videodrome

"Eager to clear his name, Barker said he shared with the police copies of his credit card bills and purchase history at Amazon. But on April 21, the investigator called again to say he was coming to arrest Barker for theft."

There is nothing stopping it.

Proper verification is a good start.

Yes, but just added to the haveibeenpwnd db

Archive link -> https://archive.ph/q9gJJ

drama

Great podcast! 👍

sorry… fucking hell i’m old.

haha, I too suffer from the same affliction. 👴

FROM THE ARTICLE:

Exploitation and Impact

In GuardLapse, there are two main exploitation routes:

1. Cracking the Password Hash

Malicious Malory can set up a rogue SMB server. Instead of working as expected, this server accepts authentication requests and grabs the password hash.

If she cracks the password hash successfully, she gains access to whatever the WatchGuard AD account can access.

Even with ZERO privileges assigned to the WatchGuard AD account, authenticated access to the domain in AD environments exposes many attack avenues - Kerberoasting, user enumeration for password spraying, BloodHound recon, and more.

2. SMB Relaying

If other domain PCs don't require SMB signing, she can directly relay the authentication requests to access targeted hosts, eliminating the need to crack the password hash! (This depends on the AD account having admin privileges on targeted hosts).

To show the impact, in my recent engagement, we transitioned from an unauthenticated device on the network to Domain Admin using this issue. We relayed WatchGuard authentication requests to get an initial foothold on several devices. We then exploited other vulnerabilities to secure Domain Admin privileges.

WatchGuard's Response

When I contacted WatchGuard about the behaviour I observed, they responded promptly and helpfully.

They pointed me to the documentation about WatchGuard's Clientless AD SSO methods, which they thought explained what I saw. When I asked about their plans to retire or rework this feature, WatchGuard said they might retire AD Mode but would keep the Event Log Monitor.

They also said they were exploring options to enhance the visibility of security risks associated with Clientless SSO based on my report.

Action

If you use a WatchGuard firewall and rely on clientless SSO, my current, unvalidated recommendation is:

Switch off AD mode and rely on the SSO Client. Remove the Event Log Monitor if you've installed it. NOTE: I haven't validated this fix because I don't own a WatchGuard firewall. If you want to collaborate to validate this fix, please get in touch!

I've also asked WatchGuard for their remediation advice given their customers' current risk. Once they reply, I'll update this post with their guidance.

He's very, very wrong and there are some good answers above as to the why.

Did he give you an example application where he practices this password-free lifestyle?

What are your opinions about this?

I just don't understand his statement , can you elaborate more?