a copy of all Windows components, updates, and service packs.

List the root including hidden and system items, or walk the whole tree:

dir c:\ /a
tree c:\ /f | more

File System

The file systems Windows commonly uses are FAT12, FAT16, FAT32, exFAT, and NTFS. Only NTFS supports per-file permissions (ACLs); the FAT family has none.

Files and folders inherit the NTFS permissions of their parent folder for ease of administration, so administrators do not need to set permissions explicitly on each file and folder, which would be extremely time-consuming.

Integrity Control Access Control List (icacls)

We can list the NTFS permissions on a directory by running icacls with no argument from inside that directory, or with a path (icacls C:\Windows) for a directory we are not currently in.

icacls c:\windows

Inheritance flags:

  • (CI): container inherit
  • (OI): object inherit
  • (IO): inherit only
  • (NP): do not propagate inherit
  • (I): permission inherited from parent container

Basic permissions:

  • F : full access
  • D : delete access
  • N : no access
  • M : modify access
  • RX : read and execute access
  • R : read-only access
  • W : write-only access

Grant the user joe full access to C:\Users:

icacls c:\users /grant joe:f

Written this way the entry applies to the folder itself only; to have it flow down to existing and future files and subfolders the inheritance flags must be included, e.g. joe:(OI)(CI)F. The same permission is revoked with icacls c:\users /remove joe.

A full listing of icacls command-line arguments and detailed permission settings can be found in Microsoft's icacls documentation.
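The flags above are what you read off an icacls listing by hand; on a real host you want the same check over whole directory trees, looking for the entries that let an ordinary user write where only administrators should. The script below is an added example and is not code from the original notes. It uses Get-Acl rather than parsing icacls output, treats a Deny entry as overriding an Allow entry for the same principal (the rule the NTFS access check applies), and returns only the write-capable bits. The list of low-privileged principals and the paths in the usage line are assumptions for illustration.

```powershell
# Added example, not part of the original notes: sweep a directory tree for places where
# low-privileged principals can create or change content. These are the entries an
# attacker looks for to plant a DLL, replace a binary or tamper with config, and the ones
# icacls shows as (OI)(CI)M, (CI)W and similar. The principal list and the paths used at
# the bottom are assumptions for illustration; adjust both for the host being reviewed.

# Groups that practically every interactive, non-admin account belongs to.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that let a principal add or change content or rewrite the ACL itself. Write, Modify
# and FullControl are supersets of these, so testing the bits covers the named levels too.
# The two raw values are GENERIC_ALL and GENERIC_WRITE, which appear as bare numbers on
# some inherit-only ACEs instead of FileSystemRights names.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Find-LowPrivWritablePath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [switch] $Recurse
    )
    foreach ($root in $Path) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue)
        if ($Recurse) {
            $dirs += @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        }
        foreach ($dir in $dirs) {
            # Get-Acl fails where we lack the Read permissions right; those paths are skipped.
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }

            # Collect Allow and Deny bits per principal. Deny entries win over Allow entries
            # for the same identity, which is the rule the NTFS access check applies.
            $allow = @{}
            $deny  = @{}
            foreach ($ace in $acl.Access) {
                $who = $ace.IdentityReference.Value
                if ($LowPrivPrincipals -notcontains $who) { continue }
                $bits = [int]$ace.FileSystemRights
                if ($ace.AccessControlType -eq 'Allow') { $allow[$who] = ([int]$allow[$who]) -bor $bits }
                else                                     { $deny[$who]  = ([int]$deny[$who])  -bor $bits }
            }

            foreach ($who in $allow.Keys) {
                $effective = $allow[$who] -band (-bnot ([int]$deny[$who])) -band $WriteMask
                if ($effective -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $who
                    Writable  = [System.Security.AccessControl.FileSystemRights]$effective
                }
            }
        }
    }
}

# Usage: the usual privilege-escalation sweep of the program directories described above.
Find-LowPrivWritablePath -Path 'C:\Program Files', 'C:\Program Files (x86)', 'C:\ProgramData' -Recurse |
    Format-Table -AutoSize
```

The script matches principals by name only, so rights granted to a custom group the current user is nested into are not seen; treat a hit as a lead, confirm it with icacls on the path (which also shows the (OI)/(CI)/(IO) flags the script drops) and by actually creating a file there as the low-privileged account.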

NTFS vs. Share Permissions

The Server Message Block (SMB) protocol is what Windows uses to reach shared resources such as files and printers over the network. It is found in enterprise environments of every size.

[Diagram: an SMB client sends a request to a server, which answers from the file systems and printers it hosts and returns a directory listing.]

Share permissions

Full Control
    Users may perform all actions given by Change and Read, and may also change the NTFS permissions of files and subfolders.
Change
    Users may read, edit, delete and add files and subfolders.
Read
    Users may view file and subfolder contents.

NTFS basic permissions

Full Control
    Users may add, edit, move and delete files and folders, and change the NTFS permissions on every folder they are allowed into.
Modify
    Users are permitted or denied viewing and modifying files and folders, including adding or deleting files.
Read & Execute
    Users are permitted or denied reading the contents of files and executing programs.
List folder contents
    Users are permitted or denied viewing a listing of files and subfolders.
Read
    Users are permitted or denied reading the contents of files.
Write
    Users are permitted or denied writing changes to a file and adding new files to a folder.
Special Permissions
    A variety of advanced permission options, listed below.

NTFS special permissions

Full control
    Users are permitted or denied adding, editing, moving and deleting files and folders, and changing the NTFS permissions on every folder they are allowed into.
Traverse folder / execute file
    Users are permitted or denied reaching a subfolder within a directory structure even when they are denied access to the contents of the parent folder. Users may also be permitted or denied executing programs.
List folder / read data
    Users are permitted or denied viewing the files and folders contained in the parent folder. Users may also be permitted to open and view files.
Read attributes
    Users are permitted or denied viewing the basic attributes of a file or folder (system, archive, read-only, hidden).
Read extended attributes
    Users are permitted or denied viewing the extended attributes of a file or folder. These differ from program to program.
Create files / write data
    Users are permitted or denied creating files within a folder and making changes to a file.
Create folders / append data
    Users are permitted or denied creating subfolders within a folder. Data can be appended to files, but existing content cannot be overwritten.
Write attributes
    Users are permitted or denied changing file attributes. This does not grant the right to create files or folders.
Write extended attributes
    Users are permitted or denied changing the extended attributes of a file or folder. These differ from program to program.
Delete subfolders and files
    Users are permitted or denied deleting subfolders and files. The parent folder itself is not deleted.
Delete
    Users are permitted or denied deleting parent folders, subfolders and files.
Read permissions
    Users are permitted or denied reading the permissions of a folder.
Change permissions
    Users are permitted or denied changing the permissions of a file or folder.
Take ownership
    Users are permitted or denied taking ownership of a file or folder. The owner of a file can always change its permissions.
Keep in mind that NTFS permissions apply on the system where the folder and files are hosted, for local and network access alike, whereas share permissions apply only when the folder is reached through the share. For a remote user the effective access is the more restrictive of the two: a share that grants Everyone Full Control is still limited by a read-only NTFS ACL, and a generous NTFS ACL is still limited by a Read-only share.

Windows Defender Firewall Considerations

Note also that when a Windows system is part of a workgroup, network logon requests are authenticated against that system's local SAM database. When the system is joined to a Windows domain, network logon requests are authenticated against Active Directory.

Windows Defender Firewall profiles:

  • Public
  • Private
  • Domain

Each profile carries its own rule set, and the profile assigned to the active network decides which set is enforced. A share reachable while the machine is on a Domain network may therefore be unreachable once the same machine is on a network classed as Public.

Using smbclient to list available shares

smbclient -L SERVER_IP -U htb-student

Connecting to the Company Data share

smbclient '\\SERVER_IP\Company Data' -U htb-student

Mounting the share (cifs-utils provides mount.cifs, so install it first)

sudo apt-get install cifs-utils
sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //ipaddoftarget/"Company Data" /home/user/Desktop/

Passing the password on the command line leaves it in the shell history and in the process list; outside a lab, put username and password in a root-only file and point mount.cifs at it with the credentials=/path/to/file option instead.

The net share command lists all the shared folders on the system.

We did not share C:\ ourselves. The drive holding the most critical files on a Windows system is shared via SMB at install as the administrative share C$ (alongside ADMIN$ for the Windows directory and IPC$ for named pipes). These shares are only usable by members of the local Administrators group, but anyone holding such an account can remotely reach the entire C:\ of every Windows system on the network.
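To see at a glance what net share exposes and how the share and NTFS layers combine, the script below enumerates every local share and computes, per principal, the access that is effective over the network (the more restrictive of the two, as explained under NTFS vs. Share Permissions). It is an added example and not code from the original notes. It assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt, and it matches principals by exact account name without resolving group nesting.

```powershell
# Added example, not part of the original notes: list every SMB share on the local host
# and work out, per principal, the access that is effective over the network, i.e. the
# more restrictive of the share permission and the NTFS permission on the share's path.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt,
# which is needed to read share ACLs. Group nesting is not resolved: a principal is only
# matched against NTFS entries carrying the same account name.

# Put both permission models on one scale so they can be compared.
$ShareLevel = @{ Read = 1; Change = 2; Full = 3 }

function Get-NtfsLevel {
    param([System.Security.AccessControl.FileSystemRights] $Rights)
    $r  = [int]$Rights
    $fc = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $w  = [int][System.Security.AccessControl.FileSystemRights]::Write
    $rd = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    if (($r -band $fc) -eq $fc) { return 3 }   # Full Control
    if (($r -band $w)  -ne 0)   { return 2 }   # any write bit: Change-equivalent
    if (($r -band $rd) -ne 0)   { return 1 }   # Read
    return 0
}

function Get-ShareExposure {
    [CmdletBinding()]
    param()
    foreach ($share in Get-SmbShare) {
        $ntfs = $null
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $ntfs = Get-Acl -LiteralPath $share.Path -ErrorAction SilentlyContinue
        }
        foreach ($sa in @(Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue)) {
            if ($sa.AccessControlType -ne 'Allow') { continue }
            # Custom share rights fall through the table and are scored 0 (inspect by hand).
            $shareLvl = [int]$ShareLevel[[string]$sa.AccessRight]

            # Best NTFS level any Allow ACE gives this exact account on the shared folder.
            # IPC$ has no path, so NTFS does not apply and the share level stands alone.
            $ntfsLvl = $null
            if ($ntfs) {
                $ntfsLvl = 0
                foreach ($ace in $ntfs.Access) {
                    if ($ace.AccessControlType -eq 'Allow' -and
                        $ace.IdentityReference.Value -eq $sa.AccountName) {
                        $ntfsLvl = [Math]::Max($ntfsLvl, (Get-NtfsLevel $ace.FileSystemRights))
                    }
                }
            }
            $effective = $shareLvl
            if ($null -ne $ntfsLvl) { $effective = [Math]::Min($shareLvl, $ntfsLvl) }

            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                AdminShare = $share.Special        # C$, ADMIN$, IPC$ are created at install
                Principal  = $sa.AccountName
                ShareLvl   = $shareLvl
                NtfsLvl    = $ntfsLvl
                Effective  = $effective            # 0 none, 1 read, 2 change, 3 full
            }
        }
    }
}

# Usage: non-administrative shares first, most exposed principals at the top.
Get-ShareExposure | Sort-Object AdminShare, Effective -Descending | Format-Table -AutoSize
```

A row where Effective is lower than ShareLvl is the common case of a share left at Everyone / Full Control and actually held back by NTFS; a row where both are 3 for Everyone or Authenticated Users is the one to fix.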

Viewing share access logs in Event Viewer

Event Viewer is another good place to investigate actions completed on Windows. Accesses to shares are written to the Security log as event 5140 (a network share object was accessed) and event 5145 (a check whether the client may be granted the desired access to a file or folder inside the share), but only when the Audit File Share and Audit Detailed File Share subcategories are enabled; an empty log usually means auditing is off, not that nobody touched the share.
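Clicking through these events one at a time in Event Viewer does not scale, so the script below pulls them out of the Security log and flattens each into one row with the user, client address, share and target. It is an added example, not code from the original notes; it reads the EventData fields by name from the event XML rather than by position and needs an elevated prompt to read the Security log.

```powershell
# Added example, not part of the original notes: pull share-access events from the
# Security log and flatten them into one row per access. Event 5140 (a network share
# object was accessed) and 5145 (access check for an object inside a share) are only
# written when the Audit File Share / Audit Detailed File Share subcategories are
# enabled, so an empty result usually means auditing is off. Needs an elevated prompt.

function Get-ShareAccessEvent {
    [CmdletBinding()]
    param(
        [datetime] $Since = (Get-Date).AddDays(-1),
        [int] $MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 5140, 5145; StartTime = $Since }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)) {
        # Read EventData by field name rather than by position so the field order cannot bite.
        $d = @{}
        foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ClientIP   = $d.IpAddress
            Share      = $d.ShareName            # e.g. \\*\Company Data or \\*\C$
            LocalPath  = $d.ShareLocalPath
            Target     = $d.RelativeTargetName   # 5145 only: the file or folder inside the share
            AccessMask = $d.AccessMask           # hex mask of the rights requested
        }
    }
}

# Usage: who touched which share in the last 24 hours, and from where, most active first.
Get-ShareAccessEvent |
    Group-Object Share, User, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Accesses to \\*\C$ and \\*\ADMIN$ from a workstation address, or from a user who has no business administering that host, are the rows worth chasing; lateral movement with tools that copy a binary over ADMIN$ shows up here before anything else does.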

Windows Services and Processes

Important Stuff (Might come into use)

  • Get info about the OS (Get-CimInstance -ClassName Win32_OperatingSystem gives the same result on newer PowerShell, where Get-WmiObject is no longer available):
Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
  • By default, Remote Desktop access is disabled on Windows; it has to be turned on explicitly before mstsc.exe or any other client can connect.
  • Many Remote Desktop client applications other than mstsc.exe exist; some of them are listed in the Microsoft article called Remote Desktop clients.