Category: Cyber

I built it, I protected it, and I hacked it. I have been implementing and supporting Windows Public Key Infrastructures. Finally I turned to the red side.

Lord of the SID: How to Add the objectSID Attribute to a Certificate Manually

In May 2022 Microsoft has fixed a vulnerability related to certificate logon to Active Directory. As a non-privileged user you could escalate privileges by impersonating a Domain Controller, as you can join machines to the domain and thus control the dnsHostName attribute. Microsoft fixed this in an indirect way: Since last May, Windows Certification Authority…

Read More

Dystopic Diffraction – ChatGPT and Poetry

I have been creating Found Poetry from search terms, from spam comments, from my own articles. I’ve followed strict rules and constraints. The stricter, the better. I am removing my consciousness as a human being from the creative process (Not my subconsciousness though!). Turning myself into a paper shuffling office clerk, feeding prompts to an…

Read More

Defused That SAN Flag!

In May, Microsoft has fixed a bug that allowed normal users to impersonate Domain Controllers. This bug allowed non-privileged users to obtain a logon certificate issued to a domain controller, because users can write to the Active Directory attribute dnsHostNameof a computer they have joined to the domain. If a machine can enroll for a…

Read More

How to Add a Subject Alternative Name Safely

I am writing about that PKI stuff again. I am running out of ideas for catchy introductions. So, here is a new post with old code! In Active Directory a UPN is mapped to a user automatically if it matches a user’s LDAP attribute userPrincipalName (and a DNS SAN is mapped to dnsHostName).  A Windows…

Read More

Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)

I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that, because I noticed backlinks from their article…

Read More

Secure Poetry: “I have been quite confident”

A poem from snippets of two postings on cybersecurity. Trying to carve words out of jargon. Details on the creative process at the bottom of the post.   I have been quite confident I have been inspired In this simple way to find both options take note of an extra stealth factor I hardly ever…

Read More

Injecting an EFS Recovery Agent – and Let the Virus Scanner Help You!

How can you read files encrypted with Windows’s Encrypting File System if you neither have access to the owner’s encryption certificate and key and nor that of a legit data recovery agent (DRA) … but if you are a local administrator? This work is still inspired by the hackthebox machine Helpline. You were able to…

Read More

Parse Certificates Stored in the Windows Registry

You can parse the binary blobs that represent certificates stored in the Windows registry with certutil correctly, even when the Windows Explorer / GUI tells you that this is not a certificate. certutil seems to be able to handle / ignore meta data better. Once upon a time I played with the machine Ethereal provided by…

Read More

Infinity

New Year’s Eve 2019 seems infinitely far in the past. It was the first day news about this mysterious disease had been published in my country. Yet it seems infinitely far away at that time, somewhere in China. Today we see something glowing at the end of a weird long corridor. Despite horrible news, I…

Read More

Technology and Technics. Flolloping Floopily.

Once I started to create spam poetry and search term poetry, and I believed it was original. Then I discovered that great poets of the virtual scrapyard had come before me. Finally, I found serious articles about so-called Found Poetry and I found poets publishing their spam poetry in earnest. I learned about the Sokal…

Read More

Gödel’s Proof

Gödel’s proof is the (meta-)mathematical counterpart of the paradoxical statement This sentence is false. In his epic 1979 debut book Gödel, Escher, Bach Douglas Hofstadter intertwines computer science, math, art, biology with a simplified version of the proof. In 2007 he revisits these ideas in I Am a Strange Loop. Hofstadter writes: … at age…

Read More

The RSA Algorithm

You want this: Encrypt a message to somebody else – using information that is publicly available. Somebody else should then be able to decrypt the message, using only information they have; nobody else should be able to read this information. The public key cryptography algorithm RSA does achieve this. This article is my way of…

Read More

Locating Domain Controllers and Spoofing Active Directory DNS Servers

Last year, hackthebox let me test something I have always found fascinating – and scary: You can impersonate any user in a Windows Active Directory Forest if you have control over the certificate templates of an AD-integrated Windows Public Key Infrastructure: Add extended key usages for smartcard logon to the template, enroll for the certificate,…

Read More

Echo Unreadable Hex Characters in Windows: forfiles

How to transfer small files to a locked-down Windows machine? When there is no option to copy, ftp, or http GET a file. When powershell is blocked so that you can only use Windows cmd commands? My first choice would be to use certutil: certutil is a built-in tool for certificate and PKI management. It…

Read More

Ethereal @ hackthebox: Certificate-Related Rabbit Holes

This post is related to the ‘insanely’ difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware – It is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me – as somebody who…

Read More

Certificates and PKI. The Prequel.

Some public key infrastructures run quietly in the background since years. They are half forgotten until the life of a signed file has come to an end – but then everything is on fire. In contrast to other seemingly important deadlines (Management needs this until XY or the world will come to an end!) this…

Read More

Modbus Server on Raspberry Pi as Babelfish for UVR16x2

Our main data logger is the Control and Monitoring Interface of the freely programmable controller UVR16x2. There are two pieces of hardware you need for logging – the actual control unit and the logger connected to the controller via the CAN bus. This ‘architecture’ might be due to historical reasons, but I like the separation…

Read More

Unintended 2nd Order SQL Injection

Why I am not afraid of the AI / Big Data / Cloud powered robot apocalypse. SQL order injection means to run custom SQL queries through web interfaces because the input to the intended query is not sanitized, like appending the infamous ‘ OR ‘1’=’1 to a user name or search term. It is 2nd…

Read More

A Color Box. Lost in Translation

It was that time again. The Chief Engineer had rebuilt the technical room from scratch. Each piece of heavy equipment had a new place, each pipe and wire was reborn in a new incarnation (German stories here.) The control system was turned upset down as well, and thus the Data Kraken was looking at its…

Read More

Cyber Something

You know you have become a dinosaur when you keep using outdated terminology. Everybody else uses the new buzz word, but you just find it odd. But someday it will creep also into your active vocabulary. Then I will use the tag cyber something, like stating that I work with cyber-physical systems. But am I…

Read More

Hacking

I am joining the ranks of self-proclaimed productivity experts: Do you feel distracted by social media? Do you feel that too much scrolling feeds transforms your mind – in a bad way? Solution: Go find an online platform that will put your mind in a different state. Go hacking on hackthebox.eu. I have been hacking…

Read More

Cloudy Troubleshooting (2)

Unrelated to part 1 – but the same genre. Actors this time: File Cloud: A cloud service for syncing and sharing files. We won’t drop a brand name, will we? Client: Another user of File Cloud. [Redacted]: Once known for reliability and as The Best Network. Dark Platform: Wannabe hackers’ playground. elkement: Somebody who sometimes just wants to be an…

Read More

Infinite Loop: Theory and Practice Revisited.

I’ve unlocked a new achievement as a blogger, or a new milestone as a life-form. As a dinosaur telling the same old stories over and over again. I started drafting a blog post, as I always do since a while: I do it in my mind only, twist and turn in for days or weeks…

Read More

Where Are the Files? [Winsol – UVR16x2]

Recently somebody has asked me where the log files are stored. This question is more interesting then it seems. We are using the freely programmable controller UVR16x2 (and its predecessor) UVR1611) … .. and their Control and Monitoring Interface – CMI: The CMI is a data logger and runs a web server. It logs data…

Read More

Cloudy Troubleshooting

Actors: Cloud: Service provider delivering an application over the internet. Client: Business using the Cloud Telco: Service provider operating part of the network infrastructure connecting them. elkement: Somebody who always ends up playing intermediary. ~ Client: Cloud logs us off ever so often! We can’t work like this! elkement: Cloud, what timeouts do you use?…

Read More