A tool for hacking Windows Hello was presented at DEF CON

Shwmae bypasses biometric protection.

At the recent DEF CON a new tool called Shwmae was introduced, which is able to bypass the protection of the Windows Hello system — a biometric authentication system developed by Microsoft. Shwmae is intended for use by users who have received privileged access to the system.

Shwmae presented a report on how to bypass Windows Hello protection remotely, without having to physically interact with the user's device. In the hands of attackers, the tool allows you to extract and use keys, certificates, and other protected data that normally remain inaccessible.

If no additional parameters are specified, the program runs in enumeration mode by default and provides specific opportunities for attacking the system. You can also explicitly enable this mode by using the enum command. In enumeration mode, the program displays a list of all available Windows Hello containers, and then displays a list of all registered Windows Hello keys and security features for each container. If the computer does not have a TPM module (a special chip for data protection), the program will create a hash of the PIN code, which you can then try to crack offline using the hashcat tool.

The biometric protector associated with face or fingerprint recognition is decrypted automatically, which makes it particularly vulnerable to attacks. However, other protectors, such as PIN and Recovery, require additional effort to decrypt, which makes Shwmae particularly dangerous in the hands of an experienced attacker.

Another important feature of Shwmae is the ability to work with PRT (Primary Refresh Token). You can use the tool to generate and update PRTs using keys registered in Windows Hello. If Cloud Trust authentication is enabled in the target organization, the tool allows you to decrypt the Cloud TGT (Ticket Granting Ticket), which gives an attacker the ability to authenticate in the corporate network with user rights, opening up ample opportunities for further attacks on internal resources.

In WebAuthn mode, Shwmae allows you to create a web server to intercept and proxy WebAuthn requests from an attacking host. An attacker can install a web server on a compromised device that will accept requests from the attacking browser and use the compromised login credentials via Passkey authentication. This feature is particularly dangerous because it allows an attacker to use someone else's credentials without physical access to the victim's device.

Dump mode allows you to extract private keys protected by Windows Hello, but only when they are stored in software, and not at the hardware level. Leaking such keys can lead to loss of control over accounts and data, which poses a serious security risk.

Last, but not least, is the Sign mode, which allows an attacker to sign any data using the selected Windows Hello key. In this scenario, fake digital signatures are possible, which makes this mode potentially dangerous for abuse in various scenarios.
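A defender-side check that follows from the enumeration and dump observations above (added here as an example; it is not part of the original post or of the Shwmae tool): it confirms that a TPM is present and ready and that the Windows Hello for Business "Use a hardware security device" policy is enforced, which is what keeps the PIN protector hash off the host and the keys out of reach of the software-only dump mode. The registry value `RequireSecurityDevice` under the PassportForWork policy key is the Group Policy form of that setting; MDM-managed devices may carry it elsewhere, which this check does not cover.

```powershell
# Added defensive check (not part of the original post or of Shwmae).
# Reports whether Windows Hello keys on this host can be expected to be
# hardware-backed: TPM present and ready, and the policy that forces Windows
# Hello for Business to use a hardware security device turned on.

function Test-WindowsHelloHardwareBacking {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent            = $false
        TpmReady              = $false
        RequireSecurityDevice = $false
    }

    # Get-Tpm ships with the built-in TrustedPlatformModule module and needs
    # an elevated session.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
    }

    # Group Policy: Windows Hello for Business -> 'Use a hardware security device'.
    # (Path assumed to be the GPO registry location; MDM may store it differently.)
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $policy = Get-ItemProperty -Path $policyPath -Name 'RequireSecurityDevice' -ErrorAction SilentlyContinue
    if ($policy -and $policy.RequireSecurityDevice -eq 1) {
        $result.RequireSecurityDevice = $true
    }

    $result.HardwareBacked = $result.TpmPresent -and $result.TpmReady -and $result.RequireSecurityDevice
    [pscustomobject]$result
}

$check = Test-WindowsHelloHardwareBacking
$check | Format-List
if (-not $check.HardwareBacked) {
    Write-Warning 'Windows Hello material on this host may be software-backed: a missing TPM exposes the PIN protector hash to offline cracking, and software-stored keys are what the dump mode can extract.'
}
```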

Source