Jake Karnes

21 posts

Jake Karnes

Jake Karnes

@jakekarnes42

Sr. Technical Architect / Penetration Tester for @NetSPI. All tweets/etc. are my own.

Katılım Temmuz 2014
16 Takip Edilen456 Takipçiler
Sabitlenmiş Tweet
Jake Karnes
Jake Karnes@jakekarnes42·
All the details for CVE-2020-17049 are now available! The overview contains a summary of the vulnerability and its exploit, including links to 2 deep dive posts which cover much more. blog.netspi.com/cve-2020-17049…
English
5
161
269
0
Jake Karnes
Jake Karnes@jakekarnes42·
@Mad5quirrel @NetSPI @Burp_Suite Very cool! That sounds like a good use case for the AWS Signer extension. I'm glad it worked well for you in this case. I'm reading up on your ASTHOOK analysis tool now too. Looks like great work!
English
1
0
1
0
Jake Karnes
Jake Karnes@jakekarnes42·
@james1052 Thanks for the heads up James. I've followed up with a DM to try and troubleshoot with you.
English
0
0
1
0
James Gallagher
James Gallagher@james1052·
.@jakekarnes42 How do I use AWS Signer 2.0.1 with a gov region like us-gov-west-1? Getting a status code 403 when I try to do gov regions with valid gov creds but not with normal regions.
English
2
0
0
0
Jake Karnes
Jake Karnes@jakekarnes42·
I've published a new release of the AWS Signer Burp Suite extension from @NetSPI. This update brings many quality of life improvements (fetching creds for roles and from OS commands, easy importing, etc). See further details in the blog post: netspi.com/blog/technical…
English
1
3
4
0
Jake Karnes
Jake Karnes@jakekarnes42·
A serious Azure vulnerability discovered and responsibly disclosed by @kfosaaen. Privileged credentials were automatically created and stored such that they were available to (almost) any user in Azure AD.
Karl@kfosaaen

Here's another serious vulnerability to add onto the list of recent Azure issues. This is our write up (and a thread) on CVE-2021-42306 (CredManifest), which addresses the cleartext storage of App Registration credentials in AAD SP manifests. netspi.com/blog/technical… (1/5)

English
0
0
2
0
Jake Karnes
Jake Karnes@jakekarnes42·
@PyroTek3 Excellent analysis and great examples. It's very interesting to see statistics of where this could be leveraged. Thanks for sharing this.
English
1
0
1
0
Sean Metcalf
Sean Metcalf@PyroTek3·
Could attackers compromise Active Directory by leveraging the Kerberos Bronze Bit Attack? Based on what we have seen in Trimarc customer environments, yes it's possible in up to ~20% AD forests. My Trimarc post explores some scenarios & how to identify and remediate.
Trimarc@TrimarcSecurity

Trimarc Founder Sean Metcalf (@PyroTek3) shares his insight on the Kerberos Bronze Bit Attack (CVE-2020-17049), how it works, how to fix it, and how this could be leveraged to potentially compromise Active Directory. Read his post: hub.trimarcsecurity.com/post/leveragin…

English
2
18
56
0
Jake Karnes
Jake Karnes@jakekarnes42·
@TalBeerySec @gentilkiwi I think your timeline got mixed up a bit. The AttackerKB page was updated around (4:26pm Pacific) after the blog was up. My tweet with the blog was 12:39 PM and my addition to AttackerKB references the blog
Jake Karnes tweet media
English
0
0
0
0
Jake Karnes
Jake Karnes@jakekarnes42·
@TalBeerySec According to the AttackerKB site, "A vulnerability should also be considered 'exploited in the wild' if there is a publicly available PoC or exploit...." I shared the exploit, so I clicked the button after the blog went live. Nothing more to it than that.
English
1
0
3
0
Tal Be'ery
Tal Be'ery@TalBeerySec·
3/5 It's reported by author @jakekarnes42 to be exploited in the wild #vuln-details" target="_blank" rel="nofollow noopener">attackerkb.com/topics/dx20vE1…
Tal Be'ery tweet media
English
2
0
3
0
Tal Be'ery
Tal Be'ery@TalBeerySec·
1/5 I have an educated 𝐠𝐮𝐞𝐬𝐬 (just a guess) on the #windows #0day related to #FireEye hack. I suspect @NetSPI @jakekarnes42 #BronzeBit attack (CVE-2020-17049) is related. blog.netspi.com/cve-2020-17049… Circumstantial "evidence" below:
Tal Be'ery tweet media
Tal Be'ery@TalBeerySec

Some "reading-between-the-lines" in @FireEye blog on #fireeye attackers MOs I believe it included some #microsoft #0day, hence explicit mention of "Microsoft" and "Novel Techniques" Additionally today is patch Tuesday. Coincidence? I think not. fireeye.com/blog/products-…

English
1
9
12
0
Jake Karnes
Jake Karnes@jakekarnes42·
@gentilkiwi @Meatballs__ @Meatballs__ has the right idea. For the Bronze Bit attack, no user authentication to the compromised service is required. Attacker can use S4U2self to get a ticket for the user, make it forwardable with the exploit, and then use S4U2proxy to get a ticket for another service.
English
0
0
1
0
Jake Karnes
Jake Karnes@jakekarnes42·
@mkolsek This would let the attacker access the DB as a highly privileged DBA, or make edits while impersonating the CEO, even if those accounts are members of Protected Users or configured as "sensitive and cannot be delegated." Just hypothetical, but I hope it illustrates the issue more
English
1
0
1
0
Jake Karnes
Jake Karnes@jakekarnes42·
@mkolsek I'd imagine you could set that scenario with an IIS server and a SQL Server DB (I haven't personally tried that). In that scenario, with the vulnerability, an attacker who compromises the webapp service account's secret keys could access the DB as any user in the domain.
English
1
0
1
0
Jake Karnes
Jake Karnes@jakekarnes42·
All the details for CVE-2020-17049 are now available! The overview contains a summary of the vulnerability and its exploit, including links to 2 deep dive posts which cover much more. blog.netspi.com/cve-2020-17049…
English
5
161
269
0
Jake Karnes
Jake Karnes@jakekarnes42·
@mkolsek Hi Mitja. Thanks for the kind words and great question. Have you checked out the exploitation blog post? It should have the examples/info you're looking for. Please let me know if it's still unclear though! blog.netspi.com/cve-2020-17049…
English
1
0
1
0
Mitja Kolsek
Mitja Kolsek@mkolsek·
@jakekarnes42 Jake, kudos for the finding and for extensive description of both Kerberos and the flaw you've found. I enjoyed the reading but remain puzzled on just what exactly the attacker needs to mount the attack. Can you describe an example scenario with a specific compromised service?
English
1
0
0
0
Jake Karnes
Jake Karnes@jakekarnes42·
The final "Practical Exploitation" post covers when and how to use the exploit in practice. It covers example attack scenarios and the commands you'll need: blog.netspi.com/cve-2020-17049…
English
0
5
21
0
Jake Karnes
Jake Karnes@jakekarnes42·
The follow-up "Theory" post explains the vulnerability from start to finish. If you've wanted to brush up on your Kerberos and Delegation knowledge, here's a great place to dive in: blog.netspi.com/cve-2020-17049…
English
1
5
15
0
Jake Karnes
Jake Karnes@jakekarnes42·
@SBSDiva Unfortunately, I'm not privy to any additional information regarding the patch. I'm working on the publicly shared info like everyone else, so I can't say when the enforcement of the setting might change. Sorry, I wish I could be of more help there.
English
1
0
0
0
Susan Bradley
Susan Bradley@SBSDiva·
@jakekarnes42 If one applies the patch and not the registry key are you still protected? Do you know when they will change to enforcement of the setting?
English
1
0
0
0
Jake Karnes
Jake Karnes@jakekarnes42·
I'm excited to share that CVE-2020-17049 has been issued for a vulnerability that I found. There are more details to come, but I'll be holding off publishing for now while the patchwork is still ongoing. msrc.microsoft.com/update-guide/v…
English
3
12
50
0
Jake Karnes
Jake Karnes@jakekarnes42·
@SBSDiva I'll be sharing more info once these patches are sorted out by MS. The vulnerability impacts constrained delegation, which could be present in a single domain/forest. The latest patch seems to warn against partial updates and domains with at least one Windows Server 2008 DC.
English
2
0
0
0
Susan Bradley
Susan Bradley@SBSDiva·
@jakekarnes42 When will you be posting more data? MS released the patch but it has side effects #1522msgdesc" target="_blank" rel="nofollow noopener">docs.microsoft.com/en-us/windows/… I'm trying to figure out the impact on single domain/forest do you have any insight?
English
1
0
0
0
Jake Karnes
Jake Karnes@jakekarnes42·
@scriptjunkie1 More details to come on this once the patchwork is wrapped up. I'm looking forward to sharing the info.
English
0
0
1
0