ITSEC Newsletter 2024-09-12

It's not often that you find yourself staring at code that few people have ever seen, code that was an important part in bringing down the apartheid system in South Africa, and code that was used for secure communication using one-time pads smuggled into South Africa by a flight attendant on floppy disks. But I found myself doing that one morning recently after having helped decrypt a 30 year old PKZIP file whose password had long been forgotten.

In this blog post, I’ll be going through some of the reasons why I believe that attacking Active Directory from Linux is a better choice than attacking from Windows; and of course some examples of how to do so. I had this realization that the majority of the time when my friends were having issues, I would direct them to port their ticket(s) to linux and use the tools there with --debug. The errors thrown here are usually much more helpful and easier to google, and not affected by the instability of Windows. I believe that the majority of the time, you can perform the same attacks on Active Directory from Linux as you would from Windows, but with the added benefit of being able to debug your issues more easily. I don’t claim that attacking from Linux is the right choice for all scenarios. It is ultimately the responsibility of the operator to decide what tools to use based on the situation at hand.

An always-on or long-lived VPN configuration implies that the device must store some authentication material, i.e., a cookie, that is used by the VPN client to restore the connection without user interaction. Like any other cookie or credential material, this presents an opportunity for an adversary to steal and replay to gain access. In this post, we’ll investigate how one such product, Palo Alto’s GlobalProtect client, makes reasonable but ultimately defeatable efforts to secure such credential material.