takkaria Posted ...

Hi, not sure if there's already a thread on this exploit, I couldn't find one; if so please delete. It seems Windows 8 and up is leaking login credentials (Windows username/Live email and hashed password) and VPN credentials if you are using IPsec, PPTP or L2TP. For the exploit to work it's necessary to use Internet Explorer, Edge, or any application which uses the standard Windows API or Internet Explorer as an HTML renderer (Outlook, Explorer) and to open the prepared attack website. Here's a nice write-up on the exploit: https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834#.6gxx24w7x

Included are tips on how to avoid the leak:

> Another way is to block all SMB traffic to the internet using Windows firewall. Just block all traffic to TCP ports 137, 139 and 445 except to the destination IP ranges: 192.168.0.0/16, 169.254.0.0/16, 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10

It's also mentioned that "Some VPN providers have been told about this issue and most of them has fixed it by blocking access to SMB ports or by blocking it locally in their client software."

I tested with the newest experimental AirVPN client and activated Network Lock and had credentials leak. It'd be nice if you guys could look into that until there's a patch from MS.

edit: the regedit fix seems to work fine, no leaks anymore on the test site
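The firewall mitigation quoted above, written out as an added PowerShell example (not code from the thread, from ValdikSS's article, or from AirVPN's client). The six whitelisted ranges are the ones listed in the post; the rule's display name is an assumption. One detail the quoted tip glosses over: Windows Firewall applies explicit Block rules before Allow rules, so a "block everything" rule plus an "allow private ranges" rule would still cut off LAN shares. The block rule below therefore names the complement of the private ranges as its remote addresses instead.

```powershell
# Added example, not from the thread: block outbound NetBIOS/SMB (TCP 137, 139, 445)
# to every destination except the private and link-local ranges the post lists.
# Run from an elevated PowerShell on Windows 8 or later.
#
# Windows Firewall evaluates explicit Block rules before Allow rules, so the block
# rule's RemoteAddress is the complement of the whitelisted ranges, written as
# start-end ranges (Windows Firewall has no "not in subnet" matcher).

$PublicV4 = @(
    '0.0.0.0-9.255.255.255',           # below 10.0.0.0/8
    '11.0.0.0-169.253.255.255',        # between 10.0.0.0/8 and 169.254.0.0/16
    '169.255.0.0-172.15.255.255',      # between 169.254.0.0/16 and 172.16.0.0/12
    '172.32.0.0-192.167.255.255',      # between 172.16.0.0/12 and 192.168.0.0/16
    '192.169.0.0-255.255.255.255'      # above 192.168.0.0/16
)
$PublicV6 = @(
    '::-fcff:ffff:ffff:ffff:ffff:ffff:ffff:ffff',      # below fd00::/8
    'fe00::-fe7f:ffff:ffff:ffff:ffff:ffff:ffff:ffff',  # between fd00::/8 and fe80::/10
    'fec0::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'   # above fe80::/10
)
$SmbPorts = @('137', '139', '445')     # the TCP ports named in the post

$RuleName = 'Block outbound SMB to Internet'   # assumed display name

# Idempotent: drop an earlier copy of the rule before recreating it.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Stops NTLM credential hashes from being sent to Internet SMB servers' `
    -Direction Outbound -Action Block -Protocol TCP `
    -RemotePort $SmbPorts -RemoteAddress ($PublicV4 + $PublicV6) `
    -Profile Any -Enabled True | Out-Null

# Verify what the rule actually matches: ports and remote address ranges.
$Rule = Get-NetFirewallRule -DisplayName $RuleName
($Rule | Get-NetFirewallPortFilter).RemotePort
($Rule | Get-NetFirewallAddressFilter).RemoteAddress

# Sanity check from the same machine: a connection attempt to TCP 445 on a
# public address should now fail immediately instead of sending an NTLM
# negotiation. <public-ip> is a placeholder for a host you are allowed to test.
# Test-NetConnection -ComputerName <public-ip> -Port 445
```

Two caveats worth knowing before relying on this. The whitelist is by destination address, not by interface, so SMB to a private-range address that happens to be reachable through the VPN tunnel stays permitted; that matches the article's tip but is weaker than blocking on the VPN adapter itself. And the rule only covers the three TCP ports the post names; it does not touch the registry setting the original poster refers to, which the linked article describes separately.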
Staff Posted ...

Hello, this is a Windows bug that must be fixed by Microsoft. You can use your firewall in the meantime. Our client software can help, but of course we can't be charged with the duty to fix any possible Windows or other systems vulnerability. We will never insert anti-malware functions in an OpenVPN wrapper, and for the same reason it would be questionable to insert code to patch extremely specific OS vulnerabilities. Modularity is important. And apparently one should be quite an idiot to be effectively exploited with this: you should use a weak system password (otherwise the attacker can't rebuild your password from the hash), and use the same weak credentials on a variety of services around. Agreed that the average Windows user is not so smart, but in this case ValdikSS's presumption (apparently) is that this user is unrealistically stupid.

> I tested with the newest experimental AirVPN client and activated Network Lock and had credentials leak.

You mean leak of HASH of your Windows system account password, right?

Kind regards
takkaria Posted ...

Yes, the hash of the system password is leaked, not the AirVPN credentials! Sorry for the confusion!
zhang888 Posted ...

The issue dates back to 1997 when LM and SMB were first introduced, and it has been known to Microsoft ever since. When you try to connect to a remote SMB share, Windows will try to auth using your domain credentials first. This was done with usability in mind, so Microsoft has classified this behavior as an intended "feature" for years. The only new surface here is that you can now set up a Microsoft account for it, but from Windows 7 and above the hashing algorithm is NTLM and not LM, which will take much longer to crack. This is one of the reasons why the hashes are not being cracked anymore when you attack Windows domains. A technique called "pass the hash" is used in order to enroll the hash for various AD resources. Microsoft accounts also have password complexity requirements when setting up the account. So this makes the attack even harder to accomplish, with 3 steps: phishing, victim use of IE/Edge/Outlook, NTLM cracking.
OpenSourcerer Posted ...

A quick test can be done with Valdik's WITCH.
go558a83nk Posted ...

Crap. My Windows 10 machines don't use a Microsoft account, just local user/pass, at least as far as I know. But that WITCH was able to tell me my login password in Edge. I edited the registry and that fixed it.
Guest Posted ...

> Crap. My Windows 10 machines don't use a Microsoft account, just local user/pass, at least as far as I know. But that WITCH was able to tell me my login password in Edge. I edited the registry and that fixed it.

Edited the registry for what? Also, this is an interesting one; however, unless you use anything but local user/pass I'd imagine this method is useless, unless, as Staff said, people use the same password and username for several services. I only have 3 default passwords: one protects my PC, another is for shit I don't care one bit about but still need to remember, and the last one is the hardest of all my passwords, which protects my password database with over 200 generated passwords of at least 20 characters and digits in length.
go558a83nk Posted ...

> Edited the registry for what?

The link in the OP has a registry edit that prevents the "leak".