Posts Tagged ‘DefCon32’
[DefCon32] Redefining V2G: How to Use Your Vehicle as a Game Controller
Modern vehicles, intricate networks of computers on wheels, offer more than mobility—they can become game controllers. Timm Lauser and Jannis Hamborg, researchers from P3 Group, present Vehicle-to-Game (V2G), a Python-based project that transforms cars into Bluetooth gamepads. By leveraging the CAN bus or OBD2 port, V2G maps vehicle inputs like steering or pedals to game controls, blending automotive hacking with playful innovation.
Timm and Jannis, driven by curiosity about vehicle networks, developed V2G to run on laptops or Raspberry Pi Zero WH, requiring reverse-engineering of CAN messages or UDS diagnostics. Their work, accessible via a public GitHub repository, invites enthusiasts to explore car interfaces while highlighting the accessibility of automotive security research.
Understanding Vehicle Networks
Timm explains vehicle architectures, where CAN buses and diagnostic ports like OBD2 facilitate communication between ECUs. V2G intercepts signals from components like the steering wheel or accelerator, translating them into gamepad inputs. This requires understanding proprietary CAN messages, often unique to each vehicle model.
Their Volkswagen ID.3 demo showcases real-time mapping of driving inputs to game controls, illustrating the project’s practicality.
Building the V2G Framework
Jannis details V2G’s implementation, using Python to interface with CAN buses via affordable hardware. The framework supports Bluetooth gamepad emulation, allowing cars to control games like racing simulators. Reverse-engineering CAN signals, though labor-intensive, is achievable with tools like CAN-utils, making V2G adaptable to various vehicles.
The open-source release encourages community contributions, with QR codes linking to the repository for further development.
Creative Applications and Challenges
Beyond gaming, V2G sparks interest in automotive interfaces, such as heads-up display integration. Timm and Jannis explore connecting to in-car screens via adapters, though cost remains a barrier. Flight simulator mapping, suggested by an audience member, highlights V2G’s versatility for unconventional inputs.
Challenges include model-specific CAN protocols and hardware costs, but the project lowers barriers for hobbyists and researchers.
Implications for Automotive Security
While playful, V2G underscores the accessibility of vehicle networks, a double-edged sword for security. Exposed interfaces like OBD2 ports are potential attack vectors, urging manufacturers to secure diagnostic communications. Timm and Jannis advocate responsible exploration, fostering learning without compromising safety.
Links:
[DefCon32] Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
Email addresses, seemingly mundane, harbor complexities that can unravel security controls. Gareth Heyes, a security researcher at PortSwigger, exposes how arcane RFC standards governing email parsing enable attackers to bypass access controls. By crafting RFC-compliant email addresses, Gareth demonstrates spoofing domains, accessing internal systems, and executing blind CSS injection. His toolkit, integrated with Burp Suite, automates these attacks, revealing vulnerabilities in applications and libraries.
Gareth’s exploration, rooted in parser discrepancies, shows how seemingly valid emails can route to unintended destinations, undermining Zero Trust architectures. His methodology and open-source tools empower researchers to probe email-handling systems, urging developers to fortify defenses against these subtle yet potent attacks.
The Chaos of Email RFCs
Gareth begins with the convoluted RFCs defining email syntax, which allow exotic encodings like Unicode overflows and encoded words. These standards, often misunderstood, lead to parser inconsistencies. For example, an email ending in @example.com might route elsewhere due to mishandled Unicode or Punycode, breaking domain-based authorization.
Case studies illustrate real-world exploits, including bypassing employee-only registrations and accessing internal systems by exploiting parser flaws.
Exploiting Parser Discrepancies
Using tools like Hackverter and Turbo Intruder, Gareth automates the generation of malicious email addresses. His Punycode fuzzer, for instance, substitutes placeholders with random characters, uncovering exploitable parser behaviors. A notable exploit involved GitHub’s handling of null characters, found via Turbo Intruder, leading to unauthorized access.
These techniques transform harmless inputs into payloads that misroute emails or inject CSS, compromising application security.
Defensive Strategies
Gareth advocates filtering encoded words and verifying email addresses before use, even from trusted SSO providers. Relying solely on domains for authorization is perilous, as demonstrated by his exploits. Regular expression sanitization and strict validation can mitigate risks, ensuring emails route as intended.
He references influential blog posts by researchers like Pep Villa, emphasizing community knowledge-sharing to bolster defenses.
Tools and Future Research
Gareth’s toolkit, including a Burp Suite wordlist and a vulnerable Joomla Docker instance, enables researchers to replicate his attacks. A Web Security Academy CTF further hones skills in email splitting. He encourages exploring additional parser vulnerabilities, such as those in mailer libraries, to uncover new attack vectors.
Links:
[DefCon32] Sshamble: Unexpected Exposures in the Secure Shell
The Secure Shell (SSH), a cornerstone of secure communication, powers a vast array of systems beyond traditional POSIX environments, from network devices to Windows file transfer tools. HD Moore and Rob King, security researchers at Rumble, Inc., delve into the lesser-known implementations of SSH, uncovering surprising vulnerabilities. Their presentation introduces “Sshamble,” an open-source tool designed to probe SSH services, revealing weaknesses in diverse implementations. With OpenSSH dominating 80% of deployments, HD and Rob explore the long tail of alternative servers, exposing flaws like null byte password acceptance in honeypots and key mismanagement.
Their journey, sparked by the XZ backdoor investigation, reveals tens of thousands of vulnerable SSH instances. By analyzing server behaviors and handshake anomalies, Sshamble empowers researchers to identify and exploit misconfigurations, urging a reevaluation of SSH’s assumed security.
The Landscape of SSH Implementations
HD outlines SSH’s evolution from a remote shell to a ubiquitous transport protocol, second only to TLS. While OpenSSH prevails, alternatives like Dropbear and niche libraries in devices and forges introduce variability. Their research uncovers servers accepting invalid credentials or mangled requests, often indicative of honeypots or flawed implementations. For instance, many honeypots accept null byte passwords, a trait absent in legitimate OpenSSH setups.
This diversity, while functional, creates an attack surface ripe for exploitation, as non-standard servers deviate from expected security models.
Sshamble: A Tool for Discovery
Rob introduces Sshamble, a versatile tool that scans SSH services across specified ports, performing handshakes to detect anomalies. It identifies honeypots by exploiting behaviors like accepting any public key or malformed passwords. The tool’s open-source release on GitHub encourages community contributions, enhancing its ability to catalog and test SSH implementations.
Demonstrations show Sshamble pinpointing vulnerable servers, including those misconfigured to accept arbitrary credentials, highlighting the need for rigorous server validation.
Exploiting SSH Weaknesses
HD details specific vulnerabilities, such as key generation issues in libraries and servers that bypass standard authentication. While client-side tools like PuTTY were not the focus, server-side flaws dominate, with some implementations ignoring protocol specifications. These gaps allow attackers to bypass authentication or inject malicious data, compromising systems.
The XZ backdoor, though not directly exploitable, inspired their broader exploration, revealing systemic issues in SSH ecosystems.
Mitigating SSH Risks
Rob emphasizes hardening SSH deployments through strict configuration and regular audits. Disabling null byte passwords, enforcing strong key management, and monitoring handshake behaviors mitigate risks. Sshamble aids defenders by identifying weak implementations, urging organizations to standardize on robust servers like OpenSSH.
The talk concludes with a call for ongoing research into SSH’s evolving attack surface, leveraging tools like Sshamble to bolster defenses.
Links:
[DefCon32] The Hack, the Crash, and Two Smoking Barrels
The automotive industry’s rush to pack vehicles with connectivity exposes a glaring cybersecurity gap. Thomas Sermpinis, a security researcher at Upstream Security, navigates this “underworld” of car manufacturing, where tight deadlines and complacent engineering sideline security. His narrative, punctuated by real-world exploitations and a live ECU demo, exposes vulnerabilities in vehicle architectures and advocates for systemic change.
Thomas, leveraging his expertise in embedded systems, recounts discovering zero-day flaws and convincing skeptical engineers of their severity—sometimes by engaging brakes mid-drive. His stories highlight the tension between innovation and safety, contrasting mainstream manufacturers with a smaller OEM’s robust security design.
Automotive Architecture Vulnerabilities
Thomas outlines vehicle architectures, where ECUs (Electronic Control Units) manage critical functions like braking and steering. Legacy designs, reliant on CAN bus protocols, lack encryption, making them susceptible to injection attacks. He demonstrates exploiting a zero-day to manipulate an ECU, showcasing real-time risks like unauthorized control.
Mainstream OEMs, driven by cost, lag in adopting secure protocols like Automotive Ethernet, leaving vehicles exposed to remote attacks.
Engaging Engineers and Industry
A pivotal moment in Thomas’s journey involves a live demo, where an engineer experiences a brake lock triggered by a flaw. This visceral proof shifts perspectives, underscoring the need for security prioritization. He critiques the “good enough” mentality fueled by capitalism, where budgets trump safety.
His modular toolkit, Caribou Next, a fork of Caring Caribou, enables standardized attacks across vehicles, highlighting systemic weaknesses.
Lessons from a Secure OEM
Thomas contrasts mainstream failures with a small manufacturer, likely Tesla, whose IT-centric approach yields a centralized, secure architecture. By treating vehicles as software platforms, this OEM implements robust encryption and authentication, resisting common exploits.
This model, though not universal, offers a blueprint for industry-wide improvements, emphasizing proactive security integration.
Raising Awareness and Future Steps
Thomas urges collaboration between researchers, OEMs, and regulators to enforce security standards. Emerging technologies like secure CAN transceivers show promise, but adoption lags. His demos, shared responsibly, aim to spark interest in automotive hacking, driving awareness to protect lives.
Links:
[DefCon32] Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows
In a world where physical barriers seem to shield sensitive data, Samy Kamkar reveals how light and sound betray secrets. A renowned security researcher, Samy introduces a laser-based eavesdropping technique that captures keystrokes through glass windows, targeting air-gapped systems. His accessible approach, requiring minimal technical expertise, leverages physics to extract signals from noise, demonstrating vulnerabilities in seemingly secure environments.
Samy, known for past innovations like the MySpace worm, explores side-channel attacks rooted in historical TEMPEST research by the NSA and KGB. By directing lasers at reflective surfaces, he captures vibrations from typing or audio, decoding them into actionable data. This method, blending optical and radio signal processing, exposes the fragility of physical security in modern systems.
Physics of Signal Leakage
Samy demystifies how energy forms—light, sound, vibration—travel through air, undermining air-gapped systems. Electrical signals emit electromagnetic waves, capturable via radio or optical methods. His laser microphone, pointed at a window, detects minute vibrations from keystrokes or ambient sound, converting them into audible signals.
Historical attacks, like the KGB’s 1940s “The Thing” device, inform his approach. By combining affordable components like lasers and photodiodes, Samy reconstructs clear audio, demonstrating the technique’s accessibility.
Keystroke Recovery and Analysis
Using tools like FFmpeg and GNU Radio, Samy processes laser reflections to isolate keystroke sounds. Each key produces distinct acoustic signatures, which frequency analysis decodes, especially when paired with language models. For instance, 100–200 keystrokes suffice to infer typed content in English, akin to cracking a substitution cipher.
Demonstrations show a laptop’s reflective surface betraying typed text, with software recovering input at 10x speed. This highlights the technique’s real-world feasibility, even in noisy environments.
Mitigations and Challenges
Samy addresses noise reduction, a key challenge, by shifting processing to the radio domain, leveraging GNU Radio’s filtering capabilities. Potential defenses include anti-reflective coatings or white noise generators, though these are costly or impractical. He encourages exploring further signal processing improvements, such as advanced denoising algorithms.
The technique’s low cost—using consumer-grade lasers—makes it a potent threat, urging organizations to reassess physical security for sensitive systems.
Broader Implications for Security
Samy’s work extends beyond keyboards, suggesting vulnerabilities in any vibrating surface. He calls for community research into side-channel mitigations, emphasizing that “unhackable” claims invite scrutiny. His open-source tools, shared for experimentation, empower defenders to test and secure their environments.
Links:
[DefCon32] Reverse Engineering MicroPython Frozen Modules
In the realm of embedded systems, MicroPython empowers developers to deploy Python-based solutions on microcontrollers, fueling applications from industrial automation to DEF CON’s #badgelife projects. Wesley McGrew, a Senior Cyber Fellow at MartinFederal, unveils the intricacies of reverse-engineering MicroPython’s frozen modules—compiled code embedded in firmware. Unlike CPython, MicroPython’s unique bytecode and lack of tailored tools pose challenges for analysts. Wesley’s presentation guides enthusiasts through extracting and decoding these modules using Ghidra, offering a pathway to uncover their functionality without debug symbols.
Wesley’s expertise in reverse engineering and offensive security informs his approach, blending technical precision with practical demonstrations. He emphasizes that frozen modules, designed for efficiency, are not secure storage for secrets, especially as his methods expose their contents. This exploration not only aids badge hackers but also underscores the fragility of firmware-based protections.
Navigating Firmware with Ghidra
Wesley begins by addressing the challenge of locating frozen modules within firmware images. Using Ghidra, a powerful disassembler, he identifies module structures, strings, and object data without relying on debug symbols. MicroPython’s architecture, distinct from CPython, compiles modules into bytecode stored in flash memory, often alongside firmware updates.
He demonstrates parsing these structures, extracting raw code, and reconstructing non-frozen modules. This process, while manual, reveals the module’s purpose, from badge interactions to industrial controls, making it accessible for CTF enthusiasts and security researchers.
Decoding MicroPython Bytecode
Delving deeper, Wesley details MicroPython’s bytecode, a compact format optimized for microcontrollers. Unlike CPython’s well-documented opcodes, MicroPython’s require custom analysis. He walks through reading opcodes, mapping their functionality, and reconstructing logic, using a badge-life example to illustrate real-world applications.
This granular approach empowers analysts to understand module behavior, exposing vulnerabilities or unintended features. Wesley cautions against using frozen modules for obfuscation, as physical access to firmware—via flash dumps or over-the-air updates—renders them transparent.
Practical Implications and Community Tools
Wesley highlights the broader impact for badge-life communities, where MicroPython powers interactive devices. His techniques enable hackers to explore CTF challenges ethically, enhancing learning without disrupting competitions. He references resources like The Ghidra Book by Chris Eagle and Kara Nance, recommending it for mastering Ghidra’s capabilities.
While automation of extraction remains complex due to variable data structures, Wesley’s methods lay groundwork for future tools, fostering community-driven advancements in firmware analysis.
Ethical Considerations and Future Directions
Emphasizing responsible use, Wesley advises against exploiting these techniques to spoil CTFs or proprietary systems. Instead, he encourages playful exploration within ethical boundaries, leveraging open-source tools to advance MicroPython security. His work underscores the need for robust firmware protections, as physical access undermines current safeguards.
Links:
[DefCon32] SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
Despite advancements in database security, SQL injection persists through novel vectors. Paul Gerste, a security researcher, introduces protocol-level smuggling attacks, bypassing prepared statements by targeting database wire protocols. His research at [redacted], leveraging vulnerable driver libraries, demonstrates how attackers can inject malicious (No)SQL statements, leading to authentication bypasses, data leaks, and remote code execution.
Paul reimagines HTTP request smuggling for binary protocols, desynchronizing applications and databases. By manipulating message boundaries, attackers insert unauthorized queries, exploiting flaws in protocols like MySQL and PostgreSQL. His findings extend beyond databases, impacting message queues and caching systems, revealing a pervasive attack surface.
The talk explores real-world implications across programming languages and frameworks, offering insights into mitigating these threats and inspiring further protocol research.
Protocol Smuggling Mechanics
Paul illustrates how wire protocols, using length-based message fields, are susceptible to manipulation. By crafting oversized payloads, attackers trigger integer overflows, disrupting message parsing. A Go-based HTTP handler, assumed secure with prepared statements, falls to this attack, allowing query injection.
Demonstrations show desynchronization, where malicious messages execute as legitimate queries, bypassing application-layer defenses.
Real-World Applicability
Testing across languages like Python, Java, and Node.js, Paul finds varying resilience. Frameworks with strict input validation fare better, but many database drivers remain vulnerable. He identifies MySQL’s driver as particularly prone, with four-byte length fields enabling large payload exploits.
Caching systems and message queues, like Redis and RabbitMQ, exhibit similar flaws, broadening the attack’s scope.
Mitigation Strategies
Paul proposes robust input validation and size limits to thwart smuggling. Developers must prioritize protocol-level checks, avoiding assumptions about memory-safe languages. Integer overflows, often overlooked, enable these attacks, necessitating renewed scrutiny.
He advocates auditing driver libraries and enforcing strict message boundaries to restore database integrity.
Future Research Directions
Paul encourages exploring two-byte length fields, which ease exploitation, and delimiter-based protocols for alternative vulnerabilities. Large payload techniques could bypass framework restrictions, warranting further investigation.
His tools, shared for pentesting, empower researchers to probe additional protocols, ensuring comprehensive security.
Links:
[DefCon32] Listen to the Whispers: Web Timing Attacks that Actually Work
Timing attacks, long dismissed as theoretically potent yet practically elusive, gain new life through innovative techniques. James Kettle bridges the “timing divide,” transforming abstract concepts into reliable exploits against live systems. By amplifying signals and mitigating noise, Kettle unveils server secrets like masked misconfigurations, blind injections, hidden routes, and untapped attack surfaces.
Traditional hurdles—network jitter and server noise—once rendered attacks unreliable. HTTP/2’s concurrency, enhanced by Kettle’s single-packet method, synchronizes requests in one TLS record, eliminating jitter. Coalescing headers via sacrificial PING frames counters sticky ordering, making attacks “local” regardless of distance.
Server noise, from load variances to cloud virtualization, demands signal amplification: repeating headers for cumulative delays or denial-of-service tactics like nested XML entities. Repetition exploits caching, reducing variability; trimming requests minimizes unnecessary processing.
Parameter Discovery and Control Flow Insights
Kettle adapts Param Miner for time-based parameter/header guessing, uncovering hidden features on thousands of bug bounty sites. Timing reveals parameters altering responses subtly, like JSON-validated headers or cache keys signaling web cache poisoning risks.
Control flow changes, such as exceptions, emerge vividly. A Web Application Firewall (WAF) bypass exemplifies: repeated “exec” parameters trigger prolonged analysis, escalating to denial-of-service; excess parameters expose max-header limits, enabling evasion.
IP spoofing headers like “True-Client-IP” induce DNS caching delays, confirmed via pingbacks. Non-caching variants suggest third-party geo-lookups, bypassing with hostnames.
Server-Side Injection Vulnerabilities
Timing excels at blind injections in non-sleep-capable languages. Serde JSON injections manifest as microsecond differentials; combining with client-side reflections infers standalone processing, aiding exploitation.
Blind Serde parameter pollution contrasts reserved/unreserved characters, yielding exploits. Doppelgangers—non-blind equivalents—guide understanding, turning detections into impacts.
SQL injections via sleep evade WAFs but overlap existing tools; timing shines where sleep fails, though exploitation demands deep target insight.
Scoped Server-Side Request Forgery Detection
Overlooked for years, scoped SSRF—proxies accessing only target subdomains—defies DNS pingbacks. Timing detects via DNS caching or label-length timeouts: valid hostnames delay; invalids accelerate or prolong.
Automating exploration, Kettle probes subdomains directly and via proxies, flagging discrepancies like missing headers. Exploits span firewall bypasses, internal DNS resolutions uncovering staging servers, pre-launch consoles, and frontend circumventions.
Frontend impersonation leverages trusted internal headers for authentication bypasses, exploitable via proxies, direct backend access, or smuggling. Timing guesses header names, enabling severe breaches.
Links:
EN_DEFCON32MainStageTalks_004_005.md
[DefCon32] Breaking Secure Web Gateways for Fun and Profit
Secure Web Gateways (SWGs), integral to enterprise Secure Access Service Edge (SASE) and Security Service Edge (SSE) frameworks, promise robust defenses against web threats. Vivek Ramachandran and Jeswin Mathai expose architectural flaws in these systems, introducing “Last Mile Reassembly Attacks” that evade detection across major vendors. Their findings underscore the limitations of network-level analysis in confronting modern browser capabilities.
SWGs intercept SSL traffic for malware scanning, threat prevention, URL filtering, and data loss prevention (DLP). Yet, as browsers evolve into sophisticated compute environments, attackers exploit client-side processing to reassemble threats post-proxy. Ramachandran highlights how SWGs lack context on DOM changes, events, and user interactions, operating blindly on flat traffic. Cloud constraints—file size limits (15-50 MB) and incomplete archive scanning—exacerbate vulnerabilities, often forcing blanket policies.
Vendors’ service level agreements (SLAs) claim 100% prevention of known malware, but these attacks shatter such guarantees. Pricing models ($2-4 per user/month) prioritize efficiency over exhaustive analysis, leaving gaps in protocol support and file handling.
Unmonitored Channels and Hiding in Plain Sight
Mathai demonstrates unmonitored protocols like WebRTC, WebSockets, gRPC, and Server-Sent Events smuggling malware undetected. These channels, essential for real-time apps, bypass interception; blocking them degrades user experience. Demos show seamless downloads of known malicious files via these vectors, indistinguishable from standard HTTP.
Further evasion involves embedding payloads in HTML, CSS, JavaScript, or SVG, extracting them client-side for reconstruction. SWGs scan individual resources but miss browser-side assembly. Encryption/decryption and encoding/decoding (e.g., Base64, UUencode) transform binaries in memory, dropping unencrypted files without triggering content disposition headers.
Last Mile Reassembly Techniques
Core to their research, Last Mile Reassembly fragments files into chunks—straight splits, reverses, randomized sizes, or mixes—fetched via multiple requests and reassembled via JavaScript. SWGs analyze fragments independently, failing to detect malice. Extending to WebAssembly modules constructing documents (e.g., malicious Excel) locally, no file download occurs from the proxy’s view.
File uploads reverse this: insiders fragment sensitive data, sending as form submissions evading DLP rules. Overlapping fragments mimic historical network attacks, fully bypassing inspections.
Phishing sites, converted to MHTML archives and smuggled via reassembly, repaint via canvas, reusing known malicious pages undetected. SWGs fingerprint server-side but overlook client-side rendering.
Architectural Challenges and Vendor Responses
SWGs’ server-side nature precludes real-time browser syncing or per-tab emulation, unscalable amid millions of events. Ramachandran argues for browser-integrated security to access rich data, contrasting cloud-centric models’ economic allure with practical failures.
Vendor engagements yielded mixed results: some acknowledged issues and pursued fixes; others claimed partial detection or disengaged. Open-sourcing 25 bypasses at browser.security empowers testing, urging vendors to address rather than block the site.
Their toolkit facilitates red-team simulations, exposing SLAs’ fragility. Enterprises must rethink web threat defenses, prioritizing client-side visibility over network proxies.
Links:
[DefCon32] Abusing Windows Hello Without a Severed Hand
In the realm of cybersecurity, exploring vulnerabilities in authentication mechanisms often reveals unexpected pathways for exploitation. Ceri Coburn and Dirk-jan Mollema delve into the intricacies of Windows Hello, Microsoft’s passwordless technology, highlighting how attackers can manipulate its components without relying on physical biometric data. Their presentation uncovers the architecture of Windows Hello, from key storage providers to protectors and keys, demonstrating real-world abuses that challenge the system’s perceived robustness.
Coburn begins by outlining the foundational elements of Windows Hello, emphasizing its role in generating keys for operating system logins, passkeys, and third-party applications. The distinction between Windows Hello and Windows Hello for Business lies primarily in the latter’s focus on certificate-based authentication for Active Directory environments. Both utilize key storage providers (KSPs), which serve as APIs for cryptographic operations. Traditional providers include software-based ones, TPM-backed platforms, and smart card integrations, but Windows Hello introduces the Passport KSP, acting as a proxy to these existing systems.
The Passport KSP comprises two services: the NGC service for application communication via RPC and the NGC controller service for metadata storage under the local service account, accessible only with system-level privileges. Each user enrollment creates a unique container folder identified by a GUID, housing protectors, key metadata, and recovery options. Protectors represent authentication methods like PINs or biometrics, encrypting intermediate PINs that unlock enrolled keys. These intermediate PINs—split into signing, decryption, and external variants—remain constant across protectors, allowing bypasses once accessed.
Unprivileged Attacks and Primary Refresh Tokens
Shifting focus, Mollema addresses attacks feasible without administrative privileges, centering on Primary Refresh Tokens (PRTs) in Windows Hello for Business scenarios. PRTs function as single sign-on tokens, requested via JSON Web Tokens (JWTs) signed by device certificates, ensuring trust from Entra (formerly Azure AD). When using Windows Hello, these requests incorporate data signed by private keys, including nonces to prevent replays.
A critical flaw arises from the ability to generate assertions without prompting for PINs or biometrics post-login, as keys are cached in sessions. Mollema demonstrates crafting “golden assertions” with extended validity, though Microsoft mitigated this by enforcing nonces server-side in May 2024. Nonetheless, within a five-minute window, attackers can request new PRTs on rogue devices, bypassing TPM protections and enabling persistence for up to 90 days.
This technique exploits RDP scenarios where PRTs on non-TPM devices expose credentials. Even with virtualization-based security or LSA protections, such attacks persist, underscoring the need for device compliance monitoring and restrictions on RDP to non-TPM systems.
Privileged Exploitation of Containers and Protectors
Under privileged access, Coburn dissects container structures, revealing metadata in .dat files detailing user SIDs, backing KSPs, and recovery keys. Protectors encrypt intermediate PINs differently: PIN protectors use PBKDF2 derivation for software KSPs or hex conversion for TPM unsealing. Biometric protectors, surprisingly, rely on system DPAPI keys, enabling reversal without actual biometrics via Vault decryption.
Recovery protectors, exclusive to business scenarios, involve Azure-encrypted blobs requiring MFA claims, yet their storage outside protector folders poses risks. Pre-boot and deprecated companion device protectors receive brief mentions, with further research needed.
Abuses include brute-forcing software-backed PINs via Hashcat masks, exploiting known lengths for rapid cracks—seconds for eight digits. TPM-backed PINs resist better, though four-digit variants succumb in months due to anti-hammering.
Key Types and Persistence Implications
Enrolled keys leverage intermediate PINs: vault keys decrypt local passwords in consumer setups, entry keys handle business enrollments and passkeys, and external keys support third-party apps like Okta FastPass. Software-backed keys allow extraction off-device, amplifying risks.
Mollema extends this to PRT theft, using cached keys for assertions on different devices, even without TPMs, facilitating identity persistence. Reported vulnerabilities led to CVE assignments, with server-side enforcements post-July 2023.
Endpoint mitigations include Windows Hello Extended Session Security (ESS), rewriting containers in JSON under secure processes. Detections monitor NGC metadata access, alerting on non-controller processes.
Their tools—Shay for Hello abuses and ROADtools for Azure AD—aid offensive and defensive efforts, drawing from blogs by Teal and others.