7MS #449: DIY Pentest Dropbox Tips - Part 3

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this: Don't let the Internet get you down It's full of trolls and 10 year olds and adolescent clowns So let their words roll off of you, like water off a duck To prove to them that you don't give a darn On a more serious note, here are some opsec tips that hopefully will help you as a security consultant: Good contracts - make sure your SOWs have lots of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also, consider verbiage that says you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time. Scope - make sure you talk about scope, both in written and verbal form, often! Also, a Nessus scanning tip: use the nessusd.rules file to not scan any IPs the client doesn't want touched. That way Nessus won't scan those IPs even if you try to force it to! Send information to/from clients safely - consider forcing MFA on your file-sharing portals, as well as a retention policy so that files "self destruct" after X days. ....and more on today's episode (see 7ms.us for more show notes)! Has 7MS helped you in your IT and security career? Please consider buying me a coffee!

23 Tammi 202036min

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In last week's episode I was very close to potentially synching up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about: How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump, test egress filtering, run Network Detective and more Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this: python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt cut -d ':' -f 2 combined.txt > passwords.txt ruby /opt/pipal/pipal.rb passwords.txt > pip.txt The procdump + lsass trick is still really effective (though sometimes AV gobbles it) (See full show notes at 7ms.us!)

15 Tammi 202053min

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's tale of pentest pwnage I got to try some tools and tricks for the first time! Here are the key points/takeaways from this test: It's great to have additional goals to achieve in a network pentest outside of just "get DA" PayloadsAllTheThings has a great section on Active Directory attacks Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack! If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like: shutdown -r +15 "Rebooting in 15 minutes just in case I mitm6 myself right off this box!" When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields! Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good! There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful. See today's show notes on 7ms.us for more info!

9 Tammi 20201h 5min

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Sung to the tune of "Do You Wanna Build a Snowman" Do you wanna build a Pwnagotchi? Even though you thought you never would? I really hope mine doesn't ever break It grabs wifi handshakes It does it really good! Today's episode is all about Pwnagotchi, a cute little device whose sole purpose in life is to gobble WPA handshakes! Check out today's episode to learn more about the device (as well as some pwn-a-gotchas that you should be aware of), and then come to the next 7MS user group meeting to build your own! If you can't make this meeting I'll also do a Webinar version of the presentation - likely in February or March, so stay tuned to our Webinars page. At the end of today's episode I talk about my troll foot. I fractured my ankle on Christmas Eve and was basically this lady. At the end of the day I received an avulsion fracture and it kinda made my Christmas stink. But 2020 is gonna absolutely rip, friends!

3 Tammi 202043min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Peter Kim of The Hacker Playbook series joins me today to talk about all things hacking! Peter runs a popular west coast hacker meetup, and I was fortunate enough to attend his Real World Red Team training, which I wrote a review about here. Peter sat down with me over Skype to talk about: The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-) How do you balance work and family life when trying to pwn all the things and have a personal life and significant other? How do you break into security when your background is in something totally different, like a mechanic, artist or musician? What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both? What are some other low-hanging fruit organizations can use to better defend their networks? Do you run across some of these good defenses - like honeypots - in your engagements? If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be? ...and more!

26 Joulu 20191h 24min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is all about LAPS - Microsoft's Local Administrator Password solution. In a nutshell, LAPS strengthens and randomizes the local administrator password on the systems across your enterprise. We talked about it way back in episode 252 but figured it was worth a revisit because: It's awesome It's free People still haven't heard of it when I share info about it during conference talks! I've got a full write-up of how to install LAPS here At a recent conference people asked me two awesome edge case questions: What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it? What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?

19 Joulu 201924min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. This is part three of this series - part 1 talked about a fire that destroyed my family's home and vehicles, and part 2 was about how to get "back on the grid" and start working with the insurance machine to find a new "normal." Today, I want to answer some burning questions many of you have been asking: Have you hit rock bottom yet? (Spolier alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain) How long to you get to keep rental cars before you have to replace your permanent vehicles? Do you have to stay in a hotel the whole time your house is rebuilt? What about if you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt? What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?

12 Joulu 201949min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://itpro.tv/7minute. Today's episode is a twofer. That's right, two tales of internal network pentest pwnage. Whoop whoop! We cover: What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward) A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX This handy script runs nmap against subnets, then Eyewitness, then emails the results to you Early in the engagement I'd highly recommend checking for Kerberoastable accounts I really like Multirelay to help me pass hashes, like: MultiRelay.py -t 1.2.3.4 -u bob.admin Administrator yourmoms.admin Once you get a shell, run dump to dump hashes! Then, use CME to pass that hash around the network! crackmapexec smb 192.168.0.0/24 -u Administrator -H YOUR-HASH-GOES-HERE --local auth Then, check out this article to use NPS and get a full-featured shell on your targets

6 Joulu 20191h 2min