On Wednesday 14th of April, Matthew Johnson, one of our senior security consultants released details of a new wireless-based attack dubbed "Airstrike".

The attack allows an attacker with physical access to a locked domain-joined workstation to abuse default functionality to capture credential material and ultimately break into the device. By default, domain-joined Windows workstations allow access to the network selection UI from the lock screen.

An attacker with physical access to a locked device with WiFI capabilities (such as a laptop or a workstation) can abuse this functionality to force the laptop to authenticate against a rogue access point and capture credential material for the domain computer account.

This captured data can then be submitted to the online cracking service "crack.sh" to recover the hash of the computer account in less than 24 hours.

Once recovered, this hash combined with the domain SID can be used to forge Kerberos silver tickets to impersonate a privileged user and compromise the host.

The example provided in the attack involves the creation of a Kerberos "silver ticket" that is used to access the CIFS service of the laptop. This can then be used to authenticate the laptop using SMB and gain unrestricted access to the hard disk.

As the attack can be performed from a locked device, it can be utilised to bypass BitLocker full disk encryption and gain access to the devices file system.

In addition, as "silver tickets" can be forged for privileged users, this attack can also be leveraged to elevate privileges to that of the local administrator on the device, resulting in local privilege escalation.

The attack was responsibly disclosed to Microsoft and fixed as part of the April "patch Tuesday" security update release. The vulnerability has been assigned "CVE-2021-28316".

 

Read more about the new wireless-based attack here. 

 

If you liked this article, you may also like:

The Missing Link conquers another CTF competition

Red Teaming and the origins of anonymous hacking

On the hunt: finding 8 vulnerabilities in 8 weeks

Author