7 Minute Security

Hey friends, our good buddy Joe “The Machine” Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again!  Spoiler alert: this time we get DA!  YAY! Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life): GOAD SCCM walkthrough MisconfigurationManager – tremendous resource for enumerating/attacking/privesc-ing within SCCM This gist from Adam Chester will help you decrypt SCCM creds stored in SQL

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff! Selective Snaffling with Snaffler The importance of having plenty of dropbox disk space – for redundant remote connectivity and PXE abuse! TGTs can be fun for SMB riffling, targeted Snaffling, netexec-ing and Evil-WinRMing!

Hello there friends, I’m doing another “what I’m working on this week” episode which includes: BPATTY v1.6 release – big/cool/new content to share here PWPUSH – this looks to be an awesome way (both paid and free) to securely share files and passwords

In today’s episode I talk about what I’m working on this week, including: Playing with Sliver C2 and pairing it with ShellcodePack Talking about Netexecer, my upcoming tool that helps automate some of the early/boring stuff in an internal pentest A gotcha to watch out for if utilizing netexec’s MSSQL upload/download functionality

Today we live-hack an SCCM server via GOAD SCCM using some attack guidance from Misconfiguration Manager!  Attacks include: Unauthenticated PXE attack PXE (with password) attack Relaying the machine account of the MECM box over to the SQL server to get local admin

Hi friends, today we're talking about pentesting potatoes (not really, but this episode is sort of a homage to episode 333 where I went to Boise to do a controls assessment and ended up doing an impromptu physical pentest and social engineer exercise).  I talk about what a blast I'm having hunting APTs in XINTRA LABS, and two cool tools I'm building with the help of Cursor: A wrapper for Netexec that quickly finds roastable users, machines without SMB signing, clients running Webclient and more. A sifter of Snaffler-captured files to zero in even closer on interesting things such as usernames and passwords in clear text.

Today we continue our journey from last week where we spun up a Hetzner cloud server and Ludus.cloud SCCM pentesting range!  Topics include: Building a Proxmox Backup Server (this YouTube video was super helpful) Bridging a second WAN IP to the Hetzner/Ludus server Wrestling with the Hetzner (10-rule limit!) software firewall When attacking SCCM – you can get a version of pxethief that runs in Linux!

I had an absolute ball this week spinning up my first Hetzner server, though it was not without some drama (firewall config frustrations and failing hard drives).  Once I got past that, though, I got my first taste of the amazing world of Ludus.cloud, where I spun up a vulnerable Microsoft SCCM lab and have started to pwn it.  Can’t say enough good things about Ludus.cloud, but I certainly tried in this episode!

Today I’m excited about some tools/automation I’ve been working on to help shore up the 7MinSec security program, including: Using Retype as a document repository Leveraging the Nessus API to automate the downloading/correlating of scan data Monitoring markdown files for “last update” changes using a basic Python script

Hey friends, today we cover: The shiny new 7MinSec Club BPATTY updates A talk-through of the WPA3 downgrade attack, complemented by the YouTube livestream

Hello friends!  Today we’re talking about a neat and quick-to-setup documentation service called Retype.  In a nutshell, you can get Retype installed on GitHub pages in about 5 minutes and be writing beautiful markdown pages (with built-in search) immediately.  I still absolutely love Docusaurus, but I think Retype definitely gives it a run for its money.

Happy new year friends! Today we talk about business/personal resolutions, including: New year’s resolution on the 7MinSec biz side to have a better work/life balance New training offering in the works Considering Substack as a communications platform A mental health booster that I came across mostly by accident

Today we’re doing a milkshake of several topics: wireless pentest pwnage, automating the boring pentest stuff with cursor.ai, and some closing business thoughts at 7MinSec celebrates its 7th year as a security consultancy.  Links discussed today: AWUS036ACH wifi card (not my favorite anymore) Panda PAU09 N600 (love this one!) The very important Github issue that helped me better understand BPFs and WPA3 attacks TrustedSec article on WPA3 downgrade attacks

Today we’ve got some super cool stuff to cover today!  First up, BPATTY v1.4 is out and has a slug of cool things: A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng Syntax on using two different tools to parse creds from Dehashed An updated tutorial on using Gophish for phishing campaigns The cocoa-flavored cherry on top is a tale of pentest pwnage that includes: Abusing SCCM Finding gold in SQL configuration/security audits

Hey friends, today we’re talking about tips to effectively present your technical assessment to a variety of audiences – from lovely IT and security nerds to C-levels, the board and beyond!

Today’s episode talks about some things that helped me get through a stressful and hospital-visit-filled Thanksgiving week, including: Journaling Meditation (An activity I’m ashamed of but has actually done wonders for my mental health)

Hey friends, we’ve got a short but sweet tale of pentest pwnage for you today. Key lessons learned: Definitely consider BallisKit for your EDR-evasion needs If you get local admin to a box, enumerate, enumerate, enumerate!  There might be a delicious task or service set to run as a domain admin that can quickly escalate your privileges!

Oooooo, giggidy! Today is (once again) my favorite tale of pentest pwnage. I learned about a feature of PowerUpSQL that helped me find a “hidden” SQL account, and that account ended up being the key to the entire pentest!  I wonder how many hidden SQL accounts I’ve missed on past pentests….SIGH! Check out the awesome BloodHound gang thread about this here. Also, can’t get Rubeus monitor mode to capture TGTs to the registry?  Try output to file instead: rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log In the tangent department, I talk about a personal music project I’m resurrecting to help my community.

Today we take a look at a zero-trust / ditch-your-VPN solution called Twingate (not a sponsor but we’d like them to be)!  It also doubles nicely as a primary or backup connection for your DIY pentest dropboxes which we’ve talked about quite a bit here.  In other news, we’ve moved from Teachable to Coursestack, so if you’ve bought training/ebooks with us before, you should’ve received some emails from us last Friday and can access our new training portal here.  (If you THINK you should’ve received enrollment emails from CourseStack and didn’t, drop us a line here.) In the tangent portion of our program, I give a health update on my mom and dad, and talk about some resources I’m exploring to reduce stress and anxiety after what has been a tough week for many of us.

Hey friends, today I’m sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deployments, it has an attractive price point and their support is fantastic.