[Black Hat Europe 2019] – Michael Grafnetter’s Briefings

Briefings

Today our Advanced Windows Security Expert, Michael Grafnetter, presented Exploiting Windows Hello for Business during the Briefings at Black Hat Europe 2019 in London.

Find the description, slides, and tools below!

Exploiting Windows Hello for Business

In Windows 10 and Windows Server 2016, Microsoft introduced a new feature called Windows Hello for Business (WHfB), which allows password-less authentication in Active Directory-based environments and thus aims to reduce the risk of password theft. It is built on top of well-known industry standards, including Kerberos PKINIT, JWT, WS-Trust and FIDO2, and relies heavily on advanced cryptographic mechanisms like TPM key attestation and token binding. Unfortunately, WHfB is overly complicated, lacks proper management tools, and its documentation is missing many important technical details. It is, therefore, a black box for most administrators, security auditors, and pentesters.

While analyzing the current WHfB implementation in Windows, we have identified several new attack vectors that might lead to privilege escalation and persistence. Our most important discovery is a new type of persistent Active Directory backdoor that, to our knowledge, is not detected by current security solutions and audit procedures. Moreover, even companies that do not actively use WHfB might be affected by this threat.

We have also discovered that following Microsoft’s mitigation guide for a previously known vulnerability would not only leave Active Directory vulnerable, but it could also introduce yet another security issue into the system. These practically exploitable vulnerabilities might result in Active Directory user impersonation without requiring any special Active Directory permissions.

During this talk, we also demonstrated our new toolset, which can be used to scan corporate environments for the aforementioned vulnerabilities and to resolve any issues found. It also provides much-needed visibility into Windows Hello for Business usage in Active Directory.

The software presented is available HERE.

Michael’s presentation slides can be found HERE.

Arsenal

On the next day of Black Hat Europe, December 5th, Michael demonstrated his open-source Directory Services Internals (DSInternals) PowerShell module during the Arsenal session.

DSInternals PowerShell Module 

The DSInternals PowerShell Module exposes many internal and undocumented security-related features of Active Directory. It is included in FireEye’s Commando VM and its cmdlets can be used in the following scenarios:

– Active Directory password auditing that discovers accounts sharing the same passwords or having passwords in a public database like HaveIBeenPwned.
– Offline ntds.dit file manipulation, password resets, group membership changes, SID History injection and enabling/disabling accounts.
– Bare-metal recovery of domain controllers from just IFM backups (ntds.dit + SYSVOL).
– Online password hash dumping through the Directory Replication Service Remote Protocol (MS-DRSR).
– Domain or local account password hash injection, either through the Security Account Manager Remote Protocol (MS-SAMR) or by directly modifying the database.
– LSA Policy modification through the Local Security Authority Remote Protocol (MS-LSAD / LSARPC).
– Extracting credential roaming data and DPAPI domain backup keys, either online through directory replication and LSARPC, or offline from ntds.dit files.
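The first scenario in the list, an Active Directory password audit against the HaveIBeenPwned list, looks like this in practice. This is an added example, not code from this page or from the DSInternals project; the cmdlet names are those published by the DSInternals module, while the domain controller name, the audit directory and the hash-list file name are placeholders. It assumes the module is installed from the PowerShell Gallery, that the account running it has directory replication rights (such as a member of Domain Admins), and that the NTLM-format HaveIBeenPwned list sorted by hash has already been downloaded.

```powershell
# Added example: audit AD passwords with DSInternals (placeholders, not values from the page).
# Prerequisites (assumptions): Install-Module DSInternals has been run, the current account can
# replicate directory changes, and the HIBP NTLM list ordered by hash is present on disk.

Import-Module DSInternals

$dc       = 'DC01.corp.example'                                   # placeholder domain controller
$auditDir = 'C:\Audit'                                            # placeholder, access-restricted folder
$hibpList = Join-Path $auditDir 'pwned-passwords-ntlm-ordered-by-hash.txt'   # placeholder file name

# Replicate account objects (including password hashes) from the DC over MS-DRSR and hand them
# straight to the quality test, so no hash is written to disk. The sorted-file variant lets the
# cmdlet binary-search the large HIBP list instead of loading it into memory.
$report = Get-ADReplAccount -All -Server $dc |
    Test-PasswordQuality -WeakPasswordHashesSortedFile $hibpList -IncludeDisabledAccounts

# The report lists findings per category: groups of accounts sharing a password, accounts whose
# password appears in the HIBP list, empty passwords, reversible encryption, and similar.
$report | Out-File -FilePath (Join-Path $auditDir 'password-quality-report.txt')
$report
```

Run it from a workstation that is itself treated as a Tier 0 asset: the pipeline transfers every account's hashes to the machine executing it, so the host, the session and the resulting report deserve the same protection as the domain controller.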

Michael’s presentation slides can be found HERE.

About Black Hat

Black Hat is one of the most technical information security event series in the world.

For more than 20 years, Black Hat has inspired professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.

During the event you have a chance to participate in Trainings, Arsenal sessions, Briefings and Review Boards.

If you have any questions, please drop us a message via our contact form.
