7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4
7 Minute Security1 Nov 2019

7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!

I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave!

In today's episode we talk about:

  • Running into angry system admins (that are either too fired up or not fired up enough)
  • Being wrong without being ashamed
  • When is it necessary to make too much noice to get caught during an engagement?
  • What are the top 5 tools you run on every engagement?
  • How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
  • How do you deal with clients who scope things in such as way that the test is almost impossible to conduct?
  • How do you deal with colleagues who take findings as their own when they talk with management?
  • How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark?
  • What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
  • How could a fresh grad get into a red team job?
  • What do recruiters look for candidates seeking red team positions?
  • If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them?
  • What do you do when you're contracted for a pentest, but on day one your realize the org is not at all ready for one?
  • What's your favorite red team horror story?

Avsnitt(683)

7MS #628: How to Succeed in Business Without Really Crying – Part 17

7MS #628: How to Succeed in Business Without Really Crying – Part 17

Hey friends, today we talk about some not-so-glamorous but ever-so-important stuff related to running a cybersecurity consultancy, including: Taking an inventory of all the SaaS stuff your business uses – to keep an eye on spending, know when services are expiring, and track which credit card the services are tied to (so the services don’t almost get cancelled like some did with me!) Tracking domain names, and setting up your own automated rules to notify you well ahead of time when a domain is expiring (maybe that passion project is never gonna happen…time to let those old domains go 🙂 Making a spreadsheet of all important accounts and checking all the auth methods allowed for each account – to prevent attacks such as SIM-swapping

14 Juni 20249min

7MS #627: Migrating from vCenter to Proxmox – Part 2

7MS #627: Migrating from vCenter to Proxmox – Part 2

Hey friends, today we continue our series all about migrating from VMWare to the world Proxmox!  Specifically: Getting my first Proxmox-based NUCs out in the field for live engagements! Pulling the trigger on two bare-metal Proxmox servers to eventually replace my vCenter environment. OVHCloud made it super easy to to add Proxmox to those bare-metals with a simple wizard. I couldn’t figure out how to get a Proxmox VM as the main firewall for the whole Proxmox node, but it turns out it helps to RTFM. When getting a bare-metal OS/hypervisor installed, be careful in that the provider may leave the management ports of that host open to the whole world.  In OVH’s case, they have a software firewall that can be tuned so that, for example, only you can hit the management ports for the box. Getting VLANs setup is a snap once the virtual hardware stuff is in place.

10 Juni 202435min

7MS #626: Web Pentesting Pastiche

7MS #626: Web Pentesting Pastiche

Hey friends, today we’ve got a security milkshake episode about Web app pentesting. Specifically we talk about: Burp Suite Enterprise Caido – a lightweight alternative to Burp wfuzz – Web fuzzer.  Using a proxy:wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt –sc 200 “https://somedomain.com/shopping?&qty=%2FUZZ” -p 10.0.7.11:8080 KNOXSS – for XSS testing – pairs nicely with this wrapper: https://github.com/xnl-h4ck3r/knoxnl In the tangent dept, I moan about how I hate some things about Proxmox but am also starting to love it. In the tangent #2 department, I talk about tinnitus and acupuncture!

31 Maj 202450min

7MS #625: A Peek into the 7MS Mail Bag - Part 4

7MS #625: A Peek into the 7MS Mail Bag - Part 4

Road trip time! I’ve been traveling this week doing some fun security projects, and thought all this highway time would be a perfect opportunity to take a dip into the 7MS mail bag!  Today’s questions include: How do you price internal network penetration tests? Have you ever had to deal with a difficult client situation, and how did you resolve it? Are you done going after certs?  Spoiler: no – I’m interested in doing the XINTRA labs (not sure if it includes a cert) Do you provide managed services or just stick with more “one and done” assessment work? You said the “smart business people” tell you to form reseller partnerships, otherwise you’re leaving money on the table – so why don’t you? I’m thinking of starting my own cybersecurity consultancy – what type of insurance do I need to protect me in case of a digital “oops?”

24 Maj 202444min

7MS #624: Tales of Pentest Pwnage – Part 57

7MS #624: Tales of Pentest Pwnage – Part 57

Today’s tale of pentest pwnage is all about my new favorite attack called SPN-less RBCD. We did a teaser episode last week that actually ended up being a full episode all about the attack, and even step by step commands to pull it off.  But I didn’t want today’s episode to just be “Hey friends, check out the YouTube version of this attack!” so I also cover: Our first first impressions of Burp Enterprise Why I have a real hard time believing you have to follow all these steps to install Kali on Proxmox

17 Maj 202429min

7MS #623: Prelude to a Tale of Pentest Pwnage

7MS #623: Prelude to a Tale of Pentest Pwnage

Today’s prelude to a tale of pentest pwnage talks about something called “spnless RBCD” (resource-based constrained delegation).  The show notes don't format well here in the podcast notes, so head to 7minsec.com to see the notes in all their glory.

10 Maj 202424min

7MS #622: Migrating from vCenter to Proxmox - Part 1

7MS #622: Migrating from vCenter to Proxmox - Part 1

Sadly, the Broadcom acquisition of VMWare has hit 7MinSec hard – we love running ESXi on our NUCs, but ESXi free is no longer available.  To add insult to injury, our vCenter lab at OVHcloud HQ got a huge price gouge (due to license cost increase; not OVH’s fault).  Now we’re exploring Proxmox as an alternative hypervisor, so we’re using today’s episode to kick off a series about the joys and pains of this migration process.

5 Maj 202416min

7MS #621: Eating the Security Dog Food - Part 6

7MS #621: Eating the Security Dog Food - Part 6

Today we revisit a series about eating the security dog food – in other words, practicing what we preach as security gurus!  Specifically we talk about: We’re going to get a third-party assessment on 7MinSec (the business) Tips for secure email backup/storage Limiting the retention of sensitive data you store in cloud places

26 Apr 202423min

Populärt inom Politik & nyheter

p3-krim
svd-dokumentara-berattelser-2
rss-krimstad
flashback-forever
rss-vad-fan-hande
aftonbladet-daily
rss-viva-fotboll
olyckan-inifran
rss-sanning-konsekvens
svenska-fall
krimmagasinet
fordomspodden
motiv
rss-expressen-dok
rss-frandfors-horna
dagens-eko
blenda-2
svd-nyhetsartiklar
spar
spotlight