Today our Advanced Windows Security Expert, Michael Grafnetter, presented Exploiting Windows Hello for Business during the Briefings at Black Hat Europe 2019 in London.
Find the description, slides, and tools below!
Exploiting Windows Hello for Business
In Windows 10 and Windows Server 2016, Microsoft introduced a new feature called Windows Hello for Business (WHfB), which provides password-less authentication in Active Directory-based environments and thus aims to reduce the risk of password theft. It is built on top of well-known industry standards, including Kerberos PKINIT, JWT, WS-Trust and FIDO2, and relies heavily on advanced cryptographic mechanisms such as TPM key attestation and token binding. Unfortunately, WHfB is overly complicated, lacks proper management tools, and its documentation omits many important technical details. It is therefore a black box for most administrators, security auditors and pentesters.
While analyzing the current WHfB implementation in Windows, we have identified several new attack vectors that might lead to privilege escalation and persistence. Our most important discovery is a new type of persistent Active Directory backdoor that, to our knowledge, is not detected by current security solutions and audit procedures. Moreover, even companies that do not actively use WHfB might be affected by this threat.
We have also discovered that following Microsoft’s mitigation guide for a previously known vulnerability would not only leave Active Directory vulnerable, but it could also introduce yet another security issue into the system. These practically exploitable vulnerabilities might result in Active Directory user impersonation without requiring any special Active Directory permissions.
During the talk, we also demonstrated our new toolset, which can be used to scan corporate environments for the aforementioned vulnerabilities and to fix any issues found. It also provides much-needed visibility into Windows Hello for Business usage in Active Directory.
The software presented is available HERE.
Michael’s presentation slides can be found HERE.
On the next day of Black Hat Europe, on December 5th, Michael demonstrated his open-source Directory Services Internals (DSInternals) PowerShell module during the Arsenal session.
DSInternals PowerShell Module
The DSInternals PowerShell Module exposes many internal and undocumented security-related features of Active Directory. It is included in FireEye’s Commando VM and its cmdlets can be used in the following scenarios:
– Active Directory password auditing that discovers accounts sharing the same passwords or having passwords in a public database like HaveIBeenPwned.
– Offline ntds.dit file manipulation, password resets, group membership changes, SID History injection and enabling/disabling accounts.
– Bare-metal recovery of domain controllers from just IFM backups (ntds.dit + SYSVOL).
– Online password hash dumping through the Directory Replication Service Remote Protocol (MS-DRSR).
– Domain or local account password hash injection, either through the Security Account Manager Remote Protocol (MS-SAMR) or by directly modifying the database.
– LSA Policy modification through the Local Security Authority Remote Protocol (MS-LSAD / LSARPC).
– Extracting credential roaming data and DPAPI domain backup keys, either online through directory replication and LSARPC, or offline from ntds.dit files.
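As an added example (not taken from this page or from the DSInternals project itself), this is how the password-auditing and offline ntds.dit scenarios above are driven from PowerShell. The domain controller name LON-DC1, the IFM backup paths, the audit directory and the HaveIBeenPwned file name are placeholders; the pwned-passwords NTLM list must be the variant sorted by hash for the sorted-file parameter to work.

```powershell
# Added example, not from the original page. Assumed placeholders:
# LON-DC1 (a domain controller), C:\IFM\... (an IFM backup: ntds.dit plus
# the registry\SYSTEM hive) and C:\Audit\... (local working directory).

Import-Module DSInternals

# Path to the HaveIBeenPwned NTLM hash list, ordered by hash (placeholder).
$hibp = 'C:\Audit\pwned-passwords-ntlm-ordered-by-hash-v5.txt'

# Online: replicate every account from the DC over MS-DRSR and check for
# shared, empty and pwned passwords. The calling account needs the
# "Replicating Directory Changes All" permission on the domain.
$onlineResult = Get-ADReplAccount -All -Server LON-DC1 |
    Test-PasswordQuality -WeakPasswordHashesSortedFile $hibp -IncludeDisabledAccounts

# Offline: the same audit against an IFM backup, with no access to a live DC.
# The boot key from the SYSTEM hive is required to decrypt the stored hashes.
$bootKey = Get-BootKey -SystemHiveFilePath 'C:\IFM\registry\SYSTEM'
$offlineResult = Get-ADDBAccount -All -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -BootKey $bootKey |
    Test-PasswordQuality -WeakPasswordHashesSortedFile $hibp

# Offline hash dump in hashcat's NT format, e.g. for a cracking job
# that goes beyond the HIBP list.
Get-ADDBAccount -All -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -BootKey $bootKey |
    Format-Custom -View HashcatNT |
    Out-File 'C:\Audit\hashes-nt.txt' -Encoding ASCII

$onlineResult
$offlineResult
```

Both audit runs print the same report format, so the offline path is a convenient way to audit a backup copy rather than touching production domain controllers; treat the exported hash file as credential material and delete it once the cracking job is finished.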
Michael’s presentation slides can be found HERE.
About Black Hat
Black Hat is one of the most technical information security event series in the world.
For more than 20 years, Black Hat has inspired professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
During the event you have a chance to participate in training classes, Arsenal Sessions, Briefings and Review Boards.
If you have any questions, please drop us a message via our contact form.