tag:blogger.com,1999:blog-50431957675413265682026-04-11T00:41:53.611-07:00Mark R. Gamache's Random BlogHere's random stuff related to what I am working on or interested in during my work day or in my personal life. I'm a nerd. The content will be nerdy.Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.comBlogger46125tag:blogger.com,1999:blog-5043195767541326568.post-40654543087858081132020-07-15T18:20:00.000-07:002020-07-15T18:27:11.210-07:00Exploiting AD gpLink for Good or Evil
GPOwn
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-22402516471249716252018-03-28T20:42:00.000-07:002018-03-28T20:45:13.838-07:00If I Can't Reach Active Directory, it's DownUnless it's not.
I recently had a customer tell me that my AD servers were broken. They were unable to set SPNs via Setspn.
They were able to run AD queries and were able to do other "AD Stuff". As always, I demanded a packet capture.
In very short order, the issue was clear. Setspn, for reasons I cannot guess, uses RPCs to the domain controller to set SPNs. I have not clue why it doesn't justMark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-14936752871442341362018-03-28T20:05:00.000-07:002018-03-28T20:05:25.520-07:00Living off the land with Kerberos and netsh interface portproxy
Have you ever been in the situation where you need to do
some remote PowerShell on a machine, but you can’t find a layer 3 path to the
server?
Did you find out that you could get remote PowerShell on the
machine next to it, but you don’t want to pass your credentials to that
machine, to double hop? You know, ‘cause
you aren’t insane…
Did you ever say, why can’t I use that machine Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-17618594793853417882017-08-28T15:11:00.000-07:002017-08-28T15:11:53.864-07:00Keep an Eye on Your Index Fund Dollars. You May be Surprised.
Keep and eye on your Index fund money
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:107%;
font-size:11.0pt;
Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-15288255384620789732017-08-25T11:22:00.000-07:002017-09-29T08:56:06.600-07:00Detecting Attackers in a Windows Active Directory Network
I Smell Attackers
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com6tag:blogger.com,1999:blog-5043195767541326568.post-35767074344766773222017-08-20T11:17:00.000-07:002017-08-20T11:17:19.316-07:00Keep an Eye on Those Bond Investment Fees While re-balancing my portfolio stock/bond/cash ratios, I discovered something I had
not seen before…
While I talk about my Fidelity account, it is almost certain that this issue will be found with most brokerages.
If
you use the Brokerage link option to manage your 401K investments, and if you
have other Fidelity investment accounts, it is worth taking a look at your
“core position”Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-35835865140686039342017-08-07T13:37:00.001-07:002017-08-08T16:29:33.690-07:00Copying the NTAuth Enterprise store certificates from one Forest to anotherThe enterprise NTAuth store is a key Active Directory configuration item. It is key to allowing user to login with smartcards. When using PKI cross forest, we usually use the PKISync.ps1 script to lihnk the two forests PKI configurations. This script is designed to allow cross forest certificate enrollment, wich it does well. It does not cover the NTAuth config for smartcards. Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-40692934766205681042017-03-24T18:56:00.000-07:002017-03-24T18:56:17.816-07:00I Just Saved $121!!I'm not one to pimp products unless they are really good and I understand them, but today is an exception.
I have NO IDEA how GoodRX works, but I do know it saved me $121.11 on a single prescription. Usually, when you install an app that get's you something for free, you are the commodity. Most apps want all sorts of crazy access to your phone. GoodRX wanted pretty basic Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-11856979365526161572017-03-16T12:07:00.000-07:002017-09-29T08:57:13.803-07:00The Tyranny of Network Level Authentication and CredSSP
The Tyranny of Network Level Authentication and CredSSP
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:105%;
Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com4tag:blogger.com,1999:blog-5043195767541326568.post-20258446808018169912017-02-10T18:12:00.000-08:002017-02-10T18:12:45.542-08:00PowerShell Module for Reading Group Managed Service Account PasswordsI recently covered the topic of Active Directory Group Managed Service Accounts. They are the new hotness from Microsoft. I also offed up some code snippets for interacting with them.
Now I offer up a PowersShell module that also exposes .NET classes and methods for reading gMSA passwords.
This module has a couple of great uses. First of all, not all services and Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-28158019687079035112016-12-30T10:38:00.001-08:002017-09-29T08:57:48.031-07:00gMSAs are a Little Bit Weird
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-6892397458802139042016-12-28T15:14:00.002-08:002017-09-29T08:58:28.140-07:00Any sufficiently advanced Active Directory Web Service is indistinguishable from magic
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-92114424498440776152016-12-06T19:35:00.001-08:002016-12-06T19:35:38.960-08:00The Strange Case of John Legere's Alien Abduction
From the first time I talked to John Legere face to face, I felt
there was an "other worldly" quality to him. He seemed to radiate
some sort of power.
Based on
T-Mobile's quarter
over quarter performance since
his taking the reins, I think it is pretty clear what is going on...
I suspect that
John Legere was abducted by aliens and subjected to some sort of enhancements.
Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-72370516008453024472016-11-09T07:53:00.002-08:002016-11-09T07:53:52.053-08:00Just to Clarify Ghee is butterMark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com1tag:blogger.com,1999:blog-5043195767541326568.post-54746834248423364742014-05-15T13:34:00.000-07:002014-05-15T13:50:43.316-07:00Thank You Satya Nadella, for Saving the Internet... for a whileA while back, I asked if Satya Nadella was going to reverse MSs decision to stop publishing security patches for XP, for free. I didn't get a call or email from Mr. Nadella and MS did not change their overall plan.
That said, MS decided to release the big Internet Explorer patch and include XP. This is a particularly big bug and would be devastating to the web, if left unpatched.Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-31583651329216198692014-02-21T14:25:00.001-08:002014-02-21T14:55:17.348-08:00Tech Job Postings are Funny! Post 1 Amazon.comI get a lot of recruiters emailing me and I get job postings in my RSS feeds. Many of these postings are unintentionally funny, some are downright embarrassing, and some just leak a lot of information about a company.
I've decided to start posting some of these with commentary. The one that finally made this decision for me is from Amazon.com . A copy can be found here. I've Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com1tag:blogger.com,1999:blog-5043195767541326568.post-37174279539821759742014-02-09T15:28:00.000-08:002014-02-10T09:32:51.265-08:00Will Satya Nadella Save the Internet on April 8th 2014?
If you have worked for Microsoft, or any huge company, this
will be no surprise; Microsoft has many groups working against each other or at
least spending dollars in one department that could save or make millions in
another. It’s not easy to align everything in a large company, especially when
it has been run by the worst
CEO in America for so long. Microsoft is regularly in the Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com2tag:blogger.com,1999:blog-5043195767541326568.post-22566247483523190472014-01-11T12:44:00.002-08:002016-12-07T12:10:06.784-08:00Godaddy Asks People NOT TO USE ITS HOSTED EMAIL and May Not Even Use It Themselves
Disclaimer,
Godaddy made me angry with a billing issue. This is what caused me to
look into the value I get from them. While my language may be angry and
inflammatory, the facts are not disputable. I have informed them about
their messed up SMTP TLS, but have not heard back.
Try to send
a secure mail to Godaddy hosted addresses and they will return this messageMark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com3tag:blogger.com,1999:blog-5043195767541326568.post-58516378357867702862013-05-20T22:27:00.000-07:002016-12-18T09:40:31.570-08:00Demystifying Certificate Requirements in Mutual TLS
Understanding Certificates and SSL/TLS long ago became an IT
fundamental.
Somehow, the industry seems to have not noticed. In my
quest to take fewer calls on this stuff, here is my attempt to help demystify
all the certificates involved in Client SSL/Mutual TLS. I seem to be spending
2+ hours a day on the phone talking web and server admins through this stuff.
The reason I am Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com2tag:blogger.com,1999:blog-5043195767541326568.post-49649015137232752352013-03-29T18:24:00.000-07:002014-02-10T09:31:24.077-08:00Hello IT Person, Welcome to the Security Organization
This is a post that is long overdue. The IT industry went
through a revolution and most people in IT missed it and are still missing it.
If you are in any form of IT related job, you are in the
information security field.
You may say, “No, I’m just an IT Project Manager (analyst,
whatever), security is another team”. You are wrong and your career is heading
towards a cliff.
ItMark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com0tag:blogger.com,1999:blog-5043195767541326568.post-74859703394114865112013-01-15T14:32:00.000-08:002014-07-07T14:07:49.196-07:00NTLM hasn’t been relevant for like 12 years... and other lies.
A surprising number of foolish Slashdotters have pointed out that
my latest work, breaking
the NTLM and LM handshakes and phishing for users’ NT hashes, is totally
irrelevant and has been for 12ish years.
As a fan of debate, I’ll start with points that are interesting
but have no real bearing on the topic.
Slashdotters are
clearly not
qualified to make this Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com1tag:blogger.com,1999:blog-5043195767541326568.post-81933894230919021672013-01-08T10:00:00.000-08:002017-10-18T19:38:53.122-07:00NTLM Challenge Response is 100% Broken (Yes, this is still relevant)
NTLM Challenge Response is 100% Broken (Yes, this is still relevant)
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com15tag:blogger.com,1999:blog-5043195767541326568.post-25517775939359156422013-01-04T21:55:00.001-08:002014-02-10T09:45:24.739-08:00Rehashing Pass the Hash
The first question one might ask is, “Really… Why are
you writing about this old news now?” The answer is simple; even with the
release of Window 8 and Server 2012, Pass the Hash (PTH) attacks are still
incredibly simple and effective. While from an academic standpoint
passing the hash is simple to understand, it is a bit more complex from an
attacker or defender’s Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com3tag:blogger.com,1999:blog-5043195767541326568.post-66826510664531887562012-09-16T12:46:00.000-07:002013-01-12T09:39:19.291-08:00Microsoft, STOP WITH THE SOCIAL!Researching some nuanced Microsoft systems information has caused me to put this string in my always open cut and pasted text file: site:microsoft.com -site:social.technet.microsoft.com -site:social.msdn.microsoft.com
I have searched for hundreds of bits of MS info and looked for hundreds of MS solutions to issues via Bing and Google. I HAVE NEVER FOUND Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com1tag:blogger.com,1999:blog-5043195767541326568.post-29166097611338594192012-03-15T19:56:00.000-07:002014-07-21T08:25:45.785-07:00Proper PKI Configuration for SSL/TLS Servers
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","Mark Gamachehttp://www.blogger.com/profile/12517057928398775070noreply@blogger.com5