Protecting browsers’ secrets in a domain environment

All popular browsers allow users to store sensitive data such as credentials for online and cloud services (social networks, email providers, banking) and form data (e.g. credit card number, address, phone number). In a Windows environment, most browsers (and many other applications) protect these secrets with the Windows Data Protection API (DPAPI), which provides an easy method to encrypt and decrypt secret data. Lately, Mimikatz, a popular pentest/hacking tool, was updated with functionality that allows highly-privileged attackers to decrypt all DPAPI secrets. In this talk, I will analyze the Mimikatz anti-DPAPI attack targeting the Domain Controller (DC), which puts all DPAPI secrets in peril, and show how it can be defeated with network monitoring.
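The network-monitoring side of this, as an added example that is not part of the talk (the talk's own answer is Microsoft ATA, linked below): Mimikatz's lsadump::backupkeys fetches the domain DPAPI backup key from a DC by calling LsaRetrievePrivateData over LSARPC, once for G$BCKUPKEY_PREFERRED and once for the G$BCKUPKEY_<guid> secret it names. Domain members that legitimately need the backup key go through the separate MS-BKRP BackupKey interface, so LSARPC private-data reads against a DC coming from a workstation are a usable signal. The script below runs that logic over constructed Zeek dce_rpc.log lines; Zeek's column layout, its names for the LSARPC operations (LsarOpenPolicy2, LsarRetrievePrivateData, LsarQuerySecret, LsarOpenSecret), and every address in the sample are assumptions.

```python
"""Flag direct LSA secret reads against domain controllers in Zeek's dce_rpc.log.

Added example, not from the talk. Assumed: Zeek's dce_rpc.log column layout
and operation names for LSARPC; all hosts and timestamps below are constructed.
"""
from collections import defaultdict

# LSARPC operations an attacker uses to pull secrets such as the DPAPI backup key.
SUSPECT_OPS = {"LsarRetrievePrivateData", "LsarOpenSecret", "LsarQuerySecret"}

def parse_zeek_tsv(text: str):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_backupkey_reads(log_text, domain_controllers, allowed_clients=frozenset()):
    """Return one alert per (client, DC) pair that issued LSA secret reads."""
    hits = defaultdict(list)
    for rec in parse_zeek_tsv(log_text):
        if rec.get("endpoint") != "lsarpc" or rec.get("operation") not in SUSPECT_OPS:
            continue
        if rec["id.resp_h"] not in domain_controllers or rec["id.orig_h"] in allowed_clients:
            continue
        hits[(rec["id.orig_h"], rec["id.resp_h"])].append((float(rec["ts"]), rec["operation"]))
    alerts = []
    for (src, dc), events in sorted(hits.items()):
        events.sort()
        span = events[-1][0] - events[0][0]
        alerts.append({
            "src": src, "dc": dc, "first_ts": events[0][0],
            "ops": [op for _, op in events],
            # two private-data reads within seconds matches the PREFERRED + <guid> pattern
            "severity": "high" if len(events) >= 2 and span < 10 else "medium",
        })
    return alerts

COLS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
        "rtt", "named_pipe", "endpoint", "operation"]

def _row(ts, uid, src, sport, dst, op):
    return "\t".join([ts, uid, src, sport, dst, "445", "0.0010", "\\pipe\\lsarpc", "lsarpc", op])

# Constructed log: 10.0.0.10 is the DC, 10.0.0.25 the domain-admin workstation running
# mimikatz, 10.0.0.30 a workstation doing a benign SID lookup, 10.0.0.11 a second DC.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(COLS),
    _row("1463500000.100000", "CA1", "10.0.0.25", "49811", "10.0.0.10", "LsarOpenPolicy2"),
    _row("1463500000.110000", "CA1", "10.0.0.25", "49811", "10.0.0.10", "LsarRetrievePrivateData"),
    _row("1463500000.120000", "CA1", "10.0.0.25", "49811", "10.0.0.10", "LsarRetrievePrivateData"),
    _row("1463500001.000000", "CA2", "10.0.0.30", "50123", "10.0.0.10", "LsarLookupSids2"),
    _row("1463500002.000000", "CA3", "10.0.0.11", "50200", "10.0.0.10", "LsarRetrievePrivateData"),
])

def demo():
    """Run the detection over the constructed log, allowlisting the second DC."""
    return find_backupkey_reads(SAMPLE_LOG, {"10.0.0.10", "10.0.0.11"},
                                allowed_clients={"10.0.0.11"})

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The allowlist is there for backup or replication hosts you have verified; the point of the rule is that a single LsaRetrievePrivateData from an ordinary client to a DC is already worth a ticket, and the PREFERRED-then-GUID pair within a few seconds is the Mimikatz shape.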

Published in: Software

  1. • Attack Kill Chain
  2. Attack Kill Chain
  3. • “Login Data” file contains our saved passwords (DPAPI-encrypted): %LocalAppData%\Google\Chrome\User Data\Default\Login Data
     • SQLite file format
  4. Chromium Project (Chrome's DPAPI wrapper): https://chromium.googlesource.com/chromium/src/+/master/components/os_crypt/os_crypt_win.cc
  5. https://www.usenix.org/legacy/event/woot10/tech/full_papers/Burzstein.pdf
  6. https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
  7. • Steal user1’s Gmail credentials stored in the Chrome browser
     • Attacker is logged on to user2’s (domain admin) machine
  8. • User1’s Gmail password:
