7MS #326: Interview with Ryan Manship and Dave Dobrotka

Today's featured interview is with Marcello Salvati of Black Hills Information Security. Marcello is a.k.a. byt3bl33d3r, and known for his many contributions to the security community. We here at 7MS first became familiar with his work after using CrackMapExec on our penetration tests, and today we sat down with Marcello to discuss: Brian's Chris Farley moment with Marcello Marcello's infosec origin story CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord. What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding? What the heck is Nim and why is Marcello so excited about OffensiveNim?

4 Helmi 20211h 5min

Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called Enterprise Attacker Emulation and C2 Implant Development. In the tangent department, we also touch a bit on: The Fargo TV series Our upcoming interview with Marcello (a.k.a. byt3bl33d3r) from BHIS This Key and Peele sketch I just took my CRTP exam, which we've talked about a lot in the past 7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r

28 Tammi 202139min

Today we talk about a cool product called Deep Freeze, which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with C:\windows, pack your browser full of shady plugins, and more!), and then just reboot to restore! Note: this is not a sponsored episode, but will probably sound like one because I really dig this product and think you might too :-)

22 Tammi 202148min

Hey friends! We're continuing our series on pentest dropbox building - specifically playing off last week's episode where we started talking about automating the OS builds that go on our dropboxes. Today we'll zoom in a little closer and talk about some of the specific scripting we do to get a Windows 2019 Active Directory Domain Controller installed and updated so that it's ready to electronically punch in the face with some of your mad pentesting skills! Specifically, we talk about these awesome commands: tzutil /s "Central Standard Time" - this is handy to set the time zone of your server build powercfg.exe -change -standby-timeout-ac 0 will stop your VM from falling asleep Invoke-WebRequest "https://somesite/somefile.file" -OutFile "c:\some\path\somefile.file" is awesome for quickly downloading files you need. Couple it with Expand-Archive "C:\some\path\some.zip" "c:\path\to\where\you\want\to\extract\the\zip" to make auto-provisioning your toolkit even faster! Don't like it that Server Manager loves to rear its dumb head upon every login? Kill the task for it with Get-ScheduledTask -TaskName ServerManager | Disable-ScheduledTask -Verbose. Byeeeeee!!!! I love Chrome more than I love IE/Edge, so I auto install it with: $Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer Now get all the Windows updates! Install-PackageProvider -name nuget -force Install-Module PSWindowsUpdate -force Import-Module PSWindowsUpdate Get-WindowsUpdate Install-WindowsUpdate -AcceptAll -IgnoreReboot Then rename your machine: Write-Host "Picking a new name for this machine...you'll need to provide your admin pw to do so" Rename-Computer -LocalCredential administrator -PassThru Write-Host "New name accepted!" When you're ready to install Active Directory, you can grab the RSAT tools: Write-Host "Lets install the RSAT tooleeeage!" add-windowsfeature -name rsat-adds And then the AD domain services themselves: Write-Host "Now lets install the AD domain services!" add-windowsfeature ad-domain-services Then install the new forest: install-addsforest -domainname your.domain -installdns -DomainNetbiosName yourdomain

15 Tammi 202156min

Happy new year! This episode continues our series on DIY pentest dropboxes with a focus on automation - specifically as it relates to automating the build of Windows 10, Windows Server 2019, Kali and Ubuntu VMs. Here's the resources I talk about in more detail on today's episode that helps make the automagic happen: Windows VMs This article from Windowscentral.com does a great job of walking you through building a Windows 10 unattended install. A key piece of the automation is the autounattend.xml file, which you can somewhat automatically build here, but I think you'll want to install the Windows System Image Manager to really get in the tech weeds and fully tweak that answer file. The handy AnyBurn utility will help you make ISOs out of your Windows 10 / Server 2019 customized builds. Ubuntu VMs I set out to build a Ubuntu 18.x box because Splashtop only supports a few Linux builds. I found a freakin' sweet project called Linux unattended installation that helps you build the preseed.cfg file (kind of like the Windows equivalent of an answer file). The area of preseed.cfg I've been spending hours dorking around with is: d-i preseed/late_command string \ Under this section you can customize things to your heart's content. For example, you could automatically pull down and install all OS packages/updates and a bunch of third party utils you want: in-target sh -c 'apt-get update'; \ in-target sh -c 'apt-get upgrade -y'; \ in-target sh -c 'apt-get install curl dnsrecon git net-tools nmap openssh-server open-vm-tools-desktop python3.8 python3-pip python-libpcap ubuntu-gnome-desktop unzip wget xsltproc -y'; \ Finally, the project provides a slick script that will wrap up your Ubuntu build plus an SSH key into a ready-to-go ISO: build-iso.sh ~/.ssh/id_rsa.pub ~/Desktop/My-kool-kustomized-Ubuntu.iso Awesome! Kali VMs There is some decent documentation on building a preseed.cfg file for Kali. But the best resource I found with some excellent prebuilt config file is this kali-preseed project. Once your seed file is built, it's super easy to simply host it on a machine in your network and let Kali pull it during install. For example, if you've got a Linux box with Python on the network at 192.168.0.7, just make a temporary folder with the preseed.cfg file in it and then run: sudo python3 -m http.server 80 Then, in your virtual environment, create a new VM and boot it to a Kali NetInstaller image. At the splash screen, hit Tab and it'll display a command line you can edit. Remove the line that says something like preseed/file=/cdrom/simple-cdd/default.preseed, add auto=true and then the URL path to your preseed file, such as url=http://192.168.0.7/preseed.cfg. The Kali will ask for a few questions, such as a username and hostname to configure, and then if you're watching your machine hosting preseed.cfg, you'll see your Kali machine grab the config file and take care of the rest from there! Got a better/cooler/funner/faster/awesomer way to do this type of automation? Let us know!

7 Tammi 20211h 6min

Today, Gh0sthax and I talk about week 3/4 of the CRTP - Certified Red Team Professional training, and how it's kicking our butts a bit. Key points include: We agree this is not a certification for folks who are new to pentesting Don't expect to be following along "live" with the instructor during the training sessions You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewalll config! The more PowerShell skills you can walk into this training with, the better. We've got to play with some tools that were new(ish) to us: PowerUpSQL - check out these awesome cheat sheets too! HeidiSQL Rubeus If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam! Some pros of this training: fast-moving, super knowledgable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective! A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.

30 Joulu 202048min

Merry Christmas! Happy holidays! Please enjoy the last cyber news edition of 2020, brought to us by our good pal Gh0stHax. Stories covered include: You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details. Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!

23 Joulu 202058min

Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include: It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts. Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh. Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here. When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.

17 Joulu 202041min