
Penetration Testing Using Windows Features - Niall Caffrey

BSides Belfast · 24:48 · 251 views · Published 2024-03
Category: Technical
Style: Talk
About this talk
Abstract: Windows normally gets a bit of a bad reputation as an operating system to perform penetration testing from; however, there are some recent features designed by Microsoft that can be useful for a penetration tester. This talk will provide an overview of WSL, WSA, and Windows Sandbox, and how these features in Windows can be used for penetration testing.
Bio: Senior Security Consultant @ edgescan. Has been working as a security consultant for 8 years at edgescan, the last 5 of which have been as a senior consultant.
Transcript (en)

Okay, so as she said, my name is Niall Caffrey. I'm just going to be talking to you about how we can use a few Windows features that you may or may not already know about, and how we can use them for penetration testing. So just a quick run-through of what we're going to be talking about: first off, just a quick introductory slide of who I am and what I'm all about. Then we're going to go on to Windows Subsystem for Linux and how we can use this as an environment for penetration testing. We're going to then talk about Windows Sandbox and how we can use that for reverse engineering; Windows Subsystem for Android, a new feature that they have, and how we can use that for emulation of Android applications; and just a quick thing on what good these are for us and why we may want to use them instead of VMware or VirtualBox or even Android Studio. And then there's a few other random features, a bit of honorable mentions there as well.

So first off, I'm an ethical hacker. I'm one of the senior consultants at edgescan. I've been there for eight years now, started in 2015. I went straight from college into pentesting, so if there's any students here who want to get into pentesting, that is a viable way to get in; you can just go straight from college and straight in. In my bit of spare time, and as part of my work, I do a bit of security research as well. I am a gamer as well; I love single-player RPGs, mostly Baldur's Gate 3 and Cyberpunk. I'm really looking forward to that now next week. I'm also just a general all-around nerd as well, as most of us are. There are my social media accounts. I don't really post much on Mastodon at all; it's there if you want to follow me on it. I do tweet a small bit, but not that much, so again, if you want to follow me on it, feel free.

So first up, Windows Subsystem for Linux. What is it? It was first released back in about 2016 by Microsoft, and at first it was really just a way to emulate Linux binaries on Windows. You couldn't do much with it for pentesting or network testing or anything like that. But about two or three years later they released WSL 2, and this one was a full virtual machine. You can run most popular GNU/Linux distributions that are available; they can just run directly in Windows without needing to install VirtualBox or VMware or Hyper-V or any other virtualization software that you would typically be using.

So what OS can we install? By default we can install some of the popular distributions. We have Ubuntu, which is the default one if you go to install it. We also have Debian, and a few of the Ubuntu long-term support releases as well. There's a few enterprise distributions as well that we can use: SUSE Linux and openSUSE are available there for use. And because we're all hackers, there are security-focused distributions. Kali Linux Rolling is actually one of the officially supported ones by Microsoft as part of WSL. There are other ones you can install and get from the Microsoft Store or from GitHub or tutorials. I've seen plenty of tutorials on using Parrot OS and how to install that. There's actually a new one called Athena OS; it's a new penetration testing distribution as well that is available through the Microsoft Store, and you can install it from there. And I've seen other tutorials just talking about how to get any Unix distribution at all, and how you can just export that and import it into WSL and run it there.

So Kali Linux, the one we're all familiar with as pentesters: it's a distribution officially done by Kali, so every single update to Kali, all the rolling updates, are brought into this one as well. It's the same as the cloud versions, so it's a blank distribution; all tools can be installed in it from the metapackages or from the repositories if you want to.

So before we go any further, there are some downsides and limitations to WSL. Out of the box it doesn't come with a bridged adapter; it uses NAT networking only. It does not have USB support out of the box either. You can pass through USB sticks and anything like that, but USB adapters you can't get working straight out of the box with it. So for penetration testing, if these features are needed for a test, if you need a bridged adapter to open up a port, if you need to connect a Wi-Fi adapter or a Bluetooth adapter, then you're better off using a normal VM through VirtualBox or VMware. Any other type of testing you can just use WSL for. Personally, I am using it on a daily basis; it is my go-to VM for penetration testing.

So moving on. By default WSL is a command-line interface only, but Kali themselves have decided to add a desktop environment to that, so they've created Win-KeX. There's three modes for it. You can go window mode, which will use VNC and will just open up a desktop environment that you can run all the normal GUI applications from. They have seamless mode as well; this will just basically create an overlap between Kali and Windows, so you can see there the normal Kali taskbars, they're open with the start menu, and you can access all GUI applications from there. The downside to seamless mode: if you have a window open full screen in Windows, it gets cut off from the taskbar up at the top, but again, you can unlock the taskbar if you want to and get around that. And then there's enhanced session mode. This was designed for systems that are running on ARM; it just uses native protocols and clients for Windows, and it's basically just an RDP window into Kali.

So WSL in general comes with some built-in integrations with the Windows operating system. To make use of it, you can access the file systems from either machine in each machine, so you can access the Kali file system from Windows and the Windows file system from Kali. There are a few Windows binaries and commands that you can run from inside Kali as well. So what does that look like? You can see here on the left is what the file system will look like in Windows: you can open Windows Explorer in Windows 11, and in the shortcuts you can just access Linux, and it'll bring up all of the WSL distributions you have, and you can just access the file system from there. In Kali they're just auto-mounted in /mnt by default.

Windows have decided to add more features to it though, so Win-KeX doesn't run great at the moment because of this, but it can still work. Windows have introduced WSLg, they call it, so it's a part to run GUI applications. The aim is to have just an integrated desktop experience, so any tools in Kali that run a GUI we can just access straight from Windows. Again, what will this look like? In the Start menu we can just browse to the Kali folder that we have there and just access every single tool that has a GUI from there. We can use the Windows search menu just to search for any tool that's in Kali and run it from there. Windows Terminal: this is just a terminal that is in all Windows 11 by default. They've brought this in as the default terminal instead of running PowerShell and Command Prompt on their own. This is designed and preconfigured to run with all of the things such as WSL, and it does introduce features like Quake mode. For anyone who doesn't know what Quake mode is: back in the original Quake you could press the backtick button to open the console window and put in cheats for the game. So again, you can just press Windows key and backtick and you can open PowerShell from anywhere in the Windows operating system as a shortcut.

So that's just a bit about WSL. Let's just show you a bit of actual testing using it. So here, not sure how visible that is to you, but here is running nmap and masscan against the Altoro Mutual website, just to show we can perform normal network scanning from inside this environment, which we couldn't back when it was first released. We can do some application testing, so here we have another tool doing some directory enumeration, again against Altoro Mutual. This is the application in Kali Linux that it's running in, but it is accessed from Windows and is integrated into the Windows operating system environment. Again, the other GUI tools and Firefox we can access; these are running inside Kali, but we have the full, normal desktop experience in Windows with these tools. And it's not just tools installed by default that we can use; we can use non-default tools as well, such as BloodHound, which is just installed from the repositories. We can also run tools like this in Windows from Linux.

So just moving on now to Windows Sandbox. What is it, and how can we use this? Windows Sandbox is a lightweight desktop environment; it's designed by Microsoft to run any apps you want in complete isolation. It was released in the May 2019 update, so it'll run Windows 11 or Windows 10 depending on which OS your host machine is running. Anything installed inside it is sandboxed and is completely separate from your machine. Everything in it is temporary, so as soon as you close it everything gets deleted. So it's in essence, for us and for penetration testing, a lightweight disposable Windows virtual machine. What can we use this for in testing? Thick client testing, reverse engineering: we can use it as a place to install the binaries we're testing, in there instead of on our host machine. If we have to do configuration reviews as a pentester, we can just log into the accounts we're performing the review of in this machine instead of on our host machine. Any new tools or exploit scripts that we come across as pentesters, we can try them out inside this environment instead of running them on a host machine or building up a full-on VM that could take a few minutes to boot up, depending on how much memory we're giving it.

So it can be configured using just a normal XML file given the extension .wsb, and you can configure any settings that you want in it. This here is an example of the kind of XML that it looks for. In this particular example I have set it to disable the virtual GPU and disable all network access, and I've given it two host folders on my host machine: one is just a reverse engineering folder that has a couple of tools in it, and the other one is just a Downloads folder, so we can access any files downloaded in Windows Sandbox. And then it'll just open Windows Explorer. So we can just run this XML file by double-clicking on it in Windows, and it'll open up our environment here, ready to go, with the folder that we've mapped as the read-only folder.

So how can we use this now? Well, we can actually install some of the tools very quickly. We can install IDA Free or Immunity Debugger within minutes and have them running, and then we can go from there and start using them. So we can use Immunity Debugger to fully debug and reverse engineer an executable file; in this case I'm just using vulnserver. We can use IDA Free as well, or IDA Pro if you have the license for it (I don't). If we want to do some .NET Framework reverse engineering, we can use something like dnSpy if we wanted to. If you prefer command-line tools, we can use those as well.

So before we move on, just a quick reminder that this is a security feature that Windows added to help protect against malware and malicious files, but it can become an avenue of attack. So in 2020 a reverse engineer called Jonas Lykkegaard (I probably butchered that, sorry) publicly disclosed a zero-day in the activation of Windows Sandbox itself. He found that if Hyper-V was already installed on a Windows server and you activated Windows Sandbox, any user could write to the System32 folder in Windows, which they should not be able to. So just a bit of a reminder: these things are all security features, but they can become avenues of attack.

Okay, so the next thing: WSA, Windows Subsystem for Android. It is very similar to WSL, but it's for Android systems. It gives us a fully emulated Android environment. By default it does make use of the Amazon Appstore, which is a bit of a letdown; I don't know why they didn't try and get Google's help with it. So the default installation: you can just install it yourself at any time on Windows 11 by just installing the Amazon Appstore, and that will install WSA. The default is very limited for penetration testing: any applications have to be installed from either the Amazon Appstore or by side-loading the APK using ADB, and of course there's no root access in those images either, just like the Google Play images from Android Studio.

So how can we customize this now for penetration testing? There are ways we can do it. There are scripts available on GitHub, if you want, that will give you root access in WSA along with installing the Google Play Store. Some of them do make use of Magisk; some of them are broken at the moment, some are fixed. But we need to be wary of using these, because they will sometimes ask for administrator permissions to actually run, so we need to be careful about running anything like this from GitHub.

So, the default installation and how we need to configure it: how do we get access for certificates or proxies? There's no actual launcher image, there's no Android desktop that we can access. So we can use ADB: there's an ADB command to set a local proxy or global proxy that we can use. We can install certificates using ADB shell. There's actually a Microsoft official Android launcher, for some reason, that is available from Google on the Google Play Store that we can use; if we get the APK for that, we can install it. If we use any of the GitHub scripts, most of them will have installed the Google Play Store by default, so we can install just about anything straight from there. We can use ProxyDroid if we have root access.

So again, what will this look like? First, we can access any of the Android applications straight from Windows without having to boot up an emulator. We can use a launcher as well; this here is the Microsoft Launcher that I have installed. It's the most likely to work in WSA because of Windows. Any applications we run will just run side by side with Windows desktop applications for a fully integrated environment. So how can we test these? We can just proxy the applications as normal, as we would with a normal Android emulator. We can use objection to interact with the applications as we would with any other emulators. We can use ADB shell and get access to the file system as we would with anything else.

So what good are these features for us to use? Why would we want to use these instead of VMware or VirtualBox? To begin with, they're a lot faster and use way less resources than those. The amount of times my laptop has started going nuts with the fan because I've been running VMs and emulators on it; I've never had that experience when using WSL. The other one, as I showed there, is the built-in integration between the Windows operating system and these features, these platforms. And they can be used, if you want, to bypass any corporate policies that block you from using VMware or VirtualBox. If your company makes use of Azure VMs, those VMs themselves block you from installing VMware or VirtualBox, so you'll need to make use of Hyper-V or WSL. A client I was talking to used to run a pentesting team, but they wouldn't let him install VirtualBox or VMware to get a Kali environment on his laptop; he got around this by using WSL.

A few honorable mentions as well. Windows does have a package manager itself; you may or may not know about it. You use winget from the command prompt or PowerShell and install any different programs you want from it. In November last year Microsoft introduced Dev Tunnels to allow developers to share local web services across the internet. Just at the start of September, in Visual Studio Code, they released the August update which allowed for built-in port forwarding, so any locally running services on your laptop can be shared over the internet, not just web services: any services at all that you have running locally you can now share over the internet, I believe with certificates trusted by Microsoft. I'd have to look into that myself a bit more; I've only just come across the Visual Studio Code update with that, so I haven't actually had a chance to do much research into it. Any questions, anyone at all?

[inaudible question]

So resources: it uses hardly any. VirtualBox will use, say you give it 8 gigs of RAM, up to 8 gigs of RAM. This uses a fraction of that. In all the time I've used it I've never seen it go over like 200, 300 meg of RAM, and that's just from the testing I've done. You may end up running a much more resource-intensive program, and the resource usage may go up with that, but personally I haven't experienced any cases where it's gone up over two or 300 megs. Right.

Anyone else? Don't be shy, come on, any questions at all? I'll take that as none.
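The speaker describes his Windows Sandbox configuration (virtual GPU off, networking off, a read-only tools folder, a writable Downloads folder, Explorer opened at logon) but the slide itself is not in the transcript. The following .wsb file is an added example written for this page, not the speaker's own file; it uses only the elements documented by Microsoft for Windows Sandbox, and the two host paths under C:\Users\tester are placeholders to replace with your own.

```xml
<!-- Added example: pentest-sandbox.wsb (not the speaker's file). Double-click to launch. -->
<Configuration>
  <!-- No GPU passthrough: a smaller attack surface for a sample running inside. -->
  <VGpu>Disable</VGpu>
  <!-- No network: a binary under analysis cannot phone home or reach the LAN. -->
  <Networking>Disable</Networking>
  <!-- Keep the sandbox small; it is recreated from scratch every launch anyway. -->
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <!-- Tools folder (placeholder path): read-only so nothing inside can alter host tools. -->
    <MappedFolder>
      <HostFolder>C:\Users\tester\RE-Tools</HostFolder>
      <SandboxFolder>C:\Tools</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <!-- Downloads folder (placeholder path): writable, the only channel back to the host. -->
    <MappedFolder>
      <HostFolder>C:\Users\tester\Downloads</HostFolder>
      <SandboxFolder>C:\Downloads</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- Runs as the sandbox user once the desktop is ready; opens Explorer on the tools folder. -->
  <LogonCommand>
    <Command>explorer.exe C:\Tools</Command>
  </LogonCommand>
</Configuration>
```

The writable mapping is the one setting to think about: everything else in the sandbox is discarded on close, but a file written to C:\Downloads lands on the host, so anything the sample drops there outlives the session. Keep that folder dedicated to the sandbox and treat its contents as untrusted.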