We will look at one last host in this chapter—a Microsoft Windows Server host—as it might appear on an internal network. We've focused on mostly UNIX-like hosts so far, and although the techniques we've covered can be applied to Windows hosts, there are important differences to consider.

Microsoft Windows started life as a desktop Operating System (OS), where its graphical user interface (GUI) was a main feature. Originally aimed at personal computer users rather than large corporations, Windows (in the form of Windows Server) is now used by organizations as the bedrock for Internet and connected services. Windows Server is used in both internal networks and for external services, such as a web or mail server, much like Linux or UNIX. Windows Server can be deployed headless—that is, without a GUI—and maintained solely via the command line using a scripting language called PowerShell.

Organizations run Windows Server, alongside desktop Windows-based workstations, arranged in a network known as a domain. Windows domains are designed to allow users at workstations to log in once to the network and seamlessly access resources, such as files and printers, without authenticating to different hosts each time.

Imagine thousands of users configured with different permissions to access all manner of network services. When it comes to hacking Windows and domains, you should not think solely in terms of a single host, but rather of a network comprising various ...