@est
Anyways, I guess we should all use export-grade #cryptography since I can call all those named into existence in about 45 minutes, and anyway there are still several a trillion keys in 40 bit space, that's still like 100 keys per person.
#rc4 #defcon

Long story short, while there is an entire genre of papers on RC4 vulnerabilities (see Wikipedia's rc4 article for a good starting point), most of these revolve around key reuse, something that I didn't have here. I was able to find a long abandoned open source project to use CUDA to parallelize cracking RC4 https://github.com/morningForever/rc4_crack_cuda
#RC4 #cryptography #hacking

If you didn't apply the out of band december patch, the offical fix for the #RC4 issue is now included in all patches.

#PatchTuesday #Kerberos #Fix #OOB

Don't feel stupid because you #reverse something by accident. It happens to everybody. I reversed #base64 or #RC4 or #CobaltStrike by accident thinking it was something interesting... And after 1h I felt so stupid. But the positive aspect is you will recognize it immediately next time 😂

@matthegap with this Update they moved from rc4 as default to aes (which is great) but they somehow borked kerberos pre-auth (still using rc4) which lead to mcuh stuff breaking and the #hotfix Patch for Domain Controllers

More on the #rc4 change here:
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

Rc4 disabling guidance from #Microsoft #Patchday #RC4 #aes #DESAESteR(C4)

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-do-i-know-if-my-ad-environment-is-impacted-by-the-november/ba-p/3679869

#RC4 #activedirectory #windows #windowsupdate

Let's See how it goes

https://www.askwoody.com/2022/business-patchers-alert-out-of-band-patch-expected-to-fix-domain-controller-issues/

#windowsupdate #RC4 #aDESAESteR(C4)

Updated guidelines for #KB5021131
How to manage the Kerberos protocol changes related to CVE-2022-37966

ApplyDefaultDomainPolicy is the official workaround.

#Kerberos #RC4 #AES

https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d#knownissues5021131

Ignoring the conspiracy-myth ramblings surrounding it, I've always enjoyed writing a [CipherSaber](http://ciphersaber.gurus.org/). But, from a practical PoV, #RC4 is getting a bit long in the tooth, even for a toy. I personally think #chacha20 is *almost* as simple to code from memory (I'm clearly not a good point of reference; I code crypto for fun, after all). Do others here agree? Do you have better suggestions? Would it be worth to write up a "CS3" page (sans the rambling, obviously)?

60 is the new 24

#AESSK #AES #RC4 #Hardening #AD #Kerberos

Waiting for the updated November patches...

#patchtuesday #Kerberos #AES #RC4 #RC4Disaster

I don't know what type of query language this is, but it's not LDAP. (CVE-2022-37967)

If you want to check which accounts allow RC4 usage in your domain use my #PowerShell script.

https://gist.github.com/f-bader/9f54cce6c64d282771e307097cd6ded9

#patchtuesday #KB5020805 #Kerberos #RC4 #CVE202237967

RFC 8758: Deprecating RC4 in Secure Shell (SSH)

L'algorithme de chiffrement symétrique #RC4, trop fragile, est abandonné depuis longtemps. Ce nouveau #RFC le retire officiellement de #SSH.

https://www.bortzmeyer.org/8758.html