HackerTrans
TopNewTrendsCommentsPastAskShowJobs

harmon

no profile record

Submissions

Rapid7 lays off 18% of employees

bizjournals.com
6 points·by harmon·قبل 3 سنوات·0 comments

comments

harmon
·قبل 10 أشهر·discuss
Fine, Kerberoasting abuses TGS-REPs which are colloquially referred to as TGS tickets or TGSs*. You know what I meant.
harmon
·قبل 10 أشهر·discuss
> It's wild to me that this could happen just from solving the puzzle that allows the user's account to use the user's privileges (only) on the service... ?

Yes, it is an unfortunate design decision in the Microsoft implementation of the Kerberos protocol.

To interact with Active Directory and perform privileged actions, a service needs an Active Directory account that it can leverage for authenticated actions. This is colloquially referred to as a "service account", but it is not a special account type, it is just a regular Active Directory user or computer account designated for exclusive use by a service. Sometimes administrators will save time by registering a service under their own Domain Admin user account instead of creating a designated account for a service. This effectively makes their user account the service account. In other cases, extensive privileges may be required by a service (e.g. for network access control services, asset discovery services, vulnerability scanners, etc) and administrators find it easier to just create a Domain Admin (high privilege) account for that service than to do fine grained permissioning. This creates a dangerous situation where if an attacker can kerberoast the account associated with the service, they can immediately take possession of a high privilege account that can be used anywhere within the Active Directory environment.

> Since it's cryptographic signing, wouldn't this require reversing the hash?

Yes, you would need to brute-force it.

> Does any valid inverse of the hash work, or only the actual password that happened to get hashed?

Theoretically yes, any valid inverse of the hash would work, but to my knowledge there aren't any hash collisions for the NT hash algorithm. Practically speaking, this means that only the user's password would yield the correct hash.
harmon
·قبل 10 أشهر·discuss
If you have the user's credentials then you can indeed connect to the service as you normally would. The advantages of performing this attack are:

1. You can obtain the service account's password, and the service account may be provisioned with more privileges than the user's account that you compromised. This allows for privilege escalation beyond simply accessing the service. For example, perhaps the service account has administrative access on other machines, or it is used for multiple services, or it is a Domain Admin in which case you can completely compromise the domain.

2. TGS tickets used to request access to a service are cryptographically signed with the password hash of the service account. Services use this to confirm ticket validity. In most cases, this means that if you can derive the service account password, you can forge TGS tickets that claim to be associated with arbitrary domain users. Instead of accessing the service as a low privilege user, you can now access the service as an Enterprise Admin or another high privilege account which could enable access to more resources or administrative access to the machine. This is called a Silver Ticket attack.
harmon
·قبل 10 أشهر·discuss
Managed and group managed service account passwords are typically 240 characters long and rotate every 30 days. It is highly unlikely that an attacker can crack these.
harmon
·قبل 10 أشهر·discuss
This article is somewhat incorrect. Kerberoasting abuses Ticket Granting Service tickets (TGSs, which are used to request access to a registered service in Active Directory), not Ticket Granting Tickets (TGTs, which are used to prove identity to a Domain Controller and request TGSs). However, the general attack described is still correct.

TGS are (AES or RC4) encrypted with the NT password hash of the service account they are associated with. If you have a weak service account password, then TGS can be cracked to obtain the service account's password. A lot of times admins will create service accounts that have way more permissions than required (e.g. they make them a DA) which can lead to an immediate privilege escalation. Sometimes they also use regular user accounts for service registration instead of designated service accounts, and user accounts tend to have weaker passwords. To make it worse, any low privilege Active Directory account can request a TGS for any service, even if they are not allowed to access that service.

Even if the service account is lower privilege, this can enable a silver ticket attack. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberatt...

There are multiple mitigations for this:

1. Use managed or group managed service accounts instead of manually managed ones where possible. This ensures that account passwords are long, strong, and rotated regularly. If you are going to provision service accounts manually, give them very strong passwords.

2. Apply the principle of least privilege and only assign service accounts the privileges they need. Avoid placing them in high privilege groups.

3. Disable RC4 in your environment if possible via Group Policy.

4. Monitor for RC4 ticket requests. AES-encrypted tickets are the default these days. https://adsecurity.org/?p=3458

5. Create a honeypot service account: https://adsecurity.org/?p=3513

There is a somewhat similar attack against TGTs called ASREPRoasting: https://book.hacktricks.wiki/en/windows-hardening/active-dir...
harmon
·السنة الماضية·discuss
As these tariffs are objectively likely to drive up costs, hurt user demand, and lower revenue for the company, I would argue that they have a duty to their shareholders and other stakeholders to push back against them and not be neutral. It is an action driven by business concerns rather than politics.

Also yes, taxes are listed as a separate line item.
harmon
·قبل سنتين·discuss
As I understand it, you can only write off a business's expenses against that business's income, not income from other sources. For example, if you have a W2 income source and you have this business generating losses, you can't take your business losses or write offs and apply them to your W2 income, so you wouldn't really be saving any money as there would be no revenue to write off expenses against. You would need to get the business to generate revenue for this to be a viable idea.

The only case that I am aware of where you can take business losses / write offs and apply them to other income sources is in real estate, and only under very specific circumstances. This is one reason why high income individuals love things like short term rentals which is one circumstance in which this is possible.
harmon
·قبل 3 سنوات·discuss
I agree, honestly I feel a much better solution to this problem would be to extend the same tax advantages that you allude to when talking about a personal company to W2 employees.

Provision a home office? All of those expenses should be tax deductible.

BYOD? You should be able to expense a portion of the costs.

Pay for internet and power? You should be able to deduct a percentage of costs.

Have a work related meal? Tax deductible.

Drive your car to work? You should be able to deduct your mileage or depreciate your vehicle.

Pay for public transit passes to get to work? Tax deductible.

Etc, etc
harmon
·قبل 3 سنوات·discuss
Mass surveillance is out of control as you say, and I am a strong proponent of reigning in warrantless wiretaps and governmental overreach. However, as many people have stated, a pen register (which requires a warrant) against a specific individual suspected of a crime where there is a MASSIVE amount of evidence suggesting that the suspect is guilty has nothing to do with mass surveillance. This is targeted, narrowly scoped surveillance of a specific suspect and is precisely what law enforcement should be doing.
harmon
·قبل 3 سنوات·discuss
So I used to be in a very similar boat as you: I was depressed while working towards a STEM degree in college and ended up almost failing out with a 2.X GPA. I didn't see a path forward, and there was only one entity that was willing to hire me to do "real" work (for basically minimum wage). Like you, I thought I was totally fucked. Turns out, I wasn't. I spent the next 7 years working incredibly hard at that job. I taught myself software development skills in a similar manner as you out of personal interest. Eventually I was skilled enough to make major contributions at work and transitioned into a developer role. I continued studying and also took some remedial courses at a local university to prove that I could get A's if I tried. I then applied to a Master's program with glowing recommendations from my employer, a proven professional track record of success, and the transcripts from the local university. I was sure the admissions people would laugh and toss my application right into the trash. Guess what? I got into a great program! I'm now working in my dream role at a tech company, I got the opportunity to go back and prove to myself that I could succeed academically, and I learned a lot while in the program. You are already at a prestigious company as a full stack dev, so your road could be A LOT shorter than mine. I will give you the following advice based on my experience:

1. Realistically you are doing well. You are already in a great role; it sounds like you may just be struggling a bit. You mentioned feeling overwhelmed: have you reached out to your manager or a more senior engineer on your team for help? I bet they would be able to identify any weak points that you have which you could fix with self-directed learning (which it sounds like you are experienced at). Has anyone made a comment on your performance? If not, is it possible that some of your feelings are driven by imposter syndrome? The fact that you were hired despite your academic record suggests that you are certainly a competent dev.

2. No one likes hearing this, but you need to be patient. You only recently began your professional career (whereas I am in my mid 30s), and it will take time to build up the reputation and the track record to offset your past. By "time" I mean probably a few years minimum. Don't be deterred by this though, as these few years will be periods of heavy growth. I should also note that when I say it will take time to offset past performance, I am speaking purely from an academic perspective. From a professional perspective, you left your academic record behind when you got your first job, so I wouldn't spend time dwelling on it.

3. I agree that getting a Master's degree may be helpful, if for no other reason than it sounds like you may have a chip on your shoulder about your academic record. If you are serious about going back to school, take the following actions:

* Work. Fucking. Hard. Build a track record of success in your role.

* Get a portfolio of projects together that you can show off.

* Continue your self-directed learning and fill in gaps in understanding yourself. Work with your manager / seniors to identify these.

* Succeed in some sort of graded endeavor that you can use to display that you are serious and diligent: take courses somewhere and get A's; take coursework on Coursera or something else and get a certificate; get an industry certification or two; do research and put out a paper; etc. Basically you want to show the program that you can succeed academically and that you won't flake out if they admit you.

If you want to chat about your situation further, I'm happy to do so out of band.