7MS #502: Building a Pentest Lab in Azure

7MS #502: Building a Pentest Lab in Azure

Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the tips in today's episode will save you some time/headaches/money should you setup a pentesting training camp in the cloud.

Things I like

  • No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.)

  • You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation

Things I don't like

  • VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain:
dsregcmd /leave Add-Computer -DomainName pwn.town -Restart
  • Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode).

  • Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes.

  • Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell.

  • Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they night a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not).

Things that are broken

  • Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh.

  • Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies.

On a personal note, it has been good knowing you because I'm about to spend all my money on a new hobby: indoor skydiving.

Episoder(684)

7MS #516: Tips to Travel More Securely

7MS #516: Tips to Travel More Securely

In today's episode I talk about a cool self-defense class I took a while ago which was all about less lethal methods of protecting/defending yourself. I also talk about some safer ways to handle/hide cash while traveling on vacation.

14 Apr 202245min

7MS #515: Securing Your Family During and After a Disaster - Part 5

7MS #515: Securing Your Family During and After a Disaster - Part 5

Today we continue the series we started a few years ago called Security Your Family During and After a Disaster (the last part in this series was from a few years ago. In today's episode we focus on some additional things you should be thinking about to strengthen the "in case of emergency" document you share with your close friends and family.

6 Apr 202235min

7MS #514: Tales of Pentest Pwnage - Part 34

7MS #514: Tales of Pentest Pwnage - Part 34

Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include: I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqnd Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error! Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold! LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it

30 Mar 202250min

7MS #513: Interview with Christopher Fielder and Jon Crotty of Arctic Wolf

7MS #513: Interview with Christopher Fielder and Jon Crotty of Arctic Wolf

Today we're joined by our friends Christopher Fielder and Jon Crotty from Arctic Wolf to talk about their interesting report on The State of Cybersecurity: 2022 Trends (note: you can get some of the report's key points here without needing to provide an email address). The three of us dig in to talk about some of the report's specific highlights, including: Many orgs are running the bare minimum (or nothing!) for endpoint protection Cyber insurance costs are going up, and some customers are unable to afford it - or they're getting dropped by their carrier altogether Security is still not getting a seat at the decision-making table in a lot of orgs, and already-overburned IT teams taking on security as part of their job descriptions as well Seems like everybody and their mom is moving infrastructure to the cloud, but few are managing that attack surface, thus increasing risk The cyber skills gap remains a challenge - many security gurus are looking to get out of their current position, leading many orgs to hire inexperienced teams who make rushed/misinformed decisions about security tools and services, thus making the org less secure P.S. this is Christopher's fifth time on the program. Be sure to check out his first, second, third and fourth interviews with 7MS.

23 Mar 202255min

7MS #512: First Impressions of InsightIDR

7MS #512: First Impressions of InsightIDR

Today I'm sharing some first impressions of the Rapid 7 InsightIDR as kind of a teaser for an eventual new chapter in our Desperately Seeking a Super SIEM for SMBs series. Disclaimer: remember these are first impressions. There may be some missed detections I talk about today that are a me problem and not the technology. I hope to get to the root of those unresolved issues by the time I talk more formally about InsightIDR in a future episode. Enjoy!

17 Mar 202251min

7MS #511: How to Succeed in Business Without Really Crying - Part 10

7MS #511: How to Succeed in Business Without Really Crying - Part 10

Today we're continuing our series focused on [owning a security consultancy], talking specifically about: How not to give up on warm sales leads, even if they haven't panned out for 5+ years! Some cool Mac tools that help me manage 7MS - such as Craft and OmniFocus A sneak peek at a SIEM vendor that will soon be featured in an episode of Desperately Seeking a Super SIEM for SMBs

11 Mar 202236min

7MS #510: First Impressions of Tailscale

7MS #510: First Impressions of Tailscale

Today we share some first impressions of Tailscale, a service that advertises itself as "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." Is it really that cool and easy? Listen to today's episode to find out!

2 Mar 202242min

7MS #509: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 4

7MS #509: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 4

Today we revisit our phishing series with a few important updates that help us run our campaigns more smoothly, such as creating a simple but effective fake O365 portal, and being aware that some email systems may "pre-click" malicious links before users ever actually do.

23 Feb 202234min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
aftenpodden-usa
forklart
stopp-verden
popradet
dine-penger-pengeradet
det-store-bildet
nokon-ma-ga
unitedno
aftenbla-bla
fotballpodden-2
rss-ness
e24-podden
rss-penger-polser-og-politikk
rss-fredrik-og-zahid-loser-ingenting
oppdatert
bt-dokumentar-2
amerikansk-politikk
liverpoolno-pausepraten