mythofechelon – WindowsTechs.com

Input multiple password files

Posted on February 11, 2020 by mythofechelon

I have a number of relatively small password files that I’d like to use with Hydra in one go without having to manually merge them but it seems that it doesn’t natively support this or stdin.

From https://security.stackexchange.com/a/1988… Continue reading Input multiple password files→

Security of PwnedPasswordsDLL / PwnedPasswordsDLL-API [on hold]

Posted on March 14, 2019 by mythofechelon

I love the idea of integrating Active Directory with Troy Hunt’s Pwned Passwords so that when users or admins try to set already-compromised passwords then they are rejected and it seems that there are two ways to do this:

… Continue reading Security of PwnedPasswordsDLL / PwnedPasswordsDLL-API [on hold]→

BitLocker To Go password strength

Posted on February 25, 2019 by mythofechelon

When using BitLocker To Go, given that removable drives are inherently offline and may have to resist such attacks, what are the best practices / recommendations for password strength?

Continue reading BitLocker To Go password strength→

How to set header.from?

Posted on December 27, 2017 by mythofechelon

A client recently received an email that was spoofed in a way that I’d never seen before. The following are the anonymised, relevant details from the email’s headers:

authentication-results: spf=none (sender IP is 74.208.4…. Continue reading How to set header.from?→

How to set header.from?

Posted on December 27, 2017 by mythofechelon

A client recently received an email that was spoofed in a way that I’d never seen before. The following are the anonymised, relevant details from the email’s headers:

authentication-results: spf=none (sender IP is 74.208.4.197) smtp.mail… Continue reading How to set header.from?→

Securely granting local administrative permissions

Posted on November 14, 2017 by mythofechelon

I’ve been researching the best method of securely granting local administrative permissions but I’m really struggling to reconcile the security, operational, and cost implications.

I’ve devised a few options:

Create a domain security group (Local Administrators), add the required domain user accounts, and use Group Policy to add the domain security group to the local security group Administrators:
- Pros:
  - Centrally-managed.
  - Auditable.
  - Free.
- Cons:
  - Vulnerable to credential theft and lateral movement attacks.
Option #1 but using separate domain user accounts (`firstname.lastname.admin”):
- Pros: Same as #1
- Cons: Same as #1. Apparently, even authenticating a UAC prompt creates a logon cache which can be exploited.
Option #1 but disabling cached logons:
- Pros:
  - Centrally-managed.
  - Auditable.
  - Free.
  - Not as vulnerable to credential theft and lateral movement attacks.
- Cons:
  - Users will be unable to logon if there’s a problem with the domain or their PC is offsite.
Deploy Microsoft LAPS and issue users with the unique, local administrator credentials:
- Pros:
  - Centrally-managed.
  - Not vulnerable to credential theft and lateral movement attacks.
  - Free.
- Cons:
  - Non-auditable.
Add the required domain user accounts to the local security group Administrators:
- Pros:
  - Auditable (to an extent).
  - Not as vulnerable to credential theft and lateral movement attacks.
  - Free.
- Cons:
  - Not centrally managed.
Implement MFA:
- Pros:
  - Centrally-managed.
  - Auditable.
- Cons:
  - Not free.
  - Still vulnerable to credential theft and lateral movement attacks (according to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models).
Implement a system that uses TOTPs and/or only temporarily grants administrative permissions as-and-when needed:
- Pros:
  - Centrally-managed.
  - Auditable.
  - Not vulnerable to credential theft and lateral movement attacks?
- Cons:
  - Not free.

What is best practice / advised?

Continue reading Securely granting local administrative permissions→

Securely granting local administrative permissions

Posted on November 14, 2017 by mythofechelon

I’ve been researching the best method of securely granting local administrative permissions but I’m really struggling to reconcile the security, operational, and cost implications.

I’ve devised a few options:

Create a doma… Continue reading Securely granting local administrative permissions→

How to spoof a MIME-level email address

Posted on March 23, 2017 by mythofechelon

As a sysadmin, I need to send spoofed emails to ensure that the spoofing protection (DMARC, etc) is working.

I think Emkei’s Fake Mailer can be used to send emails spoofed at the SMTP / 5321.MailFrom level but how does one send emails spo… Continue reading How to spoof a MIME-level email address→

User account existence confirmation

Posted on January 31, 2017 by mythofechelon

It used to be the case that authentication systems wouldn’t confirm whether a user account existed and, instead, would simply report that the user logon name or password was incorrect.

Nowadays, a lot of authentication syste… Continue reading User account existence confirmation→