|
power botton posted:yeah I dont see how migrating the actual domain is hard. merging a companies IT resources and all that risk is a real issue and involves the business but standing up a new domain and trust is clicking next like 10 times and changing some samaccountnames. worst case scenario just rely on sid history and wide open trusts. well, sid history only works as long as the original domain is online, so there's that at no point did i say it was hard, i said it was expensive. which it is, because it's time consuming to do right. but yes, if you handwave all the complexity of doing it in a live environment with an active business, it's actually very simple and probably anyone could do it essentially for free.
|
#
?
Nov 2, 2019 01:48
|
|
|
|
| # ? Apr 25, 2024 21:15 |
|
|
infernal machines posted:well, sid history only works as long as the original domain is online, so there's that so you agree it's all people problems and from a technical perspective its pretty easy.
|
|
#
?
Nov 2, 2019 02:46
|
|
|
yes, was that in question? i have no idea what set off y'alls pedant sense about an anecdote regarding how single label domains are hosed and costly to fix infernal machines fucked around with this message at 02:57 on Nov 2, 2019 |
|
#
?
Nov 2, 2019 02:47
|
|
|
arguing directory
|
|
#
?
Nov 2, 2019 09:23
|
|
|
power botton posted:worst case scenario just rely on sid history and wide open trusts.
|
|
#
?
Nov 2, 2019 09:39
|
|
|
idk why but it's kinda funny that you can grab the ntds.dit file from a DC, mount it with dsamain and then just bind via LDAP (using ldp or ldifde is easiest) to see basically all objects and attributes (not passwords though). you'd think there'd be some kind of mechanism to protect it so that it won't work on a device other than the DC.
|
|
#
?
Nov 2, 2019 10:00
|
|
|
evil_bunnY posted:lol you don't know poo poo how won't that work? let me just pick a random application you would have to migrate. Exchange? here's how you migrate exchange: sid history and trusts. it works 100% of the time infernal machines posted:yes, was that in question? im just trying to clear up some misconceptions re: "costly" migrations
|
|
#
?
Nov 2, 2019 11:24
|
|
|
Pile Of Garbage posted:idk why but it's kinda funny that you can grab the ntds.dit file from a DC, mount it with dsamain and then just bind via LDAP (using ldp or ldifde is easiest) to see basically all objects and attributes (not passwords though). you'd think there'd be some kind of mechanism to protect it so that it won't work on a device other than the DC. it's just a database file after all. it does contain password hashes too, so if you've got that, you've got the domain power botton posted:im just trying to clear up some misconceptions re: "costly" migrations well thank goodness you were here to set everyone straight.
|
|
#
?
Nov 2, 2019 14:43
|
|
|
given that sid history filter disabling isn't even strictly necessary depending on use case, lol
|
|
#
?
Nov 2, 2019 15:09
|
|
|
From the grey forumsCup Runneth Over posted:rolling your own crypto: a thread
|
|
#
?
Nov 2, 2019 16:45
|
|
|
Volmarias posted:From the grey forums The real story here is that people still post interesting stuff in SH/SC
|
|
#
?
Nov 2, 2019 16:51
|
|
|
Remember how hackers had stolen the NordVPN crypto keys? Predictably, passwords have begun appearing. EDIT: ⇓ Yup, you're absolutely right. I hecked up. BlankSystemDaemon fucked around with this message at 19:54 on Nov 2, 2019 |
|
#
?
Nov 2, 2019 18:54
|
|
|
D. Ebdrup posted:Remember how hackers had stolen the OpenVPN crypto keys? Predictably, passwords have begun appearing. nordvpn, not just openvpn in general
|
|
#
?
Nov 2, 2019 19:06
|
|
|
Volmarias posted:From the grey forums giggling about how the tweeter thinks they're "posting as a google group" when that's still just a usenet thing that google groups is showing them
|
|
#
?
Nov 2, 2019 19:44
|
|
|
fishmech posted:giggling about how the tweeter thinks they're "posting as a google group" when that's still just a usenet thing that google groups is showing them It gets worse: https://twitter.com/isislovecruft/status/1189645628973797376?s=19
|
|
#
?
Nov 2, 2019 20:00
|
|
|
hmm, yes, that is indeed some impressive digging uncovering that slack
|
|
#
?
Nov 2, 2019 20:09
|
|
|
D. Ebdrup posted:Remember how hackers had stolen the NordVPN crypto keys? Predictably, passwords have begun appearing. That's just credential stuffing though.
|
|
#
?
Nov 2, 2019 20:30
|
|
|
spankmeister posted:That's just credential stuffing though. quote:In some cases, they’re the string of characters to the left of the @ sign in the email address. In other cases, they’re words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end.
|
|
#
?
Nov 2, 2019 20:34
|
|
|
D. Ebdrup posted:Still,I might've hoped that people who wanted to hide stuff might want to put in the slightest amount of effort. lets be real, people mainly use vpn's to pirate poo poo
|
|
#
?
Nov 2, 2019 20:45
|
|
|
Volmarias posted:From the grey forums I have a delightful piece of code to share from a recent engagement. I'll post it later. Preview: It uses a Caesar Cipher to "encrypt" passwords.
|
|
#
?
Nov 3, 2019 01:37
|
|
|
Well as a hacker I would never guess that
|
|
#
?
Nov 3, 2019 09:03
|
|
|
How much of a secfuck is it to roll your own MFA? Specifically when the first factor (username/password) is provided by an established auth provider and you're adding your own time-based OTP afterwards. My instincts are that it's a terrible idea for a bunch of reasons, especially given our auth provider fully supports all sorts of MFA implementations, but my imposter syndrome is kicking in hard right now. Is it fundamentally wrong for the same reasons as rolling your own crypto? Or just a bit of a waste of time if someone's done the work for you?
|
|
#
?
Nov 3, 2019 12:27
|
|
|
toiletbrush posted:How much of a secfuck is it to roll your own MFA? Specifically when the first factor (username/password) is provided by an established auth provider and you're adding your own time-based OTP afterwards. totp is crypto. that should be all you need to know
|
|
#
?
Nov 3, 2019 13:53
|
|
|
toiletbrush posted:How much of a secfuck is it to roll your own MFA? Specifically when the first factor (username/password) is provided by an established auth provider and you're adding your own time-based OTP afterwards. Also it's not clear exactly how you're adding "your own time-based OTP afterwards" to a "first factor... provided by an established auth provider" but you're using some sort of identity federation service to allow users to log in to a website and just adding an additional TOTP step that doesn't seem inherently problematic but if this is what you mean I'm not sure I understand the point of allowing users to reuse accounts from another service (which is usually intended as a convenience) and trusting that service for authentication but them forcing them to have an additional TOTP secret specifically for your site (or whatever it is). At this point it seems like you should just make the users log in to your site directly. Unless I'm misunderstanding what you mean by "auth provider"? mystes fucked around with this message at 14:10 on Nov 3, 2019 |
|
#
?
Nov 3, 2019 14:02
|
|
|
toiletbrush posted:How much of a secfuck is it to roll your own MFA? Specifically when the first factor (username/password) is provided by an established auth provider and you're adding your own time-based OTP afterwards. totp isn't too bad, it requires you to hold the totp secret (keep it next to the bcrypt'd password), have a sync'd clock (ntp), and run sha-1 a bunch of times use a library, it's easy
|
|
#
?
Nov 3, 2019 14:16
|
|
|
mystes posted:I don't understand if you're saying you're just using an existing TOTP implementation (not rolling your own crypto so it's OK) or you're literally rolling your own TOTP style protocol (bad). This seems really dodgy to me because firstly we're rolling our own crypto-adjacent code (which may or may not be bad), and we've also now got two separate markers of being authenticated to juggle and make sure to remember to verify in any APIs we want to expose, plus handling all the gnarly edge cases like being 'half' authenticated and invalidating one when the other becomes invalid etc. It feels like a massive surface area for risk and maintenance that could be entirely avoided by using the MFA build into Azure.
|
|
#
?
Nov 3, 2019 15:17
|
|
|
toiletbrush posted:It feels like a massive surface area for risk and maintenance that could be entirely avoided by using the MFA build into Azure. yeah probably, lol, everything on azure is "insert coin to continue" but it's probably cheaper than doing your own
|
|
#
?
Nov 3, 2019 15:26
|
|
|
You need an auth service that vends one token after being given the user/pass and TOTP value, or rejects the whole thing. You don't want to let attackers know that they have one value or the other correct. You especially don't want to have your main codebases checking "hey do we have both of these things", since this is a recipe for "an attacker with stolen credentials can turn off MFA" or some other nonsense. You can vend the user/pass token to the user after they auth with the TOTP instead of creating yet another token, but the important thing is that it's gated on both and the user gets nothing (not even a separate error message) without both.
|
|
#
?
Nov 3, 2019 15:37
|
|
|
Volmarias posted:You don't want to let attackers know that they have one value or the other correct.
|
|
#
?
Nov 3, 2019 15:42
|
|
|
do any of them accept the wrong password, demand the MFA and then reject the login?
|
|
#
?
Nov 3, 2019 15:48
|
|
|
mystes posted:Lol this is how MFA works everywhere though. I know 
|
|
#
?
Nov 3, 2019 15:50
|
|
|
pseudorandom name posted:do any of them accept the wrong password, demand the MFA and then reject the login? I mean theoretically it would be better to not reveal that the password is correct like Volmarias said, but the password should be useless without the MFA anyway and the MFA provides so much more security than the password that I think everyone has just decided that it's not worth it to make the login process more confusing just to avoid revealing that the password was correct. That said, the reason it's usually a separate step is because either 1) not all users will have MFA enabled, or 2) there may be MFA options other than TOTP which won't work if you just have three text boxes on the same page. If you're going to require TOTP for all users and not support other stuff like U2F then you could very well just ask for the TOTP code on the same page as the password and not reveal which was wrong. mystes fucked around with this message at 15:55 on Nov 3, 2019 |
|
#
?
Nov 3, 2019 15:51
|
|
|
if you implement your own totp just be sure to have it accept ranges of numbers, so that “[0,999999]” always passes for example. thanks and god bless
|
|
#
?
Nov 3, 2019 16:05
|
|
|
Progressive JPEG posted:if you implement your own totp just be sure to have it accept ranges of numbers, so that “[0,999999]” always passes for example. thanks and god bless
|
|
#
?
Nov 3, 2019 16:16
|
|
|
pseudorandom name posted:do any of them accept the wrong password, demand the MFA and then reject the login? I use a Citrix portal that does this
|
|
#
?
Nov 3, 2019 17:16
|
|
|
pseudorandom name posted:do any of them accept the wrong password, demand the MFA and then reject the login? AWS does this
|
|
#
?
Nov 3, 2019 18:26
|
|
|
It's always DNS.
|
|
#
?
Nov 3, 2019 19:16
|
|
|
domain’s not secure
|
|
#
?
Nov 3, 2019 20:01
|
|
|
Where does DNS come into play?
|
|
#
?
Nov 3, 2019 21:40
|
|
|
|
| # ? Apr 25, 2024 21:15 |
|
|
because network solutions is a dns registrar
|
|
#
?
Nov 3, 2019 22:00
|
|
