7MS #449: DIY Pentest Dropbox Tips - Part 3

This week I had the fun opportunity to do a "blind" network security assessment - where basically we had to step into a network we'd never seen before and make some security posture recommendations. I've found that the following software/hardware is quite helpful for this type of assessment: The PwnPulse helps a ton in scanning wired and wireless networks...and even Bluetooth! I've covered the Pulse in past episodes - check out part 1 and part 2. Network Detective will do a ton of helpful Active Directory enumeration and point out potential red flags, such as: Accounts that haven't been logged into for a long time Accounts with passwords that haven't been refreshed in a long time Privileged groups that need review (Domain Admins, Enterprise Admins, etc.) AD policy issues (*warning: by default Network Detective only pulls back a few policies by default. Check out scripts such as my Environment Check to grab a dump of all GPOs. Thycotic Privileged Account Discovery is a free tool that can crawl AD workstations and enumerate the local administrator accounts on each machine. It makes a good case for implementing LAPS.

7 Juni 201710min

I'm continuing to love the our PwnPro and had a chance to use it on a customer assessment this week. For the most part the setup/install was a breeze. Just had a few hiccups that the Pwnie support team straightened me out on right away. In the episode I mention some command line tools and syntax that helped me work with the Pulse. One was using fping to sweep large subnets and accurately find live hosts: fping -a -g 10.0.5.0/16 > blah.txt Then, to setup the reverse shell, I just forwarded port 22 from my Ubiquiti gear to my internal Kali host, and then ran this to make the reverse connection: ssh pwnie@localhost -p 3333 Lastly, to setup the reverse shell so you can proxy Web traffic to an alternate host/port, such as the Nessus port, setup your shell like so: ssh pwnie@localhost -p 3333 -ND 8080 Then leave that window open and setup your Web browser so that you do a SOCKS5 proxy to localhost:8080. Finally, visit http://ip.of.your.host:XXXX. So if your Pulse was 1.2.3.4 and had Nessus running, you'd visit https://1.2.3.4:8834. Enjoy!

2 Juni 201712min

Warning! Warning! This is an off-topic episode! I try really hard to create valuable weekly content about IT/security. However, sometimes a virtual grenade goes off in my life and prevents me from having the necessary time/resources to get my act together. This has been one of those weeks. :-) So today I'm going off-topic and talking about an alleged burglary of some electronics at my home. And once we identified the culprit, wow...nobody was more surprised than me.

25 Maj 20179min

Intro I mentioned last week that I was speaking at the Secure360 conference here in the Twin Cities, and at that time I was preparing a talk called Pentesting 101: No Hoodie Required. I was so nervous that I've basically spent the last week breathing heavily into paper bags and wishing I was on sedatives. But I have good news to report in today's episode, friends! The talk was very well received and the attendees didn't get out torches and pitchforks! #winning! So today's episode (audio below) talks more about the public speaking experiences and highlights some lessons learned: Things I'd do again next time I'd not tempt the demo gods and still pre-record my hacking movies ahead of time. I saw some people do live demos of very technical things and it did not go well for a few of them :-( I would still spend way too many hours cutting together my movies in iMovie so that they followed a good tempo when presented live I would still have a copy of my presentation on two different laptops, 3 USB thumb drives, a cloud copy, and a copy sent to the Secure 360 folks just in case. Backups, backups, backups - am I right? What I'd do differently next time I'd hopefully have the preso done a few days (weeks, even!) ahead of time and practice it in front of colleagues to get some feedback. I'd still have a theme to the presentation, but rather than something specific like Terminator 2, maybe I'd go even more general and pick a movie/character that could appeal even more to the masses. I wouldn't worry so much about having a presentation that "nails it" for everybody. That's just not possible! We're all coming from different backgrounds and skillsets. It's not gonna be a home run for everybody.

18 Maj 201714min

The nervous butterflies are chewing up my organs this week. Why? Because I'm speaking at Secure360 next Tuesday and Wednesday. I'm trying to build a presentation that: Appeals to both techie nerds like me, as well as regular human people Strikes a healthy balance between fun and informative So, my outline is roughly as follows: Intros Lets talk about pentesting vs. vulnerability scans Build your own hackin' lab for $500! Good/bad training (CEH vs. OSCP) Lets hack some stuff following a methodology! Tune in today's episode for more...

11 Maj 201711min

So a few weeks ago I did an episode about the AlienVault Certified Security Engineer certification, and last Friday I took a stab at the test. I failed. It kicked my butt. Today I'm here to both rant about the unfairness of the test and offer you some study tips so you don't suffer a similar fate. P.S. - you should definitely check out this blog as it's one of the few valuable study guides I could find out there on the Interwebs.

4 Maj 201711min

I'm kicking the tires on the PwnPro which is an all-in-one wired, wireless and Bluetooth assessment and pentesting tool. Upon getting plugged into a network, it peers with a cloud portal and lets you assess and pentest from the comfort of your jammies back at your house! Oh, and did I mention it runs Kali on the back end? Delicious. Today's episode dives into some of what I've been learning about the PwnPro as I run it through its paces at work and warm it up for our first customer assessment...

27 Apr 201710min

I've been working with the Bash Bunny for the past few weeks in preparation for a presentation/demo I'm doing in a few weeks. Today I want to talk about what the Bunny is, the cool things it can do, and some of my favorite payloads. Also, I started thinking about what conversation topics spawn from a demo of the Bunny. Specifically, I want to know how people would defend against the Bunny using AD policies, peripheral controls, etc. Check out the Hak5 thread I started about this, as it has got some great ideas.

20 Apr 201710min