Protecting browsers’ secrets in a domain environment
All popular browsers allow users to store sensitive data such as credentials for online and cloud services (social networks, email providers, banking) and form data (e.g. credit card number, address, phone number). In a Windows environment, most browsers (and many other applications) protect these secrets with the Windows Data Protection API (DPAPI), which provides an easy method to encrypt and decrypt secret data under the logged-on user's context. Recently, Mimikatz, a popular pentest/hacking tool, was updated with functionality that allows highly privileged attackers to decrypt all DPAPI secrets. In this talk, I will analyze the Mimikatz anti-DPAPI attack targeting the Domain Controller (DC), which puts all DPAPI secrets in peril, and show how it can be defeated with network monitoring.

  1. Attack Kill Chain
  2. Attack Kill Chain
  3. • “Login Data” file contains our passwords: %LocalAppData%\Google\Chrome\User Data\Default\Login Data
     • SQLite file format
  4. Chromium Project (OSCrypt's Windows back end, which wraps CryptProtectData/CryptUnprotectData): https://chromium.googlesource.com/chromium/src/+/master/components/os_crypt/os_crypt_win.cc
  5. https://www.usenix.org/legacy/event/woot10/tech/full_papers/Burzstein.pdf
  6. https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics
  7. • Steal user1's Gmail credentials residing in the Chrome browser
     • Attacker is logged on to user2's (domain admin) machine
  8. • User1's Gmail password:
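Slides 3 and 4 state the two facts the attack rests on: "Login Data" is an ordinary SQLite file, and only the password column is protected, by a CryptProtectData blob. The script below, an added example that is neither the talk's code nor Chromium's, reads such a file and parses the header of each DPAPI blob without decrypting anything. The point is the master-key GUID in that header: it names the master-key file under %APPDATA%\Microsoft\Protect\<SID>\ that an attacker holding the domain's DPAPI backup key can unwrap for any domain user, which is exactly why a key pulled from the DC turns into user1's Gmail password on user2's machine. The database (three columns only), the master-key GUID and the blob are constructed test data; the blob follows the documented DPAPI layout but its salt, HMAC, ciphertext and signature bytes are placeholders, and its description string is a test marker, not something Chrome writes.

```python
"""Read a Chrome "Login Data" file and parse the DPAPI blob header of each stored
password.  Added example (not the talk's code, not Chromium code).  All sample data
is CONSTRUCTED: the blob has the CryptProtectData layout but placeholder contents."""
import os
import sqlite3
import struct
import tempfile
import uuid

# Every CryptProtectData blob starts with a 4-byte version (1) and this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_AES_256 = 0x6610   # CryptoAPI ALG_IDs, used here only to label the test blob
CALG_SHA_512 = 0x800E


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf, off):
    """A DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob):
    """Return the header of a DPAPI blob: master-key GUID (names the file under
    %APPDATA%\\Microsoft\\Protect\\<SID>\\ that must be unwrapped first), description
    and algorithms.  Nothing is decrypted.  Raises ValueError for non-DPAPI bytes."""
    off = 0
    version, off = _u32(blob, off)
    provider = uuid.UUID(bytes_le=blob[off:off + 16])
    off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    _mk_version, off = _u32(blob, off)
    master_key = uuid.UUID(bytes_le=blob[off:off + 16])
    off += 16
    flags, off = _u32(blob, off)
    desc, off = _counted(blob, off)            # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(blob, off)
    _crypt_bits, off = _u32(blob, off)
    salt, off = _counted(blob, off)
    _hmac_key, off = _counted(blob, off)
    alg_hash, off = _u32(blob, off)
    _hash_bits, off = _u32(blob, off)
    _hmac2_key, off = _counted(blob, off)
    data, off = _counted(blob, off)            # the actual ciphertext
    sign, off = _counted(blob, off)            # HMAC over the blob
    return {
        "master_key_guid": str(master_key),
        "flags": flags,
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": alg_crypt,
        "alg_hash": alg_hash,
        "salt_len": len(salt),
        "data_len": len(data),
        "sign_len": len(sign),
    }


def extract_logins(db_path):
    """Read the logins table the way a stealer on the victim's box would.  The file is
    plain SQLite: origin_url and username_value are cleartext; only password_value is
    a DPAPI blob, bound to the user (or machine) context that encrypted it."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT origin_url, username_value, password_value "
                           "FROM logins ORDER BY rowid").fetchall()
    finally:
        con.close()
    result = []
    for url, user, pw in rows:
        entry = {"origin_url": url, "username": user, "dpapi": None}
        try:
            entry["dpapi"] = parse_dpapi_blob(pw)
        except (ValueError, struct.error):
            pass   # e.g. the "v10" AES-GCM format that newer Chrome versions use
        result.append(entry)
    return result


# --- constructed sample data (placeholders, not real Chrome or DPAPI output) ---
TEST_MK_GUID = uuid.UUID("1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d")   # made-up GUID


def build_test_blob(master_key_guid, description, ciphertext):
    """Pack bytes in the DPAPI blob layout so parse_dpapi_blob has something to read."""
    def counted(b):
        return struct.pack("<I", len(b)) + b
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + master_key_guid.bytes_le
            + struct.pack("<I", 0) + counted(desc)
            + struct.pack("<II", CALG_AES_256, 256) + counted(b"S" * 32) + counted(b"")
            + struct.pack("<II", CALG_SHA_512, 512) + counted(b"H" * 32)
            + counted(ciphertext) + counted(b"M" * 64))


def make_test_login_data():
    """Write a minimal "Login Data" file (only the three columns used above) to a
    temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "Login Data")
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                    "password_value BLOB)")
        con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                    ("https://accounts.google.com/", "user1@gmail.com",
                     build_test_blob(TEST_MK_GUID, "constructed-test", b"X" * 24)))
        con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                    ("https://example.test/", "user1", b"v10" + b"\x00" * 20))
    con.close()
    return path


if __name__ == "__main__":
    for entry in extract_logins(make_test_login_data()):
        print(entry)
```

Two practical notes. First, the point of the parser is the `master_key_guid` field: with user1's master-key file and the domain backup key, the attacker never needs user1's password, so "the attacker is logged on to a different machine" (slide 7) is no obstacle. Second, Chrome 80 and later no longer put a raw DPAPI blob in `password_value`; the column holds a `v10`-prefixed AES-GCM value, and the DPAPI blob to parse is the `os_crypt.encrypted_key` entry in the profile's Local State file, so on a current profile the second branch above is the normal case.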

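The defence the abstract promises is detection on the wire rather than on the endpoint. On a DC the domain DPAPI backup key is kept in LSA secrets named G$BCKUPKEY_PREFERRED (which holds the GUID of the current key) and G$BCKUPKEY_<GUID> (the key itself); legitimate DPAPI clients never read those secrets, they call the BackupKey (MS-BKRP) interface and the DC reads the secret locally, whereas mimikatz's lsadump::backupkeys retrieves them remotely over LSARPC with LsaRetrievePrivateData. The rule below, an added example and not the talk's code or Microsoft ATA logic, runs over decoded LSARPC records and raises one alert per client that read a backup-key secret. The record format (field names, the `op` and `secret` columns) is an assumption standing in for whatever a real sensor emits, and every record is constructed; the IPs, users and key GUID are made up.

```python
"""Flag the LSARPC pattern mimikatz uses to pull the domain DPAPI backup key from a
domain controller.  Added example (not the talk's code, not Microsoft ATA logic).
Records are a CONSTRUCTED sensor format; field names are assumptions."""

# LSA secrets on a DC that hold the DPAPI backup key.  Normal DPAPI clients never read
# them (they use the MS-BKRP BackupKey interface); a remote read is the attacker's tell.
BACKUP_KEY_SECRET_PREFIX = "G$BCKUPKEY_"
BACKUP_KEY_POINTER = "G$BCKUPKEY_PREFERRED"
# MS-LSAD operations that return a secret's value to the caller.
SECRET_READ_OPS = {"LsarRetrievePrivateData", "LsarQuerySecret"}

# Constructed decoded-LSARPC records: timestamp, client and server IPs, the
# authenticated user, the operation and (where applicable) the secret name.
SAMPLE_RECORDS = [
    {"ts": "2016-06-20T09:01:02Z", "src": "10.0.0.31", "dst": "10.0.0.10",
     "user": "CORP\\user1", "op": "LsarLookupNames", "secret": None},
    {"ts": "2016-06-20T09:05:10Z", "src": "10.0.0.25", "dst": "10.0.0.10",
     "user": "CORP\\user2", "op": "LsarOpenPolicy2", "secret": None},
    {"ts": "2016-06-20T09:05:11Z", "src": "10.0.0.25", "dst": "10.0.0.10",
     "user": "CORP\\user2", "op": "LsarRetrievePrivateData",
     "secret": "G$BCKUPKEY_PREFERRED"},
    {"ts": "2016-06-20T09:05:11Z", "src": "10.0.0.25", "dst": "10.0.0.10",
     "user": "CORP\\user2", "op": "LsarRetrievePrivateData",
     "secret": "G$BCKUPKEY_7d1e3f5a-1111-4222-8333-444455556666"},   # made-up GUID
    {"ts": "2016-06-20T09:07:40Z", "src": "10.0.0.40", "dst": "10.0.0.10",
     "user": "CORP\\svc_backup", "op": "LsarRetrievePrivateData",
     "secret": "L$constructed-other-secret"},   # other LSA secret reads: separate rule
]


def is_backup_key_read(rec):
    """True for an operation that returns the value of a G$BCKUPKEY_* secret."""
    secret = rec.get("secret") or ""
    return bool(rec["op"] in SECRET_READ_OPS and secret.startswith(BACKUP_KEY_SECRET_PREFIX))


def detect_backup_key_theft(records, domain_controllers):
    """Return one alert per (client, DC, user) that read backup-key secrets.  Severity is
    'high' when both the PREFERRED pointer and a keyed secret were read, i.e. the full
    lsadump::backupkeys sequence; a lone read is 'medium'."""
    groups = {}
    for rec in records:
        if rec["dst"] not in domain_controllers or not is_backup_key_read(rec):
            continue
        key = (rec["src"], rec["dst"], rec["user"])
        g = groups.setdefault(key, {"src": rec["src"], "dc": rec["dst"],
                                    "user": rec["user"], "first_seen": rec["ts"],
                                    "last_seen": rec["ts"], "secrets": []})
        g["last_seen"] = rec["ts"]
        g["secrets"].append(rec["secret"])
    alerts = []
    for g in groups.values():
        has_pointer = BACKUP_KEY_POINTER in g["secrets"]
        has_key = any(s != BACKUP_KEY_POINTER for s in g["secrets"])
        g["severity"] = "high" if has_pointer and has_key else "medium"
        g["description"] = ("remote read of the domain DPAPI backup key "
                            "(mimikatz lsadump::backupkeys pattern)")
        alerts.append(g)
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_key_theft(SAMPLE_RECORDS, {"10.0.0.10"}):
        print(alert)
```

The rule keys on the secret name rather than on the caller's privilege level, because the attacker in the slides is a domain admin and is allowed to make this call; what makes it an alert is that no benign client ever does. The `domain_controllers` set only scopes the rule to servers that actually hold the secret, so an alert is a client-side anomaly, not a DC misconfiguration. This is the kind of signal a network sensor such as the ATA product linked on slide 6 can see and an endpoint on the attacker's machine cannot.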
