Defused That SAN Flag!

In May, Microsoft fixed a bug that allowed normal users to impersonate Domain Controllers. This bug allowed non-privileged users to obtain a logon certificate issued to a domain controller, because users can write to the Active Directory attribute dnsHostName of a computer they have joined to the domain. If a machine can enroll for a …

How to Add a Subject Alternative Name Safely

I am writing about that PKI stuff again. I am running out of ideas for catchy introductions. So, here is a new post with old code! In Active Directory a UPN is mapped to a user automatically if it matches a user's LDAP attribute userPrincipalName (and a DNS SAN is mapped to dnsHostName). A Windows …

Rogue Certificate Challenge: No Hardware Tokens, No Linux, Just a Web Server with Certificate Mapping.

I am back to my favorite security research: How to abuse certificates in a Windows / Active Directory environment! If an Active Directory integrated certification authority signs a certificate with a custom Subject Alternative Name of your choosing, you can impersonate any administrator in an AD forest. I've published two blog posts about how to …

Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)

I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that because I noticed backlinks from their article …

Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!

My writeup - how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle - created by @mrb3n813 and @lkys37en - was the first box on HTB that had my favorite Windows Server Role - the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user - amanda - …

Automatic Mapping of Logon Certificates to Users in Active Directory

This post was originally published to my other / 'archive' website in 2014, first as a PDF, later converted to an HTML article. I am publishing it here on my WordPress blog in April 2022, using its original publication date - as it predates most of the other articles in my PKI UPN AD …

Diffusion of iTechnology in Corporations (or: Certificates for iPhones)

[Jump to technical stuff] Some clichés are true. One I found confirmed often is about how technologies are adopted within organizations: One manager meets another manager at a conference / business meeting / CIO event. Manager X shows off the latest gadget and/or brags about or presents a case study of a successful implementation of Y. Another manager …