SlideShare a Scribd company logo

ISF høstkonferanse 2014 - Windows 8 autentisering og passord

J
John-André Bjørkhaug
Technology
1 of 22
Download to read offline
Passordsikkerhet i Windows 8 John-André BjørkhaugSenior rådgiver informasjonssikkerhet john-andre.bjorkhaug@combitech.no
2 /me •John-André Bjørkhaug •BSc Electronics engineering •CERN (SCADA), NSM (Pentest), Evry (Pentest+Network) •Senior advisor information security @ Combitech •In progress: Master i informasjonssikkerhet student @ HiG •CCNP Security, LPT, CHFI, CEH, CPT, CEPT, CREA, Security+, etc. etc etc
Hvorfor studere autentisering i Windows 8 •Mange papers å skrive på en masterutdanning ... •"Foundations in information security" @ HiG •"Vulnerabilities in login authentication methods and password storage in Windows 8" •http://www.slideshare.net/JohnAndrBjrkhaug/bjorkhaug2014windows8 4
Pre-Windows 8 5
Klassiske passordsårbarheter [1] Hashes •Hash av passord er lagret i SAM database •Ingen salt (random data lagt til passord) •Brute-Force, Dictionary, Rainbowtable •LM (Opp til Windows Vista/2008) •Passord -> omgjort til store bokstaver og delt i 7+7 •Rainbowtable -> 14 tegns passord, alle tegn •NTLM •Rainbowtable -> 8 tegns passord, alle tegn •Kan brukes i «pass-the-hash» attack •Logger på enheter med samme passord vha hash over nettet (SMB) •Metasploit •Snakk med Per ! :-) 6
Klassiske passordsårbarheter [2] Omgå passord •Bytt passord vha offline editering av Registry •Linux boot CD (Peter Nordahl-Hagen) •Patch pålogging ved oppstart •KonBoot •Patch autentiseringsmekanisme i minne •FireWire (Inception, Carsten Maartmann-Moe) •PCI Express (DefCon 2014, Fitzpatrick/Crabill) •Utility manager, Utilman.exe (Win+u) •Sticky keys, sethc.exe (shift x 5) 7
Klassiske passordsårbarheter [3] "Klartekst"-lagring av passord •Innført i Windows XP •Wdigest •"Single sign on" mot HTTP (eks Sharepoint) •tspkg •"Single sign on" mot RDP (Remote Desktop) •LiveSSP, Kerberos +++ •Disablet i Windows 8, men enables hvis SSO blir benyttet •Kryptert med LsaProtectMemory, men dekrypteres lett med LsaUnprotectMemory<-fast nøkkel :-D •mimikatz fra Benjamin Delpy •Windows Credential Editor fra Amplia Security 8
Windows 8/8.1Nå med flere sårbarheter ;-) 9
Alt det gamle fungerer fortsatt!!! •Offline registry edit •NTLM, ingen salt -> Rainbowtables •Pass-the-Hash •Patching av autentiseringsmekansime, boot eller i minne •WDigest etc. •Utilman/Sethc •Microsoft: Hvorfor?
Touchscreen og passord •Skjermtastatur •Kronglete med 1337Pa$$W0rD!!# •iOS & Android •PIN •Mønster •PWND -> Shouldersurfing •Ansiktsgjennkjenning •Pwnd -> bilde •Fingerprint (iPhone 5, Galaxy S5) •Pwnd -> trelim •Windows 8 på mange forskjellige enheter nå 11 Bildet hentet fra: http://www.abica.co.uk/uncategorized/windows-8-business-personal-or-both/attachment/windows-8-devices/
Windows 8/8.1 •Picture password •PIN •Passord •Fingeravtrykk •Smartcard
DPAPI & Windows Vault [1] •Data Protection Application Programming Interface •Introdusert i Windows 2000 •Ingen detaljer offentliggjort av Microsoft •Enkel metode for å lagre sensitive data på disk •Outlook, Skype, Internet explorer, Credential manager, Microsoft Vault (erstatter Credential Manger fra Windows 7) etc etc •Windows 7 •AES256 encryption in CBC-mode •SHA512 for hashing •PBKDF2 for nøkkelgenerering i public key 13
DPAPI & Windows Vault [2] •Nøklerhentes fra master key file, og lagres i minne •Kan da hente ut passord ol. fra Vault •Pre-Windows 8: Kun innlogget bruker •FOM Windows 8: DPAPI-NG. Samme «database» for alle lokale brukere på samme maskin •PIN, Picture password og fingeravtrykk, gjør at passord blir lagret i Vault! 14
PIN •Maksimum 4 siffer ! •Statistikk: http://www.datagenetics.com/blog/september32012/ •Bruk av PIN gjør at både PIN og passord lagres i Vault •Fram til januar 2014, kun russiske Passcode med kommersiell "dyr" programvare kunne lese ut informasjon fra Vault 15
Gratis og opensource : Mimikatz Dump med mimikatz: Takk Benjamin Delpy!
Bildepassord •Shoulder surfing •Bruk av bildepassord gjør a både koordinater og passord lagres i Vault •Dump med mimikatz: 17 Bilde hentet fra: Bilde fra Terminator 2
Fingeravtrykk •Mythbusters •Latex •Papir •youtube.com/watch?v=lkvwhInv828 •Bruk av fingeravtrykk gjør at både fingeravtrykk og passord lagres i Vault •Dump med mimikatz: 18
19 Flerfaktorautentisering •Ved bruk av Smart kort, lagres PIN og passord i Vault •Dump med mimikatz fra Delpy ---------> 19
DEMO 20
Løsninger Full Disk Encryption Bitlocker BIOS passord Tastelås på enheter/skjermsparer Ikke bruk Firewire Lås PC kabinett (PCIe) Rope på Microsoft ...?
22 Spørsmål?
Kontakt meg •E-mail: john-andre.bjorkhaug@combitech.no john.bjorkhaug@gmail.com info@combitech.no •Twitter: @jabjorkhaug •Linkedin: linkedin.com/in/bjorkhaug •Telefon: 93 46 40 53

Recommended

Generating random primes
Generating random primesGenerating random primes
Generating random primes
John-André Bjørkhaug
 
Presentation english y-Banners
Presentation english y-BannersPresentation english y-Banners
Presentation english y-Banners
opportunitygroup
 
Vulnerabilities in login authentication methods and password storage in Windo...
Vulnerabilities in login authentication methods and password storage in Windo...Vulnerabilities in login authentication methods and password storage in Windo...
Vulnerabilities in login authentication methods and password storage in Windo...
John-André Bjørkhaug
 
The Hagelin M-209 cipher machine
The Hagelin M-209 cipher machineThe Hagelin M-209 cipher machine
The Hagelin M-209 cipher machine
John-André Bjørkhaug
 
ASURED presentation
ASURED presentationASURED presentation
ASURED presentation
Center of Excellence in Planning
 
(IMSI-)Catch me if you can
(IMSI-)Catch me if you can(IMSI-)Catch me if you can
(IMSI-)Catch me if you can
John-André Bjørkhaug
 
Fighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout RandomizationFighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout Randomization
John-André Bjørkhaug
 
Determination of some heavy metals possibly present in drinking stations foun...
Determination of some heavy metals possibly present in drinking stations foun...Determination of some heavy metals possibly present in drinking stations foun...
Determination of some heavy metals possibly present in drinking stations foun...
dfajdbsj
 

Recommended

Generating random primes
Generating random primesGenerating random primes
Generating random primes
John-André Bjørkhaug
 
Presentation english y-Banners
Presentation english y-BannersPresentation english y-Banners
Presentation english y-Banners
opportunitygroup
 
Vulnerabilities in login authentication methods and password storage in Windo...
Vulnerabilities in login authentication methods and password storage in Windo...Vulnerabilities in login authentication methods and password storage in Windo...
Vulnerabilities in login authentication methods and password storage in Windo...
John-André Bjørkhaug
 
The Hagelin M-209 cipher machine
The Hagelin M-209 cipher machineThe Hagelin M-209 cipher machine
The Hagelin M-209 cipher machine
John-André Bjørkhaug
 
ASURED presentation
ASURED presentationASURED presentation
ASURED presentation
Center of Excellence in Planning
 
(IMSI-)Catch me if you can
(IMSI-)Catch me if you can(IMSI-)Catch me if you can
(IMSI-)Catch me if you can
John-André Bjørkhaug
 
Fighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout RandomizationFighting buffer overflows with Address Space Layout Randomization
Fighting buffer overflows with Address Space Layout Randomization
John-André Bjørkhaug
 
Determination of some heavy metals possibly present in drinking stations foun...
Determination of some heavy metals possibly present in drinking stations foun...Determination of some heavy metals possibly present in drinking stations foun...
Determination of some heavy metals possibly present in drinking stations foun...
dfajdbsj
 
Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...
John-André Bjørkhaug
 
Kroma Tower Gateway Update 021414
Kroma Tower Gateway Update 021414Kroma Tower Gateway Update 021414
Kroma Tower Gateway Update 021414
PhilPRIME REAL ESTATE
 
The Algebra of Functions
The Algebra of FunctionsThe Algebra of Functions
The Algebra of Functions
Christopher Gratton
 
Probability 2 - Math Academy - JC H2 maths A levels
Probability 2 - Math Academy - JC H2 maths A levelsProbability 2 - Math Academy - JC H2 maths A levels
Probability 2 - Math Academy - JC H2 maths A levels
Math Academy Singapore
 
X2 t01 01 arithmetic of complex numbers (2013)
X2 t01 01 arithmetic of complex numbers (2013)X2 t01 01 arithmetic of complex numbers (2013)
X2 t01 01 arithmetic of complex numbers (2013)
Nigel Simmons
 
Function Tables
Function TablesFunction Tables
Function Tables
apacura
 
5 1 complex numbers
5 1 complex numbers5 1 complex numbers
5 1 complex numbers
math123b
 
Probability 1 - Math Academy - JC H2 maths A levels
Probability 1 - Math Academy - JC H2 maths A levelsProbability 1 - Math Academy - JC H2 maths A levels
Probability 1 - Math Academy - JC H2 maths A levels
Math Academy Singapore
 
Writing Function Rules
Writing Function RulesWriting Function Rules
Writing Function Rules
Bitsy Griffin
 
The Complexity Of Primality Testing
The Complexity Of Primality TestingThe Complexity Of Primality Testing
The Complexity Of Primality Testing
Mohammad Elsheikh
 
Math academy-partial-fractions-notes
Math academy-partial-fractions-notesMath academy-partial-fractions-notes
Math academy-partial-fractions-notes
Math Academy Singapore
 
2 4 solving rational equations
2 4 solving rational equations2 4 solving rational equations
2 4 solving rational equations
math123b
 
Complex Numbers 1 - Math Academy - JC H2 maths A levels
Complex Numbers 1 - Math Academy - JC H2 maths A levelsComplex Numbers 1 - Math Academy - JC H2 maths A levels
Complex Numbers 1 - Math Academy - JC H2 maths A levels
Math Academy Singapore
 
Grunnleggende IT-forståelse
Grunnleggende IT-forståelseGrunnleggende IT-forståelse
Grunnleggende IT-forståelse
Kenneth Lykkås
 
Ransomware erfaringer 2021
Ransomware erfaringer 2021Ransomware erfaringer 2021
Ransomware erfaringer 2021
Marius Sandbu
 
Windows binærfiler
Windows binærfilerWindows binærfiler
Windows binærfiler
Oddvar Moe
 
Dømmekraft 1
Dømmekraft 1Dømmekraft 1
Dømmekraft 1
Eva Bratvold
 
10 ting
10 ting10 ting
10 ting
ermi2
 
TYVE TING
TYVE TINGTYVE TING
TYVE TING
ermi2
 

More Related Content

Viewers also liked

Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...
John-André Bjørkhaug
 
X2 t01 01 arithmetic of complex numbers (2013)
X2 t01 01 arithmetic of complex numbers (2013)X2 t01 01 arithmetic of complex numbers (2013)
X2 t01 01 arithmetic of complex numbers (2013)
Nigel Simmons
 
Writing Function Rules
Writing Function RulesWriting Function Rules
Writing Function Rules
Bitsy Griffin
 
2 4 solving rational equations
2 4 solving rational equations2 4 solving rational equations
2 4 solving rational equations
math123b
 

Viewers also liked (13)

Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...Smart grid networks and security architecture: Threat analysis, threat scenar...
Smart grid networks and security architecture: Threat analysis, threat scenar...
 
Kroma Tower Gateway Update 021414
Kroma Tower Gateway Update 021414Kroma Tower Gateway Update 021414
Kroma Tower Gateway Update 021414
 
The Algebra of Functions
The Algebra of FunctionsThe Algebra of Functions
The Algebra of Functions
 
Probability 2 - Math Academy - JC H2 maths A levels
Probability 2 - Math Academy - JC H2 maths A levelsProbability 2 - Math Academy - JC H2 maths A levels
Probability 2 - Math Academy - JC H2 maths A levels
 
X2 t01 01 arithmetic of complex numbers (2013)
X2 t01 01 arithmetic of complex numbers (2013)X2 t01 01 arithmetic of complex numbers (2013)
X2 t01 01 arithmetic of complex numbers (2013)
 
Function Tables
Function TablesFunction Tables
Function Tables
 
5 1 complex numbers
5 1 complex numbers5 1 complex numbers
5 1 complex numbers
 
Probability 1 - Math Academy - JC H2 maths A levels
Probability 1 - Math Academy - JC H2 maths A levelsProbability 1 - Math Academy - JC H2 maths A levels
Probability 1 - Math Academy - JC H2 maths A levels
 
Writing Function Rules
Writing Function RulesWriting Function Rules
Writing Function Rules
 
The Complexity Of Primality Testing
The Complexity Of Primality TestingThe Complexity Of Primality Testing
The Complexity Of Primality Testing
 
Math academy-partial-fractions-notes
Math academy-partial-fractions-notesMath academy-partial-fractions-notes
Math academy-partial-fractions-notes
 
2 4 solving rational equations
2 4 solving rational equations2 4 solving rational equations
2 4 solving rational equations
 
Complex Numbers 1 - Math Academy - JC H2 maths A levels
Complex Numbers 1 - Math Academy - JC H2 maths A levelsComplex Numbers 1 - Math Academy - JC H2 maths A levels
Complex Numbers 1 - Math Academy - JC H2 maths A levels
 

Similar to ISF høstkonferanse 2014 - Windows 8 autentisering og passord

Similar to ISF høstkonferanse 2014 - Windows 8 autentisering og passord (6)

Grunnleggende IT-forståelse
Grunnleggende IT-forståelseGrunnleggende IT-forståelse
Grunnleggende IT-forståelse
 
Ransomware erfaringer 2021
Ransomware erfaringer 2021Ransomware erfaringer 2021
Ransomware erfaringer 2021
 
Windows binærfiler
Windows binærfilerWindows binærfiler
Windows binærfiler
 
Dømmekraft 1
Dømmekraft 1Dømmekraft 1
Dømmekraft 1
 
10 ting
10 ting10 ting
10 ting
 
TYVE TING
TYVE TINGTYVE TING
TYVE TING
 

ISF høstkonferanse 2014 - Windows 8 autentisering og passord

  • 1. Passordsikkerhet i Windows 8 John-André BjørkhaugSenior rådgiver informasjonssikkerhet john-andre.bjorkhaug@combitech.no
  • 2. 2 /me •John-André Bjørkhaug •BSc Electronics engineering •CERN (SCADA), NSM (Pentest), Evry (Pentest+Network) •Senior advisor information security @ Combitech •In progress: Master i informasjonssikkerhet student @ HiG •CCNP Security, LPT, CHFI, CEH, CPT, CEPT, CREA, Security+, etc. etc etc
  • 3. Hvorfor studere autentisering i Windows 8 •Mange papers å skrive på en masterutdanning ... •"Foundations in information security" @ HiG •"Vulnerabilities in login authentication methods and password storage in Windows 8" •http://www.slideshare.net/JohnAndrBjrkhaug/bjorkhaug2014windows8 4
  • 5. Klassiske passordsårbarheter [1] Hashes •Hash av passord er lagret i SAM database •Ingen salt (random data lagt til passord) •Brute-Force, Dictionary, Rainbowtable •LM (Opp til Windows Vista/2008) •Passord -> omgjort til store bokstaver og delt i 7+7 •Rainbowtable -> 14 tegns passord, alle tegn •NTLM •Rainbowtable -> 8 tegns passord, alle tegn •Kan brukes i «pass-the-hash» attack •Logger på enheter med samme passord vha hash over nettet (SMB) •Metasploit •Snakk med Per ! :-) 6
  • 6. Klassiske passordsårbarheter [2] Omgå passord •Bytt passord vha offline editering av Registry •Linux boot CD (Peter Nordahl-Hagen) •Patch pålogging ved oppstart •KonBoot •Patch autentiseringsmekanisme i minne •FireWire (Inception, Carsten Maartmann-Moe) •PCI Express (DefCon 2014, Fitzpatrick/Crabill) •Utility manager, Utilman.exe (Win+u) •Sticky keys, sethc.exe (shift x 5) 7
  • 7. Klassiske passordsårbarheter [3] "Klartekst"-lagring av passord •Innført i Windows XP •Wdigest •"Single sign on" mot HTTP (eks Sharepoint) •tspkg •"Single sign on" mot RDP (Remote Desktop) •LiveSSP, Kerberos +++ •Disablet i Windows 8, men enables hvis SSO blir benyttet •Kryptert med LsaProtectMemory, men dekrypteres lett med LsaUnprotectMemory<-fast nøkkel :-D •mimikatz fra Benjamin Delpy •Windows Credential Editor fra Amplia Security 8
  • 8. Windows 8/8.1Nå med flere sårbarheter ;-) 9
  • 9. Alt det gamle fungerer fortsatt!!! •Offline registry edit •NTLM, ingen salt -> Rainbowtables •Pass-the-Hash •Patching av autentiseringsmekansime, boot eller i minne •WDigest etc. •Utilman/Sethc •Microsoft: Hvorfor?
  • 10. Touchscreen og passord •Skjermtastatur •Kronglete med 1337Pa$$W0rD!!# •iOS & Android •PIN •Mønster •PWND -> Shouldersurfing •Ansiktsgjennkjenning •Pwnd -> bilde •Fingerprint (iPhone 5, Galaxy S5) •Pwnd -> trelim •Windows 8 på mange forskjellige enheter nå 11 Bildet hentet fra: http://www.abica.co.uk/uncategorized/windows-8-business-personal-or-both/attachment/windows-8-devices/
  • 11. Windows 8/8.1 •Picture password •PIN •Passord •Fingeravtrykk •Smartcard
  • 12. DPAPI & Windows Vault [1] •Data Protection Application Programming Interface •Introdusert i Windows 2000 •Ingen detaljer offentliggjort av Microsoft •Enkel metode for å lagre sensitive data på disk •Outlook, Skype, Internet explorer, Credential manager, Microsoft Vault (erstatter Credential Manger fra Windows 7) etc etc •Windows 7 •AES256 encryption in CBC-mode •SHA512 for hashing •PBKDF2 for nøkkelgenerering i public key 13
  • 13. DPAPI & Windows Vault [2] •Nøklerhentes fra master key file, og lagres i minne •Kan da hente ut passord ol. fra Vault •Pre-Windows 8: Kun innlogget bruker •FOM Windows 8: DPAPI-NG. Samme «database» for alle lokale brukere på samme maskin •PIN, Picture password og fingeravtrykk, gjør at passord blir lagret i Vault! 14
  • 14. PIN •Maksimum 4 siffer ! •Statistikk: http://www.datagenetics.com/blog/september32012/ •Bruk av PIN gjør at både PIN og passord lagres i Vault •Fram til januar 2014, kun russiske Passcode med kommersiell "dyr" programvare kunne lese ut informasjon fra Vault 15
  • 15. Gratis og opensource : Mimikatz Dump med mimikatz: Takk Benjamin Delpy!
  • 16. Bildepassord •Shoulder surfing •Bruk av bildepassord gjør a både koordinater og passord lagres i Vault •Dump med mimikatz: 17 Bilde hentet fra: Bilde fra Terminator 2
  • 17. Fingeravtrykk •Mythbusters •Latex •Papir •youtube.com/watch?v=lkvwhInv828 •Bruk av fingeravtrykk gjør at både fingeravtrykk og passord lagres i Vault •Dump med mimikatz: 18
  • 18. 19 Flerfaktorautentisering •Ved bruk av Smart kort, lagres PIN og passord i Vault •Dump med mimikatz fra Delpy ---------> 19
  • 20. Løsninger Full Disk Encryption Bitlocker BIOS passord Tastelås på enheter/skjermsparer Ikke bruk Firewire Lås PC kabinett (PCIe) Rope på Microsoft ...?
  • 22. Kontakt meg •E-mail: john-andre.bjorkhaug@combitech.no john.bjorkhaug@gmail.com info@combitech.no •Twitter: @jabjorkhaug •Linkedin: linkedin.com/in/bjorkhaug •Telefon: 93 46 40 53