Those familiar with enterprise wireless networks will likely be familiar with the Protected Extensible Authentication Protocol (PEAP). PEAP is a tunneled authentication protocol, which means that an SSL tunnel is first established with the RADIUS server (known as Phase 1) in order to protect the credential material sent during authentication (Phase 2). One of the most common inner authentication methods used in Windows environments is MSCHAPv2.

The MSCHAPv2 protocol has been around for a long time and has some severe cryptographic flaws, as demonstrated by Moxie Marlinspike and David Hulton in one of my all time favorite DEF CON talks. The culmination of this research is the crack.sh service, which guarantees the recovery of an NTLM hash for any given MSCHAPv2 challenge response hash (regardless of password complexity).

In Windows environments, when a domain user authenticates to a wireless access point using PEAP with MSCHAPv2, the resulting challenge response hash is derived from the NTLM hash of the domain user's password. In addition to domain user authentication, Windows also provides the option to use Machine / Computer Authentication.

By default, domain joined Windows workstations allow access to the network selection UI from the lock screen. An attacker with physical access to a locked device with WiFi capabilities (such as a laptop or a workstation) can abuse this functionality to force the laptop to authenticate against a rogue access point and capture a MSCHAPv2 challenge response hash for the domain computer account. This challenge response hash can then be submitted to crack.sh to recover the NTLM hash of the computer account in less than 24 hours. Once recovered, this NTLM hash combined with the domain SID can be used to forge Kerberos silver tickets to impersonate a privileged user and compromise the host.

As the attack can be performed from a locked device, it can be utilised to bypass BitLocker full disk encryption and gain access to the device's file system. In addition, as silver tickets can be forged for privileged users, this attack can also be leveraged to elevate privileges to that of local administrator on the device. An example of this is to create a silver ticket for the CIFS service of the laptop in order to authenticate over SMB as the SYSTEM user and gain unrestricted access to the hard disk.

The vulnerability was confirmed to be present on domain joined Windows 10 hosts. Older versions of Windows may also be affected but have not been tested.