The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21
Asaf Hecht
Security Research Team Leader, @Hechtov
Name: Asaf Hecht
Role: Security Research Team Leader @ CyberArk Labs
M.Sc. degree in Software and Information Systems Engineering
Author of open source tools
Presented at RSA US, BlackHat EU, Infosec and Impact conferences
Submitted 17 patent-pending ideas
Twitter: @Hechtov
How to Start
A Word on CyberArk Labs
Researching from the red side. Goal: have better defenses.
CyberArk Labs Website: https://labs.cyberark.com/
Threat Research Blog: https://www.cyberark.com/resources/threat-research-blog
GitHub – Open Sources For All: https://github.com/cyberark
Examples for the tools: BlobHunter, DllSpy, ACLight, SkyWrapper, Ketshash, Shimit, Kubesploit
Starting The Journey
Modern Environments
How Users See It
[Diagram: the user's view of a modern environment, a separate password, key or secret pattern for every service]
How Attackers See It
[Diagram: the attacker's view of the same environment and its many credentials]
The Current Promising Trends: Passwordless and SSO
Adding SSO
SSO: one password to rule them all
How Attackers See It
SSO: one password to rule them all
Adding Passwordless Technologies
SSO + Passwordless: face recognition, fingerprint, PIN code with TPM, etc.
How Attackers See It
SSO + Passwordless: face recognition, fingerprint, PIN code with TPM, etc. Does it help? What can the attacker still do?
Time to dive into the details
Passwordless Trend: Microsoft leads with Windows Hello
Windows Hello - Background
Windows Hello -> passwordless authentication
Windows Hello for Business vs. Windows Hello (local device)
Password authentication + key-based and certificate-based authentication
Windows Hello - Background
With Hello – new AD attribute for the users: msDS-KeyCredentialLink
Public key is stored in the AD; private key is stored inside the TPM (Trusted Platform Module)
The private key is protected in the TPM with: PIN, face recognition, biometric, etc.
Windows Hello MFA: a key or certificate tied to a physical device, plus something that the person knows (a PIN) or something that the person is (biometrics)
* The private key never leaves the device when using TPM
Windows Hello – Network Login Process
1. Entering PIN / face recognition
2. Unlocking the private key from the TPM
3. The private key is used for starting Kerberos against the AD
4. TGT and NTLM on the endpoint
5. The user can access other resources
* Users still have passwords, but with Hello they authenticate against the public key
What Attackers Can Still Do
Most of the Active Directory attacks still work!!
THE REASON: Windows Hello just changes the first authentication step; after that it's still Kerberos and NTLM in on-prem environments
Pass the Hash, Over-Pass the Hash, Pass the Ticket
Demo - Pass the Ticket attack while Windows Hello is on
Exploiting Windows Hello for Business – Previous Work
Michael Grafnetter (@MGrafnetter) did great research in this area
Attack vectors:
– Injecting custom NGC (Next-Gen Credentials) keys
– Old TPM versions contain a vulnerability that weakens Windows Hello's key strength: CVE-2017-15361 (A.K.A. ROCA)
– Unused and orphaned public keys that are still in the account's properties
Injecting a Windows Hello key into the user
Injecting Custom NGC (Next-Gen Credentials) Keys:
– Generate an RSA key pair
– Create NGC Blob from RSA Public Key
– Write the NGC Blob to Active Directory
– Authenticate Using PKINIT
Prerequisite:
– Write permissions on target user account => means post-exploitation
CVE-2017-15361 A.K.A. ROCA Vulnerability
Source: https://securityaffairs.co/wordpress/64401/breaking-news/roca-vulnerability-cve-2017-15361.html
Exploiting Windows Hello for Business – Previous Work
Source: https://www.darkreading.com/application-security/microsoft-issues-advisory-for-windows-hello-for-business/d/d-id/1336514
Windows Hello's keys of users and devices that were removed might still be useful!
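The keys of removed users and devices live in the msDS-KeyCredentialLink attribute introduced earlier, and the closing recommendations ask for unused Hello keys to be removed. The following Python is an added example, not code from the webinar or from CyberArk: it parses the attribute's DN-Binary encoding and the KEY_CREDENTIAL_LINK_BLOB inside it (the length/identifier/value entries documented in MS-ADTS 2.2.20) and flags keys whose DeviceId has no matching device object or that have not been used within a threshold. The owner DNs, device GUIDs, timestamps and key material are constructed for the run; in a real audit the values come from an LDAP query of msDS-KeyCredentialLink and the device set from the directory's device objects.

```python
"""Audit msDS-KeyCredentialLink values for unused and orphaned Windows Hello keys."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers of KEY_CREDENTIAL_LINK_BLOB (MS-ADTS 2.2.20): after a 4-byte
# version (0x200), each entry is <Length:uint16><Identifier:uint8><Value>.
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 1, 2, 3, 4, 5
DEVICE_ID, CUSTOM_INFO, LAST_LOGON, CREATION_TIME = 6, 7, 8, 9
KEY_USAGE_NAMES = {1: "NGC", 2: "STK", 3: "BitLockerRecovery", 7: "FIDO", 8: "FEK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, little-endian uint64."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_blob(blob):
    """Walk the TLV entries and pull out the fields an audit needs; others are skipped."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported blob version {version:#x}")
    fields, pos = {}, 4
    while pos + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        value = blob[pos + 3:pos + 3 + length]
        pos += 3 + length
        if ident == KEY_ID:
            fields["key_id"] = value.hex()
        elif ident == KEY_USAGE:
            fields["usage"] = KEY_USAGE_NAMES.get(value[0], f"unknown({value[0]})")
        elif ident == DEVICE_ID:
            fields["device_id"] = str(uuid.UUID(bytes_le=value))
        elif ident == LAST_LOGON:
            fields["last_logon"] = filetime_to_datetime(value)
        elif ident == CREATION_TIME:
            fields["created"] = filetime_to_datetime(value)
    return fields


def parse_dn_binary(value):
    """LDAP exposes the attribute as DN-Binary: 'B:<hex length>:<hex blob>:<owner DN>'."""
    tag, hexlen, hexdata, owner = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    fields = parse_blob(bytes.fromhex(hexdata))
    fields["owner"] = owner
    return fields


def audit_key_credentials(values, known_device_ids, now, max_idle_days=90):
    """Return (owner, key_id, usage, reasons) for every key that is orphaned or idle."""
    findings = []
    for value in values:
        key = parse_dn_binary(value)
        reasons = []
        if key.get("device_id") not in known_device_ids:
            reasons.append("orphaned: no matching device object")
        last_used = key.get("last_logon") or key.get("created")
        if last_used is None or now - last_used > timedelta(days=max_idle_days):
            reasons.append(f"unused for more than {max_idle_days} days")
        if reasons:
            findings.append((key["owner"], key.get("key_id"), key.get("usage"), reasons))
    return findings


def build_sample(owner, device_id, created, last_logon, key_material=b"constructed-public-key"):
    """Encode a constructed blob (the key material is a placeholder, not a real RSA key)."""
    def entry(ident, value):
        return struct.pack("<HB", len(value), ident) + value

    def filetime(dt):
        delta = dt - FILETIME_EPOCH
        return struct.pack("<Q", (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10)

    rest = (entry(KEY_MATERIAL, key_material) + entry(KEY_USAGE, b"\x01") + entry(KEY_SOURCE, b"\x00")
            + entry(DEVICE_ID, uuid.UUID(device_id).bytes_le)
            + entry(LAST_LOGON, filetime(last_logon)) + entry(CREATION_TIME, filetime(created)))
    # KeyID is SHA-256 of the key material; KeyHash is SHA-256 over the entries that follow it.
    blob = (struct.pack("<I", 0x200) + entry(KEY_ID, hashlib.sha256(key_material).digest())
            + entry(KEY_HASH, hashlib.sha256(rest).digest()) + rest)
    return f"B:{len(blob.hex())}:{blob.hex()}:{owner}"


NOW = datetime(2021, 6, 23, tzinfo=timezone.utc)
KNOWN_DEVICES = {"11111111-2222-3333-4444-555555555555"}        # constructed device object IDs
SAMPLE_VALUES = [                                                 # constructed attribute values
    build_sample("CN=alice,OU=Users,DC=example,DC=local", "11111111-2222-3333-4444-555555555555",
                 NOW - timedelta(days=200), NOW - timedelta(days=2)),    # healthy key
    build_sample("CN=alice,OU=Users,DC=example,DC=local", "99999999-8888-7777-6666-555555555555",
                 NOW - timedelta(days=400), NOW - timedelta(days=300)),  # device gone, key idle
    build_sample("CN=bob,OU=Users,DC=example,DC=local", "11111111-2222-3333-4444-555555555555",
                 NOW - timedelta(days=150), NOW - timedelta(days=120)),  # device exists, key idle
]


def run_sample():
    return audit_key_credentials(SAMPLE_VALUES, KNOWN_DEVICES, NOW)


if __name__ == "__main__":
    for owner, key_id, usage, reasons in run_sample():
        print(f"{owner} key {key_id[:16]}... ({usage}): {'; '.join(reasons)}")
```

On the constructed values the healthy key produces no finding, the key bound to a device GUID that is absent from the device set is reported as orphaned and idle, and bob's key is reported as idle only. The idle threshold is the tunable part: a key that has never logged on falls back to its creation time, so freshly provisioned keys are not flagged on day one.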
Bypassing Face Recognition with External USB Camera
Stay tuned… The research will be published at the Black Hat US conference
Browser SSO in Hybrid Environments
Hybrid Environment
[Diagram: on-premises network with a Domain Controller (Active Directory), an IAM/SSO solution (on-premises agent), a federation solution (ADFS) and a synchronization solution (Azure AD Connect), connected to the cloud]
Hybrid Environment with Azure
[Diagram: on-premises network with a Domain Controller (Active Directory) and a synchronization solution (Azure AD Connect), connected to the Azure cloud; the device is joined in an on-prem Active Directory]
Hybrid Device Join
[Diagram: the device has a device account in the on-prem Active Directory and a device object in Azure AD, so it is joined in an Azure Active Directory as well]
Example for an AD and AAD joined device
Advantages of Being Hybrid
One of the main advantages in a Hybrid Environment: SSO (Single Sign On) – logon once with your on-prem authentication, access the cloud services and online apps
Browser SSO – Chrome Extension for Windows
* In the Edge browser the SSO is built in natively
Azure Browser SSO – Applications View
Background on Modern Authentication and Authorization
OAuth provides authorization and provides access to resources
OIDC is based on OAuth, adding authentication for SSO
Super popular!
Background on Modern Authentication and Authorization
[Diagram: OAuth2 – the Application, its Refresh Token and its Access Tokens]
OAuth is very popular in modern cloud environments, online apps and hybrid connectivity
In Azure Browser SSO
On an Azure AD Joined Device: the user logs on and gets a PRT (Primary Refresh Token). From the PRT come the Refresh Tokens and Access Tokens for the Applications, and the PRT Cookie (JWT token) used by the browser SSO.
Keys involved:
– Transport Key -> per device (on registration); stored in the TPM, if no TPM -> in the Registry
– Session Key -> per PRT, device; stored in Lsass, in the CloudAP (an authentication package)
– Derived Key -> required for getting Refresh Token
Where the tokens are stored:
– The PRT: in Lsass, in the CloudAP (an authentication package). Local admin can exploit and extract it!
– The tokens for the browser SSO: in the browser and DPAPI. Regular user rights can be used for exploitation and extraction of the SSO tokens!
Attacking Azure Browser SSO
– Regular user privileges: the attacker can request regular refresh tokens (like the user)
– Local administrator privileges: the attacker can extract the PRT and the derived key from the machine, and access Azure AD connected resources
NEW Attack - Pass The PRT: with local administrator privileges, extract the PRT and the derived key from the machine, then access any Azure AD connected resource
Mimikatz can be used to attack Azure Browser SSO
Great research work was done in this field by Benjamin Delpy @gentilkiwi and Dirk-jan Mollema @_dirkjan
Another Weakness in OAuth Apps – BlackDirect Vulnerability
OAuth Application Configuration Example
[Screenshot: the app's redirect URIs, the URLs that are whitelisted for getting OAuth tokens]
OAuth 2.0 – Flow Example
Parties: the user (the client, i.e. the browser), the authorization server (https://login.microsoftonline.com) and the resource server (https://office.com/)
1. The user browses to https://office.com
2. Office.com redirects the user to the authorization server for getting his access token
3. The browser sends an HTTP request to the Authorization Server for creating an access token to the Resource Server:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=abc...&resource=office&redirect_uri=https://office.com/
4. The authorization server creates an access token for the resource server and redirects the client's browser to the whitelisted given redirect URI
5. The browser (the client) sends the access token to the resource server to get his data
6. The resource server returns the client's data
BlackDirect Vulnerability – Attack Flow
1. The user browses to https://compromised-subdomain.office.com
2. compromised-subdomain.office.com redirects the user to the authorization server for getting his access token
3. The browser sends an HTTP request to the Authorization Server for creating an access token to the Resource Server:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=abc...&resource=office&redirect_uri=https://compromised-subdomain.office.com/
4. The authorization server creates an access token for the resource server and redirects the client's browser to the whitelisted given redirect URI
5. The browser (the client) sends the access token to the fake resource server, the attacker at https://compromised-subdomain.office.com/
6–7. The attacker gets the client's data from the real resource server (https://office.com/)
BlackDirect Discovery in Azure OAuth Apps
Subdomain management: not as simple as you might have thought
Real examples for possible subdomain takeovers:
https://fix.sa.lcs.dynamics.com
https://fix.uae.lcs.dynamics.com
https://s2.support.ext.azure.com
https://s1.support.ext.azure.com
https://westus-maas-he.az-westus-maas.cloudsimple.com
https://env-cs-westus-devtest-03.qa.cloudsimple.us
https://env-cs-westus-devtest-30.qa.cloudsimple.us
https://env-cs-westus-devtest-80.cloudsimple.us
https://env-cs-westus-devtest-25.qa.cloudsimple.us
https://env-cs-westus-devtest-67.qa.cloudsimple.us
https://env-cs-westus-devtest-31.qa.cloudsimple.us
https://ccinsights-globalservice-prod.azurewebsites.net
https://oneproject-prod-global-m00.op.trafficmanager.net
https://demoaccount1.catalog-int.clouddatahub-int.net
https://demoaccount2.catalog-int.clouddatahub-int.net
OAuth and BlackDirect Popularity
We published a scanning tool:
– Website: https://black.direct/
– 203 companies scanned their Azure Apps for BlackDirect
Results – on average:
– 894 OAuth Applications per company
– About 6 vulnerable URLs per company!
– 3.5 vulnerable apps per company!
Example for a big electronics vendor:
– 3863 OAuth Applications
– 237 Vulnerable URLs
– 97 Vulnerable Applications
Blog post: https://www.cyberark.com/resources/threat-research-blog/blackdirect-microsoft-azure-account-takeover
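The flow example and the attack flow differ only in which whitelisted redirect_uri receives the token, which is why the authorization server's exact-match check does not stop BlackDirect: the registered host itself is the weak point. The following Python is an added example, not code from the webinar, from black.direct or from Microsoft. One function validates an /authorize request the way a server does (exact match of redirect_uri against the client's registered URIs); a second audits those registered URIs for wildcards, plain-http entries off loopback, and hosts that no longer resolve or whose CNAME target is gone. The client_id "abc", the registration list and the DNS table are constructed stand-ins; a real audit would read the redirect URIs from the tenant's app registrations and resolve the hosts with real DNS lookups.

```python
"""Redirect URI checks for OAuth apps: server-side exact matching, plus an audit of the
registered (whitelisted) URIs for hosts an outsider could end up controlling."""
from urllib.parse import parse_qs, urlsplit

# Constructed registration for a made-up client "abc" (not a real Azure app registration).
REGISTERED_APPS = {
    "abc": [
        "https://office.com/",
        "https://compromised-subdomain.office.com/",  # stale entry whose host was later released
        "http://legacy.example.com/callback",         # plain http, and the host no longer exists
        "http://localhost:8080/callback",             # loopback is the usual http exception
    ],
}

# Constructed DNS table standing in for real lookups. A CNAME to a name that is absent
# from the table models a deleted cloud resource (the classic dangling-CNAME takeover).
CONSTRUCTED_DNS = {
    "office.com": {"a": ["203.0.113.10"]},
    "compromised-subdomain.office.com": {"cname": "deleted-app.azurewebsites.net"},
    "localhost": {"a": ["127.0.0.1"]},
}


def constructed_resolver(host):
    """Return the DNS record for host, or None for NXDOMAIN."""
    return CONSTRUCTED_DNS.get(host)


def validate_authorize_request(url, apps=REGISTERED_APPS):
    """The authorization server's side of step 3: redirect_uri must be registered for
    the client_id, compared as an exact string. Returns (accepted, reason)."""
    query = parse_qs(urlsplit(url).query)
    client_id = query.get("client_id", [None])[0]
    redirect_uri = query.get("redirect_uri", [None])[0]
    if client_id not in apps:
        return False, "unknown client_id"
    if redirect_uri not in apps[client_id]:
        return False, "redirect_uri not registered"
    return True, f"access token will be delivered to {redirect_uri}"


def resolution_status(host, resolve, max_hops=8):
    """Follow CNAMEs and report 'ok', 'nxdomain', 'dangling-cname' or 'cname-loop'."""
    hops = 0
    while hops < max_hops:
        record = resolve(host)
        if record is None:
            return "nxdomain" if hops == 0 else "dangling-cname"
        if "cname" not in record:
            return "ok"
        host = record["cname"]
        hops += 1
    return "cname-loop"


def audit_redirect_uris(apps, resolve=constructed_resolver):
    """Return (client_id, uri, issue) for every registered URI that weakens the whitelist."""
    findings = []
    for client_id, uris in apps.items():
        for uri in uris:
            parts = urlsplit(uri)
            host = parts.hostname or ""
            if "*" in uri:
                findings.append((client_id, uri, "wildcard"))
            if parts.scheme != "https" and host not in ("localhost", "127.0.0.1"):
                findings.append((client_id, uri, "non-https"))
            status = resolution_status(host, resolve)
            if status != "ok":
                findings.append((client_id, uri, status))
    return findings


if __name__ == "__main__":
    attack_url = ("https://login.microsoftonline.com/common/oauth2/authorize?response_type=token"
                  "&client_id=abc&resource=office&redirect_uri=https://compromised-subdomain.office.com/")
    print(validate_authorize_request(attack_url))   # accepted: the URI is on the whitelist
    for finding in audit_redirect_uris(REGISTERED_APPS):
        print(*finding)
```

Running both together makes the point: the authorize request carrying redirect_uri=https://compromised-subdomain.office.com/ is accepted because exact matching passed, while the audit reports that same entry as dangling-cname. An nxdomain finding is at minimum a stale entry to delete; a CNAME to a cloud hostname that no longer exists is the takeover candidate the slides list, and removing the registration closes it regardless of who later claims the name.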
The End is only the Beginning
Apply What You Have Learned Today
Next week you should:
– Make sure all your SSO and Passwordless solutions are implemented according to their best practices and have their latest updates installed
In the first three months following this presentation you should:
– Secure your privileged accounts, including local admins, sensitive apps and remote access procedures
– If the security fundamentals are compromised, SSO and Passwordless aren't going to help
Within six months you should:
– Perform periodic scans for the mentioned threats: remove unused Hello keys, go through the login logs, scan yourself against BlackDirect, etc.
Next Webinars by CyberArk Labs: Kubernetes Security; Microsoft Teams Vulnerability
Summary
We reviewed real-life threats in the field of Passwordless, SSO and OAuth
More details are available online – check them out
Follow the best practices when implementing technologies
Ensure the security fundamentals are in place, like protecting the access points of your network and your privileged accounts
GREAT! ANY Q?
Feel free to contact me
Twitter: @Hechtov
To learn more about CyberArk Labs, visit: https://labs.cyberark.com/
More Related Content

What's hot

BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs realityBlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs realityBlueHat Security Conference
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windowsArpan Raval
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101Arpan Raval
 
Advanced Threats In The Enterprise
Advanced Threats In The EnterpriseAdvanced Threats In The Enterprise
Advanced Threats In The EnterprisePriyanka Aash
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat Security Conference
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Tripwire
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session ManagementSam Bowne
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWebsecurify
 
System hacking
System hackingSystem hacking
System hackingCAS
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...Soya Aoyama
 
Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkIJERA Editor
 

What's hot (20)

BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs realityBlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
 
Persistence in windows
Persistence in windowsPersistence in windows
Persistence in windows
 
Windows Live Forensics 101
Windows Live Forensics 101Windows Live Forensics 101
Windows Live Forensics 101
 
Advanced Threats In The Enterprise
Advanced Threats In The EnterpriseAdvanced Threats In The Enterprise
Advanced Threats In The Enterprise
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session Management
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Ch03 Protecting Systems
Ch03 Protecting SystemsCh03 Protecting Systems
Ch03 Protecting Systems
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session Management
 
System hacking
System hackingSystem hacking
System hacking
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ Hack...
 
Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using Splunk
 

Similar to The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht

Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!All Things Open
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Secure containers for trustworthy cloud services: business opportunities
 Secure containers for trustworthy cloud services: business opportunities Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunitiesATMOSPHERE .
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerIRJET Journal
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterAbdessabour Arous
 
Azure Sphere - GAB 2019
Azure Sphere - GAB 2019Azure Sphere - GAB 2019
Azure Sphere - GAB 2019Mirco Vanini
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideDarin Fredde
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential ManagementVMware Tanzu
 

Similar to The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht (20)

Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Secure containers for trustworthy cloud services: business opportunities
 Secure containers for trustworthy cloud services: business opportunities Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunities
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows Computer
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse Center
 
Securing API data models
Securing API data modelsSecuring API data models
Securing API data models
 
Azure Sphere - GAB 2019
Azure Sphere - GAB 2019Azure Sphere - GAB 2019
Azure Sphere - GAB 2019
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guide
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
CredHub and Secure Credential Management
CredHub and Secure Credential ManagementCredHub and Secure Credential Management
CredHub and Secure Credential Management
 
News bytes Oct-2011
News bytes  Oct-2011News bytes  Oct-2011
News bytes Oct-2011
 

Recently uploaded

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 

The Hacker's Guide to the Passwordless Galaxy - Webinar 23.6.21 by Asaf Hecht

  • 25. Windows Hello - Background: Windows Hello MFA = a key or certificate tied to a physical device + something that the person knows (a PIN) or something that the person is (biometrics). * The private key never leaves the device when using TPM.
  • 26. Windows Hello – Network Login Process: (1) Entering the PIN / face recognition; (2) Unlocking the private key from the TPM; (3) The private key is used for starting Kerberos against the AD; (4) TGT and NTLM on the endpoint; (5) The user can access other resources. * Users still have passwords, but with Hello they authenticate against the public key.
  • 27. What Attackers Can Still Do: most of the Active Directory attacks still work!! THE REASON: Windows Hello just changes the first authentication step; after that it's still Kerberos and NTLM in on-prem environments. – Pass the Hash – Over-Pass the Hash – Pass the Ticket
  • 28. Demo - Pass the Ticket attack with Windows Hello on
  • 29. Exploiting Windows Hello for Business – Previous Work: Michael Grafnetter (@MGrafnetter) did great research in this area. Attack vectors: – Injecting custom NGC (Next-Gen Credentials) keys – Old TPM versions contain a vulnerability that weakens Windows Hello's key strength: CVE-2017-15361 (a.k.a. ROCA) – Unused and orphaned public keys that are still in the account's properties
  • 30. Injecting a Windows Hello key into the user – Injecting custom NGC (Next-Gen Credentials) keys: – Generate an RSA key pair – Create an NGC blob from the RSA public key – Write the NGC blob to Active Directory – Authenticate using PKINIT. Prerequisite: – Write permissions on the target user account => means post-exploitation
  • 31. CVE-2017-15361 a.k.a. ROCA Vulnerability. Source: https://securityaffairs.co/wordpress/64401/breaking-news/roca-vulnerability-cve-2017-15361.html
  • 32. Exploiting Windows Hello for Business – Previous Work: Windows Hello keys of users and devices that were removed might still be useful! Source: https://www.darkreading.com/application-security/microsoft-issues-advisory-for-windows-hello-for-business/d/d-id/1336514
  • 33. Bypassing Face Recognition with an External USB Camera: Stay tuned… The research will be published at the Black Hat US conference
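As an added example (not from the talk, and not DSInternals or any CyberArk tool), here is a small audit for the "unused and orphaned keys" vector from slides 29 and 32: it decodes msDS-KeyCredentialLink values and reports NGC keys that have not been used for a logon in a long time. The blob layout is assumed from the MS-ADTS KEYCREDENTIALLINK_BLOB description (version DWORD, then Length/Identifier/Value entries); the three key blobs, the account and the dates are constructed here, not taken from a real directory.

```python
import struct
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_BLOB entry identifiers (assumed from MS-ADTS 2.2.20) this
# audit needs; KeyUsage 0x01 marks an NGC (Windows Hello) key.
KEY_ID, KEY_USAGE, LAST_LOGON, CREATION = 0x01, 0x04, 0x08, 0x09
KEY_USAGE_NGC = 0x01
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_key_credential_link(blob):
    """Decode one value: DWORD version (0x200), then Length|Identifier|Value entries."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:x}")
    key, offset = {}, 4
    while offset + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)
        value = blob[offset + 3:offset + 3 + length]
        offset += 3 + length
        if ident == KEY_ID:
            key["key_id"] = value.hex()
        elif ident == KEY_USAGE:
            key["usage"] = value[0]
        elif ident in (LAST_LOGON, CREATION):
            (ft,) = struct.unpack("<Q", value)
            key["last_logon" if ident == LAST_LOGON else "created"] = filetime_to_dt(ft)
    return key

def stale_ngc_keys(blobs, now, max_idle_days=90):
    """Key IDs of NGC keys idle > max_idle_days; a never-used key is judged by creation time."""
    stale = []
    for blob in blobs:
        key = parse_key_credential_link(blob)
        if key.get("usage") != KEY_USAGE_NGC:
            continue
        last_seen = key.get("last_logon") or key.get("created")
        if last_seen is None or now - last_seen > timedelta(days=max_idle_days):
            stale.append(key["key_id"])
    return stale

# Constructed sample: three NGC keys on one account (synthetic, not from any
# real directory), encoded the way the attribute would be read back.
def _blob(key_id, stamp_ident, stamp):
    ticks = (stamp - EPOCH_1601) // timedelta(microseconds=1) * 10  # FILETIME
    entries = [(KEY_ID, key_id), (KEY_USAGE, bytes([KEY_USAGE_NGC])),
               (stamp_ident, struct.pack("<Q", ticks))]
    return struct.pack("<I", 0x200) + b"".join(
        struct.pack("<HB", len(v), i) + v for i, v in entries)

NOW = datetime(2021, 6, 23, tzinfo=timezone.utc)
SAMPLE_BLOBS = [
    _blob(b"\x11" * 32, LAST_LOGON, NOW - timedelta(days=3)),    # in daily use
    _blob(b"\x22" * 32, LAST_LOGON, NOW - timedelta(days=400)),  # owner left long ago
    _blob(b"\x33" * 32, CREATION, NOW - timedelta(days=200)),    # never used to log on
]
```

Run against real data, the blobs come from the msDS-KeyCredentialLink attribute of each user; keys the audit reports are the ones slide 58 says to remove.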
  • 34. Browser SSO in Hybrid Environments
  • 35. Hybrid Environment – On-premises network: Domain Controller (Active Directory), Synchronization solution (Azure AD Connect), Federation solution (ADFS), IAM/SSO solution (on-premises agent); connected to the Cloud
  • 36. Hybrid Environment with Azure – On-premises network: Domain Controller (Active Directory), Synchronization solution (Azure AD Connect); connected to the Azure Cloud
  • 37. Hybrid Device Join: a device joined to the on-prem Active Directory (device account in the AD, via the Domain Controller on the on-premises network) is also joined to Azure Active Directory (device object in Azure AD)
  • 38. Example for an AD and AAD joined device
  • 39. Advantages of Being Hybrid – one of the main advantages in a Hybrid Environment is SSO (Single Sign-On): log on once with your on-prem authentication and access the cloud services and online apps
  • 40. Browser SSO – Chrome Extension for Windows. * In the Edge browser the SSO is built in natively
  • 41. Azure Browser SSO – Applications View
  • 42. Background on Modern Authentication and Authorization: OAuth provides authorization and provides access to resources. OIDC is based on OAuth, adding authentication for SSO. Super popular!
  • 43. Background on Modern Authentication and Authorization – OAuth2: Application, Access Tokens, Refresh Token. OAuth is very popular in modern cloud environments, online apps and hybrid connectivity
  • 44. In Azure Browser SSO – on an Azure AD Joined Device: the user logs on -> gets a PRT (Primary Refresh Token) -> PRT Cookie (JWT token) -> Refresh Tokens -> Access Tokens -> Applications
  • 45. In Azure Browser SSO – the keys involved: Session Key -> per PRT, device; Derived Key -> required for getting a Refresh Token; Transport Key -> per device (on registration)
  • 46. In Azure Browser SSO – where it is stored: in the TPM (if no TPM -> in the Registry); in Lsass, in the CloudAP (an authentication package); in the browser and DPAPI
  • 47. In Azure Browser SSO – who can reach it: Local admin can exploit and extract what is stored in Lsass (in the CloudAP)! Regular user rights can be used for exploitation and extraction of the SSO tokens stored in the browser and DPAPI!
  • 48. Attacking Azure Browser SSO – Local administrator privileges: the attacker can extract the PRT and the derived key from the machine and access Azure AD connected resources. Regular user privileges: the attacker can request regular refresh tokens (like the user)
  • 49. NEW Attack - Pass the PRT: with local administrator privileges, extract the PRT and the derived key from the machine and access any Azure AD connected resource
  • 50. Mimikatz can be used to attack Azure Browser SSO. Great research work was done in this field by Benjamin Delpy @gentilkiwi and Dirk-jan Mollema @_dirkjan
  • 51. Another Weakness in OAuth Apps – BlackDirect Vulnerability
  • 52. OAuth Application Configuration Example: URLs that are whitelisted for getting OAuth tokens
  • 53. OAuth 2.0 – Flow Example (parties: the user, the client = the user's browser, the resource server https://office.com/, the authorization server): (1) The user browses to https://office.com; (2) office.com redirects the user to the authorization server for getting his access token; (3) The browser sends an HTTP request to the authorization server for creating an access token for the resource server: https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=abc...&resource=office&redirect_uri=https://office.com/; (4) The authorization server creates an access token for the resource server and redirects the client's browser to the whitelisted given redirect URI; (5) The browser (the client) sends the access token to the resource server to get his data; (6) The resource server returns the client's data
  • 54. BlackDirect Vulnerability – Attack Flow (the attacker controls https://compromised-subdomain.office.com/): (1) The user browses to https://compromised-subdomain.office.com; (2) compromised-subdomain.office.com redirects the user to the authorization server for getting his access token; (3) The browser sends an HTTP request to the authorization server for creating an access token for the resource server: https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=abc...&resource=office&redirect_uri=https://compromised-subdomain.office.com/; (4) The authorization server creates an access token for the resource server and redirects the client's browser to the whitelisted given redirect URI; (5) The browser (the client) sends the access token to the fake resource server; (6)-(7) The attacker gets the client's data from the real resource server
  • 55. BlackDirect Discovery in Azure OAuth Apps – subdomain management is not as simple as you might have thought. Real examples for possible subdomain takeovers.
  • 56. OAuth and BlackDirect Popularity – We published a scanning tool: – Website: https://black.direct/ – 203 companies scanned their Azure Apps for BlackDirect. Results, on average: – 894 OAuth applications per company – About 6 vulnerable URLs per company! – 3.5 vulnerable apps per company! Example from a big electronics vendor: – 3863 OAuth applications – 237 vulnerable URLs – 97 vulnerable applications. Blog post: https://www.cyberark.com/resources/threat-research-blog/blackdirect-microsoft-azure-account-takeover
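As an added example (not the talk's scanner at https://black.direct/ and not CyberArk's code), here is the self-check from slides 52 to 56 reduced to its core: walk an app's whitelisted redirect URIs and flag any host whose CNAME chain ends at a name that no longer resolves (the dangling-record precondition for the subdomain takeover BlackDirect relies on), plus any non-HTTPS entry. All hostnames, DNS records and the resolver are constructed here so the block runs offline.

```python
from urllib.parse import urlparse

# Constructed sample: redirect URIs registered on one app (hypothetical names).
REDIRECT_URIS = [
    "https://app.example.com/auth/callback",
    "https://old-demo.example.com/callback",   # CNAME to a resource nobody owns now
    "http://dev.example.com/callback",         # plain HTTP
    "https://example.com/signin-oidc",
]

# Constructed DNS view: host -> ("A", ip) | ("CNAME", target) | None (NXDOMAIN).
FAKE_DNS = {
    "app.example.com": ("A", "203.0.113.10"),
    "old-demo.example.com": ("CNAME", "demo-old.azurewebsites.net"),
    "demo-old.azurewebsites.net": None,        # the web app behind it was deleted
    "dev.example.com": ("A", "203.0.113.11"),
    "example.com": ("A", "203.0.113.12"),
}

def fake_resolve(host):
    """Stand-in for a real resolver so the sample runs offline."""
    return FAKE_DNS.get(host)

def classify_host(host, resolve, max_hops=8):
    """Follow the CNAME chain of a whitelisted host. 'dangling-cname' is the
    BlackDirect case: our name still points at a target that no longer exists,
    so whoever re-creates that target receives the tokens redirected to our URI."""
    hops = 0
    while hops < max_hops:
        record = resolve(host)
        if record is None:
            return "dangling-cname" if hops else "nxdomain"
        kind, target = record
        if kind != "CNAME":
            return "ok"
        host, hops = target, hops + 1
    return "cname-loop"

def audit_redirect_uris(uris, resolve=fake_resolve):
    """Return (uri, finding) pairs for every whitelisted URI worth fixing."""
    findings = []
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append((uri, "not https: token returned in the clear"))
        state = classify_host(parsed.hostname, resolve)
        if state != "ok":
            findings.append((uri, f"host {parsed.hostname} is {state}"))
    return findings

if __name__ == "__main__":
    for uri, finding in audit_redirect_uris(REDIRECT_URIS):
        print(f"{uri}: {finding}")
```

Against a real tenant the same loop runs over the reply URLs of each app registration with a real DNS resolver in place of fake_resolve; an entry reported as dangling should be removed from the whitelist or its target re-claimed before anyone else does.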
  • 57. The End is only the Beginning
  • 58. Apply What You Have Learned Today – Next week you should: – Make sure all your SSO and passwordless solutions are implemented according to their best practices and have their latest updates installed. In the first three months following this presentation you should: – Secure your privileged accounts, including local admins, sensitive apps and remote access procedures – If the security fundamentals are compromised, SSO and passwordless aren't going to help. Within six months you should: – Perform periodic scans for the mentioned threats: remove unused Hello keys, go through the login logs, scan yourself against BlackDirect, etc.
  • 59. Next Webinars by CyberArk Labs: Kubernetes Security; Microsoft Teams Vulnerability
  • 60. Summary: We reviewed real-life threats in the field of passwordless, SSO and OAuth. More details are available online – check them out. Follow the best practices when implementing technologies. Ensure the security fundamentals are in place, like protecting the access points of your network and your privileged accounts
  • 61. GREAT! ANY Q? Feel free to contact me – Twitter: @Hechtov. To learn more about CyberArk Labs, visit: https://labs.cyberark.com/