eu-19-Grafnetter-Exploiting-Windows-Hello-for-Business-2.pdf.md

File metadata and controls

56 lines (31 loc) · 3.24 KB

Michael Grafnetter  
CQURE: Identity, Cloud & Security Architect  
CQURE Academy: Trainer  
MCT, CEI, MCSA  
[email protected]

@CQUREAcademy @MGrafnetter

Exploiting Windows Hello for Business  
December 4th, 2019  
Black Hat Europe 2019, London

- Windows Hello for Business 101 (without PR buzz)
- Injecting Custom NGC Keys
- ROCA + WHfB: The Untold Story
- Auditing AD Key Credentials

Windows Hello for Business 101 (AKA Microsoft Passport)

- On Premises Key Trust
- On Premises Certificate Trust
- Hybrid Azure AD Joined Key Trust
- Hybrid Azure AD Joined Certificate Trust
- Azure AD Join Single Sign-on

- msDS-KeyCredentialLink (Syntax: DN-Binary): This attribute contains key material and usage information.
- msDS-KeyCredentialLink-BL: This attribute is the backlink for msDS-KeyCredentialLink.

| Key Usage | Description |
|---|---|
| NGC | Next-Gen Credentials |
| FIDO | Fast IDentity Online Key |
| STK | Session Transport Key |
| FEK | File Encryption Key (Undocumented) |
| BitlockerRecovery | BitLocker Recovery Key (Undocumented) |
| AdminKey | PIN Reset Key (Undocumented) |

Injecting Custom NGC Keys

- Windows Server 2016+ Domain Controller
- KDC Certificate
- Write permissions on target account => post-exploitation

- IDL_DRSReadNgcKey
- IDL_DRSWriteNgcKey

…ohn Doe,OU=Employees,DC=adatum,DC=com

Typical Members:

- ADFS
- Azure AD Connect

ROCA + WHfB: The Untold Story

New Device Registration Service Events:

- 3038: Windows Hello Weak Key Blocked
- 3039: Windows Hello Weak Key Allowed

```
Public Exponent: 65537
Modulus:
d6589a6fe210490583c1dcd57e3579ab24979d9b1a7118e3553dedcff
a5cf5abd41cf6c19cbbe598ce6f9140541e8ff8a778bd5caadd8d038a
49785a4d9031c98e26783e824ba3cf00d86c112a9a5c65a5acf2b077e
365d947bd41a437e7034cc00a77550b2ea8cec18c1f7516da4dc13177
e1de1d32fbbdde1e1fd7395aab71a8f302b985a64248c3a239e6943ae
afa9a8b591ae499f31723f7dc8a22a6d197445056da4df9d13443db4a
6201d52d82795a2f2ffa2f75b6f2605e213609a39df33f26e023d83d9
c4bddd4879e234407833ba38460cbc66d9d31cdf2c5b3a042f321da7f
2140ecc4a5a190306ed51fe0ea5273dd83d5338b2554abd3738a06a5
```

Auditing AD Key Credentials

Final Thoughts

- Start auditing msDS-KeyCredentialLink values.
- Check pre-existing keys for ROCA.
- Keep up-to-speed with new security features.
- Go password-less!
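The two audit items above (auditing msDS-KeyCredentialLink values and checking existing keys for ROCA) can be combined in one pass, which also exercises the DN-Binary syntax and the key usage types listed earlier in the deck. The following is an added example written for this page; it is not code from the talk, from CQURE or from DSInternals. It assumes the MS-ADTS KEYCREDENTIALLINK_BLOB layout (a 4-byte version followed by Length/Identifier/Value entries, with identifier 0x03 for KeyMaterial and 0x04 for KeyUsage), the Windows BCRYPT_RSAKEY_BLOB layout for the public key, KeyUsage numeric codes as I recall them from MS-ADTS (verify against the current spec), and the published ROCA fingerprint (Nemec et al., 2017): a modulus whose residue modulo each of the first 39 primes is a power of 65537. The attribute value it audits is constructed in the block itself, not read from a directory.

```python
"""Audit msDS-KeyCredentialLink values: decode the key credential, pull the RSA
public key and run the ROCA fingerprint over its modulus.

Added example for this page, not code from the talk, CQURE or DSInternals.
Layouts assumed: MS-ADTS KEYCREDENTIALLINK_BLOB (4-byte version, then
Length/Identifier/Value entries) and the Windows BCRYPT_RSAKEY_BLOB public key.
The sample attribute value at the bottom is constructed, not read from AD.
"""
import struct
from math import prod

# --- ROCA fingerprint (Nemec et al., 2017) -----------------------------------
# Affected primes have the form k*M + (65537^a mod M), with M the product of the
# first 39 primes, so N = p*q is a power of 65537 modulo each of those primes.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
                139, 149, 151, 157, 163, 167]

def _powers_of_e(p):
    """The cyclic subgroup generated by 65537 in the multiplicative group mod p."""
    g, x, members = 65537 % p, 1, set()
    while x not in members:
        members.add(x)
        x = x * g % p
    return members

_SUBGROUPS = {p: _powers_of_e(p) for p in SMALL_PRIMES}

def roca_fingerprint(n):
    """True when n mod p lies in <65537> for every small prime p.

    A random modulus fails this for some p with overwhelming probability,
    so a pass is a strong indicator of a ROCA-affected key."""
    return all(n % p in _SUBGROUPS[p] for p in SMALL_PRIMES)

def modulus_from_hex(text):
    """Parse a hex modulus that may be wrapped over several lines (as on a slide)."""
    return int("".join(text.split()), 16)

# --- msDS-KeyCredentialLink decoding -----------------------------------------
# KeyUsage codes as I recall them from MS-ADTS; verify against the current spec.
KEY_USAGE = {0x00: "AdminKey", 0x01: "NGC", 0x02: "STK", 0x03: "BitlockerRecovery",
             0x07: "FIDO", 0x08: "FEK"}
ENTRY_KEY_MATERIAL, ENTRY_KEY_USAGE = 0x03, 0x04
RSA1_MAGIC = 0x31415352  # "RSA1": BCRYPT_RSAPUBLIC_MAGIC

def parse_dn_binary(value):
    """Split a DN-Binary string 'B:<hex char count>:<hex>:<DN>' into (bytes, DN)."""
    tag, hexlen, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn

def parse_key_credential(blob):
    """Walk the Length/Identifier/Value entries after the version; map identifier -> value."""
    (version,) = struct.unpack_from("<I", blob, 0)
    entries, offset = {"version": version}, 4
    while offset < len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        entries[ident] = blob[offset:offset + length]
        offset += length
    return entries

def parse_rsa_public_blob(material):
    """Extract (e, n) from a BCRYPT_RSAKEY_BLOB: six DWORD header fields, then big-endian e and n."""
    magic, _bits, cb_exp, cb_mod, _, _ = struct.unpack_from("<6I", material, 0)
    if magic != RSA1_MAGIC:
        raise ValueError("not an RSA1 public key blob")
    e = int.from_bytes(material[24:24 + cb_exp], "big")
    n = int.from_bytes(material[24 + cb_exp:24 + cb_exp + cb_mod], "big")
    return e, n

def audit_key_credential(value):
    """One attribute value in, a finding dict out (device DN, usage, key size, ROCA verdict)."""
    blob, device_dn = parse_dn_binary(value)
    entries = parse_key_credential(blob)
    usage = KEY_USAGE.get(entries[ENTRY_KEY_USAGE][0], "Unknown")
    e, n = parse_rsa_public_blob(entries[ENTRY_KEY_MATERIAL])
    return {"device": device_dn, "usage": usage, "bits": n.bit_length(),
            "exponent": e, "roca": roca_fingerprint(n)}

# --- Constructed sample data ---------------------------------------------------
def build_sample_value(n, usage=0x01, dn="CN=TESTPC$,CN=Computers,DC=example,DC=test"):
    """Wrap modulus n in a minimal credential (only the two entries the audit reads)."""
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    material = struct.pack("<6I", RSA1_MAGIC, n.bit_length(), 3, len(mod), 0, 0)
    material += b"\x01\x00\x01" + mod          # e = 65537, then the modulus
    blob = struct.pack("<I", 0x200)              # KeyCredentialLink version 2
    blob += struct.pack("<HB", len(material), ENTRY_KEY_MATERIAL) + material
    blob += struct.pack("<HB", 1, ENTRY_KEY_USAGE) + bytes([usage])
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"

def roca_shaped_modulus(a, b, k1, k2):
    """N = p*q with p, q of the form k*M + 65537^x mod M (shape only, factors not proven prime)."""
    m = prod(SMALL_PRIMES)
    return (k1 * m + pow(65537, a, m)) * (k2 * m + pow(65537, b, m))

if __name__ == "__main__":
    weak = roca_shaped_modulus(1234, 5678, 10**235, 10**235 + 1)
    print(audit_key_credential(build_sample_value(weak)))                 # roca: True
    fine = 2**2047 + 2**1000 + 1                                           # no ROCA structure
    print(audit_key_credential(build_sample_value(fine, usage=0x07)))     # roca: False
```

Run as a script it prints two findings, one for a modulus built with the ROCA prime structure and one without it. To audit a real directory, enumerate the objects that carry the attribute (for example `Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink` from the ActiveDirectory PowerShell module) and pass each DN-Binary string to `audit_key_credential`; a finding with `roca` set to True is a key to revoke and re-enrol. The modulus printed on the ROCA slide above can be pasted into `modulus_from_hex` and handed to `roca_fingerprint` directly. Real credentials contain further entries (KeyID, KeyHash, DeviceId, timestamps); the parser keeps them in the returned dictionary by identifier, so extending the report is a matter of reading more keys.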

Thank you!

If you have questions you can email me at [email protected]
