I am back to my favorite security research: How to abuse certificates in a Windows / Active Directory environment! If an Active Directory integrated certification authority signs a certificate with a custom Subject Alternative Name of your choosing, you can impersonate any administrator in an AD forest. I’ve published two blog posts about how to…
Tag: Cybersecurity
Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)
I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that, because I noticed backlinks from their article…
Secure Poetry: “I have been quite confident”
A poem from snippets of two postings on cybersecurity. Trying to carve words out of jargon. Details on the creative process at the bottom of the post. I have been quite confident I have been inspired In this simple way to find both options take note of an extra stealth factor I hardly ever…
Injecting an EFS Recovery Agent – and Let the Virus Scanner Help You!
How can you read files encrypted with Windows’s Encrypting File System if you have access neither to the owner’s encryption certificate and key nor to those of a legit data recovery agent (DRA) … but if you are a local administrator? This work is still inspired by the hackthebox machine Helpline. You were able to…
Parse Certificates Stored in the Windows Registry
You can parse the binary blobs that represent certificates stored in the Windows registry with certutil correctly, even when the Windows Explorer / GUI tells you that this is not a certificate. certutil seems to be able to handle / ignore meta data better. Once upon a time I played with the machine Ethereal provided by…
The RSA Algorithm
You want this: Encrypt a message to somebody else – using information that is publicly available. Somebody else should then be able to decrypt the message, using only information they have; nobody else should be able to read this information. The public key cryptography algorithm RSA does achieve this. This article is my way of…
Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux
This is about a serious misconfiguration of a Windows Public Key Infrastructure integrated with Active Directory: If you can edit certificate templates, you can impersonate the Active Directory Forest’s Enterprise Administrator by logging on with a client certificate. You have a persistent credential that will also survive the reset of this admin’s password. In the…
Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files
Another great machine has been retired on hackthebox.eu – Helpline by @egre55! Here is my ‘silly’ unintended way to root the box: You can get both the encrypted user and root flag via the cumbersome web RCE alone – if you wait for a legit user to just look at the file. This is unlikely…
Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution
Just dumping some quick and dirty one-liners! These are commands I had used to explore locked-down Windows and Linux machines, using bash or powershell when no other binaries were available or could be transferred to the boxes easily. Trying to ping all hosts in a subnet Linux for i in $(seq 1 254); do host=192.168.0.$i;…
Ethereal @ hackthebox: Certificate-Related Rabbit Holes
This post is related to the ‘insanely’ difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware – It is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me – as somebody who…
Unintended 2nd Order SQL Injection
Why I am not afraid of the AI / Big Data / Cloud powered robot apocalypse. SQL order injection means to run custom SQL queries through web interfaces because the input to the intended query is not sanitized, like appending the infamous ' OR '1'='1 to a user name or search term. It is 2nd…
Cyber Something
You know you have become a dinosaur when you keep using outdated terminology. Everybody else uses the new buzz word, but you just find it odd. But someday it will creep also into your active vocabulary. Then I will use the tag cyber something, like stating that I work with cyber-physical systems. But am I…
Hacking
I am joining the ranks of self-proclaimed productivity experts: Do you feel distracted by social media? Do you feel that too much scrolling feeds transforms your mind – in a bad way? Solution: Go find an online platform that will put your mind in a different state. Go hacking on hackthebox.eu. I have been hacking…
Infinite Loop: Theory and Practice Revisited.
I’ve unlocked a new achievement as a blogger, or a new milestone as a life-form. As a dinosaur telling the same old stories over and over again. I started drafting a blog post, as I have always done for a while: I do it in my mind only, twist and turn it for days or weeks…
The Orphaned Internet Domain Risk
I have clicked on company websites of social media acquaintances, and something is not right: Slight errors in formatting, encoding errors for special German characters. Then I notice that some of the pages contain links to other websites that advertize products in a spammy way. However, the links to the spammy sites are embedded in…
Give the ‘Thing’ a Subnet of Its Own!
To my surprise, the most clicked post ever on this blog is this: Network Sniffing for Everyone: Getting to Know Your Things (As in Internet of Things) … a step-by-step guide to sniff the network traffic of your ‘things’ contacting their mothership, plus a brief introduction to networking. I wanted to show how you can…
What I Never Wanted to Know about Security but Found Extremely Entertaining to Read
This is in praise of Peter Gutmann’s book draft Engineering Security, and the title is inspired by his talk Everything You Never Wanted to Know about PKI but were Forced to Find Out. Chances are high that any non-geek reader is already intimidated by the acronym PKI – sharing the links above on LinkedIn I have been…
Cyber Security Satire?
I am a science fiction fan. In particular, I am a fan of movies featuring Those Lonesome Nerds who are capable of controlling this planet’s critical infrastructure – from their gloomy basements. But is it science fiction? In the year Die Hard 4.0 was released, a classified video – showing an electrical generator dying…