7MS #502: Building a Pentest Lab in Azure

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.

18 Heinä 201711min

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines. I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!

13 Heinä 201710min

I've been wanting to get a Bro IDS installed for a long time now - and for several reasons: It looks fun! My customers have expressed interest It will be part of my upcoming ILTACON session. So this weekend I started getting the hardware portion ready, which includes: Ubiquiti Edge Router X (~$99) TP-Link TL-SG105E (~$35) CanaKit Raspberry Pi 3 Complete Starter Kit (~$70) If you need additional information such as screenshots/configs etc to get the VLANs passing properly from the Edge Router X to TP-LINK switch, let me know. Otherwise for now I'm just focusing on crafting content for part 2, where we'll dive into actually turning the Pi into a Bro sensor using Sweet Security.

5 Heinä 201710min

I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options: --throttle - for example, I've been using --throttle 1000 in order to be a bit less intense on my target site --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts Also, if you find yourself in a situation where you're testing a production Wordpress sight (not recommended), consider setting up a free up/downtime alert via a free service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats hitting F5 in Firefox every 10 seconds :-)

29 Kesä 201711min

Tell me I can't be the only one who regularly wants to combine a bunch of small Nessus scans files into a big fat Nessus scan file, and then make pretty pictures/graphs/summaries that the customer can easily understand? Over the last few weeks I must've tried every Powershell and Python script I could get my hands on, yet still didn't find the magic bullet solution. That is, until I found this little beauty of a tool: NamicSoft. It's a $65 tool for Windows that will not only combine multiple Nessus files into one huge file, but it offers a ton of export/reporting features to make the Nessus data more valuable. Oh, and it can also digest Burp and Nexpose data as well! More on today's episode...

25 Kesä 201713min

Through kind of a weird series of events, I have an opportunity to speak at ILTACON this summer in Vegas (baby!). I'll be talking about some things you can do if you suspect your perimeter is breached, as well as low-hanging fruit you can implement to better defend against breaches. I'm pumped. And I've done the most important part and chosen a PowerPoint theme: A Few Good Men :-) I've spoken with some of you in the past and know a few of you spend your days and sleepless nights hunting threats. If so I'd love to talk to you to get some creative ideas as it relates to crafting the session content.

14 Kesä 201710min

This week I had the fun opportunity to do a "blind" network security assessment - where basically we had to step into a network we'd never seen before and make some security posture recommendations. I've found that the following software/hardware is quite helpful for this type of assessment: The PwnPulse helps a ton in scanning wired and wireless networks...and even Bluetooth! I've covered the Pulse in past episodes - check out part 1 and part 2. Network Detective will do a ton of helpful Active Directory enumeration and point out potential red flags, such as: Accounts that haven't been logged into for a long time Accounts with passwords that haven't been refreshed in a long time Privileged groups that need review (Domain Admins, Enterprise Admins, etc.) AD policy issues (*warning: by default Network Detective only pulls back a few policies by default. Check out scripts such as my Environment Check to grab a dump of all GPOs. Thycotic Privileged Account Discovery is a free tool that can crawl AD workstations and enumerate the local administrator accounts on each machine. It makes a good case for implementing LAPS.

7 Kesä 201710min

I'm continuing to love the our PwnPro and had a chance to use it on a customer assessment this week. For the most part the setup/install was a breeze. Just had a few hiccups that the Pwnie support team straightened me out on right away. In the episode I mention some command line tools and syntax that helped me work with the Pulse. One was using fping to sweep large subnets and accurately find live hosts: fping -a -g 10.0.5.0/16 > blah.txt Then, to setup the reverse shell, I just forwarded port 22 from my Ubiquiti gear to my internal Kali host, and then ran this to make the reverse connection: ssh pwnie@localhost -p 3333 Lastly, to setup the reverse shell so you can proxy Web traffic to an alternate host/port, such as the Nessus port, setup your shell like so: ssh pwnie@localhost -p 3333 -ND 8080 Then leave that window open and setup your Web browser so that you do a SOCKS5 proxy to localhost:8080. Finally, visit http://ip.of.your.host:XXXX. So if your Pulse was 1.2.3.4 and had Nessus running, you'd visit https://1.2.3.4:8834. Enjoy!

2 Kesä 201712min