7 Minute Security

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS "I think of what the world could be If it did not have COVID-19 A million dreams is all it's gonna taaaaaaaaaaaaaaaake!" Today's episode is a continuation and update on the cell phone security for tweenagers episode from about a year ago. Specifically, I talk about: How the cell phone contract I put together for my tweenager kind of blew up in my face I'm the worst dad in the world because my wife and I enforced a "no screens" policy for a few weeks. We lived. Barely. Apple Screen Time is your friend, and helps put some limits on iDevice use The Dream Machine makes it easy to setup a segmented wireless network just for your kids. You can also "time box" their individual network to only broadcast at certain hours of the day You ca

In today's episode I share four fun stay-at-home security projects - three with a security focus and one centered around music. Let's gooooooooo! FoldingAtHome The Folding At Home project helps use your GPU/CPU cycles for COVID-19 research. From the Web site: We need your help! Folding@home is joining researchers around the world working to better understand the 2019 Coronavirus (2019-nCoV) to accelerate the open science effort to develop new life-saving therapies. By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs. It's awesome! Since I run my cra

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to itpro.tv/7MS First and foremost, I hope you all are doing well and taking care of yourselves. Today's episode focuses on disasters, which is unfortunately a very appropriate topic. As a quick refresher, our family had a fire a few months ago. It sucked. I talked about the day of the fire in this episode then did a "how do we get back on the grid?" episode here and then answered some of your FAQs here. Regardless of if your DR plan includes fires, virus outbreaks, tornados or zombie attacks, it's important to have a solid plan for your family and business. So in today's episode I cover these main two topics: A DIY $500 NAS + Unlimited Cloud Backup Plan In trying to be more organized with my backup strategy, I set out to create a new backup plan

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today's episode of pentest pwnage is the (hopefully) exciting conclusion to this episode. Last we left this pentest, we ran into some excellent blue team defenses, including: MFA on internal servers (which we bypassed) Strong passwords Limited vulnerable protocols (LLMNR/Netbios/etc) available to abuse for cred-capturing Servers that were heavily firewalled off from talking SMB to just any ol' subnet nor the Interwebs (here's a great video on how to fine-tune your software firewall chops) In today's episode we talk about: How maybe it's not a good idea to make computer go completely "shields down" during pentests Being careful not to fat-finger anything when you spawn cmd.exe with creds, like runas /netonly /user:samplecompany\billybob "C:\windows\system32\c

Today's slightly off-topic episode kicks off a new tag called 7MOOMAMA. That stands for 7 Minutes of Only Music and Miscellaneous Awesomeness. To kick things off, I'm super excited to share with you two new security-themed songs for some of my favorite security things! They are: Backdoors and Breaches - my favorite incident response card game. OWASP Juice Shop - my favorite vulnerable Web application. Enjoy! Backdoors and Breaches Backdoors and Breaches I love the way teaches me to think about security controls And their proper placement Backdoors and Breaches I can’t wait to blow my paycheck just to get myself a game deck and then move Out of my mother’s basement Soon I’ll be sittin’ down and playing it with my red and blue teams Or John and gang at Black Hills Info Security And when I go to bed tonight I know what’s gonna fill my dreams Backdoors and Breaches Juice Shop VERSE 1 When you want to shop online then you had better be sure The experience is safe and also secure Don't want to let no SQLi o

Today I'm joined by Matt Duench (LinkedIn / Twitter), who has a broad background in technology and security - from traveling to over 40 countries around the world working with telecom services, to his current role at Arctic Wolf where he leads product marketing for their managed risk solution. Matt chatted with me over Skype about a wide variety of security topics, including: Corporate conversations around security have changed drastically in such a short time - specifically, security is generally no longer perceived as a cost center. So why are so many organizations basically still in security diapers as far as their maturity? Why is it still so hard to find “bad stuff” on the network? What are some common security mistakes you wish you could wave a magic wand and fix for all companies? The beauty of the CIS Top 20 and how following even the top 5 controls can stop 85% of attacks. Low-hanging hacker fruit that all organizations should consider addressing, such as: Disabling IPv6 Using a password m

It’s episode 401 and we’re having fun, right? Some things we cover today: The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m. A quick house fire update - we’re closer to demolition now! I finally got a new guitar! Besides that, I’ve got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don’t even know how it will shake out. I’m honestly not sure if we’ll get DA! Here are the highlights: I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind. If you can't dump local hashes with CrackMapExec, try SecretsDump! ./secretsdump.py -target-ip {IP of target machine} localhost/{username}@{target IP} If you're relaying net user commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group: net user /add ladmin1 s00p3rn4ughtyguy! /Y &

Wow, happy 400th episode everybody! Also, happy SIXTH birthday to the 7MS podcast! Today I've got a really fun tale of internal network pentest pwnage to share with you, as well as a story about a "poop-petrator." Key moments and takeaways include: Your target network might have heavy egress filtering in place. I recommend doing full apt-get update and apt-get upgrade and grabbing all the tools you need (may I suggest my script for this?). If the CrackMapExec --sam flag doesn't work for you, give secretsdump a try, as I ran it on an individual Win workstation and it worked like a champ! If the latest mimikatz release doesn't rip out passwords for you, try the release from last August. For whatever reason (thanks 0xdf) for the tip! If your procdumps of lsass appear to be small, endpoint protection might be getting in the way! You might be able to figure out what's running - and stop the service(s) - with CrackMapExec and the -x 'tasklist /v' flag. If you need to bypass endpoint protection, don't be a

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Believe it or not I'm pentesting your stuff I never thought I could feel so free-hee-hee I compromised one of your Domain Admins Who it could be? The guy with "Password123" In today's episode we're talking all about building your own password-cracking rig! "Wait a minute!" you say. "Are you abandoning the Paperspace password cracking in the cloud thing?" Nope! I'm just bringing that methodology "in house" for a little better opsec and also because last year on Paperspace I spent thousands of dollars. First things first - here's the hardware I ended up with: Inland Premium 512GB SSD 3D NAND M.2 2280 PCIe NVMe 3.0 x4 Internal Solid State Drive [Intel Core i5-9400F Desktop Processor 6 Core up to 4.1GHz Without Processor Graphics LGA1151 (Intel 300 Series chipset)](http

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'll be your Raspberry Pi zero baby I don't know what else to say I'll keep bad stuff off of your network I will do it both night and day Today I talk about four cool Raspberry Pi projects that will help you better secure your network. First off though, I give a shout out to my son Atticus who I want to be more like because he doesn't give a rat's behind what other people think of him! The cool Pi-based projects I love are: Pi-Hole is a black hole for Internet advertisements and it literally installs with just a few commands: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole cd "Pi-hole/automated install/" sudo bash basic-install.sh Pwnagotchi is a cute little devil who exists only to capture WPA handshakes! I did a whole episode on it, and inv

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this: Don't let the Internet get you down It's full of trolls and 10 year olds and adolescent clowns So let their words roll off of you, like water off a duck To prove to them that you don't give a darn On a more serious note, here are some opsec tips that hopefully will help you as a security consultant: Good contracts - make sure your SOWs have lots of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also, consider verbiage that says you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time. Scope - make sure you talk about scope, both in written and

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about: How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this: python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt cut -d ':' -f 2 combine

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test: It's great to have additional goals to achieve in a network pentest outside of just "get DA" PayloadsAllTheThings has a great section on Active Directory attacks Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack! If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like: shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!" When mitm6+ntlmrelay dumps out a series of html/json files w

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Sung to the tune of "Do You Wanna Build a Snowman" Do you wanna build a Pwnagotchi? Even though you thought you never would? I really hope mine doesn't ever break It grabs wifi handshakes It does it really good! Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page. At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basicall

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about: The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-) How do you balance work and family life when trying to pwn all the things and have a personal life and significant other? How do you break into security when your background is in something totally different, like a mechanic, artist or musician? What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is all about LAPS - Microsoft's Local Administrator Password solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because: It's awesome It's free People still haven't heard of it when I share info about it during conference talks! I've got a full write-up of how to install LAPS here At a recent conference people asked me two awesome edge case questions: What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it? What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actu

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal." Today, I want to answer some burning questions many of you have been asking: Have you hit rock bottom yet? (Spolier alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain) How long to you get to keep rental cars before you have to replace your permanent vehicles? Do you have to stay in a hotel the whole time your house is rebuilt? What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your tem

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover: What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward) A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX This handy script runs nmap against subnets, then Eyewitness, then emails the results to you Early in the engagement I'd highly recommend checking for Kerberoastable accounts I really like Multirelay to help me pass hashes, like: MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin Once you get a shell, run dump to

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In part 1 of this series we talked about a tragic event my family experienced a few weeks ago: we lost our house and vehicles in a fire. Today I'll talk about: How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes: New licenses New ATM/credit cards Rental vehicles Temporary housing How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not the people you expect What's it like working with the insurance machine? What do they help with and not help with? How much does it suck to lose all your stuff? (Spoiler alert: a lot) The relief (as weird as that sounds) that comes with losing all your material things Thanks again for your support via GoFundMe

In today's episode I talk about how my family's house and two vehicles were recently destroyed in a fire. The Johnson family is all ok - no injuries, thank God. However, this has turned our world upside down, and over the past week of sleepless nights I've thought a lot about how this tragedy could help others ensure their families are safe and secure both during and after a disaster. I imagine this series will go something like this: Today: Talk about "day zero" - everything that happened on the day of the fire Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards Part 3: Talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith? Some folks in the security community were kind enough to setup a GoFundMe if you'd like to support my family during this time.