Vulnerabilities in login authentication methods and password storage in Windows 8


John-Andre Bjorkhaug, Gjovik University College, March 2014

Today, with the rise of touchscreen devices like tablets, smartphones and even laptops with touchscreens, users might find it too cumbersome to type in regular passwords. Typing, for example, an eight-character password containing letters, numbers and even symbols takes too much time on a touchscreen keyboard and is often not easy for the average user. The companies developing these devices have taken the problem under consideration and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. This paper focuses on the different methods used for logon authentication in the Microsoft Windows 8 and 8.1 operating systems, since these now appear on more and more touchscreen devices. The paper starts with an introduction explaining some of the new features of Windows 8, followed by an overview of work related to this paper. Next comes a section about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Then it is time to dive into Windows 8 and the new methods for login authentication and their vulnerabilities. The paper ends with a conclusion with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.

Categories and Subject Descriptors: D.4.6 [Security and Protection]: Invasive software—Operating system security
General Terms: security
Additional Key Words and Phrases: operating system security, passwords, authentication, PIN

1. INTRODUCTION

Today, devices with touchscreens, like smartphones, tablets and laptops, are getting more and more common, and operating systems like Android and iOS have been dominating for some years.
Using text-based passwords containing, for example, both upper and lower case letters, numbers and even symbols takes too much time and is often not easy for the average user on a touchscreen soft keyboard. The companies developing these devices have taken the problem under consideration and have come up with alternative authentication methods replacing the password, for example biometrics, PINs, gestures and so on. PIN codes and the regular gesture password, used on different touch devices for years, have a very small password space compared to a good old text-based password. In Windows 8, Microsoft presented some new native methods for logging in to a Windows system: the use of a four-digit PIN code, the so-called picture password, and fingerprint. A four-digit PIN code is obviously not very secure; a picture password can be very secure, if implemented correctly.

Even though Microsoft Windows has been available in different forms on different touch devices for many years, a lot happened when they made Windows 8. This version of Windows runs just as well on touch devices as on desktop computers. You have the possibility to use the good old desktop on laptops and desktop computers, and the new tile interface called Modern UI¹, which is better fitted for touch devices. Recently there has also been a rise in both laptops and desktop computers with touchscreens. Microsoft Windows 8 was released in August 2012 and was available to the general public at the end of October the same year. Windows 8.1 came out in October 2013, with small changes compared to 8 [ZDNet 2014]. Actually, 8.1 can in many ways be looked at as more of a service pack than a full OS upgrade. Windows 8 can be said to have been one of the biggest changes, at least visually, since Windows 95 replaced Windows 3.11, but at least Windows 8 was very Windows 7 like when not using the new tile interface. Since Windows 8 is relatively new, there are still some teething problems, and both the operating system and the users still need to mature a bit.

In addition to adding Modern UI for use on devices with a touchscreen, Microsoft also included several authentication methods to make the operating system even more user friendly on touch devices. In addition to the good old password, methods like PIN code and picture password have been included from Windows 8. The reason for this is so the user doesn't have to type in passwords like "Tr0ub4dor" [xkcd 2013] on the devices' limited software keyboard, where for example the use of the "shift" key is rather cumbersome. These new login authentication methods have introduced quite a few new vulnerabilities into the login authentication in Windows, in addition to the ones that have been there for years. This paper will discuss both old and new login authentication methods and their vulnerabilities.
All tests performed for this paper have been done on a VMware virtual machine and a Dell Venue 11 Pro tablet, both running Windows 8.

This paper is organized as follows. Section 1 is the introduction you are now reading. Section 2 gives an introduction to work related to this paper. Section 3 is about classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Section 4 gives details about the new authentication methods used for logging in to Windows 8, and their vulnerabilities. The paper ends with section 5, the conclusion, with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.

2. RELATED WORK

Most books covering ethical hacking and penetration testing have a section about extracting and cracking LM and NTLM hashes, for example the "Hacking Exposed" series [McClure et al. 2009]. Not much has been written yet about the "new" authentication forms for Windows, picture passwords and PIN codes, in the context of Windows, but the paper "On the Security of Picture Gesture Authentication" by Ziming Zhao et al. [Zhao et al. 2013] describes rather comprehensive research on picture passwords, presenting an empirical analysis of picture gesture authentication based on more than 10,000 picture passwords. This paper focuses more on how the login mechanism works together with the rest of the operating system. When it comes to PIN codes, there has been some statistical research done, among others by Joseph Bonneau et al. at Cambridge University [Bonneau et al. 2012] and the company DataGenetics [DataGenetics 2012]. Also, much of the content in this paper is relatively new and only discussed in the blogs of the smart guys who find vulnerabilities and write exploits, like for example the blog of the Russian company Passcape [Passcape 2014] and the French security researcher Benjamin Delpy, aka "gentilkiwi" [Delpy 2014a].

3. CLASSICAL LOGIN AUTHENTICATION VULNERABILITIES IN WINDOWS

Before going into the vulnerabilities that are new to Windows 8 because of the new login authentication methods, the good old vulnerabilities in the login mechanism and password storage, which are still valid for Windows 8.x, will be discussed.

Fig. 1. Password login screen in Windows 8.1, with the choice of login method below the input field.

3.1 Password hashing

In Microsoft Windows, a cryptographic hash of the password is stored in a file called "SAM" (Security Accounts Manager), located at %systemroot%\system32\config\SAM. This file is a part of the registry and is in an officially undocumented binary format [Hagen 2014]. In the Windows registry the SAM is placed under the key HKEY_LOCAL_MACHINE\SAM. Both of these locations are locked even for the administrator while the operating system is running, but it is possible to extract the hashes, for example from the registry on a running system, with the help of DLL injection into the LSASS (Local Security Authority Subsystem Service) process, with tools like pwdump, fgdump, Cain & Abel and mimikatz, which we will discuss more later. Other places to extract hashes from include a shadow copy of the SAM file. Readers interested in knowing more about what can be found in the LSASS process are recommended to read [Passcape 2011].

¹ Many still call the interface by its earlier name, Metro.
There are two different hash algorithms, called LM (LAN Manager) and NTLM (NT LAN Manager). From Windows Vista and Server 2008, the LM hash has been disabled by default, but it can be enabled for backwards compatibility. An LM hash can be used for passwords up to 14 characters and has a serious weakness. The password is split in two halves, the first one seven characters and the second one the rest of the password. For example, a password of length 10 is split into one hash calculated from the first seven characters, and one from the last three characters. All letters are then converted to upper case. This cuts the keyspace of a 14-character password from 2^84 to 2^37 different combinations [McClure et al. 2009]. This makes cracking of LM hashes very fast, using for example rainbow tables, which are pre-calculated tables of passwords and hashes. This paper will not go any further into the cracking of LM hashes, since this is out of scope for the paper. For more information see for example [McClure et al. 2009].

When it comes to NTLM hashes, there is a much bigger keyspace, but rainbow tables are still a very effective method for cracking these hashes, because the hash is not salted. The problem is that with NTLM's large keyspace, tables get very space consuming. One of the largest publicly available rainbow tables for NTLM today is a table covering upper and lower case letters, the numbers 0-9 and space, for passwords of length 1 to 7 characters. This table is a little over 1TB in size. Compare this with a rainbow table for LM hashes which covers all symbols on the keyboard and password lengths 1 to 7 characters, which in reality means 1-14 since the password is split in two: that table is 34GB [Freerainbowtables 2014]. Salting the hash means that a random value is added to the password before the hash algorithm is run, thereby creating different hashes when the same password is hashed twice. The password hashing mechanism in, for example, Linux salts its hashes. Salting the hash mitigates attacks like rainbow tables [McClure et al. 2009].

Lately it has also become very popular to use the GPU² on graphics cards to increase the speed of cracking cryptographic hashes, since these are much more effective than regular CPUs at the simple mathematical operations used in hashing. According to Jeremy Gosney³, one of the world's top experts in password cracking, with a regular graphics card like the AMD Radeon HD 7970 it is possible to brute-force NTLM hashes at approximately 20 billion passwords per second. With a cluster of graphics cards this can be multiplied by the number of graphics cards.
One downside of building machines for password cracking with graphics cards is that it gets rather expensive. In February 2014 an AMD Radeon HD 7970 cost approximately NOK 3000 in Norway. But why build your own password cracking machine, when Amazon EC2 offers multiple graphics cards in their cloud computers, which can be rented for as low as $2 per hour [Amazon 2014]? It is very common to use large dictionaries to shorten the time to crack a password. Today, when there have been numerous leaks of large password databases, there is no problem for adversaries to create very effective dictionaries. The biggest password leak up till now is the leak of over 32,000,000 user accounts from the game producer RockYou in 2009 [Skullsecurity 2011]. Cracking password hashes can be done for example with tools like the following:

—John The Ripper
—L0phtCrack
—Cain & Abel
—Ophcrack
—OclHashCat
—Tools from ElcomSoft

If a computer is compromised, the NTLM hashes are extracted, and the adversary isn't able to crack the password, the hash can still be useful. The hash can be used in a so-called pass-the-hash attack, where the hash is used for authentication to other systems connected to the same network as the adversary and using the same password as the compromised system (inter-system password re-use) [Wolthusen 2014]. This can be done with tools like mimikatz and modifications of the psexec tool, which is included in the penetration testing framework Metasploit [Rapid7 2011]. This is a very effective attack in a Windows environment where the same administrator password is used on multiple computers, and it has been used on numerous penetration tests by the author of this paper, with a very high success rate. Up until Windows 8.1 and Windows Server 2012 R2, only a limited set of resources could be reached with the pass-the-hash attack, but here Microsoft implemented a security feature in the Remote Desktop Protocol (RDP) called Restricted Admin, which actually makes it possible to connect to an RDP service using the pass-the-hash attack [Falde 2013] [Ronin 2014] [Lowe 2013]. As with most other attacks on passwords in Windows, this can also be done with mimikatz, but also with a more widely known and recognized application called FreeRDP, which is an open implementation of the RDP protocol [Ronin 2014].

3.2 Clear text password extraction

In recent years it has also become publicly known that, because of a feature in Windows called WDigest, it is possible to extract passwords in clear text from memory, using tools like mimikatz [Delpy 2014b] [Delpy 2011] or Windows Credential Editor [Amplia 2013]. WDigest is a DLL that was first added in Windows XP, and is used to authenticate users against HTTP Digest authentication and Simple Authentication and Security Layer exchanges. These two authentication methods require a plain-text password to be able to function.

² Graphics Processing Unit
³ Twitter conversation between me and him
To extract passwords from WDigest, the adversary needs access to a computer that is turned on and logged in, but how many average users lock their computer when they go to the toilet? Similar vulnerabilities also apply to other features that were implemented from Windows NT 6 (Windows Vista and Windows Server 2008), for example when Single Sign-On (SSO) to Remote Desktops is enabled (tspkg) [Delpy 2014d], if a Microsoft Live account (LiveSSP⁴) is used [Delpy 2012], and with the Kerberos SSP. Actually, in Windows 8.1 wdigest and tspkg are disabled by default, but when SSO for websites or RDP is enabled, wdigest and tspkg are enabled too. The passwords stored in memory for all these scenarios are actually encrypted, but with such a weak method that they are very easy to decrypt. The standard Windows function LsaProtectMemory is used for encryption and LsaUnprotectMemory for decryption [Pilkington 2012]. More methods for extracting passwords in clear text will follow when we later discuss some new vulnerabilities in Windows 8.

3.3 Bypassing login authentication

The techniques discussed earlier assume that the adversary already has access to the victim system, either by being a user of a multiuser system who wants to forge the identity of other users of the same system, or by being an adversary who has gotten access to a system which is powered on and already logged in. But what if the system is shut down, or locked? Let's discuss some classical options to bypass the login authentication in Windows. Some of these attacks have been known all the way back to Windows XP, but are still not fixed in Windows 8.1.

Password reset

Probably the most known and most used Windows login bypass is the use of bootable media to edit the SAM file. This trick is very simple, but it can leave easily found traces that an adversary has accessed the system. It works by booting the system with another operating system, most often a small Linux distribution, and editing the SAM file discussed earlier. This works like a charm since Windows isn't running. With tools like Offline NT Password and Registry Editor, developed by Petter Nordahl-Hagen [Hagen 2014], it is possible to do things like:

—Change or clear a user's password
—Enable disabled accounts
—Create new users
—Remove users
—Change a user's group

To access a system without leaving any easy-to-find traces, the adversary could create a new user, add it to the "admin" group, log in to the system and at the end delete the newly added user.

msv1_0.dll patching at boot time

If creating a new user is not desired, patching the DLL file "msv1_0.dll" can be a nice option. This DLL is called by the Local Security Authority (LSA), mentioned earlier, and processes login data collected by the Credential Providers⁵ for the Winlogon process [Microsoft 20xx]. At boot time, this can be done using tools like Kon-Boot [thelead82 2013]. This application silently bypasses the login authentication on any modern Windows operating system by patching msv1_0.dll when it is loaded into memory. The patching causes the password check to always return true, which means that no account requires a password, without overwriting the old passwords.

⁴ Security Support Provider
The way this tool is used is to boot the computer from some kind of external medium (CD, DVD, USB stick etc.); a Kon-Boot boot screen will then be displayed while the tool is working. Then, when the Windows login screen is visible, select the user you want to log in as, and log in without any password. When the computer is then rebooted, the victim logs in like he always has, with his good old password. As a side note, it is also available for Apple OS X, but works in a different way.

msv1_0.dll patching with Firewire

IEEE 1394, commonly known as Firewire, is another interesting case when it comes to bypassing Windows login authentication. The weakness with Firewire is that it has direct access to physical memory, making it possible to patch msv1_0.dll, just as mentioned earlier, but this time at run time. This attack was first demonstrated using a modified iPod running Linux and a script called winlockpwn in 2008 [Spylogic 2008]. Neither iPod-Linux nor the winlockpwn tool is updated anymore, but thanks to Carsten Maartmann-Moe, a new tool called Inception was released in 2011 [Maartmann-Moe 2011], based on winlockpwn. Most new computers today don't have a Firewire port, but for an adversary this is in many cases not a problem. Firewire ports can be bought as PCMCIA cards, and when these are inserted into the computer's PCMCIA port, the drivers will be installed by themselves, even if the computer is locked. An interesting thing here is that the Firewire attack can also be used when the hard disk in the computer is encrypted with, for example, BitLocker, if the computer is not shut down but only locked. As another side note, Inception is also able to bypass the password on Apple OS X and Ubuntu.

Utilman bypass

This again is a very old and quite well-known trick, and it has actually been recommended by Microsoft to use this technique to bypass a forgotten password. This technique was already possible in Windows 2000, so why it is still possible in Windows 8.1 is a mystery. It takes advantage of a utility called Utilman, which is used for the accessibility features Magnifier, Narrator and On-Screen Keyboard. This utility is available at the login screen in all newer Windows versions, and can be opened by pressing the Windows key together with the letter U. The problem is that if the system is booted with, for example, a Linux Live CD and the adversary can access the files on the hard disk, he can remove or rename the file "utilman.exe", which is located in %systemroot%\system32, and then copy "cmd.exe" to "utilman.exe".

⁵ Credential Providers replaced the more widely known GINA from Windows Vista [Griffin 2007].
When the system is then rebooted and the login screen once again appears, the adversary can press Win+U, and a command prompt window running with system privileges will pop up. See Figure 2. The file "sethc.exe", which is also located in %systemroot%\system32, can be exploited in a very similar way. This file is used for the "Sticky Keys" feature of Windows, and it will run if the user presses the "shift" key five times in a row. If cmd.exe is copied to sethc.exe and the "shift" key is pressed five times at the login screen, the command prompt will again pop up [Dieterle 2014]. If a command prompt isn't good enough for the adversary, he can add users, change passwords, delete users and so on using Windows' net commands, since the prompt shell is running as the "system" user. For example, create a user with

    net user evilhacker * /add

(the * makes net user prompt for the password) and add it to the "administrators" group with

    net localgroup administrators evilhacker /add

Login screensaver

Another not so well-known trick, which works for Windows 7 and Windows 8.x and is in a way related to the utilman.exe bypass, is to enable a screensaver at the login screen, but instead of a screensaver, for example, cmd.exe is opened. This can be done by adding the following REG_SZ values to the registry key HKEY_USERS\.DEFAULT\Control Panel\Desktop [Superuser 2012]:

    SCRNSAVE.EXE = C:\WINDOWS\SYSTEM32\LOGON.SCR
    ScreenSaveActive = 1
    ScreenSaveIsSecure = 0
    ScreenSaveTimeOut = 10 (time before the screensaver starts, in seconds)

Then, at the login screen, after for example 10 seconds, the cmd.exe window will pop up with system privileges.

Now, let us finish the old stuff and cough up something new(ish).

4. PRESENTING: WINDOWS 8

Finally, the essentials of this paper: login authentication methods that are new in Windows 8. We start with some background material about the "root of all evil", the Data Protection Application Programming Interface and the Windows Vault.

4.1 Data Protection Application Programming Interface and Windows Vault

First a little about DPAPI, about which it is very difficult to find official information. Books like "Windows Internals", which in most cases answer almost anything about the internals of Windows, don't contain any information about the Windows Vault and the Data Protection Application Programming Interface (DPAPI). The only information available from Microsoft is the public interface to DPAPI; no internal details are published. Can it be because of the serious vulnerabilities in these features of Windows? There have been multiple attempts at reverse engineering it. The best sources are from the Russian company "Passcape" [Passcape 2012a], and the paper "Recovering Windows Secrets and EFS Certificates Offline" [Bursztein and Picod 2010] by Elie Bursztein et al., which presents a complete reverse engineering project of DPAPI. Together with this paper, Bursztein et al. also released an application called DPAPIck, which can be used to decrypt DPAPI secrets offline. This paper is highly recommended if the reader wants to learn the detailed internals of DPAPI. From Windows 2000, Microsoft included a special data protection interface, called the Data Protection Application Programming Interface, DPAPI for short.
This interface is used to easily store sensitive data on disk under Windows. Currently DPAPI is used in many Windows applications and subsystems, handling tasks like the file encryption system (EFS), wireless network key storage, Internet Explorer, Outlook, Skype, Credential Manager, Microsoft Vault and so on. Each encrypted unit is called a "blob". DPAPI is considered very easy to use for encryption (CryptProtectData) and decryption (CryptUnprotectData) of data, and is therefore very popular among programmers. The Russian company Passcape was the first to release software capable of decrypting and extracting data which had been encrypted with DPAPI on a live system.

In theory, DPAPI sounds very secure. It uses well-known and proven cryptographic algorithms. Windows 7, for example, uses AES-256 encryption in CBC mode, SHA-512 for hashing, and PBKDF2 as the password-based key derivation routine. There is no available information on the cryptographic algorithms used in Windows 8.x, but we can assume they are the same as in Windows 7. This sounds secure, but there are vulnerabilities. The operating system needs to be able to read data from DPAPI without any dialogue with the user. Therefore the keys to decrypt the DPAPI data must be in memory after they are decrypted from a master key file. This is what tools like the ones from Passcape, and mimikatz, use to extract login passwords from a running Windows system, which will be discussed in the following sections. Up until Windows 8, it was only possible to extract data about the currently logged in user on the actual system using DPAPI. With DPAPI-NG in Windows 8, it is possible to decrypt and extract data from all users, even if the files used by DPAPI are extracted and imported into another system.

As mentioned, Windows Vault uses DPAPI to encrypt and store passwords used by applications in Windows and by Windows itself. Windows Vault was introduced in Windows 7 as a replacement for the Credential Manager which was in use in earlier versions of Windows. The Windows Vault is what is used by the PIN, picture password and fingerprint login authentication.

4.2 PIN codes and their vulnerabilities

The main thing to be worried about when it comes to PIN codes as login authentication in Windows 8 is that Microsoft only gives you the option to use four digits. This reduces the keyspace drastically, and if humans choose the PINs, there is a pretty big chance they will be relatively easy to guess, especially if the adversary has some knowledge about the victim. One can wonder why on earth Microsoft limited PIN codes to four digits. There has been significant research done on the security of PIN codes. Researching the statistics of PIN codes extracted from password leaks like the one from RockYou, mentioned earlier, has produced some interesting facts about PIN codes. Research has been done among others by Joseph Bonneau et al. at Cambridge University [Bonneau et al. 2012], and the company DataGenetics [DataGenetics 2012].
Below is a table showing the 20 most used PIN codes, from a statistical analysis done on 3,400,000 PIN codes by DataGenetics in 2012 [DataGenetics 2012].

    Nr  PIN   Frequency
     1  1234  10.713%
     2  1111   6.016%
     3  0000   1.881%
     4  1212   1.197%
     5  7777   0.745%
     6  1004   0.616%
     7  2000   0.613%
     8  4444   0.526%
     9  2222   0.516%
    10  6969   0.512%
    11  9999   0.451%
    12  3333   0.419%
    13  5555   0.395%
    14  6666   0.391%
    15  1122   0.366%
    16  1313   0.304%
    17  8888   0.303%
    18  4321   0.293%
    19  2001   0.290%
    20  1010   0.285%
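As an added example (not code from the paper), the following Python uses the table above to quantify what the skew means for a four-digit Windows 8 PIN and turns the patterns visible in the table into policy rules; the guess budget, the year range and the keypad layout are assumptions of the example, not Windows settings.

```python
"""What the skew in the DataGenetics top-20 table means for a four-digit
Windows 8 PIN, and a policy check that encodes the patterns visible in it.

Added example, not the paper's code. The frequencies are the ones printed in
the paper [DataGenetics 2012]; the guess budget and the year range used by
the policy are assumptions of this example, not Windows settings.
"""
from __future__ import annotations

# (PIN, frequency in percent) exactly as listed in the paper's table.
TOP20: list[tuple[str, float]] = [
    ("1234", 10.713), ("1111", 6.016), ("0000", 1.881), ("1212", 1.197),
    ("7777", 0.745), ("1004", 0.616), ("2000", 0.613), ("4444", 0.526),
    ("2222", 0.516), ("6969", 0.512), ("9999", 0.451), ("3333", 0.419),
    ("5555", 0.395), ("6666", 0.391), ("1122", 0.366), ("1313", 0.304),
    ("8888", 0.303), ("4321", 0.293), ("2001", 0.290), ("1010", 0.285),
]

# Rows and columns of a phone-style keypad (the paper's sample PIN 2580 is the
# middle column). Assumed layout: 123 / 456 / 789 / 0 under the 8.
KEYPAD_LINES = ("123", "456", "789", "147", "2580", "369")


def top_k_coverage(table: list[tuple[str, float]], k: int) -> float:
    """Fraction of users whose PIN is among the k most common ones.

    With the table sorted by frequency this is the success rate of an
    adversary who spends k guesses walking down the list.
    """
    return sum(freq for _, freq in table[:k]) / 100.0


def uniform_coverage(k: int, digits: int = 4) -> float:
    """Success rate of k guesses if PINs were chosen uniformly at random."""
    return min(1.0, k / 10 ** digits)


def guessing_advantage(table: list[tuple[str, float]], k: int,
                       digits: int = 4) -> float:
    """How many times better list-guessing is than blind guessing after k tries."""
    return top_k_coverage(table, k) / uniform_coverage(k, digits)


def weak_pin_reasons(pin: str, table: list[tuple[str, float]] = TOP20) -> list[str]:
    """Policy rules a candidate PIN violates; an empty list means it passes.

    Each rule corresponds to a pattern in the table: a top-20 entry, one
    repeated digit (1111), a repeated pair (1212, 1010), a straight run up or
    down (1234, 4321), a plausible year (2000, 2001) and, beyond the table,
    a keypad row or column (2580).
    """
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    reasons: list[str] = []
    if pin in {p for p, _ in table}:
        reasons.append("in top-20 list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequential run")
    if 1900 <= int(pin) <= 2030:  # assumed range for "looks like a year"
        reasons.append("looks like a year")
    if any(set(pin) <= set(line) for line in KEYPAD_LINES):
        reasons.append("single keypad row or column")
    return reasons


if __name__ == "__main__":
    for k in (1, 5, 20):  # assumed guess budgets before a lockout would bite
        print(f"{k:2d} guesses: {top_k_coverage(TOP20, k):.2%} of users, "
              f"{guessing_advantage(TOP20, k):.0f}x better than blind guessing")
    for candidate in ("1234", "2580", "8372"):
        print(candidate, weak_pin_reasons(candidate) or ["ok"])
```

Note that 2580, the PIN in the paper's own mimikatz output, is not in the top 20 but still fails the keypad rule.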
Enough about general PIN code vulnerabilities. The rest of this section actually applies not only to the use of PIN codes in Windows 8; it also applies to picture password and to some degree to the fingerprint login. It is discussed in this section because this paper handles PIN codes first. Information and vulnerabilities that only apply to picture passwords and fingerprints are discussed in later sections.

In 2012 it became publicly known that Windows 8 stores login passwords in an easily recoverable way when PIN or picture password is in use. This is because they are stored in the Windows Vault, which uses DPAPI, as discussed earlier in this paper. Using a tool from Passcape it was possible to easily extract the users' passwords in clear text [Passcape 2012c]. On the 8th of January 2014, I came in contact with Benjamin Delpy aka "gentilkiwi" on Twitter, the man behind the open-source tool mimikatz, and asked him questions on how this was done. A few hours later he had included this feature in mimikatz. Some days later Mr Delpy published a post on his blog describing how this was done [Delpy 2014e]. The extraction of both the regular password, the PIN code and the picture password coordinates using mimikatz is shown below.

Running mimikatz:

    privilege::debug
    token::elevate
    vault::list
    exit

Note that some non-interesting lines are removed from the output to save space in this paper.

      .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Mar 2 2014 22:44:55)
     .## ^ ##.
     ## / \ ##  /* * *
     ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     '## v ##'   http://blog.gentilkiwi.com/mimikatz                   (oe.eo)
      '#####'                                    with 14 modules * * */

    mimikatz(commandline) # privilege::debug
    Privilege '20' OK

    mimikatz(commandline) # token::elevate
    Token Id  : 0
    User name :
    SID name  : NT AUTHORITY\SYSTEM
    <snip> .... <snip>

    mimikatz(commandline) # vault::list
    Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
    <snip> .... <snip>
       0. Picture Password Credential
    <snip> .... <snip>
        *** Picture Password ***
        User      : venue\John Doe
        Password  : Password00
        Picture password (grid is 150*100)
         [0] line  (x = 17 ; y = 5) -> (x = 33 ; y = 65)
         [1] point (x = 70 ; y = 21)
         [2] point (x = 80 ; y = 20)
       1. PIN Logon Credential
    <snip> .... <snip>
        *** Pin Logon ***
        User      : venue\John Doe
        Password  : Password00
        PIN Code  : 2580
       2. PIN Logon Credential
    <snip> .... <snip>
        *** Pin Logon ***
        User      : venue\Jane Doe
        Password  : TopSecret123!
        PIN Code  : 1234
    <snip> .... <snip>

When combining mimikatz with Kon-Boot, which was mentioned earlier, it is possible to bypass login authentication and extract login credentials for all users of the system. This is also valid when the computer and user are members of an Active Directory domain. So even though the adversary doesn't get access to domain resources when using authentication bypass tools like Kon-Boot or the Inception Firewire attack, he can compromise a domain account with the following steps:

(1) Bypass authentication with for example Kon-Boot or Inception
(2) Extract passwords from the Vault using mimikatz
(3) Reboot the computer
(4) Log in with the valid credentials obtained in the previous steps
(5) Jackpot! The adversary has access to the victim's domain resources

It is also very interesting to know that the password vault is global, so once logged in to a system as an administrator, the user can extract login credentials for all users of the system. Instead of bypassing the login with tools like Kon-Boot, mimikatz can also be run in the system-privileged cmd.exe from the "Utilman authentication bypass" attack, as shown in Figure 2.
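An added host check, not the paper's code, for the two login-screen tricks from section 3.3 that the Utilman route above relies on: it compares utilman.exe and sethc.exe against cmd.exe and inspects the logon-desktop screensaver values the paper lists. The sample files and registry values are constructed, and the on-Windows registry helper is the example's own.

```python
"""Audit for the login-screen tricks from section 3.3: an accessibility
binary (utilman.exe, sethc.exe) replaced by a copy of cmd.exe, and a
screensaver registered for the logon desktop under
HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop.

Added example, not the paper's code. File and value names are the ones the
paper gives; the sample host below is constructed.
"""
from __future__ import annotations

import hashlib
import os
from typing import Callable, Optional

ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe")
SCREENSAVER_VALUES = ("SCRNSAVE.EXE", "ScreenSaveActive",
                      "ScreenSaveIsSecure", "ScreenSaveTimeOut")

# A reader maps a path to the file's bytes, or None when it cannot be read.
# Abstracting the filesystem keeps the audit logic testable off-box.
Reader = Callable[[str], Optional[bytes]]


def disk_reader(path: str) -> Optional[bytes]:
    """Reader backed by the real filesystem."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def _digest(read: Reader, path: str) -> Optional[str]:
    data = read(path)
    return None if data is None else hashlib.sha256(data).hexdigest()


def audit_login_screen(read: Reader, system32: str,
                       desktop_values: dict[str, str]) -> list[str]:
    """Return findings for one host; an empty list means nothing suspicious.

    system32        directory holding cmd.exe, utilman.exe and sethc.exe
    desktop_values  REG_SZ values of HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop
                    as a name -> string mapping (already read by the caller)
    """
    findings: list[str] = []
    base = system32.rstrip("\\")
    cmd_hash = _digest(read, base + "\\cmd.exe")
    if cmd_hash is None:
        return ["cmd.exe not found; cannot compare"]

    # 1. utilman.exe / sethc.exe overwritten with cmd.exe (or removed).
    for name in ACCESSIBILITY_BINARIES:
        h = _digest(read, base + "\\" + name)
        if h is None:
            findings.append(f"{name} missing or unreadable")
        elif h == cmd_hash:
            findings.append(f"{name} is byte-identical to cmd.exe")

    # 2. Screensaver enabled on the logon desktop, as in the registry listing
    #    from section 3.3; flag it, and flag harder if it is really cmd.exe.
    active = desktop_values.get("ScreenSaveActive", "0") == "1"
    scr = desktop_values.get("SCRNSAVE.EXE", "")
    if active and scr:
        secure = desktop_values.get("ScreenSaveIsSecure", "0") == "1"
        timeout = desktop_values.get("ScreenSaveTimeOut", "?")
        findings.append(f"screensaver {scr} active on logon desktop "
                        f"(secure={secure}, timeout={timeout}s)")
        if _digest(read, scr) == cmd_hash:
            findings.append(f"{scr} is byte-identical to cmd.exe")
    return findings


# Constructed sample host: utilman.exe and logon.scr are copies of cmd.exe,
# sethc.exe is untouched. The bytes are placeholders, not real PE images.
_CMD = b"MZ placeholder for cmd.exe"
SAMPLE_FILES = {
    r"C:\Windows\System32\cmd.exe": _CMD,
    r"C:\Windows\System32\utilman.exe": _CMD,
    r"C:\Windows\System32\sethc.exe": b"MZ placeholder for sethc.exe",
    r"C:\Windows\System32\logon.scr": _CMD,
}
SAMPLE_DESKTOP = {  # the values the paper lists, with a constructed path
    "SCRNSAVE.EXE": r"C:\Windows\System32\logon.scr",
    "ScreenSaveActive": "1",
    "ScreenSaveIsSecure": "0",
    "ScreenSaveTimeOut": "10",
}


def read_default_desktop_values() -> dict[str, str]:
    """Read the live values from the registry (Windows only)."""
    import winreg  # imported here so the module also loads on other hosts

    values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_USERS, r".DEFAULT\Control Panel\Desktop") as key:
        for name in SCREENSAVER_VALUES:
            try:
                values[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return values


if __name__ == "__main__":
    sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for line in audit_login_screen(disk_reader, sys32, read_default_desktop_values()):
        print(line)
```

Run off-box, `audit_login_screen(SAMPLE_FILES.get, r"C:\Windows\System32", SAMPLE_DESKTOP)` reports the replaced utilman.exe and the cmd.exe-backed screensaver while leaving the genuine sethc.exe alone.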
Fig. 2. cmd.exe running as utilman.exe on the Windows 8.1 login screen.

4.3 Picture password and its vulnerabilities

Picture password is a new login authentication method in Windows 8, based on the gesture authentication previously in use on both Android and iOS devices with touchscreens. The way this method works is that the user defines three gestures used for authentication. Each of the three gestures can be a single point, a circle or a line, on a 100 by 150 grid. In the mimikatz output in the above section about PIN codes, the coordinates for the different gestures on the picture in Figure 3 are shown. The line (1) goes from the top to the bottom of The Terminator's shotgun, the first dot (2) is the left glass of his sunglasses, and the second dot (3) is the right glass. If Microsoft fixes these issues, the picture password method looks very promising, with a high number of possible combinations, and easy to use on touchscreen devices. As mentioned under the section about PINs, the vault attack is the same when using a picture password.

Also, there exist a couple of not so technical attacks on touchscreen devices, for both PIN and picture password. The smudge attack is a method to find the gesture pattern used to unlock touchscreen devices using this form of authentication. This attack relies on detecting the smudge left on the screen by grease from the user's fingers. Using proper lighting, camera settings and image processing software, both a gesture and a PIN code can, in many cases, be recovered. This attack was first made publicly known by a research team from the University of Pennsylvania, at the 4th USENIX conference on Offensive Technologies [Aviv et al. 2010]. The smudge attack is in many ways similar to number keypads that have some numbers more worn than others, which in many cases can make it possible for an adversary to see commonly used digits. Another vulnerability both PIN codes and picture passwords might be more exposed to is shoulder surfing [Long and Mitnick 2011], since it is much easier to see a gesture on a picture than the characters typed on a keyboard.

Fig. 3. The picture password login screen, with coordinates.

4.4 Fingerprints and their vulnerabilities

From Windows 8.1, Windows got native support for fingerprint login authentication [Microsoft 2013]. Knowing this, and how the PIN and picture password functions store their credentials, I was curious about how this was done with fingerprints. Not able to find any information about this, I once again asked Benjamin Delpy, on the 20th of January. On the 23rd, he had implemented this in mimikatz as well [Delpy 2014f]. It turns out that, as suspected, the fingerprint login stores its information in the same way as PIN and picture password, in the Vault. Therefore it is also possible to extract the login passwords when fingerprint is in use. With more knowledge on the subject, I was able to find that Passcape had already implemented this in their commercial "Windows Vault Explorer" in 2012 [Passcape 2012b]. In addition, of course, the fingerprint authentication in Windows is vulnerable to all the classical attacks on fingerprint readers, like for example a fingerprint printed on paper, latex fingers etc. This can be seen in, for example, the Discovery Channel show Mythbusters, episode 59 "Crimes and Myth-Demeanors 2" [Mythbusters 2006].
4.5 Multi-factor login authentication and its vulnerabilities

On the 23rd of February, Benjamin Delpy once again proved his skills and released a new feature in mimikatz. It is now possible to extract the PIN code used when a smart card is used instead of a password for Windows login authentication [Delpy 2014c]. According to Mr Delpy, this is valid when the native Windows support for smart cards is used. Because of a lack of equipment to test the extraction of PIN codes, this has not been experimented with for this paper. Not much information about this attack has been released yet, so there is not much publicly available information about how it is done, but it can be assumed that it works very similarly to the extraction of the password when PIN and picture password are used, see Figure 4.

Fig. 4. A smart card's PIN code extracted with the use of mimikatz [Delpy 2014c]

5. CONCLUSION

Many of the attacks mentioned in this paper look like they are from a Hollywood spy movie, but this is the reality. Microsoft has some strange vulnerabilities in their login authentication, and there is no simple explanation for why they are still there. Both myself and others have tried to get in touch with the Microsoft security team to get answers on why these techniques are still possible, but with no luck. People that are into computer security, as the reader of this paper probably is, tend to be aware of the risks to their computers, but the average person does not think of this.

One of the most important security measures for computers and other computer-like devices is the use of Full Disk Encryption (FDE). This prevents an adversary from accessing the data on the computer's hard disk, and thereby also prevents an adversary from bypassing the login to the operating system. From Windows 7, Microsoft has included an FDE method called BitLocker, which is very easy to set up and simple to use. The user of the computer will not notice the existence of BitLocker, except for a very slight decrease in performance [Hardware 2010].

If FDE is not an option, for some reason, security measures like a BIOS password or a hard disk password can also be used. A BIOS password does not prevent an adversary from removing the hard disk from the computer and retrieving either the password hashes from the SAM file or the Windows Vault from the vault files. What it prevents is, for example, the use of tools like Kon-Boot, or other live CDs/DVDs/pendrives capable of either resetting passwords or extracting hashes, when the adversary is not able to remove the disk. Hard disk passwords, also known as ATA passwords, are a separate matter. Some company policies consider them just as good as FDE, but this is not disk encryption; it only uses a part of the ATA standard for hard disks, and in many cases there exists a master password which overrides the one set by the user [ISEE0XDEADDISKS 2008].

Firewire attacks bypass all protection of the hard disk if a user has locked a logged-in system. To mitigate this, the Firewire and/or PCMCIA port must be disabled in some way, or automatic PCMCIA driver installation should be disabled.

The final conclusion of this paper must be: never leave your computer unattended!

REFERENCES

Amazon. 2014. Amazon EC2 pricing. http://aws.amazon.com/ec2/pricing/. Accessed: 21.feb.2014.
Amplia. 2013. Windows credential manager. http://www.ampliasecurity.com/research/windows-credentials-editor/. Accessed: 6.mar.2014.
Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Conference on Offensive Technologies. USENIX Association, 1–7.
Bonneau, J., Preibusch, S., and Anderson, R. 2012. A birthday present every eleven wallets? The security of customer-chosen banking PINs. In Financial Cryptography and Data Security. Springer, 25–40.
Bursztein, E. and Picod, J. M. 2010. Recovering Windows secrets and EFS certificates offline. In Proceedings of the 4th USENIX Conference on Offensive Technologies. Berkeley, USA: USENIX Association.
DataGenetics. 2012. PIN analysis. http://www.datagenetics.com/blog/september32012/. Accessed: 7.jan.2014.
Delpy, B. 2011. Re – pass the pass. http://blog.gentilkiwi.com/securite/re-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2012. Re - re – pass the pass. http://blog.gentilkiwi.com/securite/rere-pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014a. Blog de Gentil Kiwi. http://blog.gentilkiwi.com. Accessed: 21.feb.2014.
Delpy, B. 2014b. mimikatz. http://blog.gentilkiwi.com/mimikatz. Accessed: 17.jan.2014.
Delpy, B. 2014c. mimikatz can now extract *pin code* of smartcards associated with logon sessions. https://twitter.com/gentilkiwi/status/437719635404673025/photo/1. Accessed: 26.feb.2014.
Delpy, B. 2014d. Pass the pass. http://blog.gentilkiwi.com/securite/pass-the-pass. Accessed: 24.feb.2014.
Delpy, B. 2014e. Windows 8, code PIN et mot de passe image. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-code-pin-mot-de-passe-image. Accessed: 23.jan.2014.
Delpy, B. 2014f. Windows 8, empreintes digitales. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-empreintes-digitales. Accessed: 24.jan.2014.
Dieterle, D. W. 2014. Basic Security Testing with Kali Linux, 1st ed. CreateSpace Independent Publishing Platform.
Falde, K. 2013. Restricted admin mode for RDP in Windows 8.1 / 2012 R2. http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx. Accessed: 18.feb.2014.
Freerainbowtables. 2014. Rainbow tables available. https://www.freerainbowtables.com/en/tables2/. Accessed: 26.feb.2014.
Griffin, D. 2007. Create custom login experiences with credential providers for Windows Vista. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx. Accessed: 24.feb.2014.
Hagen, P. N. 2014. Offline NT password and registry editor. http://pogostick.net/~pnh/ntpasswd/. Accessed: 23.feb.2014.
Hardware, T. 2010. System encryption: BitLocker and TrueCrypt compared. http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587-9.html. Accessed: 24.jan.2014.
ISEE0XDEADDISKS. 2008. List of hard disk ATA master passwords. http://ipv5.wordpress.com/2008/04/14/list-of-hard-disk-ata-master-passwords/. Accessed: 21.feb.2014.
Long, J. and Mitnick, K. 2011. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Elsevier Science.
Lowe, M. 2013. New "restricted admin" feature of RDP 8.1 allows pass-the-hash. https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/. Accessed: 18.feb.2014.
Maartmann-Moe, C. 2011. Inception. http://www.breaknenter.org/projects/inception/. Accessed: 18.feb.2014.
McClure, S., Scambray, J., and Kurtz, G. 2009. Hacking Exposed: Network Security Secrets and Solutions. McGraw-Hill.
Microsoft. 2013. What's new in biometrics in Windows 8.1. http://technet.microsoft.com/library/dn344916.aspx. Accessed: 24.jan.2014.
Microsoft. 20xx. MSV1_0 authentication package. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx. Accessed: 24.feb.2014.
Mythbusters. 2006. Fingerprint scanners are unbeatable. http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm. Accessed: 18.feb.2014.
Passcape. 2011. LSA secrets in Windows. http://www.passcape.com/index.php?setLang=2&section=blog&cmd=details&id=15. Accessed: 21.feb.2014.
Passcape. 2012a. DPAPI secrets. Security analysis and data recovery in DPAPI (part 1). http://www.passcape.com/index.php?section=blog&cmd=details&id=20. Accessed: 21.feb.2014.
Passcape. 2012b. Security breach in Windows 7 and Windows 8 biometric authentication. http://www.passcape.com/index.php?section=blog&cmd=details&id=31. Accessed: 23.jan.2014.
Passcape. 2012c. Windows 8 stores logon passwords in plain-text. http://www.passcape.com/index.php?section=blog&cmd=details&id=27. Accessed: 7.jan.2014.
Passcape. 2014. Passcape. http://www.passcape.com. Accessed: 21.feb.2014.
Pilkington, M. 2012. Protecting privileged domain accounts: Disabling encrypted passwords. http://digital-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords. Accessed: 24.feb.2014.
Rapid7. 2011. Microsoft Windows authenticated administration utility. http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_command. Accessed: 18.feb.2014.
Ronin. 2014. Passing the hash with remote. http://www.kali.org/penetration-testing/passing-hash-remote-desktop/. Accessed: 18.feb.2014.
Skullsecurity. 2011. Passwords. https://wiki.skullsecurity.org/Passwords. Accessed: 21.feb.2014.
Spylogic. 2008. What is digest authentication? http://www.spylogic.net/2008/05/winlockpwn-more-then-a-partytrick/. Accessed: 20.feb.2014.
Superuser. 2012. How to get a screensaver at the Windows 7 login screen? http://superuser.com/questions/107200/how-to-get-a-screensaver-at-the-windows-7-login-screen. Accessed: 26.feb.2014.
thelead82. 2013. Kon-Boot for Windows. http://www.thelead82.com/products-win.html. Accessed: 17.jan.2014.
Wolthusen, S. D. 2014. Lecture slides IMT4541 Foundations in Information Security.
xkcd. 2013. Password strength. https://xkcd.com/936/. Accessed: 24.jan.2014.
ZDNet. 2014. The history of Windows: A timeline. http://www.zdnet.com/the-history-of-windows-a-timeline-7000025145/. Accessed: 18.feb.2014.
Zhao, Z., Ahn, G.-J., Seo, J.-J., and Hu, H. 2013. On the security of picture gesture authentication. In Proceedings of the 22nd USENIX Conference on Security. USENIX Association, 383–398.
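As an added example that is not part of the paper, the following PowerShell script audits the mitigations recommended in Section 5 on the local host: BitLocker on the system volume, the Firewire DMA drivers, and the device-installation restriction that blocks automatic 1394 driver installation. It assumes the BitLocker PowerShell module of Windows 8 and later, and that the 1394ohci/sbp2port driver values and the DenyDeviceIDs policy follow Microsoft's KB2516445 DMA-hardening guidance (PCI\CC_0C0010 is the compatible ID of 1394 OHCI host controllers).

```powershell
# Added example, not code from the paper: audits the Section 5 mitigations on the
# local Windows 8/8.1 host. Run from an elevated PowerShell prompt. Assumed: the
# BitLocker module (Windows 8 and later) is present, and the driver and policy
# values follow Microsoft's KB2516445 DMA-hardening guidance.

function Get-DriverStartValue {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }   # driver not present on this build
    (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
}

function Test-LoginBypassMitigations {
    $findings = @()

    # 1. Full disk encryption: the OS volume must be fully encrypted with protection
    #    on, otherwise a boot CD or pendrive still reaches the SAM and the Vault files.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
        $findings += "BitLocker on $($env:SystemDrive): $($os.VolumeStatus), protection $($os.ProtectionStatus)"
    }

    # 2. Firewire DMA against a locked, logged-in session: the 1394 OHCI bus driver
    #    and the SBP-2 driver should be disabled (Start = 4).
    foreach ($drv in '1394ohci', 'sbp2port') {
        $start = Get-DriverStartValue -Name $drv
        if ($null -ne $start -and $start -ne 4) {
            $findings += "Driver $drv is not disabled (Start = $start)"
        }
    }

    # 3. Automatic driver installation for hot-plugged controllers: the device
    #    installation restriction policy should deny 1394 host controllers
    #    (compatible ID PCI\CC_0C0010). PCMCIA/CardBus bridges (PCI class 06,
    #    subclasses 05 and 07) can be added to the same list where such slots exist.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $denied = @()
    if (Test-Path "$policy\DenyDeviceIDs") {
        $denied = (Get-ItemProperty "$policy\DenyDeviceIDs").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $enabled = (Get-ItemProperty -Path $policy -Name DenyDeviceIDs -ErrorAction SilentlyContinue).DenyDeviceIDs
    if ($enabled -ne 1 -or $denied -notcontains 'PCI\CC_0C0010') {
        $findings += 'Device installation restriction for 1394 controllers (PCI\CC_0C0010) is not enforced'
    }

    if ($findings.Count -eq 0) { 'All Section 5 mitigations are in place' } else { $findings }
}

Test-LoginBypassMitigations
```

The script reports findings rather than changing settings; a machine with BitLocker off or with the 1394 drivers still enabled is exposed to the offline and DMA attacks the paper describes.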