Windows Basics

The Many Different Versions of Windows

Windows Desktop OS

Operating System     Version Number

Windows 1.0                    1.04
Windows 2.0                    2.11
Windows 3.0                    3
Windows NT 3.1                 3.10.528
Windows for Workgroups 3.11    3.11
Windows NT Workstation 3.5     3.5.807
Windows NT Workstation 3.51    3.51.1057
Windows 95                     4.0.950
Windows NT Workstation 4.0     4.0.1381
Windows 98                     4.1.1998
Windows 98 Second Edition      4.1.2222
Windows Me                     4.90.3000
Windows 2000 Professional      5.0.2195
Windows XP                     5.1.2600
Windows Vista                  6.0.6000
Windows 7                      6.1.7600
Windows 8.1                    6.3.9600
Windows 10                     10.0.10240

Windows Server OS

Windows NT 3.51                  NT 3.51
Windows NT 3.5                   NT 3.50
Windows NT 3.1                   NT 3.10
Windows 2000                     NT 5.0     

    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows 2000 Datacenter Server

Windows NT 4.0                   NT 4.0     

    Windows NT 4.0 Server
    Windows NT 4.0 Server Enterprise
    Windows NT 4.0 Terminal Server Edition

Windows Server 2003              NT 5.2     

    Windows Small Business Server 2003
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Datacenter Edition
    Windows Storage Server

Windows Server 2003 R2           NT 5.2     

    Windows Small Business Server 2003 R2
    Windows Server 2003 R2 Web Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Datacenter Edition
    Windows Compute Cluster Server 2003 (CCS)
    Windows Storage Server
    Windows Home Server

Windows Server 2008               NT 6.0     

    Windows Server 2008 Standard
    Windows Server 2008 Enterprise
    Windows Server 2008 Datacenter
    Windows Server 2008 for Itanium-based Systems
    Windows Server Foundation 2008
    Windows Essential Business Server 2008
    Windows HPC Server 2008
    Windows Small Business Server 2008
    Windows Storage Server 2008
    Windows Web Server 2008

Windows Server 2008 R2            NT 6.1     

    Windows Server 2008 R2 Foundation
    Windows Server 2008 R2 Standard
    Windows Server 2008 R2 Enterprise
    Windows Server 2008 R2 Datacenter
    Windows Server 2008 R2 for Itanium-based Systems
    Windows Web Server 2008 R2
    Windows Storage Server 2008 R2
    Windows HPC Server 2008 R2
    Windows Small Business Server 2011
    Windows MultiPoint Server 2011
    Windows Home Server 2011
    Windows MultiPoint Server 2010

Windows Server 2012               NT 6.2     

    Windows Server 2012 Foundation
    Windows Server 2012 Essentials
    Windows Server 2012 Standard
    Windows Server 2012 Datacenter
    Windows MultiPoint Server 2012

Windows Server 2012 R2            NT 6.3     

    Windows Server 2012 R2 Foundation
    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Standard
    Windows Server 2012 R2 Datacenter

Windows Server 2016               NT 10.0

Operating System Settings

Drivers

You hear a lot of talk about drivers in the Windows ecosystem, but not in Linux. That is because in Linux the drivers are, for the most part, open-sourced and included in the kernel. These drivers might be written by independent programmers or by the hardware producer themselves. That's why it is so easy and fast to install new hardware on Linux, if it is compatible, that is. Drivers are software that lets the OS communicate with the hardware, such as network cards, graphics cards and printers. To list all the drivers on the machine use the following command:

driverquery

Some drivers can contain vulnerabilities that can be used for privilege escalation.
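As an added example that is not part of the original page, the Python script below parses the CSV form of the command's output and flags running kernel drivers whose image is loaded from outside the system drivers directory, which is a cheap first step towards a driver inventory when you worry about the privilege escalation risk mentioned above. The column layout is assumed from what driverquery /v /fo csv prints, the rows are constructed, and a third-party driver is only flagged as something to check, not as malicious.

```python
import csv
import io

# Assumption: where Windows keeps its own kernel-mode drivers (compared lower-case).
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample of `driverquery /v /fo csv` output. The column names are
# assumed from the tool's verbose CSV layout; every row is made up for this example.
SAMPLE_DRIVERQUERY_CSV = r'''"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"ACPI","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot","Running","OK","TRUE","FALSE","126,976","221,184","0","6/21/2006 8:29:48 PM","C:\Windows\system32\drivers\ACPI.sys","16,384"
"exampledrv","Example Vendor Driver","Example Vendor Driver","Kernel","Auto","Running","OK","TRUE","FALSE","4,096","32,768","0","1/1/2009 9:00:00 AM","C:\Program Files\ExampleVendor\exampledrv.sys","8,192"
"olddrv","Legacy Tool Driver","Legacy Tool Driver","Kernel","Demand","Stopped","OK","TRUE","FALSE","4,096","16,384","0","3/3/2008 9:00:00 AM","C:\Program Files\ExampleVendor\olddrv.sys","4,096"
"Ntfs","Ntfs","Ntfs","File System","Boot","Running","OK","TRUE","FALSE","65,536","1,400,832","0","7/13/2009 11:49:32 PM","C:\Windows\system32\drivers\Ntfs.sys","8,192"
'''


def parse_driverquery(csv_text):
    """Turn driverquery CSV text into a list of row dicts keyed by column name.

    The csv module handles the quoted numeric fields ("126,976") correctly."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def drivers_outside_system_dir(rows):
    """Module names of running kernel drivers loaded from outside SYSTEM_DRIVER_DIR.

    These are the third-party drivers to check against vendor advisories; a
    vulnerable kernel driver is a privilege escalation path for any local user."""
    flagged = []
    for row in rows:
        if row["Driver Type"] != "Kernel" or row["State"] != "Running":
            continue
        if not row["Path"].lower().startswith(SYSTEM_DRIVER_DIR):
            flagged.append(row["Module Name"])
    return flagged


def new_since_baseline(baseline_modules, rows):
    """Modules present now but absent from a saved baseline list.

    A driver that appears without a matching change is worth investigating."""
    current = {row["Module Name"] for row in rows}
    return sorted(current - set(baseline_modules))


if __name__ == "__main__":
    rows = parse_driverquery(SAMPLE_DRIVERQUERY_CSV)
    print("running kernel drivers outside the system driver dir:",
          drivers_outside_system_dir(rows))
    print("modules not in baseline:", new_since_baseline(["ACPI", "Ntfs"], rows))
```

On a real host you would replace the constructed sample with the live output, for example subprocess.run(["driverquery", "/v", "/fo", "csv"], capture_output=True, text=True).stdout, and keep the baseline list from a known-good build of the machine.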

Registry

The Windows registry is a hierarchical database that stores low-level settings used by the OS and by any application that chooses to use it. The SAM (Security Account Manager) uses it, along with a lot of other components. There is no real equivalent of the registry in Linux, where most configuration is done in text files that you can usually find under /etc.

In Linux you usually just sudo-edit a config file in /etc. In Windows you open regedit and can browse the whole hierarchy. The registry is built from key-value pairs.

Windows Directory Structure

C:\Program Files

32-bit architecture: All apps (both 16-bit and 32-bit) are installed in this folder.

64-bit architecture: 64-bit apps are installed in this folder.

C:\Program Files (x86)

Appears on 64-bit editions of Windows. 32-bit and 16-bit apps are by default installed in this folder, even though 16-bit apps do not run on 64-bit Windows.

C:\ProgramData

Contains program data that is expected to be accessed by computer programs regardless of the user account in whose context they run. For example, an app may store specific information needed to operate DVD recorders or image scanners connected to a computer, because all users use them. Windows itself uses this folder. For example, Windows Defender stores its virus definitions in \ProgramData\Microsoft\Windows Defender. Programs do not have permission to store files directly in this folder, but they may create subfolders and store files in them. The organization of the files is at the discretion of the developer.

C:\Users (C:\Documents and Settings in Windows XP)

User profile folders. This folder contains one subfolder for each user that has logged onto the system at least once. In addition, it has two other folders: "Public" and "Default" (hidden). It also has two folder-like items called "Default User" (an NTFS junction point to the "Default" folder) and "All Users" (an NTFS symbolic link to "C:\ProgramData").

C:\Windows, C:\System, C:\System32, C:\SysWOW64

Windows itself is installed into this folder. These folders store dynamic-link library (DLL) files that implement the core features of Windows and the Windows API. Any time a program asks Windows to load a DLL file and does not specify a path, these folders are searched after the app's own folder is searched.[5] "System" stores 16-bit DLLs and is normally empty on 64-bit editions of Windows. "System32" stores either 32-bit or 64-bit DLL files, depending on whether the Windows edition is 32-bit or 64-bit. "SysWOW64" only appears on 64-bit editions of Windows and stores 32-bit DLLs.

C:\WinSxS

This folder is officially called "Windows component store" and constitutes the majority of Windows. A copy of all Windows components, as well as all Windows updates and service packs is stored in this folder. Starting with Windows 7 and Windows Server 2008 R2, Windows automatically scavenges this folder to keep its size in check. For security reasons and to avoid the DLL Hell issue, Windows enforces very stringent requirements on how the files in this folder are organized.

Windows Network

There are two ways to structure a Windows network: a server-client model called a Domain, and a peer-to-peer model called a Workgroup.

Workgroup

A workgroup is based on the idea of a peer-to-peer network rather than a server-client network (in a domain network you have a domain controller and client workstations). A workgroup is usually used for smaller networks, because it becomes hard to manage a workgroup with more than a dozen computers. In a workgroup environment each computer is in charge of its own security settings; there is no single server in charge of all the security settings for the workgroup. This is good because you don't have one single point of failure, but it is also bad because you have to trust the users to configure their machines securely. If a computer is part of a workgroup it cannot be part of a domain.

Windows Domain

On a Windows domain all users, computers, printers and other security principals are registered with a central database located on one or more domain controllers. The person in control of the domain controller is in control of the network. As a hacker you'll want to gain access to the domain controller with administrator privileges; that is how you take control of the network.

If you have hacked a machine and you want to know if it is part of either a Workgroup or a Domain you can do the following: Go to Control panel > System. If it says Workgroup under the Computer name, domain and workgroup settings it means that the machine is connected to a workgroup, and not a domain.

Domain controller

The domain controller manages all the security aspects of the interaction between user and domain and responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business application loaded onto a device. Each person who uses computers within a domain receives a unique user account that can then be assigned access to resources within the domain. There are usually at least two computers configured as domain controllers, for redundancy.

Active directory

From Windows 2000 onward, the Active Directory service has been used for maintaining the central database of users and configurations. From Windows Server 2008 onward, Active Directory became an umbrella title for a broad range of directory-based, identity-related services.

Kerberos

Kerberos is a network authentication protocol and the default authentication method in Windows 2000 and later. When a user logs in to the domain, Active Directory uses Kerberos to authenticate the user. Active Directory checks whether the client is in its database; if it is, it generates a secret key by hashing the password of the user found in the database and sends two messages back to the computer. Message A: the Client/TGS session key, encrypted using the secret key of the user. Message B: a Ticket-Granting Ticket (TGT), which includes the client ID, network address, ticket validity period and the TGS session key, encrypted using the secret key of the TGS.

Once the computer receives both messages A and B it attempts to decrypt message A with the secret key generated from the password entered by the user. If the password the user entered does not match the password in the AD database, the client's secret key will be different and it will be unable to decrypt message A. With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key. This session key is used for further communications with the TGS.
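The exchange described above, as an added example that is not part of the original page: a Python simulation of the Kerberos AS exchange with both sides present. The KDC side builds message A (session key under the user's key) and message B (the TGT under the TGS key) from the principal name alone; the client side derives its key from the typed password and tries to open message A, which fails with a wrong password. The toy cipher, the PBKDF2 key derivation, the realm CORP.EXAMPLE, the principal alice and the password are all constructed stand-ins: real Kerberos uses its own encryption types and string-to-key functions, and the TGT stays opaque to the client exactly as it does here.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated cipher standing in for Kerberos's real encryption types,
# built from the standard library so the example runs anywhere. It is NOT a
# replacement for AES in real code; it only shows that a message sealed under
# one key cannot be opened under another.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def user_secret_key(password, realm, principal):
    # The page describes the long-term key as a hash of the password; PBKDF2
    # with realm+principal as salt is the constructed stand-in used here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)


# Constructed KDC state: the AD database of principals and the TGS's own key.
REALM = "CORP.EXAMPLE"
KDC_DB = {"alice": user_secret_key("correct horse", REALM, "alice")}
TGS_KEY = os.urandom(32)


def as_exchange(principal, client_addr):
    """KDC side: look the principal up and return messages A and B."""
    if principal not in KDC_DB:
        raise LookupError("unknown principal")
    session_key = os.urandom(32)
    # Message A: Client/TGS session key sealed under the user's secret key.
    msg_a = encrypt(KDC_DB[principal], json.dumps({"tgs_session_key": session_key.hex()}).encode())
    # Message B: the TGT, sealed under the TGS key so the client cannot read or alter it.
    tgt = {"client": principal, "addr": client_addr, "validity_s": 36000,
           "tgs_session_key": session_key.hex()}
    msg_b = encrypt(TGS_KEY, json.dumps(tgt).encode())
    return msg_a, msg_b


def client_login(principal, password, client_addr, realm=REALM):
    """Client side: derive the key from the typed password and open message A.

    Returns the session key and the opaque TGT, or None if the password is wrong."""
    msg_a, msg_b = as_exchange(principal, client_addr)
    my_key = user_secret_key(password, realm, principal)
    try:
        session_key = json.loads(decrypt(my_key, msg_a))["tgs_session_key"]
    except ValueError:
        return None
    return {"session_key": session_key, "tgt": msg_b}


def tgs_open_tgt(msg_b):
    """TGS side: only the TGS key can open the ticket the client carries."""
    return json.loads(decrypt(TGS_KEY, msg_b))


if __name__ == "__main__":
    ok = client_login("alice", "correct horse", "10.0.0.5")
    print("correct password:", "session key obtained" if ok else "failed")
    print("wrong password:", client_login("alice", "wrong", "10.0.0.5"))
    print("TGT as seen by the TGS:", tgs_open_tgt(ok["tgt"]))
```

Note that the KDC never sees the password and the client never sees the TGS key: the only thing linking the two halves is the session key, which appears inside both message A and the TGT.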

SMB

SMB stands for Server Message Block and is used for providing shared access to files, printers, and serial ports and miscellaneous communications between devices on a network. SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. One section of the SMB protocol specifically deals with access to filesystems, where clients may make requests to a file server. The other sections of the SMB protocol specialize in inter-process communication (IPC). The Inter-Process Communication (IPC) share, or ipc$, is a network share on computers running Microsoft Windows. This virtual share is used to facilitate communication between processes and computers over SMB, often to exchange data between computers that have been authenticated.

User privileges

LocalSystem (NT AUTHORITY\SYSTEM)

The LocalSystem account is a predefined, completely trusted local account used by the service control manager. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs, which means it is a member of groups that have access to most system objects.

Administrator

Administrator is a built-in account on Windows. It is the user with the highest privileges. It is a well-known Windows account and SID (Security ID). It is best practice to disable this account, create a new account, and add the new account to the Administrators group. You can add a user to the local Administrators group through Command Prompt with the following command:

net localgroup administrators Username /add

Normal user

The normal user obviously has fewer privileges than the Administrator. You can create a new user on the local computer through Command Prompt with the following command:

net user Username UserPass /add

Windows Web Server

IIS

IIS stands for Internet Information Services. It is included in most Windows versions, except for Home editions. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. IIS is typically used to host internal and external web services over ports 80 and 443.

ASP

ASP stands for Active Server Pages and is the server-side scripting engine for IIS. ASP uses server-side scripting to generate content that is sent to the client's web browser. The ASP interpreter reads and executes all script code between <% and %> tags, and the output of that code becomes the generated content. These scripts were written using VBScript, JScript, or PerlScript.
