This document discusses vulnerabilities in login authentication methods and password storage in Windows 8. It begins with an introduction to alternative authentication methods introduced in Windows 8 to address usability issues with passwords on touchscreens. It then covers classic attacks on Windows password storage, such as extracting hashed passwords and cracking them with rainbow tables or GPUs. It also discusses bypassing login authentication through techniques like editing password hashes in the SAM file from an external operating system. The document focuses on new authentication methods in Windows 8 like PIN codes and picture passwords, analyzing their vulnerabilities. It concludes with recommendations for mitigating discussed vulnerabilities.
Vulnerabilities in login authentication methods and password storage in Windows 8
John-Andre Bjorkhaug
Gjovik University College
March 2014
Today, with the rise of touchscreen devices like tablets, smartphones and even laptops with touchscreens, users may find it too cumbersome to type regular passwords. Typing, for example, an eight-character password containing letters, numbers and even symbols takes too much time on a touchscreen keyboard and is often not easy for the average user. The companies developing these devices have taken the problem under consideration and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. This paper focuses on the different methods used for logon authentication in the Microsoft Windows 8 and 8.1 operating systems, since these now appear on more and more touchscreen devices. The paper starts with an introduction explaining some of the new features of Windows 8, followed by an overview of work related to this paper. Next is a section about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Then it is time to dive into Windows 8 and its new methods for login authentication and their vulnerabilities. The paper ends with a conclusion suggesting techniques that can be used to mitigate some of the vulnerabilities discussed throughout the paper.
Categories and Subject Descriptors: D.4.6 [Security and Protection]: Invasive software—Operating system security
General Terms: Security
Additional Key Words and Phrases: operating system security, passwords, authentication, PIN
1. INTRODUCTION
Today, devices with touchscreens, like smartphones, tablets and laptops, are getting more and more common, and operating systems like Android and iOS have been dominating for some years. Using text-based passwords containing, for example, both upper and lower case letters, numbers and even symbols takes too much time and is often not easy for the average user on a touchscreen soft keyboard. The companies developing these devices have taken the problem under consideration and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. PIN codes and the regular gesture password, used on different touch devices for years, have a very small password space compared to a good old text-based password. In Windows 8, Microsoft presented some new native methods for logging in to a Windows system: the use of a four-digit PIN code, the so-called picture password, and fingerprint. A four-digit PIN code is by its nature not very secure; a picture password can be very secure if implemented correctly. Even though Microsoft Windows has been available in different forms on different touch devices for many years, a lot happened when they made Windows 8. This version of Windows runs just as well on touch devices as on desktop computers. You have the possibility to use the good old desktop on laptops and desktop computers, and the new tile interface called Modern UI (many still call the interface by its earlier name, Metro), which is better fitted for touch devices. Recently there has also been a rise in both laptops and desktop computers with touchscreens. Microsoft Windows 8 was released in August 2012, and was available to the general public at the end of October the same year. Windows 8.1 came out in October 2013, with small changes compared to 8 [ZDNet 2014]. Actually, 8.1 can in many ways be looked at more as a service pack than a full OS upgrade. Windows 8 can be said to have been one of the biggest changes, at least visually, since Windows 95 replaced Windows 3.11, but at least Windows 8 was very Windows 7-like when not using the new tile interface. Since Windows 8 is relatively new, there are still some teething problems, and both the operating system and the users still need to mature a bit. In addition to adding Modern UI for use on devices with a touchscreen, Microsoft also included several authentication methods to make the operating system even more user friendly on touch devices. In addition to the good old password, methods like PIN code and picture password have been included from Windows 8. The reason for this is that the user does not have to type in passwords like "Tr0ub4dor" [xkcd 2013] on the device's limited software keyboard, where for example the use of the "shift" key is rather cumbersome. These new login authentication methods have introduced quite a few new vulnerabilities into the login authentication in Windows, in addition to the ones that have been there for years.
This paper will discuss both old and new login authentication methods and their vulnerabilities. All tests performed for this paper have been done on a VMware virtual machine and a Dell Venue 11 Pro tablet, both running Windows 8.
This paper is organized as follows. Section 1 is the introduction you are now reading. Section 2 gives an introduction to work related to this paper. Section 3 is about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Section 4 gives details about the new authentication methods used for logging in to Windows 8, and their vulnerabilities. The paper ends with section 5, the conclusion, with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.
2. RELATED WORK
Most books covering ethical hacking and penetration testing have a section about extracting and cracking LM and NTLM hashes, for example the "Hacking Exposed" series [McClure et al. 2009]. The "new" authentication forms for Windows, picture passwords and PIN codes, are not written about much yet in the context of Windows, but the paper "On the Security of Picture Gesture Authentication" by Ziming Zhao et al. [Zhao et al. 2013] describes rather comprehensive research on picture passwords, with an empirical analysis of picture gesture authentication from more than 10,000 picture passwords. This paper focuses more on how the login mechanism works together with the rest of the operating system. When it comes to PIN codes, there has been some statistical research done, among others by Joseph Bonneau et al. at Cambridge University [Bonneau et al. 2012] and the company DataGenetics [DataGenetics 2012]. Also, much of the content in this paper is relatively new, and only discussed on the blogs of the smart guys who find vulnerabilities and write exploits, like for example the blog of the Russian company Passcape [Passcape 2014] and the French security researcher Benjamin Delpy aka "gentilkiwi" [Delpy 2014a].
3. CLASSICAL LOGIN AUTHENTICATION VULNERABILITIES IN WINDOWS
Before going into the vulnerabilities that are new to Windows 8 because of the new login authentication methods, the good old vulnerabilities in the login mechanism and password storage, which are still valid for Windows 8.x, will be discussed.
Fig. 1. Password login screen in Windows 8.1, with the choice of login method below the input field.
3.1 Password hashing
In Microsoft Windows, a cryptographic hash of the password is stored in a file called "SAM" (Security Accounts Manager), which is located at %systemroot%\system32\config\SAM. This file is part of the registry and is in an officially undocumented binary format [Hagen 2014]. In the Windows registry the SAM is placed under the key HKEY_LOCAL_MACHINE\SAM. Both of these locations are locked, even for the administrator, while the operating system is running, but it is possible to extract the hashes, for example from the registry on a running system, with the help of DLL injection into the LSASS (Local Security Authority Subsystem Service) process, with tools like pwdump, fgdump, Cain & Abel and mimikatz, which we will discuss more later. Other places to extract hashes from include a shadow copy of the SAM file. Readers interested in knowing more about what can be found in the LSASS process are recommended to read [Passcape 2011].
There are two different hash algorithms, called LM (LAN Manager) and NTLM (NT LAN Manager). From Windows Vista and Server 2008, the LM hash has been disabled by default, but it can be enabled for backwards compatibility. An LM hash can be used for passwords up to 14 characters and has a serious vulnerability. The password is split in two halves, the first one seven characters and the second one the rest of the password. For example, a password of length 10 is split into one hash calculated from the first seven characters and one from the last three characters. All letters are also capitalized. This cuts a password of 14 characters from 2^84 to 2^37 different combinations [McClure et al. 2009]. This makes cracking of LM hashes very fast using, for example, rainbow tables, which are pre-calculated tables of passwords and hashes. This paper will not go any further into the cracking of LM hashes, since this is out of scope for the paper. For more information see for example [McClure et al. 2009]. When it comes to NTLM hashes, there is a much bigger keyspace, but rainbow tables are still a very effective method for cracking these hashes, because there is no salting of the hash. The problem is that with NTLM's large keyspace, tables get very space consuming. One of the largest publicly available rainbow tables for NTLM today is a table covering upper and lower case letters, the numbers 0-9 and space, for passwords of length 1 to 7 characters. This table is a little over 1TB in size. Compare this with a rainbow table for LM hashes, which covers all symbols on the keyboard and password lengths 1 to 7 characters, which in reality means 1-14 since the password is split in two, and which is 34GB [Freerainbowtables 2014]. The term salting the hash means that a random value is added to the password before the hash algorithm is run, thereby creating different hashes when the same password is hashed twice. The password hashing mechanism in, for example, Linux salts its hashes. Salting the hash mitigates attacks like rainbow tables [McClure et al. 2009]. Lately it has also become very popular to use the GPU (Graphics Processing Unit) on graphics cards to increase the speed of cracking cryptographic hashes, since these are much more effective on the simple mathematical operations used in hashing than regular CPUs. According to Jeremy Gosney (in a Twitter conversation with the author), one of the world's top experts in password cracking, with a regular graphics card like the AMD Radeon HD 7970 it is possible to brute-force NTLM hashes at approximately 20 billion passwords per second. With a cluster of graphics cards, this can be multiplied by the number of graphics cards. One downside of building machines for password cracking with graphics cards is that it gets rather expensive. In February 2014 an AMD Radeon HD 7970 cost approximately NOK 3000 in Norway. But why build your own password cracking machine, when Amazon EC2 offers multiple graphics cards in their cloud computers, which can be rented for as low as $2 per hour [Amazon 2014]? It is very common to use large dictionaries to shorten the time needed to crack a password. Today, when there have been numerous leaks of large password databases, there is no problem for adversaries to create very effective dictionaries. The biggest password leak up till now is the leak of over 32,000,000 user accounts from the game producer RockYou in 2009 [Skullsecurity 2011].
Cracking password hashes can be done for example with tools like the following:
—John The Ripper
—L0phtCrack
—Cain & Abel
—Ophcrack
—OclHashCat
—Tools from ElcomSoft
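The hashing discussion above, as an added example that is not part of the original paper: NTLM is MD4 over the UTF-16LE encoded password with no salt, so one precomputed table answers for every system, while a salted hash (here PBKDF2-HMAC-SHA512 from hashlib, standing in for the Linux-style salted scheme the paper mentions) gives two users with the same password different hashes. The MD4 routine is written out in pure Python because many OpenSSL builds no longer expose it through hashlib; the function names and the three-word wordlist are my own, and the reference values are the RFC 1320 test vectors and the well-known NTLM hash of "password".

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: three rounds of 16 steps over each 512-bit block."""
    length_bits = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", length_bits)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    r2_order = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl(a + g(b, c, d) + x[r2_order[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl(a + k(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm_hash(password: str) -> str:
    """NTLM: MD4 of the UTF-16LE password. No salt, no work factor."""
    return md4(password.encode("utf-16le")).hex()


def build_lookup_table(wordlist):
    """Precomputed hash -> password table (a crude stand-in for a rainbow table).
    Because NTLM is unsalted, the same table works against every Windows host."""
    return {ntlm_hash(w): w for w in wordlist}


def lookup(table, hash_hex: str):
    """Reverse an NTLM hash by table lookup; None if not precomputed."""
    return table.get(hash_hex.lower())


def salted_hash(password: str, salt: bytes = None, iterations: int = 50_000):
    """Salted, iterated hash. A fresh random salt per user defeats precomputation:
    the table would have to be rebuilt for every salt value."""
    if salt is None:
        salt = os.urandom(16)  # constructed per call, never reused
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return salt, dk.hex()


def verify_salted(password: str, salt: bytes, expected_hex: str, iterations: int = 50_000) -> bool:
    """Recompute with the stored salt and compare."""
    return salted_hash(password, salt, iterations)[1] == expected_hex


if __name__ == "__main__":
    table = build_lookup_table(["password", "Tr0ub4dor", "letmein"])  # constructed wordlist
    print("NTLM(password) =", ntlm_hash("password"), "->", lookup(table, ntlm_hash("password")))
    s1, h1 = salted_hash("password")
    s2, h2 = salted_hash("password")
    print("same password, two salts, equal hashes?", h1 == h2)
```

The point the table makes in code: `lookup` answers instantly for any hash that was precomputed, regardless of which machine it came from, whereas the salted variant cannot be looked up at all without first rebuilding the table for that one salt.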
If a computer is compromised and the NTLM hashes are extracted, but the adversary is not able to crack the password, the hash can still be useful. The hash can be used in a so-called pass-the-hash attack, where the hash is used for authentication to other systems connected to the same network as the adversary and using the same password as the compromised system, i.e. inter-system password re-use [Wolthusen 2014]. This can be done with tools like mimikatz and modifications of the psexec tool, which is included in the penetration testing framework Metasploit [Rapid7 2011]. This is a very effective attack in a Windows environment where the same administrator password is used on multiple computers, and it has been used on numerous penetration tests by the author of this paper, with a very high success rate. Up until Windows 8.1 and Windows 2012 R2, it was only possible to reach limited resources with the pass-the-hash attack, but here Microsoft implemented a security feature in the Remote Desktop Protocol (RDP) called Restricted Admin, which actually makes it possible to connect to an RDP service using the pass-the-hash attack [Falde 2013] [Ronin 2014] [Lowe 2013]. As with most other attacks on passwords in Windows, this can also be done with mimikatz, but also with a more known and recognized application called FreeRDP, which is an open implementation of the RDP protocol [Ronin 2014].
3.2 Clear text password extraction
In recent years it has also become publicly known that because of a feature in Windows called WDigest, it is possible to extract passwords in clear text from memory, using tools like mimikatz [Delpy 2014b] [Delpy 2011] or Windows Credential Editor [Amplia 2013]. WDigest is a DLL that was first added in Windows XP, and is used to authenticate users against HTTP Digest authentication and Simple Authentication and Security Layer exchanges. These two authentication methods require a plain-text password to be able to function. To extract passwords from WDigest, the adversary needs access to a computer that is turned on and logged in, but how many average users lock their computer when they go to the toilet? Similar vulnerabilities also apply to other features that were implemented from Windows NT 6 (Windows Vista and Windows Server 2008), like for example when Single Sign On (SSO) to Remote Desktops is enabled (tspkg) [Delpy 2014d], if a Microsoft Live account (LiveSSP, SSP meaning Security Support Provider) is used [Delpy 2012], and for the use with the Kerberos SSP. Actually, in Windows 8.1 wdigest and tspkg are disabled by default, but when SSO for websites or RDP is enabled, wdigest and tspkg are too. The password stored in memory in all these scenarios is actually encrypted, but with such a bad method that it is very easy to decrypt. The standard Windows function LsaProtectMemory is used for encryption, and LsaUnprotectMemory for decryption [Pilkington 2012]. More methods for extracting passwords in clear text will follow when we later discuss some new vulnerabilities in Windows 8.
3.3 Bypassing login authentication
The techniques discussed earlier assume that the adversary already has access to the victim system, either by being a user of a multi-user system who wants to forge the identity of other users of the same system, or an adversary that has gotten access to a system which is powered on and already logged in. But what if the system is shut down, or locked? Let's discuss some classical options to bypass the login authentication in Windows. Some of these attacks have been known all the way back to Windows XP, but are still not fixed in Windows 8.1.
Password reset
Probably the most known and most used Windows login bypass is the use of bootable media to edit the SAM file. This trick is very simple, but it can leave easily found traces that an adversary has accessed the system. It works by booting the system with another operating system, most often a small Linux distribution, and editing the SAM file, which was discussed earlier. This works like a charm since Windows isn't running. With tools like the Offline NT Password and Registry Editor developed by Petter Nordahl-Hagen [Hagen 2014], it is possible to do things like:
—Change or clear a user's password
—Enable disabled accounts
—Create new users
—Remove users
—Change a user's group
To access a system without leaving any easy to find traces, the adversary could create a new user, add it to the "admin" group, log in to the system and at the end delete the newly added user.
msv1_0.dll patching at boot-time
If creating a new user is not desired, patching the DLL file "msv1_0.dll" can be a nice option. This DLL is called by the Local Security Authority (LSA), which was mentioned earlier, and processes login data collected by the Credential Providers (which replaced the more known GINA from Windows Vista [Griffin 2007]) for the Winlogon process [Microsoft 20xx]. At boot time, this can be done using tools like Kon-Boot [thelead82 2013]. This application silently bypasses the login authentication on any modern Windows operating system by patching msv1_0.dll when it is loaded into memory. The patching causes the password check to always return true, which causes all accounts to not require a password, and will overwrite any old passwords. The way this tool is used is to boot the computer from some kind of external medium (CD, DVD, USB stick etc.); a Kon-Boot boot screen will then be displayed while the tool is working. Then, when the Windows login screen is visible, select the user one wants to log in as, and log in without any password. When the computer is then rebooted, the victim logs in like he always has, with his good old password.
As a side note, it is also available for Apple OS X, but works in a different way.
msv1_0.dll patching with Firewire
IEEE 1394, commonly known as Firewire, is another interesting case when it comes to bypassing Windows login authentication. The vulnerability with Firewire is that it has direct access to the physical memory addresses, making it possible to patch msv1_0.dll, just as mentioned earlier, but this time at run time. This attack was first demonstrated using a modified iPod running Linux and a script called winlockpwn in 2008 [Spylogic 2008]. Neither the iPod-Linux nor the winlockpwn tool are updated anymore, but thanks to Carsten Maartmann-Moe, a new tool called Inception was released in 2011 [Maartmann-Moe 2011], based on winlockpwn. Most new computers today don't have a Firewire port, but for an adversary, in many cases this is not a problem. Firewire ports can be bought as PCMCIA cards, and when these are inserted into the computer's PCMCIA port, the drivers will be installed by themselves, even if the computer is locked. An interesting thing here is that the Firewire attack can also be used when the hard disk in the computer is encrypted with, for example, BitLocker, if the computer is not shut down but only locked.
As another side note, Inception is also able to bypass passwords on Apple OS X and Ubuntu.
Utilman bypass
This again is a very old and quite well-known trick, and it has actually been recommended by Microsoft to use this technique to bypass a forgotten password. This technique was possible already in Windows 2000, so why it is still possible in Windows 8.1 is a mystery. It takes advantage of a utility called Utilman, which is used for the accessibility features Magnifier, Narrator and On-Screen Keyboard. This utility is available at the login screen in all newer Windows versions, and can be opened by pressing the Windows key together with the letter U. The problem is that if the system is booted with, for example, a Linux Live CD and the adversary can access the files on the hard disk, he can remove or rename the file "utilman.exe", which is located in %systemroot%\system32, and then copy "cmd.exe" to "utilman.exe". When the system is then rebooted and the login screen once again appears, the adversary can press Win+U, and a command prompt window running with system privileges will pop up. See Figure 3. The file "sethc.exe", which is also located in %systemroot%\system32, can be exploited in a very similar way. This file is used for the "Sticky Keys" feature of Windows, and it will run if the user presses the "shift" key five times in a row. If cmd.exe is copied to sethc.exe, and the "shift" key is pressed five times at the login screen, the command prompt will again pop up [Dieterle 2014]. If a command prompt isn't good enough for the adversary, he can add users, change passwords, delete users and so on using Windows' net commands, since the prompt shell is running as the "system" user. For example, create a user with "net user /add evilhacker *" (the * makes the command prompt for the password to set) and add it to the "administrators" group with "net localgroup administrators /add evilhacker".
Login screensaver
Another not so well-known trick, which works for Windows 7 and Windows 8.x and is in a way related to the utilman.exe bypass, is to enable a screensaver at the login screen, but instead of a screensaver, for example cmd.exe is opened. This can be done by adding the following REG_SZ values to the registry key HKEY_USERS\.DEFAULT\Control Panel\Desktop [Superuser 2012]:
SCRNSAVE.EXE = C:\WINDOWS\SYSTEM32\LOGON.SCR
ScreenSaveActive = 1
ScreenSaveIsSecure = 0
ScreenSaveTimeOut = 10 (time before the screensaver starts, in seconds)
Then, at the login screen, after for example 10 seconds, the cmd.exe window will pop up with system privileges.
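The two login-screen tricks just described (the accessibility-binary swap and the login-screen screensaver) leave simple, checkable artifacts on disk and in the registry. The following is an added example, not code from the paper: an offline integrity check that flags utilman.exe or sethc.exe being byte-identical to cmd.exe, and a screensaver that is active and non-secure on the .DEFAULT (login) desktop. It runs over a constructed snapshot; on a real machine the file bytes would be read from %systemroot%\system32 and the values exported from HKEY_USERS\.DEFAULT\Control Panel\Desktop (those names come from the paper; the snapshot contents, function names and finding strings are mine).

```python
import hashlib
import ntpath

# Binaries that Windows launches as SYSTEM from the login screen (from the paper).
LOGIN_SCREEN_BINARIES = ("utilman.exe", "sethc.exe")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_login_binaries(files: dict) -> list:
    """files maps lower-case filename -> file bytes. Flags a login-screen
    binary that is missing (renamed away) or has the same hash as cmd.exe."""
    findings = []
    cmd = sha256(files["cmd.exe"])
    for name in LOGIN_SCREEN_BINARIES:
        if name not in files:
            findings.append(f"{name}: missing from system32")
        elif sha256(files[name]) == cmd:
            findings.append(f"{name}: same hash as cmd.exe (swapped binary)")
    return findings


def check_login_screensaver(desktop: dict, files: dict) -> list:
    """desktop holds the REG_SZ values of the .DEFAULT desktop key. The login
    desktop normally has no active screensaver, so an active one that is also
    not secure is the trick's signature; its target is compared to cmd.exe."""
    findings = []
    active = desktop.get("ScreenSaveActive", "0") == "1"
    secure = desktop.get("ScreenSaveIsSecure", "1") == "1"
    target = desktop.get("SCRNSAVE.EXE", "")
    if not active:
        return findings
    findings.append(f"login-screen screensaver active after "
                    f"{desktop.get('ScreenSaveTimeOut', '?')}s: {target or '<unset>'}")
    if not secure:
        findings.append("ScreenSaveIsSecure=0 on the login desktop")
    base = ntpath.basename(target).lower()  # ntpath handles backslashes on any OS
    if base in files and sha256(files[base]) == sha256(files["cmd.exe"]):
        findings.append(f"{base}: same hash as cmd.exe (swapped screensaver)")
    return findings


def audit(snapshot: dict) -> list:
    """Run both checks over a snapshot of {'files': {...}, 'desktop': {...}}."""
    return (check_login_binaries(snapshot["files"])
            + check_login_screensaver(snapshot["desktop"], snapshot["files"]))


# Constructed snapshots; real system32 contents are not reproduced here.
CLEAN = {
    "files": {"cmd.exe": b"cmd-bytes", "utilman.exe": b"utilman-bytes",
              "sethc.exe": b"sethc-bytes", "logon.scr": b"logon-scr-bytes"},
    "desktop": {"ScreenSaveActive": "0"},
}
TAMPERED = {
    "files": {"cmd.exe": b"cmd-bytes", "utilman.exe": b"cmd-bytes",
              "sethc.exe": b"sethc-bytes", "logon.scr": b"cmd-bytes"},
    "desktop": {"SCRNSAVE.EXE": r"C:\WINDOWS\SYSTEM32\LOGON.SCR",
                "ScreenSaveActive": "1", "ScreenSaveIsSecure": "0",
                "ScreenSaveTimeOut": "10"},
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit(snap) or ["no findings"])
```

Comparing against cmd.exe catches the exact trick the paper describes; a production check would additionally compare each binary's hash against a known-good catalogue, since an attacker can drop any other program under the accessibility name.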
Now, let us finish the old stuff, and cough up something new(ish).
4. PRESENTING: WINDOWS 8
Finally, the essentials of this paper: login authentication methods that are new in Windows 8. We start with some background material about the "root of all evil", the Data Protection Application Programming Interface and the Windows Vault.
4.1 Data Protection Application Programming Interface and Windows Vault
First a little about DPAPI, about which it is very difficult to find official information. Books like "Windows Internals", which in most cases answer almost anything about the internals of Windows, do not contain any information about the Windows Vault and the Data Protection Application Programming Interface (DPAPI). The only information available from Microsoft is the public interface to DPAPI; no internal details are published. Can it be because of the serious vulnerabilities in these features of Windows? Although there have been multiple attempts at reverse engineering it, the best sources are from the Russian company "Passcape" [Passcape 2012a], and the paper "Recovering Windows Secrets and EFS Certificates Offline" [Burzstein and Picod 2010] by Elie Bursztein et al., which presents a complete reverse engineering project of DPAPI. Together with this paper, Bursztein et al. also released an application called DPAPIck, which can be used to decrypt DPAPI secrets offline. This paper is highly recommended if the reader wants to learn the detailed internals of DPAPI.
From Windows 2000, Microsoft included a special data protection interface, called the Data Protection Application Programming Interface, DPAPI for short. This interface is used to easily store sensitive data on disk under Windows. Currently DPAPI is used in many Windows applications and subsystems, handling tasks like the file encryption system, wireless network key storage, Internet Explorer, Outlook, Skype, Credential Manager, Microsoft Vault and so on. Each encrypted unit is called a "blob". DPAPI is considered very easy to use for encryption (CryptProtectData) and decryption (CryptUnprotectData) of data, and is therefore very popular among programmers. The Russian company Passcape was the first to release software capable of decrypting and extracting data which had been encrypted with DPAPI on a live system.
In theory, DPAPI sounds very secure. It uses well-known and proven cryptographic algorithms. Windows 7, for example, uses AES-256 encryption in CBC mode, SHA-512 for hashing, and PBKDF2 as the password-based key derivation routine. There is no available information on the cryptographic algorithms used in Windows 8.x, but we can assume they are the same as in Windows 7. This sounds secure, but there are vulnerabilities. The operating system needs to be able to read data from DPAPI without any dialogue with the user. Therefore the keys to decrypt DPAPI data must be in memory, after they have been decrypted from a master key file. This is what tools like the ones from Passcape and mimikatz use to extract login passwords from a running Windows system, which will be discussed in the following sections. Up until Windows 8, it was only possible to extract data about the currently logged in user on the actual system using DPAPI. With DPAPI-NG in Windows 8, it is possible to decrypt and extract data from all users, even if the files used by DPAPI are extracted and imported into another system. As mentioned, Windows Vault uses DPAPI to encrypt and store passwords used by applications in Windows and by Windows itself. Windows Vault was introduced in Windows 7 as a replacement for the Credential Manager which was in use in earlier versions of Windows. The Windows Vault is what is used by the PIN, picture password, and fingerprint login authentication.
4.2 PIN codes and their vulnerabilities
The main thing to be worried about when it comes to PIN codes as login authentication in Windows 8 is that Microsoft only gives you the option to use four digits. This reduces the keyspace drastically, and if humans choose the passwords, there is a pretty big chance they will be relatively easy to guess, especially if the adversary has some knowledge about the victim. One can wonder why on earth Microsoft limited PIN codes to four digits. There has been significant research done on the security of PIN codes. Researching the statistics of PIN codes extracted from password leaks like the one from RockYou, mentioned earlier, has resulted in some interesting facts about PIN codes. Research has been done among others by Joseph Bonneau et al. at Cambridge University [Bonneau et al. 2012], and the company DataGenetics [DataGenetics 2012]. Below is a table showing the 20 most used PIN codes, from a statistical analysis done on 3,400,000 PIN codes by DataGenetics in 2012 [DataGenetics 2012]:
Nr PIN Frequency
1 1234 10.713%
2 1111 6.016%
3 0000 1.881%
4 1212 1.197%
5 7777 0.745%
6 1004 0.616%
7 2000 0.613%
8 4444 0.526%
9 2222 0.516%
10 6969 0.512%
11 9999 0.451%
12 3333 0.419%
13 5555 0.395%
14 6666 0.391%
15 1122 0.366%
16 1313 0.304%
17 8888 0.303%
18 4321 0.293%
19 2001 0.290%
20 1010 0.285%
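The table above, turned into a worked risk calculation as an added example that is not part of the paper: how likely a bounded number of guesses, tried in frequency order, is to hit a human-chosen four-digit PIN, compared with the 1/10,000 per guess that a uniformly random PIN would give. The frequencies are the DataGenetics values from the table; the assumption that the remaining probability mass is spread evenly over the other 9,980 PINs is mine and only matters when more than 20 guesses are modelled, and the function names are mine.

```python
# Top-20 four-digit PIN frequencies (percent) from the DataGenetics table above.
TOP20 = [
    ("1234", 10.713), ("1111", 6.016), ("0000", 1.881), ("1212", 1.197),
    ("7777", 0.745), ("1004", 0.616), ("2000", 0.613), ("4444", 0.526),
    ("2222", 0.516), ("6969", 0.512), ("9999", 0.451), ("3333", 0.419),
    ("5555", 0.395), ("6666", 0.391), ("1122", 0.366), ("1313", 0.304),
    ("8888", 0.303), ("4321", 0.293), ("2001", 0.290), ("1010", 0.285),
]
PIN_SPACE = 10_000  # four decimal digits


def guess_success(k: int) -> float:
    """Probability that k guesses in frequency order hit a PIN drawn from the
    DataGenetics distribution. Beyond the top 20, the leftover mass is assumed
    (my assumption, not from the paper) to be uniform over the other PINs."""
    if k <= 0:
        return 0.0
    top = sum(freq for _, freq in TOP20[:min(k, len(TOP20))]) / 100.0
    if k <= len(TOP20):
        return top
    remaining_mass = 1.0 - sum(freq for _, freq in TOP20) / 100.0
    extra = min(k, PIN_SPACE) - len(TOP20)
    return top + remaining_mass * extra / (PIN_SPACE - len(TOP20))


def uniform_success(k: int) -> float:
    """Baseline for a uniformly random PIN: each guess is worth 1/10,000."""
    return min(max(k, 0), PIN_SPACE) / PIN_SPACE


def advantage(k: int) -> float:
    """How many times more likely k guesses succeed against human-chosen PINs
    than against random ones (the ratio a lockout policy has to absorb)."""
    return guess_success(k) / uniform_success(k)


def lockout_table(budgets=(1, 3, 5, 10, 20)):
    """Rows of (guess budget, P[success] human-chosen, P[success] uniform)."""
    return [(k, round(guess_success(k), 5), uniform_success(k)) for k in budgets]


if __name__ == "__main__":
    for k, human, uniform in lockout_table():
        print(f"{k:>3} guesses: {human:7.2%} vs {uniform:7.2%}  (x{advantage(k):.0f})")
```

Read the output as a policy input: a lockout that allows five attempts still leaves roughly one in five human-chosen PINs exposed, about four hundred times the exposure the raw keyspace suggests, which is why the keyspace alone (10,000) says little about the real risk of a four-digit PIN.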
Enough about general PIN code vulnerabilities. The rest of this section actually applies not only to the use of PIN codes in Windows 8; it also applies to picture passwords and to some degree to the fingerprint login. It is discussed in this section because this paper handles PIN codes first. Information and vulnerabilities that only apply to picture passwords and fingerprints are discussed in later sections. In 2012 it became publicly known that Windows 8 stores login passwords in an easily recoverable way when a PIN or picture password is in use. This is because they are stored in the Windows Vault, which uses DPAPI, which was discussed earlier in this paper. Using a tool from Passcape it was possible to easily extract the users' passwords in clear text [Passcape 2012c]. On the 8th of January 2014, I came in contact with Benjamin Delpy aka "gentilkiwi" on Twitter, the man behind the open-source tool mimikatz, and asked him how this was done. A few hours later he had implemented this feature in mimikatz. Some days later Mr Delpy published a post on his blog describing how this was done [Delpy 2014e].
The extraction of both the regular password, the PIN code, and the picture password coordinates using mimikatz is shown below. The command run was: mimikatz privilege::debug token::elevate vault::list exit. Note that some non-interesting lines have been removed from the output (marked <snip>) to save space in this paper.

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C"
 .## ^ ##.  (Mar 2 2014 22:44:55)
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 14 modules * * */

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM
<snip>

mimikatz(commandline) # vault::list
Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
<snip>
    0.  Picture Password Credential
<snip>
        *** Picture Password ***
        User      : venue\John Doe
        Password  : Password00
        Picture password (grid is 150*100)
         [0] line   (x = 17 ; y = 5) -> (x = 33 ; y = 65)
         [1] point  (x = 70 ; y = 21)
         [2] point  (x = 80 ; y = 20)
    1.  PIN Logon Credential
<snip>
        *** Pin Logon ***
        User      : venue\John Doe
        Password  : Password00
        PIN Code  : 2580
    2.  PIN Logon Credential
<snip>
        *** Pin Logon ***
        User      : venue\Jane Doe
        Password  : TopSecret123!
        PIN Code  : 1234
<snip>
When combining mimikatz with Kon-Boot, which was mentioned earlier, it is possible to bypass login authentication and extract login credentials for all users of the system. This is also valid when the computer and user are members of an Active Directory domain. So even though the adversary doesn't get access to domain resources when using authentication bypass tools like Kon-Boot or the Inception Firewire attack, he can compromise a domain account with the following steps:
(1) Bypass authentication with for example Kon-Boot or Inception
(2) Extract passwords from the Vault using mimikatz
(3) Reboot the computer
(4) Log in with the valid credentials obtained in the previous steps
(5) Jackpot! The adversary has access to the victim's domain resources
It is also very interesting to know that the password vault is global, so once logged in to a system as an administrator, the user can extract login credentials for all users of the system.
Instead of bypassing the login with tools like Kon-Boot, mimikatz can also be run in the system-privileged cmd.exe from the "Utilman authentication bypass" attack, as shown in figure 3.
12. Vulnerabilities in login authentication methods and password storage in Windows 8 · 12
Fig. 2. cmd.exe running as utilman.exe on the Windows 8.1 login screen
4.3 Picture password and its vulnerabilities
Picture passwords are a new login authentication method in Windows 8, based on
the gesture authentication previously in use on Android and iOS touchscreen devices.
The user defines three gestures that are used for authentication. Each gesture can
be a single point, a circle or a line, placed on a 100 by 150 grid. The mimikatz output
in the section about PIN codes above shows the coordinates of the gestures drawn on
the picture in Figure 3: the line (1) goes from the top to the bottom of The Terminator's
shotgun, the first dot (2) is the left glass of his sunglasses, and the second dot (3)
is the right glass.
If Microsoft fixes these issues, the picture password method looks very promising,
with a high number of possible combinations, and it is easy to use on touchscreen
devices.
As mentioned in the section about PINs, the vault attack is the same when a
picture password is used.
Also, there exist a couple of less technical attacks on touchscreen devices,
both for PIN and picture password. The smudge attack is a method to find the
gesture pattern used to unlock touchscreen devices using this form of authentication.
It relies on detecting the smudge left on the screen by grease from the user's
fingers. With proper lighting, camera settings and image processing software,
both a gesture and a PIN code can, in many cases, be recovered. This attack was
first made publicly known by a research team from the University of Pennsylvania
at the 4th USENIX conference on Offensive Technologies [Aviv et al. 2010]. The
smudge attack is in many ways similar to number keypads that have some keys
more worn than others, which in many cases makes it possible for an adversary
to see the commonly used digits. Another vulnerability that both PIN codes and picture
passwords may be more exposed to is shoulder surfing [Long and Mitnick 2011],
since it is much easier to see a gesture on a picture than the characters typed on
a keyboard.
Fig. 3. The picture password login screen, with coordinates.
4.4 Fingerprints and their vulnerabilities
From Windows 8.1, Windows has native support for fingerprint login authentication
[Microsoft 2013]. Knowing this, and how the PIN and picture password functions store
their credentials, I was curious about how this was done with fingerprints. Not able to find
any information about this, I once again asked Benjamin Delpy, on the 20th of January.
On the 23rd, he had implemented this in mimikatz as well [Delpy 2014f]. It turns out
that, as suspected, the fingerprint login stores its information in the same way as
PIN and picture password, in the Vault, and therefore it is also possible to extract
the login passwords when fingerprint login is in use. With more knowledge on
the subject, I was able to find that Passcape had already implemented this in their
commercial "Windows Vault Explorer" in 2012 [Passcape 2012b]. In addition, the
fingerprint authentication in Windows is of course vulnerable to all the classical
attacks on fingerprint readers, such as a fingerprint printed on paper,
latex fingers, etc. This can be seen in, for example, the Discovery Channel show
Mythbusters, episode 59 "Crimes and Myth-Demeanors 2" [Mythbusters 2006].
4.5 Multi-factor login authentication and its vulnerabilities
On 23 February, Benjamin Delpy once again proved his skills and released a
new feature in mimikatz. It is now possible to extract the PIN code used
when a smart card is used instead of a password for Windows login
authentication [Delpy 2014c]. According to Mr Delpy, this works when the native Windows
support for smart cards is used. Because of the lack of equipment to test the
extraction of PIN codes, this has not been experimented with for this paper.
Not much information about this attack has been released yet, so there is little
publicly available information about how it is done, but it can be assumed that it
works very similarly to the extraction of the password when PIN and picture password
are used, see Figure 4.
Fig. 4. A smartcard's PIN code extracted with the use of mimikatz [Delpy 2014c]
5. CONCLUSION
Many of the attacks mentioned in this paper seem like they are from a Hollywood
spy movie, but this is reality. Microsoft has some strange vulnerabilities in
its login authentication, and there is no simple explanation for why they are still
there. Both I and others have tried to get in touch with the Microsoft
security team to get answers on why these techniques are still possible, but with
no luck. People who are into computer security, as the reader of this
paper probably is, tend to be aware of the risks to their computers, but the average user does
not think of this.
One of the most important security measures for computers and other
computer-like devices is the use of Full Disk Encryption (FDE). This prevents
an adversary from accessing data on the computer's hard disk, and thereby also
from bypassing the login to the operating system. From Windows
7, Microsoft has included an FDE method called BitLocker, which is very easy to set
up and simple to use. The user of the computer will not notice the existence of
BitLocker, except through a very slight decrease in performance [Hardware 2010]. If
FDE is not an option for some reason, security measures like a BIOS
password or hard disk passwords can also be used. A BIOS password does not prevent
an adversary from removing the hard disk from a computer and retrieving either
the password hashes from the SAM file or the Windows Vault from the vault files.
What it prevents is, for example, the use of tools like Kon-Boot, or other live
CDs/DVDs/pen drives capable of either resetting passwords or extracting hashes, when
the adversary is not able to remove the disk. Hard disk passwords, also known as
ATA passwords, are a category of their own. Some company policies consider them
just as good as FDE, but this is not disk encryption; it only uses a part of the
ATA standard for hard disks, and in many cases a master password exists
which overrides the one set by the user [ISEE0XDEADDISKS 2008]. Firewire
attacks bypass all protection of the hard disk if a user has locked a logged-in
system. To mitigate this, the Firewire and/or PCMCIA port must be disabled in
some way, or automatic PCMCIA driver installation should be disabled.
The final conclusion of this paper must be: never leave your computer unattended!
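As an added example (not from the paper), the following PowerShell script audits two of the host-side mitigations recommended above on a Windows 8/8.1 machine: whether BitLocker protection is actually turned on for each volume, and whether the FireWire driver stack is disabled. The driver check looks at the Start value of the sbp2port and 1394ohci services, which Microsoft's guidance against DMA attacks says to disable (Start = 4). It assumes the BitLocker PowerShell module is installed and that the script is run from an elevated prompt; the function names are my own.

```powershell
# Added example, not part of the paper: audit BitLocker FDE and the FireWire
# (IEEE 1394 / SBP-2) driver state on Windows 8/8.1. Run elevated.

function Get-FdeStatus {
    # One object per volume: is BitLocker protection actually on, and with
    # which key protectors (TPM, PIN, recovery password, ...)?
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Encrypted  = ($_.ProtectionStatus -eq 'On')
            Percent    = $_.EncryptionPercentage
            Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Get-FirewireDmaStatus {
    # Microsoft's DMA mitigation is to disable the SBP-2 driver and the 1394
    # controller driver. A Start value of 4 means the service is disabled;
    # a missing key means the driver is not installed at all.
    foreach ($svc in 'sbp2port', '1394ohci') {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{
            Driver   = $svc
            Present  = ($null -ne $start)
            Disabled = ($null -eq $start -or $start -eq 4)
        }
    }
}

$fde = Get-FdeStatus
$fw  = Get-FirewireDmaStatus

$fde | Format-Table -AutoSize
$fw  | Format-Table -AutoSize

# Summarise: either finding means the offline attacks described in this
# paper (SAM/Vault extraction, DMA against a locked session) remain possible.
if ($fde | Where-Object { -not $_.Encrypted }) {
    Write-Warning 'At least one volume is not protected by BitLocker: offline SAM and Vault extraction is possible.'
}
if ($fw | Where-Object { -not $_.Disabled }) {
    Write-Warning 'FireWire/SBP-2 driver is still enabled: DMA attacks against a locked, logged-in session remain possible.'
}
```

The script deliberately reports ProtectionStatus rather than VolumeStatus: a volume can be fully encrypted while protection is suspended, which gives no benefit against an adversary with the disk in hand. It does not check the PCMCIA/CardBus auto-install setting mentioned above, since that depends on the specific hardware and driver.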
REFERENCES
Amazon. 2014. Amazon EC2 pricing. http://aws.amazon.com/ec2/pricing/. Accessed: 21.feb.2014.
Amplia. 2013. Windows credential manager. http://www.ampliasecurity.com/research/windows-credentials-editor/. Accessed: 6.mar.2014.
Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX conference on Offensive technologies. USENIX Association, 1–7.
Bonneau, J., Preibusch, S., and Anderson, R. 2012. A birthday present every eleven wallets? The security of customer-chosen banking PINs. In Financial Cryptography and Data Security. Springer, 25–40.
Bursztein, E. and Picod, J. M. 2010. Recovering Windows secrets and EFS certificates offline. In Proc. of the 4th USENIX Conference on Offensive Technologies. Berkeley, USA: USENIX Association.
DataGenetics. 2012. PIN analysis. http://www.datagenetics.com/blog/september32012/. Accessed: 7.jan.2014.
Delpy, B. 2011. Re – pass the pass. http://blog.gentilkiwi.com/securite/re-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2012. Re - re – pass the pass. http://blog.gentilkiwi.com/securite/rere-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014a. Blog de gentil kiwi. http://blog.gentilkiwi.com. Accessed: 21.feb.2014.
Delpy, B. 2014b. mimikatz. http://blog.gentilkiwi.com/mimikatz. Accessed: 17.jan.2014.
Delpy, B. 2014c. mimikatz can now extract *pin code* of smartcards associated with logon sessions. https://twitter.com/gentilkiwi/status/437719635404673025/photo/1. Accessed: 26.feb.2014.
Delpy, B. 2014d. Pass the pass. http://blog.gentilkiwi.com/securite/pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014e. Windows 8, code pin et mot de passe image. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-code-pin-mot-de-passe-image. Accessed: 23.jan.2014.
Delpy, B. 2014f. Windows 8, empreintes digitales. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-empreintes-digitales. Accessed: 24.jan.2014.
Dieterle, D. W. 2014. Basic Security Testing with Kali Linux, 1 ed. CreateSpace Independent Publishing Platform.
Falde, K. 2013. Restricted admin mode for RDP in Windows 8.1 2012 R2. http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx. Accessed: 18.feb.2014.
Freerainbowtables. 2014. Rainbow tables available. https://www.freerainbowtables.com/en/tables2/. Accessed: 26.feb.2014.
Griffin, D. 2007. Create custom login experiences with credential providers for Windows Vista. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx. Accessed: 24.feb.2014.
Hagen, P. N. 2014. Offline NT password and registry editor. http://pogostick.net/~pnh/ntpasswd/. Accessed: 23.feb.2014.
Hardware, T. 2010. System encryption: BitLocker and TrueCrypt compared. http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587-9.html. Accessed: 24.jan.2014.
ISEE0XDEADDISKS. 2008. List of hard disk ATA master passwords. http://ipv5.wordpress.com/2008/04/14/list-of-hard-disk-ata-master-passwords/. Accessed: 21.feb.2014.
Long, J. and Mitnick, K. 2011. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Elsevier Science.
Lowe, M. 2013. New "restricted admin" feature of RDP 8.1 allows pass-the-hash. https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/. Accessed: 18.feb.2014.
Maartmann-Moe, C. 2011. Inception. http://www.breaknenter.org/projects/inception/. Accessed: 18.feb.2014.
McClure, S., Scambray, J., and Kurtz, G. 2009. Hacking Exposed: Network Security Secrets and Solutions. McGraw-Hill.
Microsoft. 2013. What's new in biometrics in Windows 8.1. http://technet.microsoft.com/library/dn344916.aspx. Accessed: 24.jan.2014.
Microsoft. 20xx. MSV1_0 authentication package. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx. Accessed: 24.feb.2014.
Mythbusters. 2006. Fingerprint scanners are unbeatable. http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm. Accessed: 18.feb.2014.
Passcape. 2011. LSA secrets in Windows. http://www.passcape.com/index.php?setLang=2&section=blog&cmd=details&id=15. Accessed: 21.feb.2014.
Passcape. 2012a. DPAPI secrets. Security analysis and data recovery in DPAPI (part 1). http://www.passcape.com/index.php?section=blog&cmd=details&id=20. Accessed: 21.feb.2014.
Passcape. 2012b. Security breach in Windows 7 and Windows 8 biometric authentication. http://www.passcape.com/index.php?section=blog&cmd=details&id=31. Accessed: 23.jan.2014.
Passcape. 2012c. Windows 8 stores logon passwords in plain-text. http://www.passcape.com/index.php?section=blog&cmd=details&id=27. Accessed: 7.jan.2014.
Passcape. 2014. Passcape. http://www.passcape.com. Accessed: 21.feb.2014.
Pilkington, M. 2012. Protecting privileged domain accounts: Disabling encrypted passwords. http://digital-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords. Accessed: 24.feb.2014.
Rapid7. 2011. Microsoft Windows authenticated administration utility. http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_command. Accessed: 18.feb.2014.
Ronin. 2014. Passing the hash with remote. http://www.kali.org/penetration-testing/passing-hash-remote-desktop/. Accessed: 18.feb.2014.
Skullsecurity. 2011. Passwords. https://wiki.skullsecurity.org/Passwords. Accessed: 21.feb.2014.
Spylogic. 2008. What is digest authentication? http://www.spylogic.net/2008/05/winlockpwn-more-then-a-partytrick/. Accessed: 20.feb.2014.
Superuser. 2012. How to get a screensaver at the Windows 7 login screen? http://superuser.com/questions/107200/how-to-get-a-screensaver-at-the-windows-7-login-screen. Accessed: 26.feb.2014.
thelead82. 2013. Kon-Boot for Windows. http://www.thelead82.com/products-win.html. Accessed: 17.jan.2014.
Wolthusen, S. D. 2014. Lecture slides IMT4541 Foundations in Information Security.
xkcd. 2013. Password strength. https://xkcd.com/936/. Accessed: 24.jan.2014.
ZDNet. 2014. The history of Windows: A timeline. http://www.zdnet.com/the-history-of-windows-a-timeline-7000025145/. Accessed: 18.feb.2014.
Zhao, Z., Ahn, G.-J., Seo, J.-J., and Hu, H. 2013. On the security of picture gesture authentication. In Proceedings of the 22nd USENIX conference on Security. USENIX Association, 383–398.