Steve Syfuhs
@SteveSyfuhs
47.1K posts

Windows and Authentication at Microsoft. Developer. Mostly dog pictures. Might actually be two dogs in a trench coat. 🇺🇸 / 🇨🇦 @syfuhs.net on blue sky

Seattle, WA. Joined February 2009
2.2K Following, 16.2K Followers
Steve Syfuhs@SteveSyfuhs
@olafhartong Cheap binary representation arithmetic. LONG_MAX minus some round number. I don’t remember what off the top of my head. It’s purely for Linux interop. Windows uses 64 bit time and Kerberos itself is agnostic. We bumped it up recently to nudge some aging libraries along.
Olaf Hartong@olafhartong
@SteveSyfuhs would you be able to explain why the Kerberos ticket lifetime is set to September 13, 2037, at 02:48:05 UTC? I assume an end of epoch safe margin. But why 128 days, 26 min and 2 seconds? Is there a reason or good story there?
Steve Syfuhs@SteveSyfuhs
@JosephRyanRies @cadenzza_ @NerdPyle They aren’t going away any time soon, but we aren’t ever going to invest more energy into them. I don’t recommend building a product on them.
Steve Syfuhs@SteveSyfuhs
@awakecoding @SchwaanK It’s locked behind a feature flag. We’ve fixed the final ship bugs but it takes a while for changes to bubble up. Breaking fallback is such a PITA.
Steve Syfuhs@SteveSyfuhs
@awakecoding @arekfurt The SSH channel is a transparent proxy of the opaque TLS data then? Today, which stage is being told it must auth to localhost? It sounds then like it’s currently violating server auth by design, which isn’t ideal.
Marc-André Moreau@awakecoding
@SteveSyfuhs @arekfurt When mstsc validates the certificate in TLS, it checks for "IT-HELP-RDP", not "localhost". When mstsc does Kerberos authentication, the server name is "IT-HELP-RDP" not "localhost". TLS and Kerberos server validation now works with the *intended* server name, not the tunnel name.
Marc-André Moreau@awakecoding
Do you sometimes use RDP through an SSH tunnel? Are you aware that this specific use case is not properly covered by the current NTLM deprecation plan from Microsoft? Even with IAKerb and the TryIPSPN solution, connecting to "localhost:<local port>" will never work for Kerberos.
Steve Syfuhs@SteveSyfuhs
@awakecoding @arekfurt I go back to server auth. As long as the thing the user sees is localhost, it connecting to anything but localhost voids the server authentication. It doesn’t matter what the intermediate layers do. If something lies about what it’s connecting to, that’s breaking server auth.
Marc-André Moreau@awakecoding
@arekfurt @SteveSyfuhs Which brings me back to my point: Total NTLM Obliteration Or Go Home. We can't realistically cover 100% of use cases without changes, but we at least need ways to make it happen which don't include "just use a VPN instead of an SSH tunnel" because that's never going to fly.
Steve Syfuhs@SteveSyfuhs
@awakecoding @arekfurt The absolute reality is that 100% is always unattainable. We have a plan for ~92% give or take. The remaining might be covered by attrition, or we do some exceptionally weird things, or we live with it. Or who knows, I may have sold myself right onto an ice floe going out to sea.
Steve Syfuhs@SteveSyfuhs
@awakecoding @arekfurt At some point we just call it. Our target is when our metrics hit a ridiculously low number of negotiated NTLM connections. If there are still hard dependencies that require NTLM because of insecure behaviors, well maybe we accept that, and they’re stuck manually turning it on.
Steve Syfuhs@SteveSyfuhs
@arekfurt @awakecoding Anything routed through a thing named localhost means you likely can’t get proper server auth, certainly not for preexisting protocols that have specific server auth semantics. That’s not something I’m interested in solving for, *yet*. Let me kill the 90% use cases first.
Brian in Pittsburgh@arekfurt
@awakecoding @SteveSyfuhs Tunneling RDP inside SSH like this may be more useful to more people than one might expect. Is there anything in current plans that might not have been publicly addressed quite yet that could allow this to work without fallback to NTLM?
Steve Syfuhs@SteveSyfuhs
@JefTek @EricaZelic In that regard it’s mildly offensive when it gets called legacy or not modern considering just how much of the world runs on it, without issue, every day. It certainly could use some improvements, and it’s getting them. Same as TLS.
Steve Syfuhs@SteveSyfuhs
@JefTek @EricaZelic I would call the internal distinction something else and it would get me in trouble. Kerberos is like TLS: well defined and underpins literally everything. TLS is not modern by any definition, but it gets improved over time. Kerberos too.
IAM!ERICA@EricaZelic
3 years ago I would not have thought of Kerberos as a legacy protocol, yet here we are. Microsoft refers to it as a legacy protocol in the Entra ID Architecture documentation.
Steve Syfuhs@SteveSyfuhs
@dwizzzleMSFT @_C_King_123 Compatible with what, sorry? Do you mean an NTLM implementation that’s compatible with Samba? AFAIK they have a built in one. Our NTLM deprecation efforts are coming along nicely too, but the interop with Samba et al is an ongoing process. We’ll have more on that later.
CKing123@_C_King_123
@dwizzzleMSFT do you know if Windows 11's SMB no longer uses NTLM (and uses one of those Kerberos features announced earlier) for home users? Also, is there a Kerberos equivalent like MIT Kerberos I can use for Samba server that is compatible?
📔 Michael Grafnetter@MGrafnetter
Has anyone else noticed this ntdsutil typo, which has been present in Windows Server for as long as I can remember? It always catches my eye while creating #ActiveDirectory IFM backups, but is too silly to report to Microsoft Support. CC: @SteveSyfuhs
[attached image]
Steve Syfuhs@SteveSyfuhs
@awakecoding @cnotin Strictly speaking pku2u doesn’t care where the cert is. It relies on certpoleng to do that, and in the AADJ case certpoleng has an AADJ plugin. There’s a certpoleng event log that’s fairly detailed. The application protocol knows nothing about pku2u.
Marc-André Moreau@awakecoding
@cnotin @SteveSyfuhs I doubt you'll get much more information as this would be considered an implementation-specific detail, something which is often kept out of official protocol documentation, if there was such a thing when it comes to PKU2U in RDP + Entra ID. No, the PKU2U RFC is not enough "docs".
Clément Notin@cnotin
@awakecoding hello! You're the only one tweeting about PKU2U 😉 I'm using it (made sure it wasn't RDS AAD auth by unchecking its option) but I don't see the P2P cert in the user's cert store on the client. Have you already seen this? It appears though when I use PKU2U for SMB.
Steve Syfuhs@SteveSyfuhs
@NathanMcNulty @_dirkjan TAP might have different logic on lifetime. TAP didn’t exist when I wrote the TGT code. We’re talking to the current owners about this. It’s not a vulnerability by our classification since no security boundary has been bypassed, but certainly worth aligning for the stated reasons.
Nathan McNulty@NathanMcNulty
@_dirkjan Hey Dirk-jan, testing this with SIF and getting results that conflict with Steve's comments here (I think!). I did a SIF of 2 hours for All cloud apps, created TAP, got Cloud TGT, waited 6 hours, and extracted NT hash. Did you try past 10 hours? :) x.com/SteveSyfuhs/st…
[attached image]
Steve Syfuhs@SteveSyfuhs

@NathanMcNulty @StevenKister1 It generally follows the lifetime of the PRT or max age of the TGT, whichever is less. It's a bit wonky because while they are given at the same time, they aren't inherently bound to one another. You can get a TGT that lives longer than SIF, but in practice you never will.

Dirk-jan@_dirkjan
New blog: Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes. Some tips and tricks on abusing TAPs for Windows Hello persistence and NT hash recovery over Cloud Kerberos Trust. dirkjanm.io/lateral-moveme…
EvilMog® @mog.evil.af@Evil_Mog
I had so much fun on the @MSFTBlueHat podcast, thank you @nicfill for having me. Also thank you @SteveSyfuhs and sorry I keep pronouncing your name wrong.
Microsoft BlueHat@MSFTBlueHat

🎧 Join Dustin Heywood @Evil_Mog, Hacker, Researcher, and Senior Leader at IBM, on the latest episode of The #BlueHat Podcast as he demonstrates cracking NTLM version 1, shares insights on auditing legacy systems, and discusses the critical role of IT asset management. Tune in now: podcasts.apple.com/us/podcast/sec… Don’t forget to take our BlueHat podcast survey for a chance to win an exclusive BlueHat Yeti cup: forms.office.com/r/YpPS2LAv5S

Steve Syfuhs@SteveSyfuhs
@4ndr3w6S Certainly took us long enough, yeesh. Glad this was all sorted though. It was a good find.
Andrew@4ndr3w6S
The amount of professionalism from @SteveSyfuhs and his team was like no other 🤗 Keep rocking and fighting the good fight 🤘
Steve Syfuhs@SteveSyfuhs
@Evil_Mog NO I HAVE BEEN BURNED BY THESE DANG IDS AT LEAST ONCE FRIGGEN EH. Not this one though. There’s a few of these suckers lying in wait to anger you.