HOOK, LINE AND SINKER: PHISHING WINDOWS HELLO FOR BUSINESS
Yehuda Smirnov

ABOUT ME
Yehuda Smirnov
Red Team & Security Researcher, Accenture Security Israel
Like learning & researching Windows, Active Directory, Azure and anything interesting
Develop in C, C#, Python & Assembly
Ex private investigator
Like to surf & play tennis
yudasm_ on twitter

AGENDA
Intro to Windows Hello For Business (WHfB) Understanding WebAuthn API Investigation Proxy Phishing Mitigations

INTRODUCTION
Windows Hello for Business (WHfB from now on) is considered a phishing resistant authentication method.
Discovered a method to phish Windows Hello for Business

WINDOWS HELLO

WINDOWS HELLO - TPM
The TPM (Trusted Platform Module) is a chip located on the motherboard/CPU, which stores cryptographic keys directly in the hardware.

WINDOWS HELLO - TPM
Enrollment - Windows Hello PIN is hashed & stored in the TPM
Authentication - provide Windows Hello PIN, which is sent to the TPM
Verification - TPM verifies the PIN by comparing the input PIN to the hash stored

WINDOWS HELLO FOR BUSINESS

FIDO KEYS
FIDO keys may act as a replacement for the TPM's role in the authentication
Can store cryptographic keys on them
Also called YubiKeys, physical authenticators, security keys, etc.

DEFAULT AUTHENTICATION
After