In May 2022 Microsoft has fixed a vulnerability related to certificate logon to Active Directory. As a non-privileged user you could escalate privileges by impersonating a Domain Controller, as you can join machines to the domain and thus control the dnsHostName attribute. Microsoft fixed this in an indirect way: Since last May, Windows Certification Authority…
Tag: Active Directory
Defused That SAN Flag!
In May, Microsoft has fixed a bug that allowed normal users to impersonate Domain Controllers. This bug allowed non-privileged users to obtain a logon certificate issued to a domain controller, because users can write to the Active Directory attribute dnsHostNameof a computer they have joined to the domain. If a machine can enroll for a…
How to Add a Subject Alternative Name Safely
I am writing about that PKI stuff again. I am running out of ideas for catchy introductions. So, here is a new post with old code! In Active Directory a UPN is mapped to a user automatically if it matches a user’s LDAP attribute userPrincipalName (and a DNS SAN is mapped to dnsHostName). A Windows…
Rogue Certificate Challenge: No Hardware Tokens, No Linux, Just a Web Server with Certificate Mapping.
I am back to my favorite security research: How to abuse certificates in a Windows / Active Directory environment! If an Active Directory integrated certification authority sign a certificate with a custom Subject Alternative Name of your choosing, you can impersonate any administrator in an AD forest. I’ve published two blog posts about how to…
Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)
I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that, because I noticed backlinks from their article…
Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!
My writeup – how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle – created by @mrb3n813 and @lkys37en – was the first box on HTB that had my favorite Windows Server Role – the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user – amanda –…
Automatic Mapping of Logon Certificates to Users in Active Directory
This post has originally been published to my other / ‘archive’ website in 2014, first as a PDF, later converted to a HTML article. I am publishing it here on my WordPress blog in April 2022, using its original publication date – as it predates most of the other articles in my PKI UPN AD…
Diffusion of iTechnology in Corporations (or: Certificates for iPhones)
[Jump to technical stuff] Some clichés are true. One I found confirmed often is about how technologies are adopted within organizations: One manager meets another manager at a conference / business meeting / CIO event. Manager X show off the latest gadget and/or brags about presents a case-study of successful implementation of Y. Another manager…
elkemental Force 