Presented at DEF CON 32 (2024), Aug. 9, 2024, 3 p.m. (45 minutes).
Windows Hello is touted by Microsoft as the modern de facto authentication scheme on Windows platforms, supporting authentication and encryption backed by biometrics. In a world that is quickly accelerating towards a passwordless existence, what new threats do we face in this complex landscape? We will take a deep dive into the inner workings of Windows Hello. Via the release of a new tool, it will be demonstrated how an attacker on a fully compromised Windows host can leverage secrets backed by Windows Hello biometrics without needing the biometric data that protects them. We will also show how the hardware protections of Windows Hello and its accompanying Primary Refresh Tokens (PRTs) can be defeated, making it possible to use Windows Hello for identity persistence and PRT stealing, in some cases even without Administrator access on the host.
- [DPAPI in depth with tooling: standalone DPAPI (insecurity.be)](https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/)
- [dpapilab-ng (GitHub)](https://github.com/tijldeneut/dpapilab-ng)
- [Phishing for Microsoft Entra primary refresh tokens (dirkjanm.io)](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
- [Digging further into the primary refresh token (dirkjanm.io)](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/)
- [Windows Hello from the other side, NorthSec slides (PDF)](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
Presenters:
- Dirk-jan Mollema, Security Researcher at Outsider Security
Dirk-jan Mollema is a hacker and researcher of Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft's Most Valuable Researchers multiple times.
- Ceri Coburn, Red Team Operator and Offensive Security Dev at Pen Test Partners
After a 20-year career within the software development space, Ceri was looking for a new challenge and moved into pen testing back in 2019. During that time he has created and contributed to several open source offensive tools such as Rubeus, BOFNET and SweetPotato, and on the odd occasion contributed to projects on the defensive side too. After speaking at DEF CON 31 for the first time last year, he is now back for more. He currently works as a red team operator and offensive security dev at Pen Test Partners.