7MS #501: Tales of Pentest Pwnage - Part 31

Hello friends, in today's episode I give an audio summary of a talk I gave this week at the MN GOVIT Symposium called "Should You Hire AI to Run Your Next Pentest?"  It's not a pro-AI celebration, nor is it an anti-AI bashing.  Rather, the talk focuses on my experiences using both free and paid AI services to guide me through an Active Directory penetration test.

21 Marras 21min

Hello friends!  This week I'm talking about what I'm working on this week, including: Preparing a talk called Should You Hire AI to Run Your Next Pentest for the Minnesota GOVIT Symposium. Playing with Lithnet AD password protection (I will show this live on next week's Tuesday TOOLSday). The Light Pentest logo contest has a winner!

14 Marras 18min

Today is episode 700 of the 7MinSec podcast! Oh my gosh. My mom didn't think we could do it, but we did. Instead of a big blowout with huge news, giveaways and special guests, today is a pretty standard issue episode with a (nearly) 7-minute run time! The topic of today's episode is Pretender (which you can download here and read a lot more about here).  The tool authors explain the motivation behind the tool: "We designed pretender with the single purpose to obtain machine-in-the-middle positions combining the techniques of mitm6 and only the name resolution spoofing portion of Responder." On a recent pentest, I used Pretender's "dry run" mode to find a hostname (that didn't exist) that a ton of machines were querying for, and poisoned requests just for that host.  This type of targeted poisoning snagged me some helpful hashes that I was able to crack/relay, all while minimizing the risk of broader network disruption!

7 Marras 8min

Today we discuss some pre-travel tips you can use before hopping on a plane to start a work/personal adventure. Tips include: Updating the family DR/BCP plan Lightening your purse/wallet Validating/testing backups and restores Ensuring your auto coverage is up to snuff

31 Loka 30min

Today I give a quick review of the cloud version of ProjectDiscovery (not a sponsor!).

24 Loka 24min

Today your pal and mine Joe "The Machine" Skeen pwn one of the two Ninja Hacker Academy domains! This pwnage included: Swiping service tickets in the name of high-priv users Dumping secrets from wmorkstations Disabling AV Extracting hashes of gMSA accounts We didn't get the second domain pwned, and so I was originally thinking about doing a part 5 in November, but changed my mind. Going forward, I'm thinking about doing longer, all-in-one hacking livestreams where we cover things like NHA from start to finish. My first thought would be to do one long livestream where we complete NHA start to finish. Would you be interested? Let me know at 7MinSec.club, as I'm thinking this could be an interesting piece of bonus content.

18 Loka 13min

In today's episode: I got a new podcast doodad I really like JitBit as a security ticketing system (not a sponsor) The Threat Hunting with Velociraptor 2-day training was great. Highly recommend. I got inspired to take this class after watching the 1-hour primer here.

10 Loka 27min

Today's tale of pentest pwnage involves: Using mssqlkaren to dump sensitive goodies out of SCCM Using a specific fork of bloodhound to find machines I could force password resets on (warning: don't do this in prod…read this!) Don't forget to check out our weekly Tuesday TOOLSday – live every Tuesday at 10 a.m. over at 7MinSec.club!

3 Loka 15min