7MS #705: A Phishing Campaign Fail Tale
This might be obvious, but security is not all domain admin dancing and maximum pwnage. Sometimes, despite my best efforts, a security project does a faceplant. Today's episode focuses on a phishing campaign that had plenty of "bites" but got immediately shut down – for reasons I still don't understand.
12 Dec 21min
7MS #704: DIY Pentest Dropbox Tips – Part 12
Hola friends! My week has very much been about trying to turnaround pentest dropboxes as quickly as possible. In that adventure, I came across two time-saving discoveries: Using a Proxmox LXC as a persistent remote access method Writing a Proxmox post-deployment script that installs Splashtop on the Windows VM, and resets the admin passwords on both VMs, all from the Proxmox SSH console without touching the console on either VM If you feel some of this is better seen than said, on this week's 7MinSec.club Tuesday TOOLSday broadcast we show this in more detail.
5 Dec 24min
7MS #703: Tales of Pentest Pwnage – Part 79
Happy Thanksgiving week friends! Today we're celebrating a turkey and pie overload by sharing another fun tale of pentest pwnage! It involves using pygpoabuse to hijack a GPO and turn it into our pentesting puppet! Muahahahahaah!!!! Also: This week over at 7MinSec.club we looked at how to defend against some common SQL attacks We're very close to offering our brand new LPLITE:GOAD 3-day pentest course (likely in mid-January). It will get announced on 7MinSec.club first, so please make sure you're subscribed there (it's free!) Did you miss our talk called Should You Hire AI Run Your Next Pentest? Check it out on YouTube!
28 Nov 22min
7MS #702: Should You Hire AI to Run Your Next Pentest?
Hello friends, in today's episode I give an audio summary of a talk I gave this week at the MN GOVIT Symposium called "Should You Hire AI to Run Your Next Pentest?" It's not a pro-AI celebration, nor is it an anti-AI bashing. Rather, the talk focuses on my experiences using both free and paid AI services to guide me through an Active Directory penetration test.
21 Nov 21min
7MS #701: What I'm Working on This Week – Part 5
Hello friends! This week I'm talking about what I'm working on this week, including: Preparing a talk called Should You Hire AI to Run Your Next Pentest for the Minnesota GOVIT Symposium. Playing with Lithnet AD password protection (I will show this live on next week's Tuesday TOOLSday). The Light Pentest logo contest has a winner!
14 Nov 18min
7MS #700: Pretender
Today is episode 700 of the 7MinSec podcast! Oh my gosh. My mom didn't think we could do it, but we did. Instead of a big blowout with huge news, giveaways and special guests, today is a pretty standard issue episode with a (nearly) 7-minute run time! The topic of today's episode is Pretender (which you can download here and read a lot more about here). The tool authors explain the motivation behind the tool: "We designed pretender with the single purpose to obtain machine-in-the-middle positions combining the techniques of mitm6 and only the name resolution spoofing portion of Responder." On a recent pentest, I used Pretender's "dry run" mode to find a hostname (that didn't exist) that a ton of machines were querying for, and poisoned requests just for that host. This type of targeted poisoning snagged me some helpful hashes that I was able to crack/relay, all while minimizing the risk of broader network disruption!
7 Nov 8min
7MS #699: Pre-Travel Security Tips
Today we discuss some pre-travel tips you can use before hopping on a plane to start a work/personal adventure. Tips include: Updating the family DR/BCP plan Lightening your purse/wallet Validating/testing backups and restores Ensuring your auto coverage is up to snuff
31 Okt 30min
7MS #698: Baby's First ProjectDiscovery
Today I give a quick review of the cloud version of ProjectDiscovery (not a sponsor!).
24 Okt 24min
