7MS #660: Baby's First Hetzner and Ludus

Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1. In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!): Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!) Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!) If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye. We also talk about lessons learned from this pentest - both things done well and things the org can do to make the next pentester's job a lot harder.

25 Maalis 201938min

Buckle up! This is one of my favorite episodes. Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative to share. Below are some highlights of topics/tools/techniques discussed: Building a pentest dropbox The timing is perfect - my pal Paul (from Project7) and Dan (from PlexTrac) have a two-part Webinar series on building your own $500 DIY Pentest Lab, but the skills learned in the Webinars translate perfectly into making a pentest dropbox. Head to our webinars page for more info. Securing a pentest dropbox What I did with my Intel NUC pentest dropbox is build a few VMs as follows: Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it. Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS). Scoping/approaching a pentest From what I can gather, there are (at least) two popular schools of thought as it relates to approaching a pentest: From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there. Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point. Pentest narrative For one of the tests I worked on, here were some successes and challenges I had along the way: Check out the show notes at 7MS.us as there's lots more good info there!

22 Maalis 201942min

I recently had the awesome opportunity to take the awesome Real World Red Team course put on by Peter Kim, author of The Hacker Playbook series. TLDR and TLDR (too long don't listen): go take this training. Please. Now. The end. If you want to hear more, check out today's podcast episode where I talk about all the wonderful tidbits I learned from Peter during the training, including: Doppelganger attacks - does your target have a frequently used site like mail.company.com? Try buying up mailcompany.com with a copy of their email portal (using Social Engineer Toolkit), and the creds might come pouring in! Get potential usable creds from old breaches (Adobe, Ashley Madison, LinkedIn, Spotify) Password spraying is often really effective to get you your first set of creds - check out Spray or DomainPasswordSpray When creating phishing payloads, Veil will help you craft something to bypass AV When you're in a network and have grabbed your first set of creds, run BloodHound or SharpHound to map the Active Directory and find your high-value targets Check systems for MS17-010 for some potential easy wins Look for potential accounts that you can Kerberoast For more info visit today's show notes on 7ms.us

14 Maalis 201934min

Today's episode is brought to you by NoteCast. Try it free for 60 days (no credit card required) and enter code 7MS when completing your signup. In today's episode, I talk about how the level of Windows server/client logging out of the box is...not really awesome. I then look at how we can create a GPO that turns logging "up to 11" using some free tools and cheat sheets. If you want to simulate this in your own lab by building out an Active Directory environment, check out part 1 of a Webinar series we've been working on called DIY $500 Pentest Lab, which helps you select hardware/software components you need to build a lab. Then coming up soon is part 2 where we'll build out a Windows 2012 server, promote it to a DC, join a couple clients to it, and prepare to start hacking! Once your AD and clients are setup, you can start slurping up their logs for free using a Papertrailapp account (not a sponsor). I went ahead and paid for a $7/mo plan so I could get 1GB of storage and a little longer log retention. Then, I used LOG-MD to audit a Windows workstation and get some great recommendations on what registry settings and security policy tweaks to make. Finally, I started turning this into a GPO so I could begin pushing out these settings en masse. My living/breathing document to capture all this information is in a new gist that I plopped here.

6 Maalis 201923min

Today's featured interview is with Lewie Wilkinson, senior integration engineer at Pondurance. Pondurance helps customers improve their security posture by providing a managed threat hunting and response solution, including a 24/7 SOC. Lewie joined me via Skype to talk a lot about a topic I'm fascinated with: incident response! I had a slew of questions and topics I wanted to discuss, including: Fundamentals of threat hunting What is threat hunting? What are the fundamentals to start mastering? How can someone start developing the core skills to get good at it? How can sysadmins/network admin, who have a busy enough time already just keeping the digital lights on, handle the mounting pressure to also shoulder security responsibilities as part of their job duties? What training/cert options are good to build skills in threat hunting? Lets say you know one of your users has clicked something icky and you suspect compromised machine/creds. You pull the machine off the network and rebuild it. How do you know that you've found/limited the extent of the damage? Are attackers on networks typically wiping logs on systems as the bounce around laterally? Anything to add to the low-hanging hacker fruit list? Why is it so critical to not just have logs, but have verbose logs with rich data you need in an investigation? When does it make sense to outsource some security responsibilities to a third party? Learn more about Pondurance at their Web site and Twitter.

20 Helmi 20191h

Today's featured interview is with Ameesh Divatia, cofounder and CEO at Baffle. Baffle offers an interesting approach to data protection that they call data-centric protection, and the idea is you need to protect information at the record level, not just the sort of traditional approach of "encrypt at rest" and call it good. Ameesh sat down with me to talk about a lot of high level data and security privacy concerns, specifically: Data privacy - it seems like every 15 minutes there's yet another massive data breach. Why is this continuing to happen? What are the basic security/privacy fundamentals that companies should be doing but, for whatever reason, are not? GDPR What does GDPR mean to the average person? Why it was a data privacy wake-up call for so many? Have there been any sizable fines issued thus far? How can data that companies collect on us be processed in a way that doesn't compromise security? Learn more about Baffle at their Web site and Twitter.

14 Helmi 201929min

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! This episode focuses on security for families/kids - specifically cell phone security for tweenagers. We hit a milestone in the 7MS household this year because my tweenage son got an iPhone, much to my...uhh...not excitement. So we decided to wrap the following technical and administrative controls around the phone to hopefully make it a pleasant experience for everybody: Technical I really dig the Apple family sharing controls, which let you do things like: Have the phone "sleep" at certain hours Limit the total amount of screen time per day Require you to authorize any apps that are downloaded We turned on OpenDNS to help filter inappropriate content. I also use UniFi access points, which allow you to create a separate wireless SSID with a voucher system enabled on it. That way, you can hand out vouchers to kids with a defined amount of access attached to it (like 1 hour or whatever you like). We use it as a reward once the kids' chores and homework is complete. Administrative For our tweenager with the phone, we wrote up an agreement about acceptable use of the phone - including guidelines around the device's physical security, passwords and PINs, appropriate content, etc. You can grab a copy here

6 Helmi 201936min

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Psst...my pals Paul and Dan are hosting a Webinar all about building your own pentest lab for ~$500. This is happening next Tuesday, Feb. 5 at 12 p.m. CST. Sign up here. Today I thought I'd kind of hit the reset/refresh button and give you a little background on: My self-diagnosed job ADHD (check out my series on career guidance for the even longer version :-/) The history of 7MS the podcast (inspired by 10 minute podcast) How the podcast helped launch 7MS the business The various resources 7MS has worked on to help you in your IT/security career, such as: BPATTY - Brian's Pentesting and Technical Tips for You A Slack channel full of cool security people who want to help you learn, and learn from others as well Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy Thinking about starting your own company? Come see me at Secure360 this summer for my talk called So You Want to Start a Security Company.

31 Tammi 201949min