|
CLAM DOWN posted:This Exchange vuln rules https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ quote:This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin quote:If we perform a SMB to HTTP (or HTTP to HTTP) relay attack (using LLMNR/NBNS/mitm6 spoofing) we can relay the authentication of a user in the same network segment to Exchange EWS and use their credentials to trigger the callback From nothing to domain admin as long as you're on the same network as an athenticated user? :vancouverhousefire:
|
#
?
Feb 6, 2019 18:33
|
|
|
|
| # ? May 12, 2024 20:08 |
|
|
That's some crazy poo poo. Good find.
|
|
#
?
Feb 6, 2019 18:36
|
|
|
Truga posted:exclusive locking in general is a big old clusterfuck on windows. "no, you can't play/open/close/delete/write/copy this resource or file. someone, somewhere has it open" And you need to use sysinternals to get something like "fuser"
|
|
#
?
Feb 6, 2019 18:57
|
|
|
hobbesmaster posted:And you need to use sysinternals to get something like "fuser" I’ve always assumed there was some MFC-era app hidden in a system folder that would do this, and that I’d just never found it.
|
|
#
?
Feb 6, 2019 19:00
|
|
|
ChubbyThePhat posted:That's some crazy poo poo. Good find. The best part is Microsoft saying “please wait on our patch”. Ok, Microsoft.
|
|
#
?
Feb 6, 2019 20:10
|
|
|
Has anyone worked with an F5 WAF device? We have a client that wants us to configure theirs and I've never done it before. I was hoping to find a VM image or something before I start screwing around with their box. Anyone know where I could find one or some documentation? edit: I checked the F5 website and it seems all they have is a changelog for the WAF devices and no manuals unless I'm missing something. SnatchRabbit fucked around with this message at 21:13 on Feb 6, 2019 |
|
#
?
Feb 6, 2019 20:52
|
|
|
Does your client have an F5 support account you can use? It's dumb and annoying, but it's extremely common for vendors to put all their documentation and virtual appliances and whatnot behind a login.
|
|
#
?
Feb 6, 2019 21:11
|
|
|
F5 devices by far have some of the worst logging in the world.
|
|
#
?
Feb 6, 2019 21:48
|
|
|
Maybe true about logging but I really like the idea of waf detection at the tls termination rather than having it fully routed through their “cloud”
|
|
#
?
Feb 6, 2019 21:57
|
|
|
SnatchRabbit posted:Has anyone worked with an F5 WAF device? We have a client that wants us to configure theirs and I've never done it before. I was hoping to find a VM image or something before I start screwing around with their box. Anyone know where I could find one or some documentation? I've worked with wafs enough to know it takes longer than a week to train it.
|
|
#
?
Feb 6, 2019 22:02
|
|
|
Anyone using linux on Azure? I've turned on the System Assigned Managed Identity for some VMs on launch. It's like giving the VM a IAM instance role in AWS, as far as I understand. On boot, cloud-init runs, and adds the SSH Public Key I specified and adds it to authorized_keys for the user I specified. However, it also converts the Managed Identity keypair to ssh format, and also adds that to authorized_keys. This doesn't make any sense to me, the key pair is just for the software on the VM to authenticate to Azure APIs, not for stuff to gain shell access to the VM, right? I feel like I'm losing my mind because both Azure support and the cloud-init project don't seem to recognize that this is a problem.
|
|
#
?
Feb 6, 2019 23:05
|
|
|
D. Ebdrup posted:Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V? I don't think that exclusive to Windows. When I have VirtualBox virtual machines running on my Ubuntu 16 computer I am unable to start any KVM virtual machines. I haven't tested if it were possible to start them the other way around.
|
|
#
?
Feb 7, 2019 19:44
|
|
|
Saukkis posted:I don't think that exclusive to Windows. When I have VirtualBox virtual machines running on my Ubuntu 16 computer I am unable to start any KVM virtual machines. I haven't tested if it were possible to start them the other way around. The difference is that, because of the way Hyper-V operates, it's always running regardless of if you're actually using it. If you stop those Virtualbox VMs, you can start your KVM VMs, and vice versa. If Hyper-V is even installed on a Windows machine you can't use Virtualbox or anything else without entirely disabling it. You can't just stop your Hyper-V session and start up something else.
|
|
#
?
Feb 7, 2019 19:51
|
|
|
The iOS release with FaceTime fixed is available now
|
|
#
?
Feb 7, 2019 19:52
|
|
|
wolrah posted:The difference is that, because of the way Hyper-V operates, it's always running regardless of if you're actually using it. Once the Hyper-V Role is installed, the OS you are presented with at the console is actually running inside Hyper-V hence if it's installed, you're always using it.
|
|
#
?
Feb 7, 2019 20:44
|
|
|
Saukkis posted:I don't think that exclusive to Windows. When I have VirtualBox virtual machines running on my Ubuntu 16 computer I am unable to start any KVM virtual machines. I haven't tested if it were possible to start them the other way around.
|
|
#
?
Feb 7, 2019 20:58
|
|
|
the real answer for win10 blocking it is credentialguard
|
|
#
?
Feb 8, 2019 16:59
|
|
|
Subjunctive posted:I’ve always assumed there was some MFC-era app hidden in a system folder that would do this, and that I’d just never found it.
|
|
#
?
Feb 9, 2019 08:40
|
|
|
If you have half an hour to an hour (plus however much memory is needed for the tab explosion), may I suggest you read about CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment and how they're using FreeBSD (built mostly on C, C++ and some assembly) plus a modified RISC-chip to do a bunch of neat things including fine-grained capability-based security (yes, capabilities from the 70s!), mitigating out-of-bounds speculative reads (not just the ones Intel, ARM and AMD have patched in their microcode, either), and explicit minimizing of privileges on the whole base system plus PostgreSQL. All of it combines to make a what they call a "complete memory-safe UNIX system that is practical for general use".
|
|
#
?
Feb 12, 2019 21:50
|
|
|
My preferred password manager is now alerting for a Trojan. I'm guessing the guy running it had his dev pipeline compromised at some point. Whats the recommended password manager for multiple desktops and mobile. I'd prefer something fully encrypted with my own key, but am willing to be reasonable for quality of life improvements.
|
|
#
?
Feb 12, 2019 22:04
|
|
|
If you want full encryption, keep another one in a safe with otp codes. E: There's a small chance that they've cooked up some scheme to obscure memory, and that's what's getting flagged. Perhaps its been modified by something else, too. Are you comfortable sharing the name of it? dougdrums fucked around with this message at 22:44 on Feb 12, 2019 |
|
#
?
Feb 12, 2019 22:12
|
|
|
FunOne posted:My preferred password manager is now alerting for a Trojan. I'm guessing the guy running it had his dev pipeline compromised at some point. Whats the recommended password manager for multiple desktops and mobile. Which one is that?
|
|
#
?
Feb 12, 2019 23:05
|
|
|
https://twitter.com/VFEmail/status/1095038701665746945
|
|
#
?
Feb 13, 2019 00:46
|
|
|
A perfect example of why at least one of the copies making up your backup scheme needs to be offline.
|
|
#
?
Feb 13, 2019 01:57
|
|
|
RBAC your poo poo y'all. It shouldn't be that easy for somebody to delete your entire company.
|
|
#
?
Feb 13, 2019 03:16
|
|
|
Guy Axlerod posted:Which one is that? Safe-In-Cloud, its a lesser known desktop/mobile app pair. I like it because it isn't total loving poo poo, I don't HAVE to use a Chrome extension, and my password database is in my cloud provider, not theirs. Tried LastPass, holy hell, how is that the recommended service for most people?
|
|
#
?
Feb 13, 2019 15:41
|
|
|
FunOne posted:Tried LastPass, holy hell, how is that the recommended service for most people? It's not. KeePass and 1Password are the ones I've seen recommended here recently.
|
|
#
?
Feb 13, 2019 15:48
|
|
|
FunOne posted:Safe-In-Cloud, its a lesser known desktop/mobile app pair. I like it because it isn't total loving poo poo, I don't HAVE to use a Chrome extension, and my password database is in my cloud provider, not theirs. It never was?
|
|
#
?
Feb 13, 2019 16:51
|
|
|
where do you all find these services?!
|
|
#
?
Feb 13, 2019 17:35
|
|
|
Andohz posted:It's not. KeePass and 1Password are the ones I've seen recommended here recently. People also seem to like Bitwarden, although I haven't tried that one.
|
|
#
?
Feb 13, 2019 17:44
|
|
|
I don't understand the question. Google?
|
|
#
?
Feb 13, 2019 17:44
|
|
|
wolrah posted:A perfect example of why at least one of the copies making up your backup scheme needs to be offline. It's really hard to rm -rf your tapes when they're stored in a file cabinet across town. Like, it should be a standard backup/disaster recovery scenario to ask "If an attacker found my keepass keyring and had root access to everything, and did an rm -rf, how would I recover from that?"
|
|
#
?
Feb 14, 2019 06:23
|
|
|
I'm considering using Passwordstate for the IT dept at work, to get away from USB sticks, safes and outdated printouts. Anyone got good/bad experiences, or alternatives?
|
|
#
?
Feb 14, 2019 08:41
|
|
|
evobatman posted:I'm considering using Passwordstate for the IT dept at work, to get away from USB sticks, safes and outdated printouts. Anyone got good/bad experiences, or alternatives? Centrify, Azure HSM and KMS, 1Password
|
|
#
?
Feb 14, 2019 09:27
|
|
|
FunOne posted:Safe-In-Cloud, its a lesser known desktop/mobile app pair. I like it because it isn't total loving poo poo, I don't HAVE to use a Chrome extension, and my password database is in my cloud provider, not theirs. I've been using SafeInCloud and it works great across browsers (safari/chrome/firefox) and all of my devices (ios/android) and computers (win/mac) and the db is stored on my cloud. I tried several programs a LONG time ago so I cannot compare it but I haven't yet found a reason to try anything else. I'm open to alternatives if there is a reason I should stop using it. One negative is no Edge integration but I use it as rarely as possible. I use the standalone app when necessary.
|
|
#
?
Feb 14, 2019 11:08
|
|
|
Methylethylaldehyde posted:It's really hard to rm -rf your tapes when they're stored in a file cabinet across town. I would thank jesus that they didn't do the needful instead: https://twitter.com/VFEmail/status/1095021927972909056?s=20
|
|
#
?
Feb 14, 2019 11:40
|
|
|
dougdrums posted:I would thank jesus that they didn't do the needful instead: Looks like they used some undisclosed exploit to shovel out the tunnel from the backup server. My first question is why the backup server was reachable from the Internet, let alone allowing it access to the Internet.
|
|
#
?
Feb 14, 2019 12:09
|
|
|
Yeah I had way to much time yesterday to read about it, and it seems the motive was to destroy some info after it was retrieved, without giving away what the target was. He said something to the effect of, "I don't know how they had the password to every vm." Of course they probably did not have the password/keys to every vm so whatever it was had to really be worth it.
|
|
#
?
Feb 14, 2019 12:31
|
|
|
Proteus Jones posted:My first question is why the backup server was reachable from the Internet, let alone allowing it access to the Internet. How do we know that I t was directly reachable from the internet? They could have pivoted from something else they compromised, no?
|
|
#
?
Feb 14, 2019 12:33
|
|
|
|
| # ? May 12, 2024 20:08 |
|
|
That still qualifies as reachable from the internet though. I keep the backups for my business in a deposit box. I remeber one place where they just had a zip file on the dc and were like, "yeah of course we keep backups!" I think some places have some confusion between backups in case you gently caress up some configuration and backups in case your poo poo gets wiped by an attacker/fire/mother nature. dougdrums fucked around with this message at 12:42 on Feb 14, 2019 |
|
#
?
Feb 14, 2019 12:38
|
|