punktwissen IT Services
For more than 20 years we have been providing IT services to large corporations as well as small businesses. Specialties: IT security (PKI), software development, automation, IT in pharmaceutical manufacturing and logistics.
Private individuals and small businesses, too, face increasingly complex IT-related requirements imposed by government agencies or large suppliers, which have to be balanced against opportunities and risks (cloud services, convergence of building technology and computer networks, cyber security).
Providing 'coaching to the point' as needed, we support the pragmatic implementation of compliance requirements. We test and review hardware and software, analyzing security, reliability and interoperability, and how features compare to functional requirements.
My write-up of how I owned this box by issuing myself a logon hardware crypto token on behalf of the Administrator – abusing a misconfiguration of certificate templates! I joined a box to the domain, used Kali Linux and Windows in parallel, and ran a fake DNS server with locator records for Active Directory. A software certificate would not have been sufficient – I needed the /smartcard options of net use and runas.
A review of Peter Gutmann's terrific book Engineering Security, and some of my related encounters.
Analysis of business processes in pharmaceutical manufacturing and mapping of those processes onto the design of IT systems - as an intermediary between production, quality management and software development, based on more than 20 years of experience. A MES supports: Manufacturing control, control of material flow, production planning, master batch records, electronic batch recording, warehouse management, management of quality status, batch and material tracking.
Review and migration of Windows PKIs (versions NT / 2000 / 2003 / 2008 / 2012 / 2016) and troubleshooting of certificate validation, also for exotic applications. Troubleshooting the validation of convoluted X.509 certificate paths. OpenSSL CA.
If you test / 'hack' Windows domain join and logon from a rogue client, you need to think about DNS locator records.
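The rogue-client scenario in the two posts above (the fake DNS server with Active Directory locator records, and the note on what a domain join looks up) comes down to a fixed set of SRV records under the _msdcs subtree. The following is an added example, not code from the original posts: it generates those records for a single domain controller, in BIND zone-file syntax and in dnsmasq syntax. The domain name, DC host name, IP address and site name are constructed placeholders; the record names and default ports are the well-known ones a Windows DC registers itself.

```python
"""Generate the DNS locator (SRV) records a Windows client queries when it
joins or logs on to an Active Directory domain.

Added example, not from the original posts.  Domain, DC name, IP and site
below are placeholders chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, fully qualified, without trailing dot
    rtype: str   # "A" or "SRV"
    value: str   # zone-file RDATA ("prio weight port target." for SRV)


def locator_records(domain, dc_host, dc_ip, site="Default-First-Site-Name",
                    domain_guid=None, ldap=389, kerberos=88, kpasswd=464,
                    gc=3268, is_pdc=True, is_gc=True):
    """Records a client needs to find one DC that offers LDAP, Kerberos and
    (optionally) global-catalog and PDC-emulator roles.  Site-specific
    records come first in the locator's own lookup order, but the generic
    _ldap._tcp.dc._msdcs.<domain> record is what a fresh join falls back to."""
    target = f"{dc_host}.{domain}"
    recs = [Record(target, "A", dc_ip)]          # SRV targets must resolve

    def srv(owner, port):
        recs.append(Record(owner, "SRV", f"0 100 {port} {target}."))

    # domain-wide records
    srv(f"_ldap._tcp.{domain}", ldap)
    srv(f"_kerberos._tcp.{domain}", kerberos)
    srv(f"_kerberos._udp.{domain}", kerberos)
    srv(f"_kpasswd._tcp.{domain}", kpasswd)
    srv(f"_kpasswd._udp.{domain}", kpasswd)
    # the _msdcs subtree used by the DC locator (DsGetDcName)
    srv(f"_ldap._tcp.dc._msdcs.{domain}", ldap)
    srv(f"_kerberos._tcp.dc._msdcs.{domain}", kerberos)
    if domain_guid:
        srv(f"_ldap._tcp.{domain_guid}.domains._msdcs.{domain}", ldap)
    # site-specific variants
    srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", ldap)
    srv(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}", kerberos)
    srv(f"_ldap._tcp.{site}._sites.{domain}", ldap)
    srv(f"_kerberos._tcp.{site}._sites.{domain}", kerberos)
    if is_pdc:
        srv(f"_ldap._tcp.pdc._msdcs.{domain}", ldap)
    if is_gc:
        srv(f"_gc._tcp.{domain}", gc)
        srv(f"_ldap._tcp.gc._msdcs.{domain}", gc)
        srv(f"_gc._tcp.{site}._sites.{domain}", gc)
    return recs


def zone_lines(records):
    """BIND-style zone file lines."""
    return [f"{r.name}. IN {r.rtype} {r.value}" for r in records]


def dnsmasq_lines(records):
    """dnsmasq.conf lines: host-record=<name>,<ip> and
    srv-host=<name>,<target>,<port>,<priority>,<weight>."""
    out = []
    for r in records:
        if r.rtype == "A":
            out.append(f"host-record={r.name},{r.value}")
        else:
            prio, weight, port, target = r.value.split()
            out.append(f"srv-host={r.name},{target.rstrip('.')},{port},{prio},{weight}")
    return out


if __name__ == "__main__":
    for line in zone_lines(locator_records("corp.example", "dc1", "10.0.0.5", site="Vienna")):
        print(line)
```

Point the test client at a resolver serving these records (and nothing else for the domain) and a join will locate the DC; if the join still fails, compare what the client actually asks for on the wire with this list, since a missing site-specific record falls through to the generic one but a missing A record for the SRV target does not.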
My write-up for owning the machine Helpline on hackthebox - my 'silly unintended path to root': You can read the EFS encrypted files - by injecting a recovery agent key and certificate ... and waiting for another user to *look at the flag file*.
A few commands I found useful when trying to own locked-down machines!
Echo Unreadable Hex Characters in Windows: forfiles (2019-05-08)
How do you write an arbitrary file on a locked-down Windows box when all you can do is paste readable characters into a simple shell?
Ethereal was a box classified as ‘insane’ at hackthebox, a platform for learning to pentest and “playing capture-the-flag”. You got command execution over DNS, and you had to use openssl telnet-style to get a reverse shell. To own SYSTEM you need to sign an MSI with a CA certificate/key file found on the box.
Certificates and PKI. The Prequel. (2019-02-18)
Nostalgic post – how it began, in the late 1990s: Sending faxes to US-based CA companies to prove the legitimate status of a company whose name was one dot over the X.509 common name character limit. Bonus: Accidental Google hacking for discovering webservers running on >20 year old platforms.
How to log basically anything with CMI / UVR16x2. As the CMI has a Modbus interface it can log data from a Modbus server running on Raspberry Pi, and this Modbus server can forward data from other loggers as a 'protocol translator' and provide values derived from calculations, or it can serve up the result of any calculation as a Modbus register value.
Unintended 2nd Order SQL Injection (2018-12-15)
I have accepted a benign version of 2nd order SQL injection as a fact of life. But then interesting things happened when a parcel was (not) delivered.
A Color Box. Lost in Translation (2018-11-18)
The control system was turned upside down again and the Data Kraken was looking at its entangled tentacles, utterly confused.
Sort of an Away Note – elkement gone hacking: I discovered the pentesting platform hackthebox and spent all my online time there! It’s all new, yet familiar, as I feel I have always reverse engineered anything in some sense.
Cloudy Troubleshooting (2) (2018-06-25)
Write-up of a hacking challenge ;-) When some network infrastructure loses packets, but seemingly only for one site / cloud app, so that it takes you a while to realize that it’s not an issue with this cloud app.
Where Are the Files? [Winsol - UVR16x2] (2018-05-28)
A little bit of reverse engineering to find out where log files (retrieved from the data logger CMI) may be stored. The question was more interesting than expected – I learned something about Windows security!
Cloudy Troubleshooting (2018-05-13)
Tales from the field – presented as a drama featuring Cloud, Client, Telco and elkement – going down the rabbit hole of debugging, network sniffing, and mind-numbing tests.
Playing with Modbus inputs on the Control and Monitoring Interface of the UVR16x2 controller (and corresponding settings at the Fronius Symo inverter) – step-by-step description.
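The two Modbus posts above (the Raspberry Pi acting as Modbus server and 'protocol translator' for the CMI, and the Modbus inputs on the UVR16x2) both hinge on the same detail: a Modbus register is a plain 16-bit word, so any value you want to serve has to be packed into one or more registers and the peer has to unpack it with the same convention. The following is an added example, not code from the original posts or from the logger's software: it packs a float and a scaled integer into registers, builds a Modbus/TCP "read holding registers" request and response, and parses the response back. Register layout (high word first) and the unit id are assumptions; devices differ here, so check the manual of the device you talk to.

```python
"""Modbus/TCP register packing and a read-holding-registers exchange.

Added example, not from the original posts.  Word order (high word first)
and the unit id are assumptions; some devices swap the 16-bit words of a
32-bit value.  Modbus has no authentication at all, so a server like this
belongs in the logger's own subnet, never on an internet-facing interface.
"""
import struct

FC_READ_HOLDING = 0x03


def float_to_registers(value):
    """IEEE-754 float32 as two 16-bit registers, high word first."""
    hi, lo = struct.unpack(">HH", struct.pack(">f", value))
    return [hi, lo]


def registers_to_float(hi, lo):
    return struct.unpack(">f", struct.pack(">HH", hi, lo))[0]


def scaled_int_register(value, scale):
    """Fixed-point encoding, e.g. 23.4 degC with scale 10 -> 234, as a signed
    16-bit register in two's complement."""
    raw = round(value * scale)
    if not -32768 <= raw <= 32767:
        raise ValueError(f"{value} does not fit a signed 16-bit register at scale {scale}")
    return raw & 0xFFFF


def register_to_scaled(reg, scale):
    raw = reg - 0x10000 if reg & 0x8000 else reg
    return raw / scale


def _mbap(tid, unit, pdu):
    """MBAP header: transaction id, protocol id 0, length of unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_request(tid, unit, start, count):
    return _mbap(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, count))


def read_holding_response(tid, unit, regs):
    pdu = struct.pack(">BB", FC_READ_HOLDING, 2 * len(regs))
    pdu += struct.pack(f">{len(regs)}H", *regs)
    return _mbap(tid, unit, pdu)


def parse_read_holding_response(frame):
    """Return (transaction id, unit id, registers); raise on malformed frames
    and on Modbus exception responses (function code with bit 7 set)."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError(f"Modbus exception, code {frame[8]}")
    if fc != FC_READ_HOLDING:
        raise ValueError(f"unexpected function code {fc}")
    bytecount = frame[8]
    data = frame[9:9 + bytecount]
    if len(data) != bytecount or bytecount % 2:
        raise ValueError("truncated register data")
    return tid, unit, list(struct.unpack(f">{bytecount // 2}H", data))


if __name__ == "__main__":
    # constructed sample: a derived energy value and a temperature
    regs = float_to_registers(1234.5) + [scaled_int_register(-12.5, 10)]
    frame = read_holding_response(7, 1, regs)
    print(frame.hex())
    _, _, got = parse_read_holding_response(frame)
    print(registers_to_float(got[0], got[1]), register_to_scaled(got[2], 10))
```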
Reverse Engineering Fun (2017-12-05)
Recently I read a lot about reverse engineering – in relation to malware research. I for one simply wanted to get ancient and hardly documented engineering software to work. Write-up of an analysis I found very interesting!
The Orphaned Internet Domain Risk (2017-10-21)
If you abandon a domain, malvertisers may re-use it – even using your former content available on public archives … taking advantage of your former reputation.
My Data Kraken - a Shapeshifter (2016-12-22)
Answer to the question: How do you analyze and consolidate your logging data? What is the biggest challenge? It’s the ongoing change of the ‘database schema’: New sensors, shuffled columns in log files, new calculated values…
Give the 'Thing' a Subnet of Its Own! (2016-11-20)
A brief report ‘from the workbench’: How recent Internet of Things hacks reminded me of the often overlooked ‘routing feature’ in Windows… which was helpful in quickly giving control units’ data loggers access to the internet.
Internet of Things. Yet Another Gloomy Post. (2016-09-30)
Some thoughts about recent DDoS attacks – and why I think the discussion about manufacturers locking down their printers is somewhat related. About the tension between being an independent neutral netizen and being plugged in to an inescapable matrix, maybe beneficial but Borg-like nonetheless.
Hacking My Heat Pump - Part 2: Logging Energy Values (2016-08-24)
Connecting Raspberry Pi CAN bus logger to the Stiebel-Eltron heat pump and querying for temperature and energy values. Network traces and details of CAN frames, and automation of logging.
Extending logging infrastructure – automating the reading of our heat pump’s internal energy meter by using a Raspberry Pi as monitoring device. Before connecting to the heat pump, hardware and software are set up and tested with a CAN bus I am familiar with.
Have I Seen the End of E-Mail? (2016-06-10)
I have been impressed by a targeted ransomware attack on very small Austrian businesses.
Everything as a Service (2016-05-19)
Trying to predict the not-too-distant future of heating for consumers – following the ‘as a service’ philosophy introduced to software products long ago: Heating will be turned into monthly subscriptions bundled with internet access and bank accounts, and home owners will host aesthetically pleasing black boxes operated by 'platforms'.
Watching TV Is Dangerous (2015-05-07)
Data logger BL-NET is silenced by an IP-TV in the same LAN; solution: Put the logger in its own private subnet.
Google and Heating Systems (2) (2014-11-15)
How things (in the Internet of Things) phone home and/or are accessed directly from the internet. Sometimes anonymously to my shock.
When I Did Social Engineering without Recognizing It (2014-08-05)
Title says it all.
5 Years Anniversary: When My Phone Got Hacked (2014-07-18)
Although this post has some technical information, it is more of a personal rant. Now I can laugh about it. I am not a phone phreaker, so any input is welcome!
On the arcane nature of pipework, path integrals, and public key infrastructure.
Not specifically about certificates - but about what is often required to troubleshoot validation of certificates: Sniffing.
Demo of the 'native' logon against Active Directory, based on mapping Subject Alternative Names in certificates to User Principal Names in AD. Shows why giving somebody change permissions on certificates could be dangerous.
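The post above, and the smartcard write-up near the top of this page, both rest on the same fact: for certificate logon Windows takes the user principal name from an otherName entry in the certificate's Subject Alternative Name extension (OID 1.3.6.1.4.1.311.20.2.3) and matches it to an account's userPrincipalName; the subject CN plays no role. The following is an added example, not code from either post and not a library's API: hand-rolled DER helpers that build such a SAN extension value and extract the UPN(s) from one, plus the mapping step. Anyone who can put an arbitrary UPN into a certificate a domain controller trusts, for instance via a template whose subject the enrollee supplies, gets exactly the account the UPN names. Names, domain and the toy directory are constructed placeholders.

```python
"""Subject Alternative Name with a Microsoft UPN otherName: encode, decode, map.

Added example with hand-written DER helpers (no external library).  The UPN,
DNS name and the toy directory below are constructed placeholders.
"""
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Base-128 OID encoding; first two arcs share one byte (40*a + b)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def encode_san_with_upn(upn, dns_names=()):
    """GeneralNames ::= SEQUENCE OF GeneralName.
    otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
    for the UPN the value is a UTF8String.  dNSName is [2] IMPLICIT IA5String."""
    other = _tlv(0xA0, _tlv(0x06, _encode_oid(UPN_OID))
                 + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8"))))
    dns = b"".join(_tlv(0x82, d.encode("ascii")) for d in dns_names)
    return _tlv(0x30, other + dns)


def _read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def upns_in_san(der):
    """All UPNs in a DER-encoded SubjectAltName extension value.
    The same bytes sit in a real certificate behind the extnValue OCTET STRING."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag != 0xA0:                      # only otherName entries matter here
            continue
        otag, oid, p = _read_tlv(inner, 0)
        if otag != 0x06 or oid != _encode_oid(UPN_OID):
            continue
        vtag, val, _ = _read_tlv(inner, p)
        if vtag != 0xA0:
            continue
        stag, s, _ = _read_tlv(val, 0)
        if stag == 0x0C:
            found.append(s.decode("utf-8"))
    return found


def map_upn_to_account(upns, directory):
    """Mapping as the logon does it: UPN in the certificate against the
    account's userPrincipalName (case-insensitive).  The subject CN is ignored,
    which is why whoever controls the SAN controls the resulting identity."""
    for upn in upns:
        for sam, user_upn in directory.items():
            if user_upn.lower() == upn.lower():
                return sam
    return None


if __name__ == "__main__":
    toy_ad = {"administrator": "administrator@corp.example", "bob": "bob@corp.example"}
    san = encode_san_with_upn("Administrator@corp.example", dns_names=["client1.corp.example"])
    print(san.hex())
    print(map_upn_to_account(upns_in_san(san), toy_ad))
```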
Experimenting with a new format of technical posts - by dividing them into two distinct parts 1) Hopefully accessible 'pop-sci' / 'business' / 'philosophical' introduction, followed by 2) hardcore technical details the non-geek reader could skip.
Exactly what the title says. Some issues from my text file presented in more pop-sci way to your typical geek.
A compact summary for the next life-story networking small talk.
Cyber Security Satire? (2013-05-19)
Not exactly zoomed in on PKI - but the overall message is in line with the next two posts. This post also includes the only hilarious aspect of my master thesis on smart metering and security.