7 Minute Security

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.

Brian Johnson


    • May 30, 2025 LATEST EPISODE
    • weekly NEW EPISODES
    • 26m AVG DURATION
    • 674 EPISODES

    4.7 from 66 ratings Listeners of 7 Minute Security that love the show mention: security topics, infosec, cyber security, brian, highly recommend listening, shares, short, news, tips, minutes, earth, experience, helpful, informative, great job, awesome, thanks, good, fun, show.


    Ivy Insights

    The 7 Minute Security podcast is a fantastic resource for anyone interested in cybersecurity. The host, Brian, provides insightful and practical information in a concise and entertaining manner. The podcast covers a wide range of topics related to cybersecurity, including hands-on experiences, industry news, pen-testing tips, and more. Brian's extensive knowledge and experience shine through in each episode, making it an invaluable resource for both beginners and seasoned professionals in the field.

    One of the best aspects of this podcast is its focus on hands-on experience. Brian shares his real-life experiences and challenges in the world of cybersecurity, providing listeners with practical insights that they can apply to their own work. This approach makes the podcast highly relatable and allows listeners to learn from someone who has been through it all. Additionally, Brian's sense of humor adds an extra layer of enjoyment to each episode.

    Another great aspect of this podcast is its informative nature. Whether you are a recent graduate in the field of infosec or an experienced Windows admin looking to transition into security, this podcast has something to offer. The episodes cover all aspects of cybersecurity, giving listeners a well-rounded understanding of the subject matter. It also serves as a valuable educational tool for those studying for certifications such as OSCP.

    While there are very few negative aspects to mention about this podcast, some listeners might find the episodes too short at just seven minutes each. However, it's worth noting that the brevity allows for quick consumption and easy integration into daily routines – even squeezing in an episode during a short break can provide valuable insights.

    In conclusion, The 7 Minute Security podcast is an excellent resource for anyone interested in cybersecurity or seeking professional development in the field. With its informative content, relatable host, and practical approach to learning through hands-on experience, this podcast is highly recommended. Whether you're looking for industry news updates or seeking tips on pen-testing techniques, The 7 Minute Security will not disappoint.



    Latest episodes from 7 Minute Security

    7MS #677: That One Time I Was a Victim of a Supply Chain Attack

    May 30, 2025 · 13:48


    Hi everybody. Today I take it easy (because my brain is fried from the short week) to tell you about the time I think my HP laptop was compromised at the factory!

    7MS #676: Tales of Pentest Pwnage – Part 72

    May 27, 2025 · 59:34


    Today's fun tale of pentest pwnage discusses an attack path that would, in my opinion, probably be impossible to detect…until it's too late.

    7MS #675: Pentesting GOAD – Part 2

    May 16, 2025 · 31:41


    Hey friends! Today Joe “The Machine” Skeen and I tackled GOAD (Game of Active Directory) again – this time covering:
    • SQL link abuse between two domains
    • Forging inter-realm TGTs to conquer the coveted sevenkingdoms.local!
    Join us next month when we aim to overtake essos.local, which will make us rulers over all realms!

    7MS #674: Tales of Pentest Pwnage – Part 71

    May 9, 2025 · 49:00


    Today's tale of pentest pwnage is another great one! We talk about:
    • The SPNless RBCD attack (covered in more detail in this episode)
    • Importance of looking at all “branches” of outbound permissions that your user has in BloodHound
    • This devilishly effective MSOL-account-stealing PowerShell script (obfuscate it first!)
    • A personal update on my frustration with ringing in my ears

    7MS #673: ProxmoxRox

    May 3, 2025 · 30:31


    Today we're excited to release ProxmoxRox – a repo of info and scripts to help you quickly spin up Ubuntu and Windows VMs. Also, some important news items:
    • 7MinSec.club in-person meeting is happening Wednesday, May 14! More details here.
    • We did our second Tuesday TOOLSday this week and showed you some local privesc techniques when you have local admin on an endpoint

    7MS #672: Tales of Pentest Pwnage – Part 70

    Apr 25, 2025 · 55:07


    Today's a fun tale of pentest pwnage where we leveraged a WinRM service ticket in combination with the shadow credentials attack, then connected to an important system using evil-winrm and made our getaway with some privileged Kerberos TGTs! I also share an (intentionally) vague story about a personal struggle I could use your thoughts/prayers/vibes with.

    7MS #671: Pentesting GOAD

    Apr 18, 2025 · 25:18


    Hello! This week Joe “The Machine” Skeen and I kicked off a series all about pentesting GOAD (Game of Active Directory). In part one we covered:
    • Checking for null session enumeration on domain controllers
    • Enumerating systems with and without SMB signing
    • Scraping AD user account descriptions
    • Capturing hashes using Responder
    • Cracking hashes with Hashcat

    7MS #670: Adventures in Self-Hosting Security Services

    Apr 11, 2025 · 36:48


    Hi friends, today I'm kicking off a series talking about the good/bad/ugly of hosting security services. Today I talk specifically about transfer.zip. By self-hosting your own instance of transfer.zip, you can send and receive HUGE files that are end-to-end encrypted using WebRTC.  Sweet!  I also supplemented today's episode with a short live video over at 7MinSec.club.

    7MS #669: What I'm Working on This Week – Part 3

    Apr 4, 2025 · 42:37


    Hi friends, in this edition of what I'm working on this week:
    • 3 pulse-pounding pentests that had…problems
    • Something I'm calling the unshadow/reshadow credentials attack
    • Heads-up on a new video experiment I'm going to try next week

    7MS #668: Tales of Pentest Pwnage – Part 69

    Mar 28, 2025 · 30:22


    Hola friends! Today's tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things:
    • adconnectdump – for all your ADSync account dumping needs!
    • Adam Chester PowerShell script to dump MSOL service account
    • dacledit.py (part of Impacket) to give myself full write privileges on the MSOL sync account: dacledit.py -action 'write' -rights 'FullControl' -principal lowpriv -target MSOL-SYNC-ACCOUNT -dc-ip 1.2.3.4 domain.com/EXCHANGEBOX$ -k -no-pass
    • Looking to tighten up your Exchange permissions – check out this crazy detailed post

    7MS #667: Pentesting GOAD SCCM - Part 2!

    Mar 21, 2025 · 28:52


    Hey friends, our good buddy Joe “The Machine” Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again! Spoiler alert: this time we get DA! YAY! Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life):
    • GOAD SCCM walkthrough
    • MisconfigurationManager – tremendous resource for enumerating/attacking/privesc-ing within SCCM
    • This gist from Adam Chester will help you decrypt SCCM creds stored in SQL

    7MS #666: Tales of Pentest Pwnage – Part 68

    Mar 14, 2025 · 45:35


    Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff!
    • Selective Snaffling with Snaffler
    • The importance of having plenty of dropbox disk space – for redundant remote connectivity and PXE abuse!
    • TGTs can be fun for SMB riffling, targeted Snaffling, netexec-ing and Evil-WinRMing!

    7MS #665: What I'm Working on This Week - Part 2

    Mar 7, 2025 · 28:49


    Hello there friends, I'm doing another “what I'm working on this week” episode which includes:
    • BPATTY v1.6 release – big/cool/new content to share here
    • PWPUSH – this looks to be an awesome way (both paid and free) to securely share files and passwords

    7MS #664: What I'm Working on This Week

    Feb 28, 2025 · 25:38


    In today's episode I talk about what I'm working on this week, including:
    • Playing with Sliver C2 and pairing it with ShellcodePack
    • Talking about Netexecer, my upcoming tool that helps automate some of the early/boring stuff in an internal pentest
    • A gotcha to watch out for if utilizing netexec's MSSQL upload/download functionality

    7MS #663: Pentesting GOAD SCCM

    Feb 21, 2025 · 29:41


    Today we live-hack an SCCM server via GOAD SCCM using some attack guidance from Misconfiguration Manager! Attacks include:
    • Unauthenticated PXE attack
    • PXE (with password) attack
    • Relaying the machine account of the MECM box over to the SQL server to get local admin

    7MS #662: Pentesting Potatoes - Part 2

    Feb 14, 2025 · 37:39


    Hi friends, today we're talking about pentesting potatoes (not really, but this episode is sort of a homage to episode 333 where I went to Boise to do a controls assessment and ended up doing an impromptu physical pentest and social engineer exercise). I talk about what a blast I'm having hunting APTs in XINTRA LABS, and two cool tools I'm building with the help of Cursor:
    • A wrapper for Netexec that quickly finds roastable users, machines without SMB signing, clients running Webclient and more.
    • A sifter of Snaffler-captured files to zero in even closer on interesting things such as usernames and passwords in clear text.

    7MS #661: Baby's First Hetzner and Ludus – Part 2

    Feb 8, 2025 · 37:53


    Today we continue our journey from last week where we spun up a Hetzner cloud server and Ludus.cloud SCCM pentesting range! Topics include:
    • Building a Proxmox Backup Server (this YouTube video was super helpful)
    • Bridging a second WAN IP to the Hetzner/Ludus server
    • Wrestling with the Hetzner (10-rule limit!) software firewall
    • When attacking SCCM – you can get a version of pxethief that runs in Linux!

    7MS #660: Baby's First Hetzner and Ludus

    Feb 1, 2025 · 34:34


    I had an absolute ball this week spinning up my first Hetzner server, though it was not without some drama (firewall config frustrations and failing hard drives).  Once I got past that, though, I got my first taste of the amazing world of Ludus.cloud, where I spun up a vulnerable Microsoft SCCM lab and have started to pwn it.  Can't say enough good things about Ludus.cloud, but I certainly tried in this episode!

    7MS #659: Eating the Security Dog Food - Part 8

    Jan 24, 2025 · 28:29


    Today I'm excited about some tools/automation I've been working on to help shore up the 7MinSec security program, including:
    • Using Retype as a document repository
    • Leveraging the Nessus API to automate the downloading/correlating of scan data
    • Monitoring markdown files for “last update” changes using a basic Python script

    7MS #658: WPA3 Downgrade Attacks

    Jan 17, 2025 · 32:58


    Hey friends, today we cover: The shiny new 7MinSec Club BPATTY updates A talk-through of the WPA3 downgrade attack, complemented by the YouTube livestream

    7MS #657: Writing Rad Security Documentation with Retype

    Jan 10, 2025 · 20:36


    Hello friends!  Today we're talking about a neat and quick-to-setup documentation service called Retype.  In a nutshell, you can get Retype installed on GitHub pages in about 5 minutes and be writing beautiful markdown pages (with built-in search) immediately.  I still absolutely love Docusaurus, but I think Retype definitely gives it a run for its money.

    7MS #656: How to Succeed in Business Without Really Crying - Part 21

    Jan 3, 2025 · 45:01


    Happy new year friends! Today we talk about business/personal resolutions, including:
    • New year's resolution on the 7MinSec biz side to have a better work/life balance
    • New training offering in the works
    • Considering Substack as a communications platform
    • A mental health booster that I came across mostly by accident

    7MS #655: Happy Hacking Holidays

    Dec 30, 2024 · 58:08


    Today we're doing a milkshake of several topics: wireless pentest pwnage, automating the boring pentest stuff with cursor.ai, and some closing business thoughts as 7MinSec celebrates its 7th year as a security consultancy. Links discussed today:
    • AWUS036ACH wifi card (not my favorite anymore)
    • Panda PAU09 N600 (love this one!)
    • The very important Github issue that helped me better understand BPFs and WPA3 attacks
    • TrustedSec article on WPA3 downgrade attacks

    7MS #654: Tales of Pentest Pwnage – Part 67

    Dec 13, 2024 · 41:50


    Today we've got some super cool stuff to cover today! First up, BPATTY v1.4 is out and has a slug of cool things:
    • A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng
    • Syntax on using two different tools to parse creds from Dehashed
    • An updated tutorial on using Gophish for phishing campaigns
    The cocoa-flavored cherry on top is a tale of pentest pwnage that includes:
    • Abusing SCCM
    • Finding gold in SQL configuration/security audits

    7MS #653: How to Succeed in Business Without Really Crying – Part 20

    Dec 6, 2024 · 49:59


    Hey friends, today we're talking about tips to effectively present your technical assessment to a variety of audiences – from lovely IT and security nerds to C-levels, the board and beyond!

    7MS #652: Securing Your Mental Health - Part 6

    Dec 2, 2024 · 41:52


    Today's episode talks about some things that helped me get through a stressful and hospital-visit-filled Thanksgiving week, including:
    • Journaling
    • Meditation
    • (An activity I'm ashamed of but has actually done wonders for my mental health)

    7MS #651: Tales of Pentest Pwnage – Part 66

    Nov 22, 2024 · 31:07


    Hey friends, we've got a short but sweet tale of pentest pwnage for you today. Key lessons learned:
    • Definitely consider BallisKit for your EDR-evasion needs
    • If you get local admin to a box, enumerate, enumerate, enumerate! There might be a delicious task or service set to run as a domain admin that can quickly escalate your privileges!

    7MS #650: Tales of Pentest Pwnage - Part 65

    Nov 15, 2024 · 53:40


    Oooooo, giggidy! Today is (once again) my favorite tale of pentest pwnage. I learned about a feature of PowerUpSQL that helped me find a “hidden” SQL account, and that account ended up being the key to the entire pentest! I wonder how many hidden SQL accounts I've missed on past pentests….SIGH! Check out the awesome BloodHound gang thread about this here. Also, can't get Rubeus monitor mode to capture TGTs to the registry? Try output to file instead: rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log In the tangent department, I talk about a personal music project I'm resurrecting to help my community.

    7MS #649: First Impressions of Twingate

    Nov 8, 2024 · 72:12


    Today we take a look at a zero-trust / ditch-your-VPN solution called Twingate (not a sponsor but we'd like them to be)!  It also doubles nicely as a primary or backup connection for your DIY pentest dropboxes which we've talked about quite a bit here.  In other news, we've moved from Teachable to Coursestack, so if you've bought training/ebooks with us before, you should've received some emails from us last Friday and can access our new training portal here.  (If you THINK you should've received enrollment emails from CourseStack and didn't, drop us a line here.) In the tangent portion of our program, I give a health update on my mom and dad, and talk about some resources I'm exploring to reduce stress and anxiety after what has been a tough week for many of us.

    7MS #648: First Impressions of Level.io

    Nov 1, 2024 · 40:17


    Hey friends, today I'm sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deployments, it has an attractive price point and their support is fantastic.

    7MS #647: How to Succeed in Business Without Really Crying – Part 19

    Oct 25, 2024 · 22:23


    Today we're talkin' business – specifically how to make your report delivery meetings calm, cool and collected (both for you and the client!).

    7MS #646: Baby's First Incident Response with Velociraptor

    Oct 18, 2024 · 16:15


    Hey friends, today I'm putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor, a very cool (and free!) tool to find evil in your environment.  Perhaps even better than the price tag, Velociraptor runs as a single binary you can deploy to spin up a server and then request endpoints to “phone home” to you by way of GPO scheduled task.  The things I talk about in this episode and show in the YouTube stream are all based off of this awesome presentation from Eric Capuano, who also was kind enough to publish a handout to accompany the presentation.  And on a personal note, I wanted to share that Velociraptor has got me interested in jumping face first into some tough APT labs provided by XINTRA.  More to come on XINTRA's offering, but so far I'm very impressed!

    7MS #645: How to Succeed in Business Without Really Crying - Part 18

    Oct 14, 2024 · 31:02


    Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some thoughts about the conference talk I gave called 7 Ways to Panic a Pentester.

    7MS #644: Tales of Pentest Pwnage – Part 64

    Oct 4, 2024 · 41:09


    Hey! I'm speaking in Wenatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester! Today's tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate! It also emphasizes that cracking NETLM/NETNTLMv1 isn't super easy to remember the steps for (at least for me) but this crack.sh article makes it a bit easier!

    7MS #643: DIY Pentest Dropbox Tips – Part 11

    Sep 27, 2024 · 26:40


    Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install a Ubuntu-based dropbox!  I also share some love for exegol as an all-in-one Active Directory pentesting platform.

    7MS #642: Interview with Ron Cole of Immersive Labs

    Sep 23, 2024 · 42:00


    Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your security skills! Here are the links Ron shared during our discussion: VetSec Fortinet Veterans Program Immersive Labs Cyber Million FedVTE

    7MS #641: DIY Pentest Dropbox Tips – Part 10

    Sep 13, 2024 · 27:42


    Today we're revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level.  Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition of Light Pentest LITE training!

    7MS #640: Tales of Pentest Pwnage – Part 63

    Sep 7, 2024 · 43:19


    This was my favorite pentest tale of pwnage to date! There's a lot to cover in this episode so I'm going to try and bullet out the TLDR version here:
    • Sprinkled farmer files around the environment
    • Found high-priv boxes with WebClient enabled
    • Added “ghost” machine to the Active Directory (we'll call it GHOSTY)
    • RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
    • Use net.py to add myself to local admin on the victim host
    • Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
    • Pulled the TGT from a host not protected with Credential Guard
    • Figured out the stolen user's account has some “write” privileges to a domain controller
    • Use rbcd.py to delegate from GHOSTY and to the domain controller
    • Request a TGT for GHOSTY
    • Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
    • Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group

    7MS #639: Tales of Pentest Pwnage - Part 62

    Sep 3, 2024 · 7:02


    Today's tale of pentest pwnage talks about the dark powers of the net.py script from impacket.

    7MS #638: Tales of Pentest Pwnage – Part 61

    Aug 23, 2024 · 32:44


    Today we're talking pentesting – specifically some mini gems that can help you escalate local/domain/SQL privileges:
    • Check the C: drive! If you get local admin and the system itself looks boring, check root of C – might have some interesting scripts or folders with tools that have creds in them.
    • Also look at Get-ScheduledTasks
    • Find ids and passwords easily in Snaffler output with this Snaffler cleaner script
    • There's a ton of gold to (potentially) be found in SQL servers – check out my notes on using PowerUpSQL to find misconfigs and agent jobs you might be able to abuse!

    7MS #637: BPATTY[RELOADED] Release Party

    Aug 17, 2024 · 7:01


    Hello friends, I'm excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks! – which stands for Brian's Pentesting and Technical Tips for You! It's a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an ACTUAL 7-minute episode (GASP…what a concept!) covering my favorite bits on the site so far. Enjoy!

    7MS #636: A Prelude to BPATTY(RELOADED)

    Aug 12, 2024 · 11:21


    Artificial hype alert!  I'm working on a NEW version of BPATTY (Brian's Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation.  It's weird.  But in the meantime I want to talk about the project (which is a pentest documentation library built on Docusaurus) and how I think it will be bigger/better/stronger/faster/cooler than BPATTY v1 (which is now in archive/read-only mode).
