7MS #467: How to Succeed in Business Without Really Crying - Part 9

Today we revisit a series we haven’t touched in a long time all about eating the security dog food. TLDL about this series is I often find myself preaching security best practices, but don’t always follow them as a consultancy. So today we talk about: How the internal 7MS infosec policy development is coming along Why I’m no longer going to be “product agnostic” going forward Some first impressions of a new tool I’m trying called ITGlue (not a sponsor) How to start building a critical asset list - and how it shouldn’t overlook things like domain names and LetsEncrypt certs Also, don’t forget we are doing weekly livestreams on security topics!

23 Syys 202247min

Hey friends! Today we're giving you a first impressions episode all about Airlock Digital, an application allowlisting solution. They were kind enough to let us play with it in our lab with the intention of exploring its bells and whistles, so we're excited to report back our findings in podcast form. TLDL: we really like this solution! It is easy to deploy (see this YouTube video for a quick walkthrough). Once I had it going in the lab, I tried administering it without reading any of the documentation, and figured out most of the workflows with ease. I just ran into a couple questions that the Airlock folks were great about answering quickly. I want to better understand the "Microsoft way" to do application allowlisting - using their standard offering or something like AaronLocker. But several colleagues have told me they had "OMG moments" where a C-level staff member suddenly needed to run something like ringcentral.exe and they weren't able to because of app blocklisting. It then becomes difficult to quickly allow that .exe to run without pushing GPO updates or having someone log in as local admin or something like that. But Airlock has a cool, killer feature to address this need...take a listen to today's program to learn more!

16 Syys 202236min

In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include: If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line: cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' Then you can scan with nmap to find the "live" hosts: nmap -sn -iL targets.txt For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions. If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like: cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes! Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp! Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

9 Syys 202250min

Today we're so excited to welcome Amanda Berlin, Lead Incident Detection Engineer at Blumira, back to the show (did you miss Amanda's first appearance on the show?  Check it out here)!  You might already be familiar with Amanda's awesome Defensive Security Handbook or her work with the Mental Health Hackers organization.  Today we virtually sat down to tackle a variety of topics and questions, including: What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange?  Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them? Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)?  Spoiler alert: yes. Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec? Does Amanda think there's a gender bias in the security industry? Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

2 Syys 20221h 5min

Today's episode covers three remediation-focused topics that kind of grind my gears and/or get me frustrated with myself. I'm curious for your thoughts on these, so reach out via Slack or Twitter and maybe we'll do a future live stream on this topic. How do you get clients to actually care when we explain the threats on their network that are a literal 10/10 on the CVSS scale? Password policies - they're not just as easy as "Have a password of X length with Y complexity." Fixing the various broadcast traffic and protocol issues that give us easy wins with Responder and mitm6 - it's more nuanced than just "Disable LLMNR/NETBIOS/MDNS and shut off IPv6." This article discusses these challenges in more detail.

27 Elo 202240min

Hey friends, today we share the (hopefully) thrilling conclusion of last week's pentest. Here are some key points: If you find you have local admin on a bunch of privileges and want to quickly loop through a secretsdump of ALL systems and save the output to a text file, this little hacky script will do it! #!/bin/bash File="localadmin.txt" Lines=$(cat $File) for Line in $Lines do echo --- $Line --- >> dump.txt echo --------------------- >> dump.txt sudo python3 /opt/impacket/examples/secretsdump.py -k "$Line" >> dump.txt echo --------------------- >> dump.txt done From those dumps you can definitely try to crack the DCC hashes using a local or cloud cracker - see our series on this topic for some guidance. Got an NTLM hash for a privileged user and want to PS remote into a victim system? You can essentially do a PowerShell login pass-the-hash with evil-winrm! The Brute Ratel crisis monitor is awesome for watching a box and monitoring for people logging in and out of it (perfect for getting ready to strike with lsass dumps!)

19 Elo 202244min

Ok, ok, I know.  I almost always say something like "Today is my favorite tale of pentest pwnage."  And guess what?  Today is my favorite tale of pentest pwnage, and I don't even know how it's going to end yet, so stay tuned to next week's (hopefully) exciting conclusion.  For today, though, I've got some pentest tips to hopefully help you in your journeys of pwnage: PowerHuntShares is awesome at finding SMB shares and where you have read/write permissions on them.  Note there is a -Threads flag to adjust the intensity of your scan. Are your mitm6 attacks not working properly - even though they look like they should?  There might be seem LDAP/LDAPs protections in play.  Use LdapRelayScan to verify! Are you trying to abuse Active Directory Certificate Services attack ESC1 but things just don't seem to be working?  Make sure the cert you are forging is properly representing the user you are trying to spoof by using Get-LdapCurrentUser.ps1.  Also look at PassTheCert as another tool to abuse ADCS vulnerabilities. Example syntax for LdapCurrentUser: Get-LdapCurrentUser -certificate my.pfx -server my.domain.controller:636 -usessl -CertificatePassword admin If you manage to get your hands on an old Active Directory backup, this PowerShell snippet will help you get a list of users from the current domain, sorted by passwordlastset.  That way you can quickly find users who haven't changed their password since the AD backup: get-aduser -filter * -server victimdomain.local -properties pwdlastset,passwordlastset,enabled | where { $_.Enabled -eq $True} | select-object samaccountname,passwordlastset | sort-object passwordlastset

12 Elo 202235min

Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this: If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/ A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so: gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache Then in most tools you can pass the cred by doing something like: crackmapexec smb DC01 -k In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage! I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance. Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

5 Elo 202254min