
Vulnerabilities in login authentication methods and password storage in Windows 8

John-Andre Bjorkhaug

Gjovik University College

March 2014

Today, with the rise of touchscreen devices like tablets, smartphones and even laptops with touchscreens, users may find it too cumbersome to type regular passwords. Typing, for example, an eight-character password containing letters, numbers and symbols takes time and is not easy for the average user on a touchscreen keyboard. The companies developing these devices have taken the problem into consideration and have come up with alternative authentication methods that replace the password, for example biometrics, PINs and gestures. This paper focuses on the different methods used for logon authentication in the Microsoft Windows 8 and 8.1 operating systems, since these now appear on more and more touchscreen devices. The paper starts with an introduction explaining some of the new features of Windows 8, followed by an overview of work related to this paper. Then comes a section on classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. After that it is time to dive into Windows 8, its new methods for login authentication and their vulnerabilities. The paper ends with a conclusion that suggests techniques for mitigating some of the vulnerabilities discussed throughout the paper.

Categories and Subject Descriptors: D.4.6 [Security and Protection]: Invasive software—Operating system security

General Terms: security

Additional Key Words and Phrases: operating system security, passwords, authentication, PIN

1. INTRODUCTION

Today, devices with touchscreens, like smartphones, tablets and laptops, are becoming more and more common, and operating systems like Android and iOS have dominated them for some years. Typing text-based passwords containing, for example, both upper and lower case letters, numbers and symbols takes too much time and is not easy for the average user on a touchscreen soft keyboard. The companies developing these devices have taken the problem into consideration and have come up with alternative authentication methods that replace the password, for example biometrics, PINs and gestures. PIN codes and the gesture patterns used on touch devices for years have a very small password space compared to a good old text-based password. In Windows 8, Microsoft presented some new native methods for logging in to a Windows system: a four-digit PIN code, the so-called picture password, and fingerprint. A four-digit PIN code is obviously not very secure; a picture password can be quite secure if implemented correctly. Even though Microsoft Windows has been available in different forms on touch devices for many years, a lot happened when Microsoft made Windows 8.

This version of Windows runs just as well on touch devices as on desktop computers. You can use the good old desktop on laptops and desktop computers, and the new tile interface called Modern UI¹, which is better suited for touch devices. Recently there has also been a rise in both laptops and desktop computers with touchscreens. Microsoft Windows 8 was released in August 2012 and became available to the general public at the end of October the same year. Windows 8.1 came out in October 2013, with small changes compared to 8 [ZDNet 2014]; in many ways 8.1 can be regarded more as a service pack than a full OS upgrade. Windows 8 can be said to be one of the biggest changes, at least visually, since Windows 95 replaced Windows 3.11, although Windows 8 is very Windows 7-like when the new tile interface is not in use. Since Windows 8 is relatively new, it still has some teething problems, and both the operating system and its users need to mature a bit. In addition to adding Modern UI for devices with a touchscreen, Microsoft also included several authentication methods to make the operating system even more user friendly on touch devices. Alongside the good old password, methods like PIN code and picture password have been included from Windows 8. The reason is that the user should not have to type passwords like "Tr0ub4dor" [xkcd 2013] on the device's limited software keyboard, where for example the "shift" key is rather cumbersome to use. These new login authentication methods have introduced quite a few new vulnerabilities into login authentication in Windows, in addition to the ones that have been there for years.

This paper will discuss both old and new login authentication methods and their vulnerabilities. All tests in this paper were performed on a VMware virtual machine and a Dell Venue 11 Pro tablet, both running Windows 8.

This paper is organized as follows. Section 1 is the introduction you are now reading. Section 2 gives an overview of work related to this paper. Section 3 covers classic attacks on passwords in Windows, techniques for bypassing login authentication, and how passwords can be extracted in clear text. Section 4 gives details about the new authentication methods used for logging in to Windows 8 and their vulnerabilities. The paper ends with section 5, the conclusion, with some suggestions for techniques that can be used to mitigate some of the vulnerabilities discussed throughout this paper.

2. RELATED WORK

Most books covering ethical hacking and penetration testing have a section about extracting and cracking LM and NTLM hashes, for example the "Hacking Exposed" series [McClure et al. 2009]. The "new" authentication forms for Windows, picture passwords and PIN codes, have not yet been written about much in the context of Windows, but the paper "On the Security of Picture Gesture Authentication" by Ziming Zhao et al. [Zhao et al. 2013] describes rather comprehensive research on picture passwords, with an empirical analysis of picture gesture authentication based on more than 10,000 picture passwords. The present paper focuses more on how the login mechanism works together with the rest of the operating system. When it comes to PIN codes, statistical research has been done among others by Joseph Bonneau et al. at the University of Cambridge [Bonneau et al. 2012] and by the company DataGenetics [DataGenetics 2012]. Also, much of the content in this paper is relatively new and has only been discussed on the blogs of the smart people who find vulnerabilities and write exploits, for example the blog of the Russian company Passcape [Passcape 2014] and that of the French security researcher Benjamin Delpy, aka "gentilkiwi" [Delpy 2014a].

¹ Many still call the interface by its earlier name, Metro.

3. CLASSICAL LOGIN AUTHENTICATION VULNERABILITIES IN WINDOWS

Before going into the vulnerabilities that are new to Windows 8 because of the new login authentication methods, the good old vulnerabilities in the login mechanism and password storage, which are still valid for Windows 8.x, will be discussed.

Fig. 1. Password login screen in Windows 8.1, with the choice of login method below the input field.

3.1 Password hashing

In Microsoft Windows, a cryptographic hash of the password is stored in a file called SAM (Security Accounts Manager), located at %systemroot%\system32\config\SAM. This file is a registry hive in an officially undocumented binary format [Hagen 2014]. In the Windows registry the SAM is mounted under the key HKEY_LOCAL_MACHINE\SAM. Both of these locations are locked, even for the administrator, while the operating system is running, but it is possible to extract the hashes from a running system, for example with the help of DLL injection into the LSASS (Local Security Authority Subsystem Service) process or by reading its memory, using tools such as pwdump, fgdump, Cain & Abel and mimikatz, which will be discussed later. Another place to extract hashes from is a shadow copy of the SAM file. Note that the hashes inside the SAM are additionally encrypted with the boot key (SYSKEY) stored in the SYSTEM hive, so offline tools need both hives. Readers interested in knowing more about what can be found in the LSASS process are recommended to read [Passcape 2011].

There are two different hash algorithms, called LM (LAN Manager) and NTLM (NT LAN Manager). From Windows Vista and Server 2008, LM hashes have been disabled by default, but they can be enabled for backwards compatibility. An LM hash can be used for passwords up to 14 characters and has a serious weakness. The password is split into two halves, the first one seven characters and the second one the rest of the password; for example, a password of length 10 is split into one hash calculated from the first seven characters and one from the last three. All letters are converted to upper case first, and each half is hashed independently (each half is used as a DES key to encrypt a fixed constant). This cuts the effective keyspace of a 14-character password from 2^84 to 2^37 combinations [McClure et al. 2009], which makes cracking LM hashes very fast, for example using rainbow tables, i.e. precomputed tables of passwords and their hashes. This paper will not go further into the cracking of LM hashes, since that is out of scope; for more information see for example [McClure et al. 2009]. When it comes to NTLM hashes, the keyspace is much bigger, but rainbow tables are still a very effective method for cracking them, because the hash is not salted (an NTLM hash is simply the MD4 digest of the UTF-16LE encoded password). The problem is that with NTLM's large keyspace the tables get very space consuming. One of the largest publicly available rainbow tables for NTLM today covers upper and lower case letters, the digits 0-9 and space, for passwords of length 1 to 7 characters, and is a little over 1 TB in size. Compare this with a rainbow table for LM hashes that covers all symbols on the keyboard and password lengths 1 to 7, which in reality means 1 to 14 since the password is split in two: that table is 34 GB [Freerainbowtables 2014]. Salting a hash means that a random value is added to the password before the hash algorithm is run, so that the same password hashed twice gives different hashes. The password hashing mechanism in for example Linux salts its hashes. Salting mitigates attacks like rainbow tables [McClure et al. 2009]. Lately it has also become very popular to use the GPU² on graphics cards to speed up the cracking of cryptographic hashes, since GPUs are much more efficient than regular CPUs at the simple mathematical operations used in hashing. According to Jeremy Gosney³, one of the world's top experts in password cracking, with a regular graphics card like the AMD Radeon HD 7970 it is possible to brute-force NTLM hashes at approximately 20 billion passwords per second, and with a cluster of graphics cards this can be multiplied by the number of cards. One drawback of building password-cracking machines with graphics cards is that it gets rather expensive.
In February 2014 an AMD Radeon HD 7970 cost approximately NOK 3000 in Norway. But why build your own password-cracking machine when Amazon EC2 offers instances with multiple graphics cards in the cloud, which can be rented for as little as $2 per hour [Amazon 2014]. It is also very common to use large dictionaries to shorten the time needed to crack a password. Today, after numerous leaks of large password databases, adversaries have no problem creating very effective dictionaries. The biggest password leak so far is the leak of over 32,000,000 user accounts from the game producer RockYou in 2009 [Skullsecurity 2011].

Cracking password hashes can be done for example with tools like the following:

—John The Ripper

—L0phtCrack

—Cain & Abel

—Ophcrack

—OclHashCat

—Tools from ElcomSoft

If a computer is compromised and the NTLM hashes are extracted but the adversary is not able to crack the password, the hash can still be useful. The hash can be used in a so-called pass-the-hash attack, where the hash itself is used for authentication to other systems on the same network that use the same password as the compromised system (inter-system password re-use) [Wolthusen 2014]. This can be done with tools like mimikatz and modified versions of the psexec tool included in the penetration testing framework Metasploit [Rapid7 2011]. This is a very effective attack in a Windows environment where the same administrator password is used on multiple computers, and it has been used on numerous penetration tests by the author of this paper with a very high success rate. Up until Windows 8.1 and Windows Server 2012 R2 only a limited set of services could be reached with pass-the-hash, but there Microsoft implemented a security feature in the Remote Desktop Protocol (RDP) called Restricted Admin, which actually makes it possible to connect to an RDP service using a pass-the-hash attack [Falde 2013] [Ronin 2014] [Lowe 2013]. As with most other attacks on passwords in Windows, this can be done with mimikatz, but also with the better known and recognized application FreeRDP, an open implementation of the RDP protocol [Ronin 2014].

² Graphics Processing Unit
³ Twitter conversation between the author and him

3.2 Clear text password extraction

In recent years it has also become publicly known that, because of a feature in Windows called WDigest, it is possible to extract passwords in clear text from memory using tools like mimikatz [Delpy 2014b] [Delpy 2011] or Windows Credential Editor [Amplia 2013]. WDigest is a DLL that was first added in Windows XP and is used to authenticate users with HTTP Digest authentication and Simple Authentication and Security Layer (SASL) exchanges. These two authentication methods require the plain-text password to function, so WDigest keeps a copy of it in LSASS memory. To extract passwords from WDigest, the adversary needs access to a computer that is turned on and logged in, but how many average users lock their computer when they go to the toilet? Similar vulnerabilities also apply to other features introduced with Windows NT 6 (Windows Vista and Windows Server 2008), for example when Single Sign On (SSO) to Remote Desktop is enabled (tspkg) [Delpy 2014d], when a Microsoft Live account is used (LiveSSP⁴) [Delpy 2012], and for the Kerberos SSP. In Windows 8.1, wdigest and tspkg are actually disabled by default, but when SSO for websites or RDP is enabled, wdigest and tspkg are enabled too. The passwords kept in memory in all these scenarios are actually encrypted, but in a way that is very easy to reverse: the standard Windows functions LsaProtectMemory and LsaUnprotectMemory are used for encryption and decryption [Pilkington 2012], and the key lives in the same process, so anyone who can read LSASS memory can decrypt them.

More methods for extracting passwords in clear text will follow when we later discuss some new vulnerabilities in Windows 8.

3.3 Bypassing login authentication

The techniques discussed so far assume that the adversary already has access to the victim system, either as a user of a multi-user system who wants to forge the identity of other users of the same system, or as an adversary who has gained access to a system that is powered on and already logged in. But what if the system is shut down or locked? Let us discuss some classic options for bypassing the login authentication in Windows. Some of these attacks have been known all the way back to Windows XP, but are still not fixed in Windows 8.1.

⁴ Security Support Provider

Password reset
Probably the best-known and most used Windows login bypass is to boot from external media and edit the SAM file. The trick is very simple, but it can leave easily found traces that an adversary has accessed the system. It works by booting the system with another operating system, most often a small Linux distribution, and editing the SAM file discussed earlier. This works like a charm since Windows is not running and the file is not locked. With tools like Offline NT Password and Registry Editor, developed by Peter Nordahl Hagen [Hagen 2014], it is possible to do things like:

—Change or clear a user's password

—Enable disabled accounts

—Create new users

—Remove users

—Change a user's group

To access a system without leaving easily found traces, the adversary could create a new user, add it to the administrators group, log in to the system and at the end delete the newly added user. Note that the offline write still changes the SAM hive's modification time, and if account management auditing is enabled, the creation and deletion of the account are recorded in the Security event log.

msv1_0.dll patching at boot time
If creating a new user is not desired, patching the DLL msv1_0.dll is a nice option. This DLL is called by the Local Security Authority (LSA), mentioned earlier, and processes the login data collected by the Credential Providers⁵ for the Winlogon process [Microsoft 20xx]. At boot time this can be done using tools like Kon-Boot [thelead82 2013]. This application silently bypasses the login authentication on any modern Windows operating system by patching msv1_0.dll when it is loaded into memory. The patch causes the password check to always return true, so that no account requires a password, without touching the passwords stored on disk. The tool is used by booting the computer from some kind of external medium (CD, DVD, USB stick etc.); a Kon-Boot boot screen is displayed while the tool does its work, and when the Windows login screen appears, the adversary selects the account to log in as and logs in without any password. When the computer is rebooted, the victim logs in like he always has, with his good old password. As a side note, Kon-Boot is also available for Apple OS X, but works in a different way there.

msv1_0.dll patching with FireWire
IEEE 1394, commonly known as FireWire, is another interesting case when it comes to bypassing Windows login authentication. The vulnerability with FireWire is that the bus has direct access to physical memory (DMA), which makes it possible to patch msv1_0.dll just as mentioned above, but this time at run time. This attack was first demonstrated in 2008 using a modified iPod running Linux and a script called winlockpwn [Spylogic 2008]. Neither iPod-Linux nor the winlockpwn tool is maintained anymore, but thanks to Carsten Maartmann-Moe a new tool called Inception, based on winlockpwn, was released in 2011 [Maartmann-Moe 2011]. Most new computers today do not have a FireWire port, but for an adversary this is in many cases not a problem: FireWire ports can be bought as PCMCIA cards, and when such a card is inserted into the computer's PCMCIA slot, the drivers are installed automatically, even if the computer is locked. An interesting point is that the FireWire attack also works when the hard disk is encrypted with for example BitLocker, if the computer is not shut down but only locked, since the disk encryption key is then still in memory. As another side note, Inception is also able to bypass passwords on Apple OS X and Ubuntu.

⁵ Credential Providers replaced the better known GINA from Windows Vista [Griffin 2007]

Utilman bypass
This again is a very old and quite well-known trick, and Microsoft has actually recommended it for bypassing a forgotten password. It was possible already in Windows 2000, so why it is still possible in Windows 8.1 is a mystery. The technique takes advantage of a utility called Utilman, which launches the accessibility features Magnifier, Narrator and On-Screen Keyboard. This utility is available at the login screen in all newer Windows versions and can be opened by pressing the Windows key together with the letter U. The problem is that if the system is booted with for example a Linux live CD, and the adversary can access the files on the hard disk, he can remove or rename the file utilman.exe, located in %systemroot%\system32\, and copy cmd.exe to utilman.exe. When the system is rebooted and the login screen appears again, the adversary presses Win+U and a command prompt running with SYSTEM privileges pops up. See Figure 3. The file sethc.exe, also located in %systemroot%\system32\, can be exploited in a very similar way. It implements the "Sticky Keys" feature of Windows and runs if the user presses the "shift" key five times in a row. If cmd.exe is copied to sethc.exe and "shift" is pressed five times at the login screen, the command prompt again pops up [Dieterle 2014]. If a command prompt is not good enough, the adversary can add users, change passwords, delete users and so on using Windows' net commands, since the prompt is running as SYSTEM. For example, create a user with

    net user evilhacker * /add

(the * makes net prompt for the password) and add it to the local administrators group with

    net localgroup administrators evilhacker /add

Login screensaver
Another less known trick, which works on Windows 7 and Windows 8.x and is in a way related to the utilman.exe bypass, is to enable a screensaver on the login screen, but with the screensaver binary replaced by for example cmd.exe (here logon.scr, replaced the same way utilman.exe was above). This is done by adding the following REG_SZ values to the registry key HKEY_USERS\.DEFAULT\Control Panel\Desktop [Superuser 2012]:

    SCRNSAVE.EXE = C:\WINDOWS\SYSTEM32\LOGON.SCR
    ScreenSaveActive = 1
    ScreenSaveIsSecure = 0
    ScreenSaveTimeOut = 10 (time before the screensaver starts, in seconds)

Then, at the login screen, after in this case 10 seconds of inactivity, the cmd.exe window pops up with SYSTEM privileges.
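All three login-screen tricks above (utilman.exe, sethc.exe and the screensaver) leave the same kind of evidence on disk: a binary that winlogon runs as SYSTEM has become a copy of a shell, or the .DEFAULT profile has a screensaver armed. The following added example (written for this page, not taken from the paper or from any tool it cites) turns that into a check. The hashes and registry values in the sample are constructed so the logic runs anywhere; on a Windows host `collect_windows_state()` reads the real files and the real HKEY_USERS\.DEFAULT key.

```python
"""Audit a host for the logon-screen bypass artefacts described above.

Added example, not code from the paper or from any tool it cites. The sample
hashes and registry values are constructed so the checks run offline; on a
Windows host, audit(*collect_windows_state()) checks the real files and hive.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Binaries winlogon launches as SYSTEM on the logon desktop, before anyone has authenticated.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "logon.scr")
# Shells an adversary copies over them (the utilman, sethc and screensaver tricks above).
SHELL_BINARIES = ("cmd.exe",)
SCREENSAVER_KEY = r".DEFAULT\Control Panel\Desktop"   # under HKEY_USERS
SCREENSAVER_VALUES = ("SCRNSAVE.EXE", "ScreenSaveActive", "ScreenSaveIsSecure", "ScreenSaveTimeOut")


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_replaced_binaries(file_hashes: Dict[str, str]) -> Dict[str, str]:
    """Return {accessibility binary: shell it now is} for every hash that matches a shell.

    A genuine utilman.exe or sethc.exe never hashes like cmd.exe, so a match means
    the file was overwritten, typically offline from a live CD as described above.
    """
    shell_by_hash = {file_hashes[s]: s for s in SHELL_BINARIES if s in file_hashes}
    return {name: shell_by_hash[file_hashes[name]] for name in ACCESSIBILITY_BINARIES
            if name in file_hashes and file_hashes[name] in shell_by_hash}


def screensaver_findings(values: Dict[str, str]) -> List[str]:
    """Flag a screensaver armed for the logon desktop; nothing should run there unattended."""
    exe = values.get("SCRNSAVE.EXE", "")
    if values.get("ScreenSaveActive") != "1" or not exe:
        return []
    findings = [f"screensaver armed on the logon desktop: {exe} "
                f"after {values.get('ScreenSaveTimeOut', '?')} s"]
    if not exe.lower().endswith(".scr"):
        findings.append(f"SCRNSAVE.EXE does not point at a .scr file: {exe}")
    return findings


def audit(file_hashes: Dict[str, str], values: Dict[str, str]) -> List[str]:
    """Combine both checks into a list of human-readable findings (empty means clean)."""
    findings = [f"{name} is a copy of {shell}: logon-screen shell backdoor"
                for name, shell in find_replaced_binaries(file_hashes).items()]
    return findings + screensaver_findings(values)


def collect_windows_state() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Live collection on Windows: hash the System32 binaries and read HKU\\.DEFAULT."""
    import winreg  # Windows only, hence imported here
    system32 = os.path.join(os.environ["SystemRoot"], "System32")
    hashes = {}
    for name in ACCESSIBILITY_BINARIES + SHELL_BINARIES:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            hashes[name] = sha256_file(path)
    values = {}
    with winreg.OpenKey(winreg.HKEY_USERS, SCREENSAVER_KEY) as key:
        for name in SCREENSAVER_VALUES:
            try:
                values[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return hashes, values


def _fake_hash(label: str) -> str:       # constructed digests for the offline sample
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed state: sethc.exe and logon.scr overwritten with cmd.exe, screensaver trick armed.
SAMPLE_HASHES = {
    "cmd.exe": _fake_hash("cmd.exe"),
    "utilman.exe": _fake_hash("utilman.exe"),
    "sethc.exe": _fake_hash("cmd.exe"),
    "logon.scr": _fake_hash("cmd.exe"),
}
SAMPLE_REGISTRY = {"SCRNSAVE.EXE": r"C:\WINDOWS\SYSTEM32\LOGON.SCR", "ScreenSaveActive": "1",
                   "ScreenSaveIsSecure": "0", "ScreenSaveTimeOut": "10"}

if __name__ == "__main__":
    state = collect_windows_state() if os.name == "nt" else (SAMPLE_HASHES, SAMPLE_REGISTRY)
    for finding in audit(*state) or ["no bypass artefacts found"]:
        print(finding)
```

Hash comparison is deliberately against the host's own cmd.exe rather than a vendor hash list, so it works across patch levels; pair it with an Authenticode signature check of the three binaries (sigcheck or Get-AuthenticodeSignature) to catch a copy of something other than cmd.exe.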

Now, let us leave the old stuff behind and move on to something new(ish).

4. PRESENTING: WINDOWS 8

Finally, the essentials of this paper: the login authentication methods that are new in Windows 8. We start with some background material about the "root of all evil", the Data Protection Application Programming Interface (DPAPI) and the Windows Vault.

4.1 Data Protection Application Programming Interface and Windows Vault

First a little about DPAPI, about which it is very difficult to find official information. Books like "Windows Internals", which in most cases answer almost anything about the internals of Windows, do not contain any information about the Windows Vault or the Data Protection Application Programming Interface (DPAPI). The only information available from Microsoft is the public interface to DPAPI; no internal details are published. Could it be because of the serious vulnerabilities in these features of Windows? There have been multiple attempts at reverse engineering it; the best sources are the Russian company Passcape [Passcape 2012a] and the paper "Recovering Windows Secrets and EFS Certificates Offline" [Burzstein and Picod 2010] by Elie Bursztein et al., which presents a complete reverse engineering of DPAPI. Together with this paper, Bursztein et al. also released an application called DPAPick, which can be used to decrypt DPAPI secrets offline. The paper is highly recommended if the reader wants to learn the detailed internals of DPAPI.

From Windows 2000, Microsoft has included a special data protection interface called the Data Protection Application Programming Interface, DPAPI for short. This interface makes it easy to store sensitive data on disk under Windows, and DPAPI is currently used by many Windows applications and subsystems, handling tasks like key storage for the Encrypting File System, wireless network keys, Internet Explorer, Outlook, Skype, Credential Manager, the Windows Vault and so on. Each encrypted unit is called a "blob". DPAPI is considered very easy to use for encryption (CryptProtectData) and decryption (CryptUnprotectData) of data, and is therefore very popular among programmers. The Russian company Passcape was the first to release software capable of decrypting and extracting data that had been encrypted with DPAPI on a live system.

In theory DPAPI sounds very secure. It uses well-known and proven cryptographic algorithms; Windows 7, for example, uses AES-256 in CBC mode for encryption, SHA-512 for hashing and PBKDF2 as the password-based key derivation routine. There is no available information about the algorithms used in Windows 8.x, but we can assume they are the same as in Windows 7. This sounds secure, but there are vulnerabilities. The operating system needs to be able to read DPAPI-protected data without any dialogue with the user, so the keys needed to decrypt the blobs must be in memory once they have been decrypted from the master key file. Since the master key is protected with a key derived from the user's logon password, resetting that password from outside Windows (as in section 3.3) makes the user's DPAPI data unreadable, whereas changing it through Windows re-encrypts the master key. The keys in memory are what tools like the ones from Passcape, and mimikatz, use to extract login passwords from a running Windows system, which will be discussed in the following sections. Up until Windows 8 it was only possible to decrypt data belonging to the currently logged-in user on the actual system using DPAPI. With DPAPI-NG in Windows 8 it is possible to decrypt and extract data from all users, even if the files used by DPAPI are extracted and imported into another system. As mentioned, the Windows Vault uses DPAPI to encrypt and store passwords used by applications in Windows and by Windows itself. The Windows Vault was introduced in Windows 7 as a replacement for the Credential Manager used in earlier versions of Windows, and it is what the PIN, picture password and fingerprint login authentication methods use.

4.2 PIN codes and their vulnerabilities

The main thing to worry about when it comes to PIN codes as login authentication in Windows 8 is that Microsoft only gives you the option of four digits. This reduces the keyspace drastically, and when humans choose the PIN there is a pretty big chance it will be relatively easy to guess, especially if the adversary has some knowledge about the victim. One can wonder why on earth Microsoft limited PIN codes to four digits. Significant research has been done on the security of PIN codes. Statistical analysis of PIN codes extracted from password leaks like the RockYou leak mentioned earlier has produced some interesting facts about PIN codes. Research has been done among others by Joseph Bonneau et al. at the University of Cambridge [Bonneau et al. 2012] and by the company DataGenetics [DataGenetics 2012]. Below is a table showing the 20 most used PIN codes, from a statistical analysis of 3,400,000 PIN codes done by DataGenetics in 2012 [DataGenetics 2012].

Nr  PIN   Frequency
 1  1234  10.713%
 2  1111   6.016%
 3  0000   1.881%
 4  1212   1.197%
 5  7777   0.745%
 6  1004   0.616%
 7  2000   0.613%
 8  4444   0.526%
 9  2222   0.516%
10  6969   0.512%
11  9999   0.451%
12  3333   0.419%
13  5555   0.395%
14  6666   0.391%
15  1122   0.366%
16  1313   0.304%
17  8888   0.303%
18  4321   0.293%
19  2001   0.290%
20  1010   0.285%


Enough about general PIN code weaknesses. The rest of this section applies not only to the use of PIN codes in Windows 8; it also applies to picture passwords and to some degree to the fingerprint login. It is discussed here because this paper treats PIN codes first; information and vulnerabilities that apply only to picture passwords and fingerprints are discussed in later sections. In 2012 it became publicly known that Windows 8 stores the login password in an easily recoverable way when a PIN or picture password is in use. This is because it is stored in the Windows Vault, which uses DPAPI, as discussed earlier in this paper. Using a tool from Passcape it was possible to easily extract the users' passwords in clear text [Passcape 2012c]. On the 8th of January 2014, I came in contact with Benjamin Delpy, aka "gentilkiwi", the man behind the open-source tool mimikatz, on Twitter, and asked him how this was done. A few hours later he had included this feature in mimikatz. Some days later Mr Delpy published a post on his blog describing how it was done [Delpy 2014e].

The extraction of the regular password, the PIN code and the picture password coordinates using mimikatz is shown below.

Running mimikatz with the commands privilege::debug, token::elevate, vault::list and exit gives the output below. Note that some non-interesting lines are removed from the output to save space in this paper.

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Mar 2 2014 22:44:55)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 14 modules * * */

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

<snip>....<snip>

mimikatz(commandline) # vault::list

Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}

<snip>....<snip>

0. Picture Password Credential

<snip>....<snip>


*** Picture Password ***
User     : venue\John Doe
Password : Password00
Picture password (grid is 150*100)
 [0] line  (x = 17 ; y = 5) -> (x = 33 ; y = 65)
 [1] point (x = 70 ; y = 21)
 [2] point (x = 80 ; y = 20)

1. PIN Logon Credential

<snip>....<snip>

*** Pin Logon ***
User     : venue\John Doe
Password : Password00
PIN Code : 2580

2. PIN Logon Credential

<snip>....<snip>

*** Pin Logon ***
User     : venue\Jane Doe
Password : TopSecret123!
PIN Code : 1234

<snip>....<snip>
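For an incident responder or auditor who has such a listing in hand, the useful question is which accounts now have to be treated as compromised. The following is an added example (not code from the paper or from mimikatz) that parses the vault::list output format shown above and reports, per account, which logon methods placed a plaintext password in the Vault, without keeping the secrets themselves. The sample dump is constructed to mirror the listing above (fictitious users and secrets); the record fields and function names are this example's own assumptions.

```python
"""Added example: parser for the mimikatz vault::list layout shown in the paper,
used to inventory accounts whose plaintext password is recoverable from the
Windows Vault.  Sample dump constructed; field and function names assumed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, following the layout of the mimikatz output in the paper.
SAMPLE_DUMP = r"""
mimikatz(commandline) # vault::list

Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}

0. Picture Password Credential

*** Picture Password ***
User     : venue\John Doe
Password : Password00
Picture password (grid is 150*100)
 [0] line  (x = 17 ; y = 5) -> (x = 33 ; y = 65)
 [1] point (x = 70 ; y = 21)
 [2] point (x = 80 ; y = 20)

1. PIN Logon Credential

*** Pin Logon ***
User     : venue\John Doe
Password : Password00
PIN Code : 2580

2. PIN Logon Credential

*** Pin Logon ***
User     : venue\Jane Doe
Password : TopSecret123!
PIN Code : 1234
"""

HEADER = re.compile(r"^\*\*\* (?P<kind>.+?) \*\*\*$")          # "*** Pin Logon ***"
FIELD = re.compile(r"^(?P<key>User|Password)\s*:\s*(?P<val>.*)$")
GESTURE = re.compile(r"^\s*\[\d+\] (?:line|point|circle)\b")   # picture password gestures


@dataclass
class VaultCredential:
    kind: str                        # e.g. "Picture Password" or "Pin Logon"
    user: str = ""
    password_present: bool = False   # a plaintext password was listed for this entry
    gestures: int = 0                # picture password only: gestures stored


def parse_vault_list(text: str) -> list[VaultCredential]:
    """Walk the dump line by line; a '*** ... ***' header opens a new record."""
    records: list[VaultCredential] = []
    current: VaultCredential | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = VaultCredential(kind=m.group("kind"))
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            if m.group("key") == "User":
                current.user = m.group("val").strip()
            else:
                # Record only that a password is present; the secret itself is discarded.
                current.password_present = bool(m.group("val").strip())
            continue
        if GESTURE.match(raw):
            current.gestures += 1
    return records


def exposed_accounts(records: list[VaultCredential]) -> dict[str, set[str]]:
    """Map each account whose plaintext password sits in the Vault to the logon
    methods responsible: these are the accounts to rotate and to move off
    PIN/picture/fingerprint logon once the Vault has been exposed."""
    out: dict[str, set[str]] = {}
    for r in records:
        if r.password_present:
            out.setdefault(r.user, set()).add(r.kind)
    return out


if __name__ == "__main__":
    for user, kinds in exposed_accounts(parse_vault_list(SAMPLE_DUMP)).items():
        print(f"{user}: password recoverable via {', '.join(sorted(kinds))}")
```

Run on the constructed dump, the report lists both venue\John Doe (picture password and PIN logon) and venue\Jane Doe (PIN logon) as accounts whose domain password must be considered known to anyone who has read the Vault.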

When combining mimikatz with Kon-Boot, which was mentioned earlier, it is possible to bypass login authentication and extract login credentials for all users of the system. This is also valid when the computer and user are members of a domain in Active Directory. So even though the adversary does not get access to domain resources when using authentication bypass tools like Kon-Boot or the Inception Firewire attack, he can compromise a domain account with the following steps:

(1) Bypass authentication with for example Kon-Boot or Inception

(2) Extract passwords from the Vault using mimikatz

(3) Reboot computer

(4) Log in with valid credentials obtained in previous steps

(5) Jackpot! The adversary has access to the victim's domain resources.

It is also very interesting to know that the password vault is global, so once logged in to a system as an administrator, the user can extract login credentials for all users of the system.

Instead of bypassing the login with tools like Kon-Boot, mimikatz can also be run in the system-privileged cmd.exe obtained from the "Utilman authentication bypass" attack, as shown in figure 3.


Fig. 2. cmd.exe running as utilman.exe on the Windows 8.1 login screen

4.3 Picture password and its vulnerabilities

Picture passwords are a new login authentication method in Windows 8, based on the gesture authentication previously in use on both Android and iOS devices with touchscreens. The way this method works is that the user defines three gestures used for authentication. Each of the three gestures can be a single point, a circle or a line, on a 100 by 150 grid. In the mimikatz output in the section about PIN codes above, the coordinates for the different gestures on the picture in figure 3 are shown. The line (1) goes from the top to the bottom of The Terminator's shotgun, the first dot (2) is the left glass of his sunglasses, and the second dot (3) is the right glass.

If Microsoft fixes these issues, the picture password method looks very promising, with a high number of possible combinations, and it is easy to use on touchscreen devices.

As mentioned in the section about PINs, the vault attack is the same when using a picture password.

Also, there exist a couple of not so technical attacks on touchscreen devices, both for PIN and picture password. The smudge attack is a method to find the gesture pattern used to unlock touchscreen devices using this form of authentication. This attack relies on detecting the smudge left on the screen by grease from the user's fingers. Using proper lighting, camera settings and image processing software, both a gesture and a PIN code can, in many cases, be recovered. This attack was first made publicly known by a research team from the University of Pennsylvania, at the 4th USENIX conference on Offensive Technologies [Aviv et al. 2010]. The smudge attack is in many ways similar to number keypads that have some numbers more worn than others, which in many cases can make it possible for an adversary to see commonly used digits. Another vulnerability that both PIN codes and picture passwords might be more exposed to is shoulder surfing [Long and Mitnick 2011], since it is much easier to see the gesture on a picture than the characters typed on a keyboard.

Fig. 3. The picture password login screen, with coordinates.

4.4 Fingerprints and its vulnerabilities

From Windows 8.1, Windows got native support for fingerprint login authentication [Microsoft 2013]. Knowing this, and how the PIN and picture password functions store their credentials, I was curious about how this was done with fingerprints. Not able to find any information about this, I once again asked Benjamin Delpy, on the 20th of January. On the 23rd, he had implemented this in mimikatz as well [Delpy 2014f]. It turns out that, as suspected, the fingerprint login stores its information in the same way as PIN and picture password, in the Vault. Therefore, it is also possible to extract the login passwords when fingerprint login is in use. With more knowledge on the subject, I was able to find that Passcape had already implemented this in their commercial "Windows Vault Explorer" in 2012 [Passcape 2012b]. In addition, the fingerprint authentication in Windows is of course vulnerable to all the classical attacks on fingerprint readers, like for example a fingerprint printed on paper, latex fingers etc. This can be seen in for example the Discovery Channel show Mythbusters, episode 59 "Crimes and Myth-Demeanors 2" [Mythbusters 2006].


4.5 Multi-factor login authentication and its vulnerabilities

On the 23rd of February, Benjamin Delpy once again proved his skills and released a new feature in mimikatz. It was now possible to extract the PIN code used when a smart card is used instead of a password for Windows login authentication [Delpy 2014c]. According to Mr Delpy, this is valid when the native Windows support for smart cards is used. Because of the lack of equipment to test the extraction of PIN codes, this has not been experimented with for this paper. Not much information about this attack has been released yet, so there isn't much publicly available information about how it is done, but it can be assumed that it works very similarly to the extraction of the password when PIN and picture password are used, see Figure 4.

Fig. 4. A smartcards PIN code extracted with the use of mimikatz [Delpy 2014c]

5. CONCLUSION

Many of the attacks mentioned in this paper seem like they are from a Hollywood spy movie, but this is the reality. Microsoft has some strange vulnerabilities in their login authentication, for which there is no simple explanation why they are still there. Both myself and others have tried to get in touch with the Microsoft security team to get answers on why these techniques are still possible, but without luck. People who are into computer security, like the reader of this paper probably is, tend to be aware of the risks to their computer, but the average person does not think of this.

One of the most important security measures for computers and other computer-like devices is the use of Full Disk Encryption (FDE). This will prevent an adversary from accessing data on the computer's hard disk, and thereby also prevent an adversary from bypassing the login to the operating system. From Windows 7, Microsoft included an FDE method called BitLocker, which is very easy to set up and simple to use. The user of the computer will not notice the existence of BitLocker, except by a very slight decrease in performance [Hardware 2010]. If FDE is not an option, for some reason, security measures like for example a BIOS password or hard disk passwords can also be used. A BIOS password does not prevent an adversary from removing the hard disk from a computer and retrieving either the password hashes from the SAM file or the Windows Vault from the vault files. What it prevents is for example the use of tools like Kon-Boot, or other live CDs/DVDs/pendrives capable of either resetting passwords or extracting hashes, when the adversary isn't able to remove the disk. Hard disk passwords, also known as ATA passwords, are something of their own. They are by some company policies considered just as good as FDE, but this is not disk encryption; it just uses a part of the ATA standard for hard disks, and in many cases there exists a master password which overrides the one set by the user [ISEE0XDEADDISKS 2008]. Firewire attacks bypass all protection of the hard disk if a user has locked a logged-in system. To mitigate this, the Firewire and/or PCMCIA port must be disabled in some way, or automatic PCMCIA driver installation should be disabled.

The final conclusion of this paper must be: never leave your computer unattended!

REFERENCES

Amazon. 2014. Amazon EC2 pricing. http://aws.amazon.com/ec2/pricing/. Accessed: 21.feb.2014.

Amplia. 2013. Windows credential manager. http://www.ampliasecurity.com/research/windows-credentials-editor/. Accessed: 6.mar.2014.

Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX conference on Offensive technologies. USENIX Association, 1–7.

Bonneau, J., Preibusch, S., and Anderson, R. 2012. A birthday present every eleven wallets? The security of customer-chosen banking PINs. In Financial Cryptography and Data Security. Springer, 25–40.

Burzstein, E. and Picod, J. M. 2010. Recovering Windows secrets and EFS certificates offline. In Proc. of the 4th USENIX Conference on Offensive Technologies. Berkeley, USA: USENIX Association.

DataGenetics. 2012. PIN analysis. http://www.datagenetics.com/blog/september32012/. Accessed: 7.jan.2014.

Delpy, B. 2011. Re – pass the pass. http://blog.gentilkiwi.com/securite/re-pass-the-pass. Accessed: 24.feb.2014.

Delpy, B. 2012. Re - re – pass the pass. http://blog.gentilkiwi.com/securite/rere-pass-the-pass. Accessed: 24.feb.2014.

Delpy, B. 2014a. Blog de gentil kiwi. http://blog.gentilkiwi.com. Accessed: 21.feb.2014.

Delpy, B. 2014b. mimikatz. http://blog.gentilkiwi.com/mimikatz. Accessed: 17.jan.2014.

Delpy, B. 2014c. mimikatz can now extract *pin code* of smartcards associated with logon sessions. https://twitter.com/gentilkiwi/status/437719635404673025/photo/1. Accessed: 26.feb.2014.

Delpy, B. 2014d. Pass the pass. http://blog.gentilkiwi.com/securite/pass-the-pass. Accessed: 24.feb.2014.

Delpy, B. 2014e. Windows 8, code pin et mot de passe image. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-code-pin-mot-de-passe-image. Accessed: 23.jan.2014.

Delpy, B. 2014f. Windows 8, empreintes digitales. http://blog.gentilkiwi.com/securite/mimikatz/windows-8-empreintes-digitales. Accessed: 24.jan.2014.

Dieterle, D. W. 2014. Basic Security Testing with Kali Linux, 1 ed. CreateSpace Independent Publishing Platform.

Falde, K. 2013. Restricted admin mode for RDP in Windows 8.1 / 2012 R2. http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx. Accessed: 18.feb.2014.

Freerainbowtables. 2014. Rainbow tables available. https://www.freerainbowtables.com/en/tables2/. Accessed: 26.feb.2014.

Griffin, D. 2007. Create custom login experiences with credential providers for Windows Vista. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx. Accessed: 24.feb.2014.

Hagen, P. N. 2014. Offline NT password and registry editor. http://pogostick.net/~pnh/ntpasswd/. Accessed: 23.feb.2014.

Hardware, T. 2010. System encryption: BitLocker and TrueCrypt compared. http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587-9.html. Accessed: 24.jan.2014.

ISEE0XDEADDISKS. 2008. List of hard disk ATA master passwords. http://ipv5.wordpress.com/2008/04/14/list-of-hard-disk-ata-master-passwords/. Accessed: 21.feb.2014.

Long, J. and Mitnick, K. 2011. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Elsevier Science.

Lowe, M. 2013. New "restricted admin" feature of RDP 8.1 allows pass-the-hash. https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/. Accessed: 18.feb.2014.

Maartmann-Moe, C. 2011. Inception. http://www.breaknenter.org/projects/inception/. Accessed: 18.feb.2014.

McClure, S., Scambray, J., Kurtz, G., and Kurtz. 2009. Hacking exposed: network security secrets and solutions. McGraw-Hill.

Microsoft. 2013. What's new in biometrics in Windows 8.1. http://technet.microsoft.com/library/dn344916.aspx. Accessed: 24.jan.2014.

Microsoft. 20xx. MSV1_0 authentication package. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx. Accessed: 24.feb.2014.

Mythbusters. 2006. Fingerprint scanners are unbeatable. http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm. Accessed: 18.feb.2014.

Passcape. 2011. LSA secrets in Windows. http://www.passcape.com/index.php?setLang=2&section=blog&cmd=details&id=15. Accessed: 21.feb.2014.

Passcape. 2012a. DPAPI secrets. Security analysis and data recovery in DPAPI (part 1). http://www.passcape.com/index.php?section=blog&cmd=details&id=20. Accessed: 21.feb.2014.

Passcape. 2012b. Security breach in Windows 7 and Windows 8 biometric authentication. http://www.passcape.com/index.php?section=blog&cmd=details&id=31. Accessed: 23.jan.2014.

Passcape. 2012c. Windows 8 stores logon passwords in plain-text. http://www.passcape.com/index.php?section=blog&cmd=details&id=27. Accessed: 7.jan.2014.

Passcape. 2014. Passcape. http://www.passcape.com. Accessed: 21.feb.2014.

Pilkington, M. 2012. Protecting privileged domain accounts: Disabling encrypted passwords. http://digital-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords. Accessed: 24.feb.2014.

Rapid7. 2011. Microsoft Windows authenticated administration utility. http://www.rapid7.com/db/modules/auxiliary/admin/smb/psexec_command. Accessed: 18.feb.2014.

Ronin. 2014. Passing the hash with remote desktop. http://www.kali.org/penetration-testing/passing-hash-remote-desktop/. Accessed: 18.feb.2014.

Skullsecurity. 2011. Passwords. https://wiki.skullsecurity.org/Passwords. Accessed: 21.feb.2014.

Spylogic. 2008. What is digest authentication? http://www.spylogic.net/2008/05/winlockpwn-more-then-a-partytrick/. Accessed: 20.feb.2014.

Superuser. 2012. How to get a screensaver at the Windows 7 login screen? http://superuser.com/questions/107200/how-to-get-a-screensaver-at-the-windows-7-login-screen. Accessed: 26.feb.2014.

thelead82. 2013. Kon-Boot for Windows. http://www.thelead82.com/products-win.html. Accessed: 17.jan.2014.

Wolthusen, S. D. 2014. Lecture slides IMT4541 Foundations in Information Security.

xkcd. 2013. Password strength. https://xkcd.com/936/. Accessed: 24.jan.2014.

ZDNet. 2014. The history of Windows: A timeline. http://www.zdnet.com/the-history-of-windows-a-timeline-7000025145/. Accessed: 18.feb.2014.

Zhao, Z., Ahn, G.-J., Seo, J.-J., and Hu, H. 2013. On the security of picture gesture authentication. In Proceedings of the 22nd USENIX conference on Security. USENIX Association, 383–398.