Exploiting Windows Hello for Business

Conference: BlackHat EU 2019



The presentation discusses the importance of auditing the msDS-KeyCredentialLink attribute in Active Directory and the potential vulnerabilities associated with it.
  • The msDS-KeyCredentialLink attribute is important in Active Directory and should be audited, especially on sensitive accounts
  • Pre-existing vulnerable keys should be deleted and the affected devices patched
  • Attackers may misuse this feature, so it is important to keep up to date with its security implications
  • Windows Hello for Business is a good technology, but precautions should be taken
  • The ROCA vulnerability is a potential threat to Windows Hello for Business
The presenter attempted to bypass the limitations of the Active Directory Users and Computers management console and the LDP tool to view the msDS-KeyCredentialLink data structure, but was unsuccessful. The attribute is a black box and difficult to interpret without proper tools.


In Windows 10 and Windows Server 2016, Microsoft has introduced a new feature called Windows Hello for Business (WHfB), which allows password-less authentication in Active Directory-based environments and thus aims to reduce the risk of password theft. It is built on top of well-known industry standards, including Kerberos PKINIT, JWT, WS-Trust and FIDO2, and relies heavily on advanced cryptographic mechanisms like TPM key attestation and token binding. Unfortunately, WHfB is overly complicated, lacks proper management tools, and its documentation is missing many important technical details. It is, therefore, a black box for most administrators, security auditors, and pentesters. While analyzing the current WHfB implementation in Windows, we have identified several new attack vectors that might lead to privilege escalation and persistence. Our most important discovery is a new type of persistent Active Directory backdoor that, to our knowledge, is not detected by current security solutions and audit procedures. Moreover, even companies that do not actively use WHfB might be affected by this threat. We have also discovered that following Microsoft's mitigation guide for a previously known vulnerability would not only leave Active Directory vulnerable, but could also introduce yet another security issue into the system. These practically exploitable vulnerabilities might result in Active Directory user impersonation without requiring any special Active Directory permissions. During this talk, we will also demonstrate our new toolset that can be used to scan corporate environments for the aforementioned vulnerabilities and to resolve any issues found. It also provides much-needed visibility into Windows Hello for Business usage in Active Directory.
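The attribute the talk treats as a black box is documented by Microsoft in MS-ADTS section 2.2.20 as the KEYCREDENTIALLINK_BLOB. As an added example (not code from the talk or its toolset), the Python below decodes one msDS-KeyCredentialLink value, in the DN-with-binary form returned by an LDAP export, into the fields an auditor wants when reviewing sensitive accounts: key usage, key source, device ID, timestamps, and whether the KeyID really is the SHA-256 of the key material. The DN, key material, device GUID and timestamp in the fixture builder are constructed sample values, not data from any real directory.

```python
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

KEY_USAGE = {0x01: "AdminKey", 0x02: "NGC", 0x03: "STK",
             0x04: "BitLockerRecovery", 0x07: "FIDO", 0x08: "FEK"}
KEY_SOURCE = {0x00: "AD", 0x01: "AzureAD"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
def filetime(raw: bytes) -> datetime:  # 8-byte LE FILETIME, 100 ns ticks since 1601
    return EPOCH_1601 + timedelta(microseconds=struct.unpack("<Q", raw)[0] // 10)

DECODERS = {  # MS-ADTS 2.2.20 entry identifier -> (field name, decoder for the value)
    0x01: ("key_id", bytes.hex),
    0x03: ("key_material", bytes),
    0x04: ("key_usage", lambda d: KEY_USAGE.get(d[0], f"unknown({d[0]:#x})")),
    0x05: ("key_source", lambda d: KEY_SOURCE.get(d[0], f"unknown({d[0]:#x})")),
    0x06: ("device_id", lambda d: str(uuid.UUID(bytes_le=d))),
    0x08: ("last_logon", filetime),
    0x09: ("created", filetime),
}

def parse_key_credential_link(value: str) -> dict:
    """Decode one msDS-KeyCredentialLink value of the form B:<hexlen>:<hex>:<DN>."""
    _, _, hexdata, dn = value.split(":", 3)
    blob = bytes.fromhex(hexdata)
    if struct.unpack_from("<I", blob, 0)[0] != 0x200:
        raise ValueError("unsupported KEYCREDENTIALLINK_BLOB version")
    out, pos = {"dn": dn}, 4
    while pos + 3 <= len(blob):  # each entry: u16 length, u8 identifier, value
        length, ident = struct.unpack_from("<HB", blob, pos)
        data = blob[pos + 3:pos + 3 + length]
        pos += 3 + length
        if ident in DECODERS:
            name, decode = DECODERS[ident]
            out[name] = decode(data)
    # In version 2 the KeyID must be SHA-256 of KeyMaterial; a mismatch deserves a look.
    km = out.get("key_material", b"")
    out["key_id_valid"] = bool(km) and hashlib.sha256(km).hexdigest() == out.get("key_id")
    return out

def build_sample_value(dn: str, key_material: bytes, device_id: str, created_iso: str) -> str:
    """Constructed test fixture only (not a real directory value): minimal v2 NGC blob."""
    def entry(ident: int, data: bytes) -> bytes:
        return struct.pack("<HB", len(data), ident) + data
    ticks = int((datetime.fromisoformat(created_iso) - EPOCH_1601).total_seconds()) * 10_000_000
    blob = struct.pack("<I", 0x200) + entry(0x01, hashlib.sha256(key_material).digest())
    blob += entry(0x03, key_material) + entry(0x04, b"\x02") + entry(0x05, b"\x00")
    blob += entry(0x06, uuid.UUID(device_id).bytes_le) + entry(0x09, struct.pack("<Q", ticks))
    return f"B:{len(blob) * 2}:{blob.hex().upper()}:{dn}"
```

Run `parse_key_credential_link` over every value of the attribute exported from the accounts you care about; entries with an unexpected key usage, a device ID you cannot match to an enrolled machine, or a failed KeyID check are the ones to investigate.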