Bypassing Local Windows Authentication to Defeat Full Disk Encryption

Full Disk Encryption
• A scheme for protecting data at rest. Encrypts an entire disk or volume.
• Mitigates the impact of a threat with physical access; generally does not provide protection against remote adversaries.
• Encrypts everything, often including the OS.

Microsoft BitLocker
• BitLocker is Microsoft's proprietary full-disk encryption feature.
• Built into all professional/enterprise versions of Windows since Vista.
• Uses the system's Trusted Platform Module (TPM) to store the master encryption key.

What is a TPM?
• A TPM is a hardware module responsible for performing cryptographic operations, performing attestation, and storing secrets.
• It has fairly general APIs, so how it is used is mostly up to applications.
• Example applications include remote attestation, and storing encryption keys.

Storing Secrets on a TPM
• A TPM contains several Platform Configuration Registers (PCRs).
• Starting with the BIOS (which is assumed to be trusted), the next part of the boot process (e.g. the MBR) is hashed and this value is stored in the a PCR.
• Each stage of the boot process is responsible for hashing the next and storing it in a PCR.

Storing Secrets on a TPM
• A boot, the TPM has a zero in all PCR registers.
• Whenever the TPM is told to update a register r with a value v, it always sets: r = HASH (r | v)
• So PCR values can never get set directly, only appended to. Arbitrary PCR values cannot be spoofed.
• This means a set of values in the PCRs can only be replicated by having that same boot chain.

Storing Secrets on a TPM
• When the TPM stores a secret key, that key can be sealed. When a key is sealed, the TPM references the current value of the PCRs.
• An API call to unseal that key will fail unless the current PCR values match the original values from when the key was sealed.
• So effectively, only the original boot process will be able to retrieve that secret key.

Transparent BitLocker
• BitLocker, in addition to the TPM, can optionally require a PIN or a key saved on a USB drive.
• However, it’s recommended configuration works transparently. It seals the secret key in the TPM and only BitLocker can retrieve it.
• Your computer boots up to a login screen as usual, with no indication that FDE is enabled.

Attacks Given Physical Access
• Known Hardware Attacks
            – Attack the TPM (grounding control pins)
            – Do a cold-boot attack to get the key from RAM
• Attack an early part of the boot chain
            – Flash the BIOS/EFI with a custom image
            – Look for a defect in the BIOS, MBR, or boot loader

• Or see we can attack the OS itself and see if Windows will give us the key...

Booting Up With BitLocker

Local Windows Authentication
• The Local Security Authority (LSA) manages authentication, usually using a Security Subsystem Provider (SSP).
• For a client-domain authentication, the Kerberos SSP exchanges messages with the Domain Controller (DC).
            – When attacking FDE, we have physical access. So we control the network and can run a “mock” DC.

Windows Domain Authentication
• Requests a session ticket (TGT) from the DC.
            – The TGT includes a secret key S, encrypted by the DC with the saved user password. Login screen decrypts S using the typed password.

Windows Domain Authentication
• TGT and S are used to request a service ticket T from the DC for the target service (in this case, the local workstation).
            – The local workstation verifies T

Machine Passwords
• When a workstation first joins a domain...
            – A secret key is generated, called the machine password.
            – This password is sent to the DC, so they have a shared secret for future communication.
• To grant access to the workstation, the login process must present a valid service ticket T.
            – This ticket is signed using the machine password.
            – Which we don't have...

If the DC uses the wrong machine password

The Local Credentials Cache
• A user can login when the DC isn’t available
            – Like when you’re using your laptop at a conference during someone’s talk…
• The cache is usually updated whenever the workstation sees the credentials are changed.
            – So it's updated when you successfully login and were authenticating against the DC.
            – Also updated when you change your domain password.

Too Bad We Can't Change the Password On the Login Screen

Password Reset

Poisoned Credentials Cache

Poisoned Credentials Cache

What Now?
• Dump the BitLocker key from kernel memory
            – As long as the domain account is a local admin
            – Although at this point you already have access to all the local user files, so it's pretty moot.
• Just dig through personal data
            – Saved passwords, Outlook emails, source code…
            – Drop in a trojan / backdoor, or whatever other malware you like.

System Configurations Effected
• Applies to any computer with:
            – BitLocker without pre-boot authentication
            – Attached to a domain
            – With a least one person having logged in with a domain account.
• Tested on Windows Vista, Windows 7, and Windows 8.1, Windows 10.
            – (Also Windows XP and Windows 2000)

How Else Does This Attack Apply?
• This isn't really BitLocker specific. More generally, this is an authentication bypass for domain accounts.
• If someone is logged in, locks their screen, and steps away, you could use this to unlock the PC.
            – Someone on their laptop at a coffee shop.
            – A computer in an office.

Impact and Mitigation
• This is 100% reliable attack, software-only, low sophistication, and takes a matter of seconds.
• You could use BitLocker with pre-boot authentication (i.e. using a PIN or USB key)
• You could use a BIOS password on boot
• Microsoft is releasing an update to address the issue. Expected release is November 10.
– ACK to the Microsoft Security Response Center

Reflections: Why Does This Work?
• The protocol for password changes was written in RFC 3244 for Windows 2000, publish in 2002.
• At that point, local access was total access. Local access wasn’t a valid threat model during protocol design.
• But local access is precisely the threat model under which FDE is applicable.

Black Hat Sound Bytes
• A defect in Windows domain authentication means BitLocker Full Disk Encryption can be bypassed; the attack is fast and non-technical.
• Microsoft is releasing a patch for the issue (expected November 10). Make sure all your workstations are up-to-date!
• Threat models change; when they do, you need to re-evaluate previous security choices.

How Bitcoin Mining/Block Rewards Work

Many people new to Bitcoin in 2018 are just buying and holding it, but quite a few are getting involved with Bitcoin mining.

In this guide we're going to explain how Bitcoin mining rewards work, covering with what a block reward, how it's calculated/created, and how money is split between mining pools/individual miners.

There are two aspects of mining where you get money, the block reward and transaction fees. The block reward part is often called 'coinbase', so you may see these terms used interchangably - not to be confused with the Coinbase exchange. Both of these rewards are given in Bitcoin.

What are Block Rewards?

A Bitcoin block is 1MB in size, and Bitcoin transactions are stored inside these blocks (each time someone sends Bitcoin, a new transaction is added). If a miner mines a new block, they're given a reward in the form of the block reward (coinbase). This is the main incentive for Bitcoin miners, as the block reward is 12.5 BTC as of writing this, or around $150,000, a significant amount of money.

The block reward is halved every 210,000 blocks, which is approximately every 4 years. You can see Bitcoin's code for this here. When Bitcoin was created the Block reward used to be 50 Bitcoin, and is now 12.5 BTC. This decrease in block reward means that over time less and less new Bitcoin are created, which combined with increased demand is theorised to keep pushing Bitcoin's price up - so in principle the USD value of the block reward should be similar in 10 years time. When the block reward has halfed 64 times, the block reward becomes 0.

This block reward has to be claimed by miners, where they add it as the first transaction on a block. It has no inputs, but has an output to the miner's wallet address. Here is an example on Block Explorer (it should be the first transaction in the list).

What are Transaction Fee Rewards?

When sending Bitcoin, a fee needs to be paid by users - called a transaction fees. This exists to incentivise miners to include transactions in mined blocks. It's effectively a bidding war to get your transaction into a block, where whoever pays the highest fee is processed first. A side effect of high demand for sending Bitcoin is more transactions being sent, and higher fees.

This transaction fee is given to miners, so essentially - the more congested the Bitcoin network, the more money miners earn. This fee is essentially an extra payment sent with any Bitcoin transaction, and can be worked out by subtracting the outputs from the inputs of a transaction. As the block reward (coinbase) reduces over time, if Bitcoin price doesn't increase at the same rate - these fees can provide an incentive for miners to continue mining.

How do pools distribute rewards?

So when you start mining, you might have a dream of getting say 13-14 BTC in a week. You need to be aware that there is a huge number of people competing to create new blocks. By creating a new mining pool by yourself, the chance of getting this block reward is extremely low - although if you did get it by chance, you'd get a significant reward. Instead, most miners join an existing mining pool - where they'd get a more steady income rather than having to wait years for a block reward to themself. Mining pools are large groups of miners, where if any one of them creates a new block - the reward is shared based on how much work each miner contributed.

Work is defined in hash power or hashrate, which in general means how many guesses can be made per second for the required hash. The split between miners differs between mining pools, we're going to use Slushpool as an example in this guide - but you can see how other pools work here.

How does Slushpool distribute rewards?

Slushpool, which has 11.1% of Bitcoin's total hashpower at the time of writing this (January 25th 2018), distributes rewards based on its miners submitting proof of the work they're doing. For example if the goal is a hash that consists of 18 zeros, a miner can submit any time after they've found the first 8 - which would prove that they've done work to get this far.They'd need to get all 18 zeros to win the block, but it would at least prove the miner is putting the effort in - and so they should be rewarded for it. The split is counted by the amount of work they have proved vs the total work proven by all the miners in the pool.

Lets step back a moment though, now that we know how much work everyone's done - how is the reward distributed? The block reward for the miner who was lucky enough to find it would be very large, a lot more than the miner will see as a return from the pool in the short term. What stops the miner taking that reward and leaving as if they were in their own pool? Well the blocks are pre-built by the pool. Everything except the nonce (the value in the block that miners change to get a hash with a certain amount of preceding zeros) must stay the same. One would assume that the pool can then just verify the nonce, and rewards wouldn't be awarded if the user changes the address (as the hash won't pass when being verified by the pool) - incentivising miners to follow the pool's rules (although we are yet to find documentation on this).

How are Rewards Split Between Pools?

This part is nice and simple. Whichever pool guesses a Block's hash first wins the Block reward. The more hashing power a pool has, the higher the probability that the pool will succeed. Extend this over a long period of time, then the reward split between pools should be similar to the share each pool has of total hashpower. Slushpool for example, which currently has 11.1% of hashpower - should receive around 11.1% of block rewards and 11.1% of transaction fees.

Reverse Engineering

Reverse Engineering is the conversion of information from a low-level format, usually readable only by a computer, into a higher level format, which is easily readable by humans. Typical examples of reverse engineering tools are disassemblers and decompilers, which translate an object file produced by some compiler into an ASCII representation.

The reverse engineer can reuse the obtained code in his own programs or change an existing (already compiled) program to perform in other ways. He can use the knowledge obtained from reverse engineering to improve application programs, also known as bugs. But the most important is that one can get extremely useful ideas by observing how other programmers work and think, thus improve his skills and knowledge!

What comes in our minds when we hear RE, is cracking. Cracking is as old as the programs themselves. To crack a program, means to trace and use a serial number or any other kind of registration data, needed for the proper operation of a program. Therefore, if a shareware program (freely distributed, but with some difficulties, like crippled functions, nag screens or limited capabilities) needs a valid registration data, a reverse engineer can give that information by decompiling a particular part of the program.

In the past, many software companies have blamed others for doing RE in their products and stealing technology and knowledge. Reverse engineering is not limited to computer applications, the same happens with a car, weapons, hi-fi elements etc.

Reference: https://beginners.re/RE4B-EN.pdf

How To Apt-Get Update, Upgrade, Dist-Upgrade, Full-Upgrade and Their Similarities and Diffirencies

deb based distributions provides apt or apt-get to manage packages interactively and from network repositories. While updating packages update, upgrade or dist-upgrade can be used. But what is the difference between these two commands. In this tutorial we will look this issue.

Update

The real update operation will be down with upgrade command. This command will download packages and upgrade accordingly. So upgrade command will be run after update command. We should have root privileges in order to complete update operation so we will use sudo before upgrade command.

Upgrade

The real update operation will be down with upgrade command. This command will download packages and upgrade accordingly. So upgrade command will be run after update command. We should have root privileges in order to complete update operation so we will use sudo before upgrade command.

    upgrade is used to install the newest versions of all packages
    currently installed on the system from the sources enumerated in
    /etc/apt/sources.list. Packages currently installed with new
    versions available are retrieved and upgraded; under no
    circumstances are currently installed packages removed, or packages
    not already installed retrieved and installed. New versions of
    currently installed packages that cannot be upgraded without
    changing the install status of another package will be left at
    their current version. An update must be performed first so that
    apt-get knows that new versions of packages are available.

Dist-Upgrade

dist-upgrade command is very similar to upgrade command. This command will upgrade too but during upgrade there will be some prompts related with package configuration. In dist-upgrade this questions will be answered automatically by apt which will make our upgrade operation more easy and intelligent.

    dist-upgrade in addition to performing the function of upgrade,
    also intelligently handles changing dependencies with new versions
    of packages; apt-get has a "smart" conflict resolution system, and
    it will attempt to upgrade the most important packages at the
    expense of less important ones if necessary. So, dist-upgrade
    command may remove some packages. The /etc/apt/sources.list file
    contains a list of locations from which to retrieve desired package
    files. See also apt_preferences(5) for a mechanism for overriding
    the general settings for individual packages.

Full-Upgrade

full-upgrade  is the same as dist-upgrade so we can use both command interchangeable.