Say Hello to your new cache flow!
During security assessments, the credential cache can be a goldmine on Microsoft environments. Pentesters already are familiar with MSCache (DCC2 hashes), which could be a fast track to a privileged account or even a domain administrator. However, these hashes have been removed when using WHFB (Windows Hello for Business) and Entra ID. The question then arises on what is left for attackers to extract in such environments.
In this talk we will try to take advantage of the CachedData used on an Entra ID environment
The presentation will be conducted as follow: - Quick intro
-
A primer on Windows Hello (not WH for Business) and password retrieval (this is not a new research : https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/)
-
Description of the authentication process on Microsoft Entra-ID and the Primary Refresh Token mecanisms (just so everybody would be able to follow) : introducing PRT / session key and various attacks to reuse a stolen PRT
-
Introduction to cloudAP.dll, the authentication package living within lsass process
- Deep dive into CacheData for offline authentication :
The file responsible for offline authentication is located at c:\Windows\system32\config\systemprofile\AppData\local\microsoft\windows\CloudAPCache\AzureAD<unique_hash>\Cache\CacheData\
- When using a password : Reverse engineering of authentication in order to understand how the file is encrypted with the user’s password. Tools to bruteforce it. After decrypting the PRT and session keys stored in the CacheData, reusing it on another device.
- When using Windows Hello For Business : Reverse engineering the authentication process with a PIN code. Details on how authentication works on both TPM-protected system and non TPM-protected system. Tools to bruteforce when no TPM is involved. Decrypting the PRT and session keys stored in the CacheData, reusing it on another device.
- Conclusion : Opening to further research (DPAPI-NG etc…) and questions