7MS #426: Tales of Internal Pentest Pwnage - Part 19
7 Minute Security7 Aug 2020

7MS #426: Tales of Internal Pentest Pwnage - Part 19

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

First and foremost, I have to say that 7 Minute Security's official stance on toads is that nobody should be licking them at any time, for any reason. Also, I can neither confirm nor deny that toads can catch coronavirus. Listen to today's episode...it'll make more sense.

We've got another swell tale of internal pentest pwnage for you today! Highlights include:

  • If you've collected a ton of hashes with Responder, the included DumpHash.py gives you a lovely organized list of collected hashes!

  • Here's one way you can grab the latest CME binary:

curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip -L -o cme.zip

Note to self: I must've been using outdated CME forever, because the correct syntax to get the wdigest flag is now a little different:

cme smb HOST -u localadmin -H "hash" --local-auth -M wdigest -o ACTION=enable

  • If you're looking to block IPv6 (ab)use in your environment, this article has some great tips.

  • When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team

  • Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords.

  • A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to.

  • I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more!

  • Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.

Episoder(696)

7MS #617: Tales of Pentest Pwnage – Part 55

7MS #617: Tales of Pentest Pwnage – Part 55

Hey friends, today we’ve got a tale of pentest pwnage that covers: Passwords – make sure to look for patterns such as keyboard walks, as well as people who are picking passwords where the month the password changed is part of the password (say that five times fast)! Making sure you go after cached credentials Attacking SCCM – Misconfiguration Manager is an absolute gem to read, and The First Cred is the Deepest – Part 2 with Gabriel Prud’homme is an absolute gem to see.  Also, check out sccmhunter for all your SCCM pwnage needs.

29 Mar 202436min

7MS #616: Interview with Andrew Morris of GreyNoise

7MS #616: Interview with Andrew Morris of GreyNoise

Hey friends, today we have a super fun interview with Andrew Morris of GreyNoise to share.  Andrew chatted with us about: Young Andrew’s early adventures in hacking his school’s infrastructure (note: don’t try this at home, kids!) Meeting a pentester for the first time, and getting his first pentesting job Spinning up a box on the internet, having it get popped instantly, and wondering…”Are all these people trying to hack me?” Battling through a pentester’s least favorite part of the job: THE REPORT! GreyNoise’s origin story How to build a better honeypot/honeynet

22 Mar 202459min

7MS #615: Tales of Pentest Pwnage – Part 54

7MS #615: Tales of Pentest Pwnage – Part 54

Hey friends, sorry I’m so late with this (er, last) week’s episode but I’m back!  Today is more of a prep for tales of pentest pwnage, but topics covered include: Make sure when you’re snafflin‘ that you check for encrypted/obfuscated logins and login strings – it might not be too tough to decrypt them! On the defensive side, I’ve found myself getting *blocked* doing things like SharpHound runs, Snaffler, PowerHuntShares, etc.  Look through the readme files for these tools and try cranking down the intensity/threads of these tools and you might fly under the radar.

19 Mar 202421min

7MS #614: How to Succeed in Business Without Really Crying - Part 16

7MS #614: How to Succeed in Business Without Really Crying - Part 16

How much fun I had attending and speaking at Netwrix Connect Being a sales guy in conference situations without being an annoying sales guy in conference situations A recap of the talk I co-presented about high profile breaches and lessons we can learn from them

8 Mar 202436min

7MS #613: Tales of Pentest Pwnage – Part 53

7MS #613: Tales of Pentest Pwnage – Part 53

Today’s tale of pentest covers: Farming for credentials (don’t forget to understand trusted zones to make this happen properly!) Snaffling for juice file shares Stealing Kerberos tickets with Rubeus

1 Mar 202433min

7MS #612: Pentestatonix - Part 2

7MS #612: Pentestatonix - Part 2

Hello friends, we’re still deep in the podcast trenches this quarter and wanted to share some nuggets of cool stuff we’ve been learning along the way: Snaffler – pairs nicely with PowerHuntShares to find juicy tidbits within file/folder shares Group3r – helps you find interesting and potentially abusable Group Policy Object configurations Farmer – totally awesome toolkit for dropping tricky files on shares that will do things like fire up the Webclient service for any system browsing the share (doesn’t require admin rights!) or coaxing a system into authenticating with you via HTTP or SMB

25 Feb 202432min

7MS #611: Pentestatonix

7MS #611: Pentestatonix

Hey friends, sorry for the late episode but I've been deep in the trenches of pentest adventures.  I'll do a more formal tale of pentest pwnage when I come up for air, but for now I wanted to share some tips I've picked up from recent engagements: GraphRunner - awesome PowerShell toolkit for interacting with Microsoft Graph API.  From a pentesting perspective, it may help you bridge the "gap" between LAN-side AD and Azure and find some goodies - like files with and XSLX extension containing the word password. PowerUpSQL -I typically use this to make SQL servers cough me up a hash via SMB using stored procedures, but I learned this week that I'll deeeefffffinitely use the Invoke-SQLAudit -Verbose functionality going forward.

19 Feb 202434min

7MS #610: DIY Pentest Dropbox Tips – Part 9

7MS #610: DIY Pentest Dropbox Tips – Part 9

Hey friends, today we cover a funstrating (that's fun + frustrating) issue we had with our DIY pentest dropboxes. TLDL:   The preseed file got jacked because I had a bad Kali metapackage in it. While I was tinkering around with preseed files, I decided it would be more efficient to have the Kali ISO call that preseed file directly over HTTP (rather than make a new ISO every time I made a preseed change).  To accomplish that: Mount the Kali ISO Explore to isolinux > txt.cfg Modify the txt.cfg to include a custom boot option that calls your preseed over HTTP.  For example: label install menu label ^Install Yermaum kernel /install.amd/vmlinuz append net.ifnames=0 preseed/url=https://somewebsite/kali.preseed locale=en_US keymap=us hostname=kali777 domain=7min.sec simple-cdd/profiles=kali desktop=xfce vga=788 initrd=/install.amd/initrd.gz --- quiet

9 Feb 202420min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
forklart
popradet
aftenpodden-usa
stopp-verden
fotballpodden-2
nokon-ma-ga
dine-penger-pengeradet
det-store-bildet
frokostshowet-pa-p5
rss-ness
rss-penger-polser-og-politikk
aftenbla-bla
e24-podden
bt-dokumentar-2
rss-gukild-johaug
unitedno
rss-dannet-uten-piano
rss-borsmorgen-okonominyhetene