takkaria

Microsoft Live Account Credentials Leaking from Windows 8 and Above

Hi,

Not sure if there's already a thread on this exploit; I couldn't find one. If so, please delete.

It seems Windows 8 and up is leaking login credentials (windows username/live email and hashed password) and vpn credentials if you are using IPsec, PPTP, L2TP.

For the exploit to work it's necessary to use Internet Explorer, Edge, or any application which uses the standard Windows API or Internet Explorer as an HTML renderer (Outlook, Explorer) and to open the prepared attack website.

Here's a nice write-up on the exploit:

https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834#.6gxx24w7x

Included are tips on how to avoid the leak:

Another way is to block all SMB traffic to the internet using the Windows firewall.
Just block all traffic to TCP ports 137, 139 and 445 except to the destination IP ranges:
192.168.0.0/16
169.254.0.0/16
172.16.0.0/12
10.0.0.0/8
fd00::/8
fe80::/10
It's also mentioned that "Some VPN providers have been told about this issue and most of them have fixed it by blocking access to SMB ports or by blocking it locally in their client software."

I tested with the newest experimental AirVPN client with Network Lock activated and still had a credential leak.

It'd be nice if you guys could look into that until there's a patch from MS.

Edit: the regedit fix seems to work fine; no leaks anymore on the test site.
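One caveat to the firewall approach quoted above that a Windows admin will run into: Windows Firewall evaluates block rules before allow rules, so "block SMB to everything except these ranges" has to be expressed as a block rule whose remote address list is the public address space. The following Python script is an added example, not code from the post or the linked article: it computes that list from the exception ranges quoted above, classifies individual destinations, and emits a constructed New-NetFirewallRule command (the rule name is a placeholder).

```python
import ipaddress

# Exception list from the post above: destinations that may still receive SMB.
LOCAL_RANGES = [ipaddress.ip_network(r) for r in (
    "192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "fd00::/8", "fe80::/10")]
SMB_PORTS = (137, 139, 445)


def complement(universe, excluded):
    """Split `universe` into the largest CIDR blocks containing none of `excluded`."""
    remaining = [universe]
    for ex in excluded:
        if ex.version != universe.version:
            continue
        nxt = []
        for net in remaining:
            if not net.overlaps(ex):
                nxt.append(net)                       # untouched by this exception
            elif ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))   # carve the exception out
            # else: net lies entirely inside ex and is dropped
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


def internet_ranges(version):
    """Public address blocks for a Windows Firewall block rule (block beats allow)."""
    universe = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return complement(universe, LOCAL_RANGES)


def is_local(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in LOCAL_RANGES)


def is_smb_leak_candidate(dst, port):
    """True if a connection would carry SMB/NetBIOS to a non-local destination."""
    return port in SMB_PORTS and not is_local(dst)


def firewall_rule(version=4):
    """Constructed PowerShell command; the address list is the computed public space."""
    addrs = ",".join(str(n) for n in internet_ranges(version))
    return ('New-NetFirewallRule -DisplayName "Block outbound SMB to Internet v%d" '
            '-Direction Outbound -Protocol TCP -RemotePort 137,139,445 '
            '-RemoteAddress %s -Action Block' % (version, addrs))


if __name__ == "__main__":
    print(firewall_rule(4))
    print(firewall_rule(6))
```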

Hello,

this is a Windows bug that must be fixed by Microsoft. You can use your firewall in the meantime. Our client software can help but of course we can't be charged with the duty to fix any possible Windows or other systems vulnerability. We will never insert anti-malware functions in an OpenVPN wrapper and for the same reason it would be questionable to insert code to patch extremely specific OS vulnerabilities. Modularity is important.

And apparently one would have to be quite an idiot to be effectively exploited with this: you would need to use a weak system password (otherwise the attacker can't rebuild your password from the hash), and use the same weak credentials on a variety of services around. Agreed that the average Windows user is not so smart, but in this case ValdikSS's presumption (apparently) is that this user is unrealistically stupid.

I tested with the newest experimental airvpn client and activated network lock and had credentials leak.

You mean leak of HASH of your Windows system account password, right?

Kind regards

The issue dates back to 1997 when LM and SMB were first introduced, and it is known to Microsoft ever since.

When you try to connect to a remote SMB share, Windows will try to auth using your domain credentials first.

This was done with usability in mind, so Microsoft has classified this behavior as an intended "feature" for years.

The only new surface here is that you can now set up a Microsoft account for it, but from Windows 7 and above the hashing algorithm is NTLM and not LM, which will take much longer to crack.

This is one of the reasons why the hashes are not being cracked anymore when you attack Windows domains.

A technique called "pass the hash" is used in order to enroll the hash for various AD resources.

Microsoft accounts also have password complexity requirements when setting up the account. So this makes the attack even harder to accomplish, with 3 steps: phishing, victim use of IE/Edge/Outlook, NTLM cracking.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Crap. My Windows 10 machines don't use a Microsoft account, just local user/pass. At least as far as I know. But that WITCH was able to tell me my login password in Edge.

I edited the registry and that fixed it.

Guest

Crap. My Windows 10 machines don't use a Microsoft account, just local user/pass. At least as far as I know. But that WITCH was able to tell me my login password in Edge.

I edited the registry and that fixed it.

Edited the registry for what?

Also, this is an interesting one; however, unless you use anything but local user/pass, I'd imagine this method is useless, unless, as Staff said, people use the same password and username for several services. I only have 3 default passwords: one protects my PC, another is for shit I don't care one bit about but still need to remember, and the last one is the hardest of all my passwords, which protects my password database with over 200 generated passwords of at least 20 characters and digits in length.


Crap. My Windows 10 machines don't use a Microsoft account, just local user/pass. At least as far as I know. But that WITCH was able to tell me my login password in Edge.

I edited the registry and that fixed it.

Edited the registry for what?

Also, this is an interesting one; however, unless you use anything but local user/pass, I'd imagine this method is useless, unless, as Staff said, people use the same password and username for several services. I only have 3 default passwords: one protects my PC, another is for shit I don't care one bit about but still need to remember, and the last one is the hardest of all my passwords, which protects my password database with over 200 generated passwords of at least 20 characters and digits in length.

The link in the OP has a registry edit that prevents the "leak".
