SlideShare a Scribd company logo

Certified Pre-Owned

Will Schroeder
Will Schroeder

"Certified Pre-Owned: Abusing Active Directory Certificate Services" was presented at BlackHat USA 2021 by Will Schroeder and Lee Christensen.

Internet
1 of 30
Download to read offline
Certified Pre-Owned Abusing Active Directory Certificate Services 1 @harmj0y @tifkin_
tl;dr ➜ Background ➜ Account Persistence ➜ Domain Escalation ➜ Persistence with “Golden” Certificates 2
Active Directory Certificate Services ➜ AD CS is a server role that functions as Microsoft’s public key infrastructure (PKI) implementation - Used by organization for smart cards, SSL certificates, code signing, etc. ➜ Clients send certificate signing requests (CSRs) to an (enterprise) CA, which signs issued certificates using the private key for the CA certificate 3
NTAuthCertificates 4 This is the root of domain-based certificate auth!
Certificate Enrollment 5
Certificate Templates ➜ CAs issue certificates with “blueprint” settings defined by certificate templates (stored as AD objects) 6
Subject Alternative Names (SANs) 7 ➜ Allows additional identities to be bound to a certificate beyond the Subject ➜ Can be dangerous when combined with certificates that allow domain authentication! - AD maps certificates to user accounts using the SAN
Aren’t Smartcards Required? 8 ➜ No! Rubeus and Kekeo support Kerberos authentication using certificates via PKINIT - Schannel authentication also supports certificates (e.g., LDAPS)
Account Persistence a.k.a. Long Term LSASS-less Credential Theft 9
“Passive” Certificate Theft 10 ➜ If hardware protection is not used, existing user/machine certificates are stored using DPAPI - Mimikatz and SharpDPAPI can steal such certs/private keys
“Active” Certificate Theft ➜ Users/machines can enroll in any template they have Enroll permissions for - By default the User and Machine templates are available ➜ We want a template that allows for AD authentication - Lets us get a user’s TGT (and NTLM!) - Lets us compromise a computer through RBCD/S4U2Self ➜ We can enroll through DCOM (Certify), RPC, and AD CS web endpoints 11
12
Offensive Advantages 13 ➜ Doesn’t touch lsass.exe’s memory! ➜ Doesn’t need elevation (for user contexts)! ➜ Few existing detection methods! (*currently* lesser known technique : ) ➜ Separate credential material from passwords - Works even if an account changes its password! - Long lifetime. By default, User/Machine templates issue certificates valid for 1 year.
Domain Escalation Domain User → Enterprise Admin 14
Template Misconfigurations: General Requirements ➜ The Enterprise CA grants low-privileged users enrollment rights ➜ Low privileged users can enroll in the template - Specified by the certificate template AD object’s security descriptor ➜ Manager approval is disabled ➜ No “authorized signatures” are required 15
Key Misconfiguration: Templates that Process User-Supplied SANs 1. An attacker can specify an arbitrary SAN when requesting a certificate 2. The certificate enables domain authentication 3. The CA creates and signs a certificate using the attacker-supplied SAN 16 Then the attacker can become any account in the domain!
Escalation Scenarios 17 ➜ ESC1 - General Requirements - [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (i.e., EKU allows auth) - The ENROLLEE_SUPPLIES_SUBJECT flag ➜ ESC2 - General requirements - The Any Purpose EKU or No EKU ➜ ESC3 - General requirements + no “enrollment agent restrictions” - The Certificate Request Agent EKU - Enrollment rights to template with a few other requirements
18
Escalation Scenarios (cont.) 19 ➜ ESC4 - Vulnerable certificate template access control ➜ ESC5 - Vulnerable PKI object access control ➜ ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on a CA - (Allows CSRs for ANY template to specify a SAN!) ➜ ESC7 - Vulnerable CA access control - The ManageCA permission can be used to fixate ESC6
ESC8 - NTLM Relay to HTTP Enrollment Endpoints 20 ➜ AD CS web enrollment endpoints are optional roles (but commonly installed) - All of these endpoints are vulnerable to NTLM relay! ➜ If there is a user-enrollable auth template: - Extends the window for user NTLM relay scenarios ➜ If there is a machine-enrollable auth template: - Combine with printer bug for coerced auth - I.e., take over ANY system in the domain running the spooler service!
21
“ “We determined your finding is valid but does not meet our bar for a security update release.” -MSRC 22
Domain Persistence “One Certificate To Rule Them All” 23
Stealing CA Private Keys 24 ➜ If the private key for a CA’s certificate is not protected by a TPM/HSM, it’s protected by DPAPI - CAs sign issued certificates with this key ➜ If we can steal private key of any CA cert in NTAuthCertificates, we can forge our own certificates as anyone in the domain! ➜ These forged certs can’t be revoked! - The certs are never actually “issued”! - Forged certs work as long as the CA cert is still valid :)
25
Bonus: PKINIT -> NTLM 26 ➜ As part of [MS-PKCA], for backwards compatibility a legitimate certificate can be used to retrieve the associated user/computer’s NTLM hash - First publicly/offensively detailed by @gentilkiwi - Recently integrated into Rubeus by @_ethicalchaos_ and @exploitph ➜ If we combine this with “golden” certificates, we have an alternative way to obtain NTLM credentials for any active user/computer (i.e., an alternative to DCSync)
27
Summary 28 ➜ AD CS has a lot of abuse potential! - User credential theft/machine persistence - Domain escalation and persistence ➜ Our 140 page whitepaper has complete details - Includes extensive defensive information and additional architectural considerations - https://bit.ly/3xLziQ9 ➜ Certify and ForgeCert are now live in the GhostPack GitHub organization, along with PSPKIAudit for auditing your environment
Acknowledgements 29 ➜ Previous work (see the paper for complete details): - Benjamin Delpy, PKISolutions, Christoph Falta, CQURE, Keyfactor, @Elkement, Carl Sörqvist, Brad Hill ➜ Ceri Coburn and Charlie Clark for PKINIT + U2U Rubeus additions ➜ Special thanks to Mark Gamache for collaborating with us on parts of this work
Questions? 30

Recommended

Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 

Recommended

Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
In Depth: AWS IAM and VPC
In Depth: AWS IAM and VPCIn Depth: AWS IAM and VPC
In Depth: AWS IAM and VPC
Amazon Web Services
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayDataWorks Summit
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)
Beau Bullock
 
Seccomp Profiles and you: A practical guide.
Seccomp Profiles and you: A practical guide.Seccomp Profiles and you: A practical guide.
Seccomp Profiles and you: A practical guide.
Duffie Cooley
 
08 Terraform: Provisioners
08 Terraform: Provisioners08 Terraform: Provisioners
08 Terraform: Provisioners
zekeLabs Technologies
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Yahoo!デベロッパーネットワーク
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
Theo Gravity
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
Felipe Prado
 

More Related Content

What's hot

SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
In Depth: AWS IAM and VPC
In Depth: AWS IAM and VPCIn Depth: AWS IAM and VPC
In Depth: AWS IAM and VPC
Amazon Web Services
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayDataWorks Summit
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)
Beau Bullock
 
Seccomp Profiles and you: A practical guide.
Seccomp Profiles and you: A practical guide.Seccomp Profiles and you: A practical guide.
Seccomp Profiles and you: A practical guide.
Duffie Cooley
 
08 Terraform: Provisioners
08 Terraform: Provisioners08 Terraform: Provisioners
08 Terraform: Provisioners
zekeLabs Technologies
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Yahoo!デベロッパーネットワーク
 

What's hot (20)

SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
In Depth: AWS IAM and VPC
In Depth: AWS IAM and VPCIn Depth: AWS IAM and VPC
In Depth: AWS IAM and VPC
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox Gateway
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)
 
Seccomp Profiles and you: A practical guide.
Seccomp Profiles and you: A practical guide.Seccomp Profiles and you: A practical guide.
Seccomp Profiles and you: A practical guide.
 
08 Terraform: Provisioners
08 Terraform: Provisioners08 Terraform: Provisioners
08 Terraform: Provisioners
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
 

Similar to Certified Pre-Owned

Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
Theo Gravity
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
Felipe Prado
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
Shawn Wells
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
David Ochel
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
IRJET Journal
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
Netwax Lab
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
DATA SECURITY SOLUTIONS
 
Crypto Analysis slides presentation slides
Crypto Analysis slides presentation slidesCrypto Analysis slides presentation slides
Crypto Analysis slides presentation slides
tahirsaleem54
 
Deploying Compliant Kubernetes: Real World Edge Cases
Deploying Compliant Kubernetes: Real World Edge CasesDeploying Compliant Kubernetes: Real World Edge Cases
Deploying Compliant Kubernetes: Real World Edge Cases
DevOps.com
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
Arash Ramez
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
kieranjacobsen
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKI
ParnashreeSaha
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authentication
Suraj Singh
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Editor IJARCET
 
Avaya Security Certificates Webinar
Avaya Security Certificates WebinarAvaya Security Certificates Webinar
Avaya Security Certificates Webinar
Arrow Systems Integration
 
LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM
Oleg Gryb
 

Similar to Certified Pre-Owned (20)

Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
2010-03-30 Red Hat Identity Management, Certificate System Technical Overview
 
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operatorsCertificates, PKI, and SSL/TLS for infrastructure builders and operators
Certificates, PKI, and SSL/TLS for infrastructure builders and operators
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
 
Crypto Analysis slides presentation slides
Crypto Analysis slides presentation slidesCrypto Analysis slides presentation slides
Crypto Analysis slides presentation slides
 
Deploying Compliant Kubernetes: Real World Edge Cases
Deploying Compliant Kubernetes: Real World Edge CasesDeploying Compliant Kubernetes: Real World Edge Cases
Deploying Compliant Kubernetes: Real World Edge Cases
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKI
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authentication
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310
 
Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310Ijarcet vol-2-issue-7-2307-2310
Ijarcet vol-2-issue-7-2307-2310
 
Avaya Security Certificates Webinar
Avaya Security Certificates WebinarAvaya Security Certificates Webinar
Avaya Security Certificates Webinar
 
LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
Will Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
Will Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
Will Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
Will Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
Will Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
Will Schroeder
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
Will Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 

More from Will Schroeder (19)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Recently uploaded

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 

Recently uploaded (20)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 

Certified Pre-Owned

  • 1. Certified Pre-Owned Abusing Active Directory Certificate Services 1 @harmj0y @tifkin_
  • 2. tl;dr ➜ Background ➜ Account Persistence ➜ Domain Escalation ➜ Persistence with “Golden” Certificates 2
  • 3. Active Directory Certificate Services ➜ AD CS is a server role that functions as Microsoft’s public key infrastructure (PKI) implementation - Used by organization for smart cards, SSL certificates, code signing, etc. ➜ Clients send certificate signing requests (CSRs) to an (enterprise) CA, which signs issued certificates using the private key for the CA certificate 3
  • 4. NTAuthCertificates 4 This is the root of domain-based certificate auth!
  • 6. Certificate Templates ➜ CAs issue certificates with “blueprint” settings defined by certificate templates (stored as AD objects) 6
  • 7. Subject Alternative Names (SANs) 7 ➜ Allows additional identities to be bound to a certificate beyond the Subject ➜ Can be dangerous when combined with certificates that allow domain authentication! - AD maps certificates to user accounts using the SAN
  • 8. Aren’t Smartcards Required? 8 ➜ No! Rubeus and Kekeo support Kerberos authentication using certificates via PKINIT - Schannel authentication also supports certificates (e.g., LDAPS)
  • 9. Account Persistence a.k.a. Long Term LSASS-less Credential Theft 9
  • 10. “Passive” Certificate Theft 10 ➜ If hardware protection is not used, existing user/machine certificates are stored using DPAPI - Mimikatz and SharpDPAPI can steal such certs/private keys
  • 11. “Active” Certificate Theft ➜ Users/machines can enroll in any template they have Enroll permissions for - By default the User and Machine templates are available ➜ We want a template that allows for AD authentication - Lets us get a user’s TGT (and NTLM!) - Lets us compromise a computer through RBCD/S4U2Self ➜ We can enroll through DCOM (Certify), RPC, and AD CS web endpoints 11
  • 12. 12
  • 13. Offensive Advantages 13 ➜ Doesn’t touch lsass.exe’s memory! ➜ Doesn’t need elevation (for user contexts)! ➜ Few existing detection methods! (*currently* lesser known technique : ) ➜ Separate credential material from passwords - Works even if an account changes its password! - Long lifetime. By default, User/Machine templates issue certificates valid for 1 year.
  • 14. Domain Escalation Domain User → Enterprise Admin 14
  • 15. Template Misconfigurations: General Requirements ➜ The Enterprise CA grants low-privileged users enrollment rights ➜ Low privileged users can enroll in the template - Specified by the certificate template AD object’s security descriptor ➜ Manager approval is disabled ➜ No “authorized signatures” are required 15
  • 16. Key Misconfiguration: Templates that Process User-Supplied SANs 1. An attacker can specify an arbitrary SAN when requesting a certificate 2. The certificate enables domain authentication 3. The CA creates and signs a certificate using the attacker-supplied SAN 16 Then the attacker can become any account in the domain!
  • 17. Escalation Scenarios 17 ➜ ESC1 - General Requirements - [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (i.e., EKU allows auth) - The ENROLLEE_SUPPLIES_SUBJECT flag ➜ ESC2 - General requirements - The Any Purpose EKU or No EKU ➜ ESC3 - General requirements + no “enrollment agent restrictions” - The Certificate Request Agent EKU - Enrollment rights to template with a few other requirements
  • 18. 18
  • 19. Escalation Scenarios (cont.) 19 ➜ ESC4 - Vulnerable certificate template access control ➜ ESC5 - Vulnerable PKI object access control ➜ ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on a CA - (Allows CSRs for ANY template to specify a SAN!) ➜ ESC7 - Vulnerable CA access control - The ManageCA permission can be used to fixate ESC6
  • 20. ESC8 - NTLM Relay to HTTP Enrollment Endpoints 20 ➜ AD CS web enrollment endpoints are optional roles (but commonly installed) - All of these endpoints are vulnerable to NTLM relay! ➜ If there is a user-enrollable auth template: - Extends the window for user NTLM relay scenarios ➜ If there is a machine-enrollable auth template: - Combine with printer bug for coerced auth - I.e., take over ANY system in the domain running the spooler service!
  • 21. 21
  • 22. “ “We determined your finding is valid but does not meet our bar for a security update release.” -MSRC 22
  • 23. Domain Persistence “One Certificate To Rule Them All” 23
  • 24. Stealing CA Private Keys 24 ➜ If the private key for a CA’s certificate is not protected by a TPM/HSM, it’s protected by DPAPI - CAs sign issued certificates with this key ➜ If we can steal private key of any CA cert in NTAuthCertificates, we can forge our own certificates as anyone in the domain! ➜ These forged certs can’t be revoked! - The certs are never actually “issued”! - Forged certs work as long as the CA cert is still valid :)
  • 25. 25
  • 26. Bonus: PKINIT -> NTLM 26 ➜ As part of [MS-PKCA], for backwards compatibility a legitimate certificate can be used to retrieve the associated user/computer’s NTLM hash - First publicly/offensively detailed by @gentilkiwi - Recently integrated into Rubeus by @_ethicalchaos_ and @exploitph ➜ If we combine this with “golden” certificates, we have an alternative way to obtain NTLM credentials for any active user/computer (i.e., an alternative to DCSync)
  • 27. 27
  • 28. Summary 28 ➜ AD CS has a lot of abuse potential! - User credential theft/machine persistence - Domain escalation and persistence ➜ Our 140 page whitepaper has complete details - Includes extensive defensive information and additional architectural considerations - https://bit.ly/3xLziQ9 ➜ Certify and ForgeCert are now live in the GhostPack GitHub organization, along with PSPKIAudit for auditing your environment
  • 29. Acknowledgements 29 ➜ Previous work (see the paper for complete details): - Benjamin Delpy, PKISolutions, Christoph Falta, CQURE, Keyfactor, @Elkement, Carl Sörqvist, Brad Hill ➜ Ceri Coburn and Charlie Clark for PKINIT + U2U Rubeus additions ➜ Special thanks to Mark Gamache for collaborating with us on parts of this work