Bypassing Strong Authentication... With

Passwords?!Adam Goodman

akgood@duosecurity.comPasswords13 - 2013-07-31

duosecurity.com

1

0. Kill The Password?

duosecurity.com

2

duosecurity.com

3

duosecurity.com

4

duosecurity.com

5

1. Bypassing Google’s 2-Factor Authentication

duosecurity.com

6

duosecurity.com

7

duosecurity.com

8

Google’s 2-Step Verification

duosecurity.com

9

Google’s 2-Step Verification

duosecurity.com

10

What About Non-Web-Based Logins?

Thick-Client Protocols‣ IMAP‣CalDAV‣XMPP‣ ...

Google Software (Interim Solution)‣Android‣Chrome

duosecurity.com

11

Application-Specific Passwords

duosecurity.com

12

Application-Specific Passwords

‣16 lowercase letters‣Randomly-Generated by Google‣ Individually Revokable‣Not intended to be memorized

sounds a bit like...duosecurity.com

13

ASPs vs. OAuth Tokens

‣ASPs have to be generated manually‣ASPs aren’t actually Application-Specific!

duosecurity.com

14

Not-So-Application-Specific

“Another weakness of ASP is the misimpression that is provides application-limited rather than full-scope account access.”

- Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1

duosecurity.com

15

Detour: Android Auto-Login

Also:‣Chromebooks‣Desktop versions of Chrome (if enabled in chrome://flags)‣ ...?

duosecurity.com16

Detour: Android Auto-Login

Worked even for the most sensitive parts ofhttps://accounts.google.com:‣2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en‣Account-Recovery Settings:https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz

duosecurity.com

17

So...

‣ASPs can link an Android device, and‣With auto-login, Android devices could - with no additional authentication - take over your account completely!

duosecurity.com

18

Let’s Figure Out How This Works...

Android HTTPS Interception, v1‣Real Device (Google Nexus S) with a custom default gateway‣Linux Desktop, running sslsniff‣ http://www.thoughtcrime.org/software/sslsniff/‣Custom CA certificate

duosecurity.com

19

Let’s Figure Out How This Works...

Android HTTPS Interception, v2‣Android Emulator‣ $ emulator -http-proxy localhost:8080 @avd_name‣Burp Suite Proxy‣ http://portswigger.net/burp/‣Custom CA certificate

duosecurity.com

20

duosecurity.com

21

Basic Workflow

‣POST to https://android.clients.google.com/auth ‣ Send Email, EncryptedPasswd, service=ac2dm‣ Receive “Token”

‣POST to https://android.clients.google.com/auth‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)

‣ Receive “MergeSession” URL‣Open the MergeSession URL; get instantly logged into your account!

duosecurity.com

22

Step 1

POST /auth HTTP/1.1Host: android.clients.google.com...

accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17

duosecurity.com

23

Step 1

HTTP/1.1 200 OK...

SID=DQAAANwAAAVMG4uYt2HaF...Auth=DQAAAOAAAACRbLC5-dgM...services=goanna_mobile,apps,...Email=akgood@arbsec.orgToken=1/fXrv8D3fLP1mOBj3o1...GooglePlusUpgrade=1firstName=AdamlastName=Goodman

duosecurity.com

24

Step 1: EncryptedPasswd?

POST /auth HTTP/1.1Host: android.clients.google.com...

accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17

duosecurity.com

25

Step 2

POST /auth HTTP/1.1Host: android.clients.google.com...accountType=HOSTED_OR_GOOGLE&Email=akgood%arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1......&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17

duosecurity.com

26

Step 2

HTTP/1.1 200 OK...

Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLoginExpiry=0

duosecurity.com

27

Simplified Workflow

‣POST to https://android.clients.google.com/auth‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)

‣ Receive “MergeSession” URL

Go from Application-Specific Password to full account takeover with one API call!duosecurity.com

28

Timeline

‣2012/07/16: Duo researchers confirm presence of ASP weakness.‣2012/07/18: Issue reported to security@google.com.‣2012/07/20: Communication with Google Security Team clarifying the issue.‣2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.‣2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.‣2013/02/25: Public disclosure by Duo.

duosecurity.com

29

Google’s Fix

‣Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)‣~Nothing else has changed

duosecurity.com

30

Multiple Discovery

‣http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html‣http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf

duosecurity.com

31

Evaluation

duosecurity.com

32

2-step Verification Still Helps...

‣Phishing‣Password-sharing between services (with insecure password databases)

duosecurity.com

33

... But ASPs Can Be Stolen

HTTPS Man-In-The-Middle‣Thick-client applications are notoriously bad at checking SSL certificates:https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

Malware can grab stored passwords...‣Windows: Data Protection API‣ Encrypts data using a key derived from the user’s logon credential

‣ Any process running under the same user account can decrypt any DPAPI-protected data

‣OS X: Keychain‣ Stronger: per-application permissions

Plaintext...duosecurity.com

34

Case Study: Pidgin

‣Plain-Text Passwords!‣ https://developer.pidgin.im/wiki/PlainTextPasswords‣GTalk / “Hangouts” - (probably) low impact if compromised‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK

‣GMail - (probably) high impact if compromised‣ ... all of your other accounts on the internet?!

duosecurity.com

35

Not Just Application-Specific Passwords

‣Chrome on Windows / Mac / Linux has the same “auto-login” functionality‣ ... but it’s using OAuth2 now!

duosecurity.com

36

Workflow

‣POST to https://accounts.google.com/o/oauth2/token‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)‣ receive access_token‣GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1‣ send access_token in Authorization header‣ get “uberauth” token back‣Use “uberauth” token to construct a MergeSession URL

duosecurity.com

37

How Is The Refresh Token Stored?

from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:

... "oauth2LoginRefreshToken": { "status": "Successful", "value": "1/0209_TGZzDyfxwozFV..." }...

duosecurity.com

38

OAuth2 Won’t (automagically) Save You

Unexpected threat models:‣Access to your tabs/bookmarks/history/etc. vs access to your entire Google account!

duosecurity.com

39

2. Passing The Hash In Windows Networks... Even When

Passwords Are “Disabled”

(borrowing in part fromhttp://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)

duosecurity.com

40

Local vs Domain Logins

‣Local‣ Password hashes are stored on your workstation

‣Domain‣ Password hashes stored on the Domain Controller

‣ Your workstation will cache them, sometimes

‣Both Local and Domain accounts can be administrators on your workstation

WorkstationWorkstation

Workstation

Other ServerDomain Controller

duosecurity.com

41

Authentication In Windows Networks

‣NTLM Authentication‣Kerberos‣ ...

duosecurity.com

42

NTLM Authentication

‣Challenge-Handshake Protocol‣Uses NTLM Hash of user’s password, not the password itself!‣ One-way hash function‣ No salting, no PBKDF2 ...‣Extremely pervasive in Windows ecosystems‣ RPCs‣ SMB mounts‣ ...

duosecurity.com

43

Pass-The-Hash

NTLM Authentication only requires the NTLM Hash!‣Gain local admin rights on a single workstation (somehow...)‣Extract NTLM Hashes‣Use them to compromise other machines in the network!

Workstation

Workstation

Domain Controller

Workstation

Other Server

duosecurity.com

44

What About Smart-Cards?

Public/Private Key-pair and Certificate stored on cryptographic hardware‣Private Key can “never” be extracted‣Authenticate by asking the smartcard to digitally-sign a value (basically, Challenge-Handshake)‣Windows can do Certificate-based user authentication

Sounds much better, right?

duosecurity.com

45

What About Smart-Cards?

“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”

- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol http://msdn.microsoft.com/en-us/library/cc238455.aspx

duosecurity.com

46

Evaluation

Smart-cards still can help...‣Weak Passwords‣Shared Passwords between accounts / systems

But Pass-The-Hash attacks can still be a threat!

duosecurity.com

47

3. Some Conclusions

duosecurity.com

48

Real-world ecosystems tend to have multiple, distinct authentication scenarios...... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ......in each scenario, we must carefully balance privileges with trust

duosecurity.com

49

Authentication Scenarios and Trust

Rights‣What is the maximum set of permissions that should be granted to a user?

Integrity Level‣How strongly has a user / client authenticated?

duosecurity.com

50

4. Amazon Web Services: Identity and Access Management (IAM)

duosecurity.com

51

Identity And Access Management (IAM)

‣A single AWS account can have multiple users‣Flexible Rights-Expression Language, based on:‣ Resources (e.g. EC2 Instances, DNS zones, ...)‣ Actions (e.g. start instance, stop instance, ...)‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)

duosecurity.com

52

IAM Policy Example{ "Version":"2012-10-17", Statement: [{ "Action":["ec2:StopInstances","ec2:TerminateInstances"], "Effect":"Deny", "Resource":["*"], "Condition":{ "Null":{"aws:MultiFactorAuthAge":"true"} } }] }

Deny specific actions if a user didn’t use 2-factor authenticationduosecurity.com

53

2-Factor Authentication for API Clients

Amazon Secure Token Service‣Provide API credentials and a one-time-passcode to a specific endpoint‣Get a new set of temporary credentials back

duosecurity.com

54

Evaluation

AWS gives you all the tools to build strong, flexible authorization policies...

... but you have to actually build them!

AWS is intended for developers (and other savvy types)

duosecurity.com

55

Questions?

duosecurity.com

56