7MS #508: Tales of Pentest Pwnage - Part 33

Today we're joined by some of our friends at Arctic Wolf - Eugene Grant and Christopher Fielder - to talk about compliance. Now hold on - don't leave yet! I know for many folks, compliance makes them want to bleach their eyeballs. But compliance is super important - especially because it is not the same as being secure. So we discuss the differences between security and compliance, and practical work we can do to actually be more compliant and secure, including: Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out! Creating core policies and procedures that you will actually follow Learning about security frameworks that will help you build a security program from scratch Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit! Knowing where your crown jewels are - be that data, a database, a key system, etc. Writing critical documentation - especially backup/restore procedures. Forming a security "dream team" to help drive your program Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!) P.S. this is Christopher's sixth time on the program. Be sure to check out his first, second, third, fourth and fifth interviews with 7MS.

1 Aug 202257min

Hey friends, we have another fun tale of pwnage for you today. I loved this one because I got to learn some new tools I hadn't used before, such as: Get-InternalSubnets.ps1 - for getting internal subnets Adalanche for grabbing Active Directory info (similar to SharpHound) This tool worked well for me with this syntax: adalanche-windows-x64-v2022.5.19.exe collect activedirectory --domain victim.domain --port=389 --tlsmode=NoTLS Copernic Desktop Search for pillaging through shares with Google-like search capabilities! PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions! CeWL for creating awesome wordlists to crack with! I don't have a Toyota TRD Pro, but I can't stop watching this reel.

22 Juli 202247min

Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one) when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11! Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including: How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats? Why open source detections are a great starting point - but not a magic bullet Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend? Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes? Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block? Common lateral movement tools/techniques Why honeypots rule!

15 Juli 20221h 13min

In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for: Do we have creds to log onto his computer? How about his email accounts? Do we have usernames/passwords for retirement accounts, bank accounts, etc.? For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles? Can we get into his phone to get key info off of text messages and grab phone #s of key contacts? What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial? Do we have redundancy in this plan, or is it all on paper in a file somewhere?

8 Juli 202240min

In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489.

1 Juli 202252min

Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO: Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible! In regards to defending against secretsdump, this article I found this article to be super interesting.

24 Juni 202234min

Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks: Active Directory enumeration via SharpHound Password spraying through Rubeus Kerberoasting and ASREPRoasting via Rubeus Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi. Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping. Pass-the-hash attacks with CrackMapExec In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves: Getting Started with Rapid7 InsightIDR: A SIEM Tutorial Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

17 Juni 202233min

I'm extra psyched today, because today's episode (which is all about updating your VMWare ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates: List all upgrade profiles: esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Grep for just the ones you want (in my case ESXi 7.x): esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0 Apply the one you want! esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0

10 Juni 202233min