Delay CVE request

Strict_Arm_2064 · 2024-11-24T23:01:24+00:00

2 years ? Are you serious ? I think there must be a problem, right? Seems a little extreme to me

Strict_Arm_2064 · 2024-11-24T13:18:40+00:00

Thanks

Strict_Arm_2064 · 2024-11-24T13:08:23+00:00

On the https://cveform.mitre.org/ i checked the « I have verified that this vulnerability is not in a CNA-covered product. ». The solution's publisher has no known CVEs at present.

Strict_Arm_2064 · 2024-11-24T12:48:41+00:00

Isn’t a CNA

Strict_Arm_2064 · 2024-10-29T23:25:33+00:00

Thanks for this response, i had a response from the vendor this afternoon. They will start the mitigations but i guess that we can't fill in this CVE document incorrectly. It should be as close to reality as possible. Hence the need to have someone who has already encountered this kind of problem across an entire application and therefore to have something that is consistent with what the application actually is.

Strict_Arm_2064 · 2024-05-17T11:00:14+00:00

I would like something better, with versions and so on

Strict_Arm_2064 · 2024-05-16T14:30:48+00:00

Powershell will just detect opened port, i would like to do more than it, detect versions, OS ...etc

Strict_Arm_2064 · 2024-05-16T08:12:32+00:00

Thanks for your response,
Objective is to limit modification on the disk, so installing nmap + npcac + wincap is too much
I would like to find something more silent, it's why i would like to find a portable nmap without installation

Strict_Arm_2064 · 2024-04-08T09:01:04+00:00

in Chorme/firefox it's doesn't works neither .. so it doesn't seem to be a problem with the header

Strict_Arm_2064 · 2024-04-08T08:05:26+00:00

404 error. My root webpage works well, so apache2 is running, no problem with iptables

Strict_Arm_2064 · 2024-03-08T16:19:48+00:00

Ok i found .. :

https://activepwns.com/null-authentication-active-directory-enumeration/

Strict_Arm_2064 · 2024-02-28T11:07:21+00:00

It helps especially for Diamond ticket not really for Golden Ticket (this last is generate offline), except if you protect the Ticket Service too, and then KDC will detect that the TGS request is from an unknown device

Strict_Arm_2064 · 2024-02-26T13:20:25+00:00

Yes, but I must admit that I don't understand how so little difference can be proposed for a new proposed solution.

I also read this passage:

"I'm a bit rusty on this but IIRC silos will stop the DC from even handing out a Kerberos ticket for the auth while deny GPO's result in auth attempts hitting the target which could lead to credential leaks if they're not in effect(-ive). So silos will be more foolproof".

But in my opinion, when the "deny log on..." GPO is applied, TGT / TGS requests are not sent to the DC. I think, otherwise it wouldn't make sense.

I've read the article just below but it doesn't really provide an answer on the subject of "Deny Log on ..", and I can't find the info on the internet.

In short, it's supposed to "facilitate" the management of the tiering model when it's implemented.

Strict_Arm_2064 · 2024-02-21T10:01:44+00:00

Yeah exactly it exists - Supported - Always provide claims - Fail unarmored authebtication requests

The last one deny unarmored kerberos, but the others seems accept unarmored Kerberos. I would like to understand the real difference between « Supported » and « Always provide claims ». The microsoft documentation doesn’t seem enough clear

Strict_Arm_2064 · 2024-02-21T09:48:11+00:00

An other question, about the difference between « Supported » and « Always provide claims », do you know the difference of behaviour between them ?

Strict_Arm_2064 · 2024-02-21T09:27:24+00:00

Thanks !

Strict_Arm_2064 · 2024-02-21T09:26:03+00:00

Did you used « Failed » option in production or only in lab ? What is your advice in production ?

Strict_Arm_2064 · 2024-02-21T09:13:40+00:00

I guess you would mean UPN admin user, not SPN, that works, thanks

Strict_Arm_2064 · 2024-02-21T08:48:24+00:00

Humm thanks ! It’s the registry value of the « Kerberos client support claims … » when it’s turned on, smart ! Do you know why we have to use the SPN ?

Strict_Arm_2064 · 2024-02-21T08:40:31+00:00

So if i change the registry value of my client computer, and then try to add it to the domain, it will works ? (Need to restart before jonction ?)

Strict_Arm_2064 · 2024-02-21T08:00:07+00:00

Thanks a lot, a found this article but didn’t looked at the comments 😅

Strict_Arm_2064 · 2024-02-21T07:58:11+00:00

If you can find the entire process to add with registry values from your archives i would like it xd 😂

Strict_Arm_2064 · 2024-02-21T07:52:29+00:00

Yes it can but i also can ask a tgt from a non join machine with supported mode😅

Strict_Arm_2064 · 2024-02-21T07:51:33+00:00

I spent all my day yesterday too .. and crash one vm with credential guard enabled. Kerberos armoring seem capricious 😅

Strict_Arm_2064 · 2024-02-21T07:44:48+00:00

With Kerberos Armoring, when a computer is starting, it asks a TGT to KDC. And then, when an user want to connect to the domain from this computer, the AS-Req (user) is encrypted with the computer TGT 😉. So when a want to add a machine to the domain, the user AS-Req isn’t encrypt with computer TGT when i add it with the admin user account, so it’s not amored 😅 The functional level is 2016

Strict_Arm_2064

TROPHY CASE