Windows 10 security question: How do miscreants use these for post-hack persistence?

guest · Dec 6, 2018

Windows 10 security question: How do miscreants use these for post-hack persistence?
Infosec duo worked out how to remotely set their own answers
December 6, 2018
https://www.theregister.co.uk/2018/12/06/windows_10_security_questions_remotely_defined_answers/

Black Hat Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”.

Part of the problem is that Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions, limiting users to picking one of Microsoft’s six.

The Windows registry, said Baz and Sela, stores items such as the local machine and service users’ passwords within the well-known LSA Secrets entry
"[...] So if you have full access to the registry on the machine, it’s really not that difficult to get the key with which you can rewrite LSA Secrets.”

"Windows stores hashes of the old passwords. [...] You can use an undocumented API and reinstate the hash that was active just before you changed it. Effectively I’m doing a password change and nobody is going to notice that,” [...]
Click to expand...

"When everyone's dog is named Fluffy - Abusing the brand-new security questions in Windows 10 to gain domain-wide persistence" (PDF): https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-Baz-When-Everyones-Dog-Is-Named-Fluffy.pdf

EASTER · Dec 6, 2018

The more they change things, the more folks discover things are not so changed after all.

LSA Secrets goes back to Windows 98 if not mistaken. Cool find by those mad hatters

Log in or Sign up

Windows 10 security question: How do miscreants use these for post-hack persistence?

guest Guest

EASTER Registered Member

Log in or Sign up

Windows 10 security question: How do miscreants use these for post-hack persistence?

guest Guest

EASTER Registered Member

Useful Searches