When Certificates Fail: A Story of Bypassed MFA in Remote Access

Long time no see! After 3 years of no new blog posts and also no conference talks from my side, I decided it’s time to write again. I’ll start easy with a fun story that happened a while ago. I gave a short lightning talk about this at Alligatorcon 2024, but as it may be of greater interest, ChatGPT and I wrote a slightly more elaborate version that consists of full sentences. If you prefer clicking through my original slides, you can find them here.


Vulnerabilities on vmwareidentity.de (XSS) and in VMware UEM (exportable authentication certificate)

This post is a short notice about vulnerabilities in VMware products I found earlier this year. During a penetration test of a freshly built environment, I took a closer look at VMware Unified Access Gateway (UAG) in combination with devices enrolled and managed via VMware Unified Endpoint Management (UEM). I found a reflected XSS vulnerability on VMware’s authenticator vmwareidentity.de that can be abused by sending links to unauthenticated victims. Also, I found it possible to export a user’s authentication certificate, which allows access to zero-trust-protected resources without access to the user’s device or account on a trusted system. There has been no advisory or notification for affected customers that I am aware of. The disclosure deadline was already a few weeks ago, and VMware did not respond to multiple attempts to contact them or to offers of an extension of the responsible disclosure timeframe; therefore, I am releasing the vulnerability details to the public.


Modding Gophish

TL;DR: I’ll shine a light on Gophish and how to modify it to change behavior or introduce/remove functionality. At the end of this post, you’ll know how to host custom 404 pages in Gophish and how to abuse HTTP basic auth instead of login forms embedded on the landing page to obtain juicy creds.

A few days ago I tweeted one of my modifications to Gophish: