The Renaissance of NTLM Relay Attacks: Everything You Need to Know – Source: securityboulevard.com https://ciso2ciso.com/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #CyberSecurityNews #SecurityBoulevard #socialengineering #ActiveDirectory #BloodHound #ntlmrelay #research #redteam

LDAP Tool Box Service Desk 0.6.2 released!

LDAP Tool Box Service Desk is a web application for administrators and support teams. It allows to browse accounts in an LDAP directory, view and update their password and security status.

News on OW2 : https://projects.ow2.org/view/ldaptoolbox/ltb-service-desk-0-6-2-released/
Release on GitHub : https://github.com/ltb-project/service-desk/releases/tag/v0.6.2
Download : https://ltb-project.org/download.html

Is today #FediHire Friday? Sure looks like it!

What I'm looking for: A senior level, individual contributor role supporting Windows, Active Directory, Certificates, PKI, Azure, and information security in a large environment. Interested in relocating outside of the US. I like to solve weird problems and make computers run smoothly. I want to help others use technology effectively.

My main focus the last few years has been rebuilding and modernizing a struggling certificate management team. That includes growing the team to meet our company needs, migrating our AD-integrated private PKI stack, getting a handle on our web PKI consumption, and making massive improvements to our certificate lifecycle management platform. I supported and advised our CyberSec and Desktop teams as we rolled out multi-factor authentication to 50,000 employees and contractors across the US. My background in understanding deep computer fundamentals, talent for quickly grasping nuances of larger systems, and calmness in a crisis have contributed to quickly resolving major technology outages regardless of root cause.

This role hasn't been exclusively technical. A big part of my current job is building relationships with our developers to help them understand how certificates work, the responsible ways to use them, and what our relevant internal policies are. I've been training and teaching junior and mid-level engineers both practical PKI concepts and our specific enterprise requirements. I've gotten to spend some time with upper management to both explain the immediate challenges we've had and the plans we can implement improve our infrastructure, reducing costs and outages.

While this position has been focused on certs and how to use them, I'm very comfortable considering a technical leadership role for Windows (server and desktop) administration and Active Directory. I also have some good experience with Azure and virtualization platforms, but they haven't been my daily focus for several years.

My current employer is direct retail for general public consumers. I've also worked in banking/finance, manufacturing, and architecture firms. The common thread is I love to help people leverage technology for their goals, to help them be more effective.

In my personnel/volunteer time I've done very similar: working backstage with lights/sounds/projections so live performers can do their best.

Right now I'm in Syracuse, New York (about five hours from NYC), but I'm open to relocation/migration anywhere in the world.

PMs open if you want to talk details. Boosts/reshares appreciated.

I'm a bit embarrassed
#TIL the passwords are stored in #ActiveDirectory without a Salt (on the domain controller).

I'm still in shock. For all my career (30+ years) storing salted and hashed passwords has been the standard (or at least I thought so)

For non-#Cybersecurity security people an explanation:
The term Salt means that each password is extended by some random data. When calculating the hash (a mathematical function which can't be reversed) this Salt is included. As the Salt is different every time a password is set or changed it guaranties that even if people choose the same password that the hash differs. Without the salt the same password would have the same hash, so attackers would instantly know which accounts have the same password. Making it much easier for them.

Actually, it is even worse. If the password was used and cracked before it is likely in a list of cracked hashes. So you don't need to crack any hashes. You can simply look it up.

E.g the NTLM hash 8AC2859EC4AF435BA6AD116B0690A904

Looking it up at https://ntlm.pw/ reveals the password "ZaqwsX7679bgHrty!"

Brute forcing it would take billions of years, but a simple lookup reveals it in milliseconds

Sharing this post from earlier this week about NTLM. https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/. You should NOT wait until you start moving to Server 2025 to start on this. The LDAP Channel Binding audit alert was back ported to all the way to Server 2019. Enable this, see what WILL break and start fixing! #infosec #activedirectory

I flubbed my password while unlocking the work computer this morning. It has been sitting here spinning for at least 5 minutes now, completely unusable until it finally announces my failure and lets me try again.

"Enterprise OS," my butt.

While everyone is getting fired up about cyber security awareness month, want to really really encourage folks to make sure you are doing the fundamentals correct. Anyone can do it! Here is a good example, https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a?preview=true. Drive this #ActiveDirectory #ldap to completion by enabling channel binding and signing in your environment. This is a great improvement and you can validate in the audit logs to see if any connections will have issues. #infosec

#Shellprogramming skills are pretty portable between #Linux, #BSD, and #macOS, but some of the underpinnings of macOS are non-standard. It helps to remind yourself that macOS is not a standard #BSD #Unix variant; Apple's #Darwin based systems do a lot of embrace-and-extend under the hood. Here's a practical example that comes up often in the enterprise.

Most #Linux systems export the current user's login name to the LOGNAME environment variable (often via sourcing /etc/profile) and may also export the user's default shell from the user's #GECOS record in /etc/passwd to the preferred shell (set by an application or the user) as the SHELL environment variable. The canonical way to get access to the user's default shell on most Unix-like systems is by parsing /etc/password or another NSS database with the getent utility, e.g. getent passwd "$LOGNAME" | cut -d: -f7.

There are other means to do this on Linux too, but macOS doesn't provide this common #POSIX compatible userspace utility. Instead, Darwin relies on opendirectory(8) for storing and accessing GECOS records, requiring other tools to retrieve the information. You can query a user's GECOS record on Darwin like so:

# directly from the Open Directory service, local or remote
dscl . -read "/Users/$(id -un)" shell | awk '/^shell:/ {print $2}'

# from the directory service's cache on the local system
dscacheutil -q user -a uid "$(id -u)" | awk '/^shell:/ {print $2}'

Be aware that there are other ways to do this, too, but old school utilities like whoami have been deprecated in favor of id -un, and finger as implemented on most systems (e.g. via [x]inetd, or reading various #dotfiles from users' directories locally or over the network) is considered a security risk.

In containers, especially with non-standard shells, or with centralized #IAM using #LDAP or #ActiveDirectory, you may have to match the local #userID to a remote #LDIF record to before grepping for the data you need. In addition, nsswitch.conf, PAM modules, NIS+, or other less-common data sources may need to be consulted and each will generally have specific utilities for looking up the stored or cached information that is equivalent to what's normally provided in the 7th GECOS field for each user on standard Linux and Unix systems.

As always, your mileage may vary based on use case or implementation details. On the plus side, problems are rarely insoluble when you know where to dig for a solution!

#Ubuntu 24.04.1 #LTS Is Now Available for Download, Here’s What’s New
This release introduces #ActiveDirectory integration and enables upgrades from Ubuntu 22.04 LTS (Jammy Jellyfish) systems.
The next point release, Ubuntu 24.04.2 LTS, is planned for February 2025. It will be a more exciting release as it will be powered by #Linux kernel 6.11 and Mesa 24.2 graphics stacks from the upcoming Ubuntu 24.10 (Oracular Oriole) release, due out in October 2024.
https://9to5linux.com/ubuntu-24-04-1-lts-is-now-available-for-download-heres-whats-new

When we demand security by default, do we also mean #Microsoft Active Directory? This is a vulnerability scan of a default Windows Server 2019 AD setup in my homelab and yeah, it's pretty bad. #cybersecurity #ActiveDirectory

So, I'm considering taking some risks and leaning into setting up AD and domain on my home network, with my homelab.

I'm concerned about what risks I should watch out for, and things I should keep in mind while setting it up and configuring it. My only hands on experience with setting that stuff up, was in a lab setting for one of my classes for school, and it was a very basic overview, and didn't cover the security risk side of things.

I don't really have a huge need or reason to do this, largely just curious about the setup and management of a dozen or so computers on a small network like this.

Also concerned about configuring my network shares for Android devices that exist on the network, that access the shares for media streaming as well.

Microsoft: März-Updates können Windows Server lahmlegen

Microsoft hat bestätigt, dass die Sicherheitsupdates aus dem März Windows Server mit Active Directories lahmlegen können.

https://www.heise.de/news/Microsoft-Maerz-Updates-koennen-Windows-Server-lahmlegen-9661470.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

Join us at InfoSec Jupyterthon 2024.

This online event, to be held on February 15-16, 2024, serves as an opportunity for infosec analysts and engineers to meet and engage with security practitioners using notebooks in their daily work. It is organized by our friends at Open Threat Research, together with folks from the Microsoft Threat Intelligence community.

Some of the topics to be covered in this year’s talks include:

Analyzing Active Directory with Bloodhound CE, Jupyter, and Python

Graphing ransomware & data leak sites trends with Plotly

Threat hunting in three dimensions

Guardians of Identity: OKTA’s underworld

Hacking proprietary protocols with pandas

Predicting Windows binary download links with Jupyter notebooks

Comparison of collaboration methods between MSTICpy and Splunk SIEM

Building a community around notebooks for DFIR and SecOps

Building data-driven security tools with Streamlit

Red teaming LLMs with Jupyter notebooks

Automating adversary emulation

Applying machine learning for C2 beaconing detection

https://www.microsoft.com/en-us/security/blog/2024/01/29/join-us-at-infosec-jupyterthon-2024/

A nice writeup about the process of parsing the msDS-KeyCredentialLink value (ShadowCredentials attack)​

https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack

In my current project(spring boot, java 17) i have to secure a rest-api so that only members of a certain active directory group can use the endpoints. I have not used spring security or active directory / ldap before. We should i start my research? Are there any good tutorials on this? #java #spring #springboot #springsecurity #ldap #activedirectory

#Microsoft announced today that it would change the name of its #Azure #ActiveDirectory (#AzureAD) enterprise identity service to Microsoft #EntraID by the end of the year.
#Entra Internet Access is used to secure public-facing web services, allowing admins to restrict visitors through Conditional Access. Entra Private Access is #VPN-like service that allows remote access to internal, private #corporate resources.
https://www.bleepingcomputer.com/news/microsoft/microsoft-rebrands-azure-active-directory-to-microsoft-entra-id/

Late to the #introduction game, it I guess rather late then never.

I am a mid-30's security-minded #activedirectory and #identity admin from central Germany. Father of one. Spare time is usually family time.

I guess this also needs the obligatory: Opinions are my own and do net reflect my employer's in any way.