DEF CON 32 - Abusing Windows Hello Without a Severed Hand - Ceri Coburn, Dirk-jan Mollema

DEFCONConference

Windows Hello is touted by Microsoft as the modern de facto authentication scheme on Windows platforms, supporting authentication and encryption backed by biometrics. In a world that is quickly accelerating towards a passwordless existence, what new threats do we face in this complex landscape? We will take a deep dive into the inner workings of Windows Hello. Via the release of a new tool, it will be demonstrated how an attacker on a fully compromised Windows host can leverage secrets backed by Windows Hello biometrics without needing the biometric data that protects them. We will also show how the hardware protections of Windows Hello and its accompanying Primary Refresh Tokens can be defeated, making it possible to use Windows Hello for identity persistence and PRT stealing, in some cases even without Administrator access on the host.

Comments
@ФеофанЭтополедолжнобытьзаполне 3 months ago
2024 @ Having signature timestamps but ignoring them completely. That's what you get for letting AI write code for you.
@bosschichi 3 months ago
Did they use the 9.dat container for backdoor purposes later?
@ReineDedeurwaerder-Sulmo-rz9cz 3 months ago
Where are the magiik mush-room (Walsh!)
@newmonengineering 3 months ago
I have said since JWT came out, it's not a good security method at all. If you can sniff the network you can capture JWT tokens and use them in the header requests. We need to move to a browser only protocol for authentication. The browser needs to send its own security key on a separate port to the webserver and the browser needs to verify the domain name matches before sending anything to prevent fake urls used in phishing attacks. It will require all browsers and web servers to adopt this but it would be significantly more secure than just sending a header /cookie within the https request.
@Circe-wz3kg 3 months ago
well said
@svettnabb 3 months ago
What? If you can sniff the network and steal tokens either the traffic is unencrypted, you have system level access, or you have broken the encryption. Sending on another port would not solve any of this.
@Circe-wz3kg 3 months ago
@svettnabb thanks for activating my critical thinking skills. You are right, the port absolutely makes no difference if the traffic is unencrypted.
@svettnabb 3 months ago
@Circe-wz3kg - The proxy abuse could be solved with DH and pinned certificates, especially using http/3, but this brings some other issues, but it's not impossible to solve.
@Hellbutt 3 months ago
I have no idea what any of this means but I agree