7 Minute Security

Today we revisit a series about eating the security dog food – in other words, practicing what we preach as security gurus!  Specifically we talk about: We’re going to get a third-party assessment on 7MinSec (the business) Tips for secure email backup/storage Limiting the retention of sensitive data you store in cloud places

Today we’re talking about tips to deal with stress and anxiety: It sounds basic, but take breaks – and take them in a different place (don’t just stay in the office and do more screen/doom-scrolling) I’ve never gotten to a place in my workload where I go “Ahhh, all caught up!” so I should stop striving to hit that invisible goal. Chiropractic and back massages have done wonders for the tightness in my neck and shoulders For me, video games where you punch and kick things relieves stress as well (including a specific game that’s definitely not for kids!)

We did something crazy today and recorded an episode that was 7 minutes long!  Today we talk about some things that have helped us out in recent pentests: When using Farmer to create “trap” files that coerce authentication, I’ve found way better results using Windows Search Connectors (.searchConnector-ms) files This matrix of “can I relay this to that” has been super helpful, especially early in engagements

Today’s episode is all about writing reports in Sysreptor.  It’s awesome!  Main takeaways: The price is free (they have a paid version as well)! You can send findings and artifacts directly to the report server using the reptor Python module Warning: Sysreptor only exports to PDF (no Word version option!) Sysreptor has helped us write reports faster without sacrificing quality

Hey friends, today we’ve got a tale of pentest pwnage that covers: Passwords – make sure to look for patterns such as keyboard walks, as well as people who are picking passwords where the month the password changed is part of the password (say that five times fast)! Making sure you go after cached credentials Attacking SCCM – Misconfiguration Manager is an absolute gem to read, and The First Cred is the Deepest – Part 2 with Gabriel Prud’homme is an absolute gem to see.  Also, check out sccmhunter for all your SCCM pwnage needs.

Hey friends, today we have a super fun interview with Andrew Morris of GreyNoise to share.  Andrew chatted with us about: Young Andrew’s early adventures in hacking his school’s infrastructure (note: don’t try this at home, kids!) Meeting a pentester for the first time, and getting his first pentesting job Spinning up a box on the internet, having it get popped instantly, and wondering…”Are all these people trying to hack me?” Battling through a pentester’s least favorite part of the job: THE REPORT! GreyNoise’s origin story How to build a better honeypot/honeynet

Hey friends, sorry I’m so late with this (er, last) week’s episode but I’m back!  Today is more of a prep for tales of pentest pwnage, but topics covered include: Make sure when you’re snafflin‘ that you check for encrypted/obfuscated logins and login strings – it might not be too tough to decrypt them! On the defensive side, I’ve found myself getting *blocked* doing things like SharpHound runs, Snaffler, PowerHuntShares, etc.  Look through the readme files for these tools and try cranking down the intensity/threads of these tools and you might fly under the radar.

How much fun I had attending and speaking at Netwrix Connect Being a sales guy in conference situations without being an annoying sales guy in conference situations A recap of the talk I co-presented about high profile breaches and lessons we can learn from them

Today’s tale of pentest covers: Farming for credentials (don’t forget to understand trusted zones to make this happen properly!) Snaffling for juice file shares Stealing Kerberos tickets with Rubeus

Hello friends, we’re still deep in the podcast trenches this quarter and wanted to share some nuggets of cool stuff we’ve been learning along the way: Snaffler – pairs nicely with PowerHuntShares to find juicy tidbits within file/folder shares Group3r – helps you find interesting and potentially abusable Group Policy Object configurations Farmer – totally awesome toolkit for dropping tricky files on shares that will do things like fire up the Webclient service for any system browsing the share (doesn’t require admin rights!) or coaxing a system into authenticating with you via HTTP or SMB

Hey friends, sorry for the late episode but I've been deep in the trenches of pentest adventures.  I'll do a more formal tale of pentest pwnage when I come up for air, but for now I wanted to share some tips I've picked up from recent engagements: GraphRunner - awesome PowerShell toolkit for interacting with Microsoft Graph API.  From a pentesting perspective, it may help you bridge the "gap" between LAN-side AD and Azure and find some goodies - like files with and XSLX extension containing the word password. PowerUpSQL -I typically use this to make SQL servers cough me up a hash via SMB using stored procedures, but I learned this week that I'll deeeefffffinitely use the Invoke-SQLAudit -Verbose functionality going forward.

Hey friends, today we cover a funstrating (that's fun + frustrating) issue we had with our DIY pentest dropboxes. TLDL:   The preseed file got jacked because I had a bad Kali metapackage in it. While I was tinkering around with preseed files, I decided it would be more efficient to have the Kali ISO call that preseed file directly over HTTP (rather than make a new ISO every time I made a preseed change).  To accomplish that: Mount the Kali ISO Explore to isolinux > txt.cfg Modify the txt.cfg to include a custom boot option that calls your preseed over HTTP.  For example: label install menu label ^Install Yermaum kernel /install.amd/vmlinuz append net.ifnames=0 preseed/url=https://somewebsite/kali.preseed locale=en_US keymap=us hostname=kali777 domain=7min.sec simple-cdd/profiles=kali desktop=xfce vga=788 initrd=/install.amd/initrd.gz --- quiet

Hey friends, today is a first impressions episode about Sysreptor, which according to their GitHub page, is a fully customisable, offensive security reporting solution designed for pentesters, red teamers and other security-related people alike.  It is easy to stand up with Docker, has built-in MFA and a great hybrid WYSIWYG/code editor.  The only scary part?  There is no export to Word (insert suspenseful music here!) - your reports just go right to PDF, friends!  The killer feature for us, though, is the ability to create reports from the command line and send files, notes and findings to Sysreptor automagically!

Hey friends, today our pal Hackernovice joins us for a tool (actually two tools!) release party: EvilFortiAuthenticator - it's like a regular FortiAuthenticator, but evil.  This tool allows you to capture the FortiAuthenticator API and subsequently steal the entire device's config, subsequently allowing you to restore the config to a second server and potentially steal cleartext Active Directory creds and SMTP accounts!  We talk about BulletsPassView - a tool that originially allowed us to simply unmask the "hidden" API key in the FortiAuthenticator client (this did NOT work in the latest version of FAC). Once you get the API key, check out Fortinet's documentation to do fun things like dump the whole config to a file on disk! After you steal the config and restore it to a fresh FortiAuthenticator, use maintenance mode to reset the admin password. Once you can adjust the restored config to your liking, try using MITMsmtp to capture email server creds in the clear! TCMLobbyBBQ - this tool has nothing to do with security, but helps PC players of the Texas Chain Saw Massacre get into lobbies more efficiently.

Today we talk about some business-y things like: A pre first impressions opinion on Sysreptor Why I'm not worried about AI replacing manual pentesting (yet) My struggle with going "full CEO" vs. staying in the weeds and working on hands-on security projects

Today our pals Bjorn Kimminich from OWASP and Paul from Project7 and TheUnstoppables.ai join us as we kick off a series all about hacking the OWASP Juice Shop, which is "probably the most modern and sophisticated insecure web application!" We got a few wins on the Juice Shop score board today: Found the score board Bullied the chatbot Fired a DOM XSS Located a confidential document Gave the Juice Shop a devastating zero stars review Fired a DOM XSS which played the OWASP Juice Shop Jingle

Today our friend Amanda Berlin, Lead Incident Detection Engineer at Blumira, joins us to talk about being more mentally healthy in 2024! P.S. - did you miss Amanda's past visits to the program? Then check out episode 518, 536 and 588. Be sure to check out the next edition of Amanda's Defensive Security Handbook when it comes out in later January, 2024!

Today we tease two upcoming tool releases (shooting for Q1, 2024): TCMLobbyBBQ - a Python script for PC players of The Texas Chain Saw Massacre game to help players get out of lobbies and into live games ASAP! The script uses PyAutoGUI to take screenshots of what part of the game you're in, then make appropriate key presses and mouse clicks to get into lobby queues, then alert you when the game actually starts! EvilFortiAuthenticator - this tool will allow you to steal administrator API tokens from FortiAuthenticator which can lead to full compromise of the physical device. Happy new year!

Today I look at potentially replacing Splashtop and UptimeRobot (check out our episode about it here) with Tailscale and Uptime Kuma. The missing link (which I'd love some help with) is answering this security question: how can I setup Tailscale so that my 7MinSec testing box can connect to all these NUCs spread around the globe, but those NUCs cannot connect to each other (in case one is compromised)? Got some ideas? Let me know please!

Today we're talkin' business! Specifically: How to (gently) say "no" to (some) client projects How to (politely) challenge end-of-year deadlines An idea I'm kicking around in the lab - where I might do away with UptimeRobot and Splashtop in favor of Tailscale and Uptime Kuma