# In a Nutshell

Windows, with a market share of over 70% as of 2021, is a prime target for attackers due to its widespread use by individuals and businesses. Over the past 15 years, it has faced numerous severe vulnerabilities, such as MS08-067 (Conficker) and MS17-010 (EternalBlue), many of which have publicly available exploit code, making them easier to exploit.

The fragmentation of Windows into many OS versions complicates its security: a flaw present in Windows 7 may not exist in Windows 10, so each version has to be assessed on its own. At the same time, all Windows versions share a common code base written largely in C, which makes them susceptible to memory-corruption bugs such as buffer overflows that lead to arbitrary code execution. Additionally, Windows is often not securely configured by default and requires proactive hardening, and newly discovered vulnerabilities are not always promptly patched by Microsoft, leaving many systems unprotected.

Frequent releases of new Windows versions mean organizations often delay upgrades, leaving older, vulnerable systems in use. Windows is also susceptible to cross-platform vulnerabilities like SQL injection and physical attacks, such as theft or malicious peripheral devices.

{% embed url="https://learn.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067" %}

{% embed url="https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" %}

## Types of Vulnerabilities

<table data-header-hidden><thead><tr><th width="224"></th><th></th></tr></thead><tbody><tr><td><strong>Information Disclosure</strong></td><td>Allows an attacker to access confidential data.</td></tr><tr><td><strong>Buffer Overflows</strong></td><td>Caused by programming errors, allowing attackers to write data beyond the allocated buffer, corrupting memory.</td></tr><tr><td><strong>Remote Code Execution</strong></td><td>Enables an attacker to execute code remotely on the target system.</td></tr><tr><td><strong>Privilege Escalation</strong></td><td>Allows an attacker to elevate their privileges after an initial compromise.</td></tr><tr><td><strong>Denial of Service</strong></td><td>Enables an attacker to consume system resources (CPU, RAM, network, etc.), preventing normal system function.</td></tr></tbody></table>

This list of vulnerability classes is not exhaustive.

## Frequently Exploited Services

MS Windows includes native services and protocols that can be configured to run on a host. These services, like SMB, RDP, and PowerShell, can offer potential access points for attackers if not properly secured. As a pentester, it's crucial to understand these services, how they function, and their vulnerabilities, as they can be exploited to gain unauthorized access to a target system. This knowledge helps identify and mitigate risks, strengthening the security posture of the target.

<table><thead><tr><th width="212">Protocol/Service</th><th width="141">Ports</th><th>Purpose</th></tr></thead><tbody><tr><td>Microsoft IIS</td><td>TCP 80/443</td><td>Web server for hosting websites and applications</td></tr><tr><td>WebDAV (Web Distributed Authoring and Versioning)</td><td>TCP 80/443</td><td>Remote file management over HTTP/HTTPS</td></tr><tr><td>SMB/CIFS</td><td>TCP 445</td><td>File sharing, printer sharing, and network communication</td></tr><tr><td>RDP</td><td>TCP 3389</td><td>Remote desktop access to Windows systems</td></tr><tr><td>WinRM</td><td>TCP 5986/443</td><td>Remote management of Windows systems using PowerShell</td></tr></tbody></table>
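To turn the table above into a concrete check, here is an added PowerShell example (not from the original page) that reports which of these services are actually listening on a host, which process owns each socket, and which enabled inbound firewall rules allow the port. It assumes an elevated session on Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules present) and also includes TCP 5985, which the default WinRM HTTP listener uses even though it is not in the table.

```powershell
# Added example, not from the page: exposure audit for the frequently
# exploited services listed above. Requires an elevated PowerShell session
# and the NetTCPIP / NetSecurity modules (Windows 8 / Server 2012 or later).
$services = [ordered]@{
    80   = 'IIS / WebDAV (HTTP)'
    443  = 'IIS / WebDAV (HTTPS)'
    445  = 'SMB/CIFS'
    3389 = 'RDP'
    5985 = 'WinRM (HTTP)'    # default WinRM listener; not in the table above
    5986 = 'WinRM (HTTPS)'
}

# 1. Listening TCP sockets on any of the watched ports.
$listening = Get-NetTCPConnection -State Listen |
    Where-Object { $services.Contains([int]$_.LocalPort) }

# 2. Enabled inbound allow rules, flattened with their port filters so we can
#    match them against each listener without re-querying per port.
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $f = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $f.Protocol
            LocalPort = @($f.LocalPort)   # string[]: port numbers, ranges, or 'Any'
        }
    }

foreach ($conn in $listening) {
    $port = [int]$conn.LocalPort
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    # A wildcard bind means the service is reachable from the network,
    # not only from localhost.
    $networkBound = $conn.LocalAddress -in @('0.0.0.0', '::')
    $rules = $allowRules | Where-Object {
        $_.Protocol -eq 'TCP' -and
        ($_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any')
    }
    [pscustomobject]@{
        Port         = $port
        Service      = $services[$port]
        Process      = $proc.ProcessName
        NetworkBound = $networkBound
        AllowRules   = ($rules | ForEach-Object { "$($_.Name) [$($_.Profile)]" }) -join '; '
    }
}
```

A row with NetworkBound set to True and at least one allow rule is a service that deserves the hardening review the text above calls for; a listener with no matching rule is blocked by the host firewall unless another rule or profile setting overrides it.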
