7 Minute Security

This might be obvious, but security is not all domain admin dancing and maximum pwnage. Sometimes, despite my best efforts, a security project does a faceplant. Today's episode focuses on a phishing campaign that had plenty of "bites" but got immediately shut down – for reasons I still don't understand.

Hola friends!  My week has very much been about trying to turnaround pentest dropboxes as quickly as possible.  In that adventure, I came across two time-saving discoveries:

If you feel some of this is better seen than said, on this week's 7MinSec.club Tuesday TOOLSday broadcast we show this in more detail.

Happy Thanksgiving week friends! Today we're celebrating a turkey and pie overload by sharing another fun tale of pentest pwnage! It involves using pygpoabuse to hijack a GPO and turn it into our pentesting puppet!  Muahahahahaah!!!!  Also:

Hello friends, in today's episode I give an audio summary of a talk I gave this week at the MN GOVIT Symposium called "Should You Hire AI to Run Your Next Pentest?"  It's not a pro-AI celebration, nor is it an anti-AI bashing.  Rather, the talk focuses on my experiences using both free and paid AI services to guide me through an Active Directory penetration test.

Hello friends!  This week I'm talking about what I'm working on this week, including:

Today is episode 700 of the 7MinSec podcast! Oh my gosh. My mom didn't think we could do it, but we did. Instead of a big blowout with huge news, giveaways and special guests, today is a pretty standard issue episode with a (nearly) 7-minute run time!

The topic of today's episode is Pretender (which you can download here and read a lot more about here).  The tool authors explain the motivation behind the tool: "We designed pretender with the single purpose to obtain machine-in-the-middle positions combining the techniques of mitm6 and only the name resolution spoofing portion of Respo...

Today we discuss some pre-travel tips you can use before hopping on a plane to start a work/personal adventure. Tips include:

Today I give a quick review of the cloud version of ProjectDiscovery (not a sponsor!).

Today your pal and mine Joe "The Machine" Skeen pwn one of the two Ninja Hacker Academy domains!  This pwnage included:

We didn't get the second domain pwned, and so I was originally thinking about doing a part 5 in November, but changed my mind.  Going forward, I'm thinking about doing longer, all-in-one hacking livestreams where we cover things like NHA from start to finish.  My first thought would be to do one long livestream where we complete NHA sta...

In today's episode:

Today's tale of pentest pwnage involves:

Don't forget to check out our weekly Tuesday TOOLSday – live every Tuesday at 10 a.m. over at 7MinSec.club!

Hey friends, today I talk about how fun it was two combine two cool pentest tactics, put them in a blender, and move from local admin to mid-tier system admin access (with full control over hundreds of systems)! The Tuesday TOOLSday video we did over at 7minsec.club will help bring this to life as well.

This week your pal and mine Joe "The Machine" Skeen kept picking away at pwning Ninja Hacker Academy.  To review where we've been in parts 1 and 2:

Today we:

Happy Friday! Today's another hot pile of pentest pwnage. To make it easy on myself I'm going to share the whole narrative that I wrote up for someone else:

I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/.

I relayed the DA account to a SQL box that B...

Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode:

Today's tale of pentest pwnage is a classic case of "If your head is buried in the pentest sand, pop it out for a while, touch grass, and re-enumerate what you've already enumerated, because that can lead to absolute GOLD!"

Hello friends!  Today your friend and mine, Joe "The Machine" Skeen joins me as we keep chipping away at pwning Ninja Hacker Academy!  Today's pwnage includes:

Today I talk about a subject I love while also driving me crazy at the same time: building a pentest training course! Specifically, I dissect a fun/frustrating GPO attack that I need to build very carefully so that every student can pwn it while also not breaking the domain for everybody else. I also talk about how three different flavors of AI failed me in solving a simple task.

Hi friends, we're doing something today we haven't done in a hot minute: take a dip into the 7MinSec mail bag! Today we cover these questions:

Oh man, I'm so excited I can hardly sleep. Our new three-day (4 hours per day) training is getting closer to general release. I talk about the good/bad/ugly of putting together an attack-sensitive lab that students can abuse (but hopefully not break!), and the technical/curriculum-writing challenges that go along with it.

Today's kind of a "story time with your friend Brian" episode: a tale of how my neighbor almost got scammed out of $13k.  The story has a lot of red flags we can all keep in mind to keep ourselves (as well as kids/friends/parents/etc.) safer from these types of shenanigans.

Hey friends, today we start pwning Ninja Hacker Academy – cool CTF-style lab that has you start with no cred and try to conquer domain admin on two domains!

This week I'm working on a mixed bag of fun security and marketing things:

Today's episode is a downer! We talk about things you might want to have buttoned up for when you are eventually not alive anymore:

I also talk about how my dad broke his ribs while trying to break a chimpmunk, and how a freak 4-wheeler accident also had my ribs in agony.

Today Joe "The Machine" Skeen and I pwn the third and final realm in the world of GOAD (Game of Active Directory): essos.local!  The way we go about it is to do a WinRM connection to our previously-pwned Kingslanding domain, coerce authentication out of MEEREEN (the DC for essos.local) and then capture/abuse the TGT with Rubeus!  Enjoy.

Today I share some tips on creating a better purple team experience for your customers, including:

In today's tale of pentest pwnage I talk about a cool ADCS ESC3 attack – which I also did live on this week's Tuesday TOOLSday.  I also talk about Exegol's licensing plans (and how it might break your pentest deployments if you use ProxmoxRox).

Today I share some tips on presenting a wide variety of content to a wide variety of audiences, including:

Hi everybody. Today I take it easy (because my brain is friend from the short week) to tell you about the time I think my HP laptop was compromised at the factory!

Today's fun tale of pentest pwnage discuss an attack path that would, in my opinion, probably be impossible to detect…until it's too late.

Hey friends! Today Joe "The Machine" Skeen and I tackled GOAD (Game of Active Directory) again – this time covering:

Join us next month when we aim to overtake essos.local, which will make us rulers over all realms!

Today's tale of pentest pwnage is another great one!  We talk about:

Today we're excited to release ProxmoxRox – a repo of info and scripts to help you quickly spin up Ubuntu and Windows VMs.  Also, some important news items:

Today's a fun tale of pentest pwnage where we leveraged a WinRM service ticket in combination with the shadow credentials attack, then connected to an important system using evil-winrm and make our getaway with some privileged Kerberos TGTs!  I also share an (intentionally) vague story about a personal struggle I could use your thoughts/prayers/vibes with.

Hello! This week Joe "The Machine" Skeen and I kicked off a series all about pentesting GOAD (Game of Active Directory).  In part one we covered:

Hi friends, today I'm kicking off a series talking about the good/bad/ugly of hosting security services. Today I talk specifically about transfer.zip. By self-hosting your own instance of transfer.zip, you can send and receive HUGE files that are end-to-end encrypted using WebRTC.  Sweet!  I also supplemented today's episode with a short live video over at 7MinSec.club.

Hi friends, in this edition of what I'm working on this week:

Hola friends! Today's tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things:

Hey friends, our good buddy Joe "The Machine" Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again!  Spoiler alert: this time we get DA!  YAY!

Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life):

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff!

Hello there friends, I'm doing another "what I'm working on this week" episode which includes:

In today's episode I talk about what I'm working on this week, including:

Today we live-hack an SCCM server via GOAD SCCM using some attack guidance from Misconfiguration Manager!  Attacks include:

Hi friends, today we're talking about pentesting potatoes (not really, but this episode is sort of a homage to episode 333 where I went to Boise to do a controls assessment and ended up doing an impromptu physical pentest and social engineer exercise).  I talk about what a blast I'm having hunting APTs in XINTRA LABS, and two cool tools I'm building with the help of Cursor:

Today we continue our journey from last week where we spun up a Hetzner cloud server and Ludus.cloud SCCM pentesting range!  Topics include:

I had an absolute ball this week spinning up my first Hetzner server, though it was not without some drama (firewall config frustrations and failing hard drives).  Once I got past that, though, I got my first taste of the amazing world of Ludus.cloud, where I spun up a vulnerable Microsoft SCCM lab and have started to pwn it.  Can't say enough good things about Ludus.cloud, but I certainly tried in this episode!

Today I'm excited about some tools/automation I've been working on to help shore up the 7MinSec security program, including:

Hey friends, today we cover:

Hello friends!  Today we're talking about a neat and quick-to-setup documentation service called Retype.  In a nutshell, you can get Retype installed on GitHub pages in about 5 minutes and be writing beautiful markdown pages (with built-in search) immediately.  I still absolutely love Docusaurus, but I think Retype definitely gives it a run for its money.

Happy new year friends! Today we talk about business/personal resolutions, including:

Today we're doing a milkshake of several topics: wireless pentest pwnage, automating the boring pentest stuff with cursor.ai, and some closing business thoughts at 7MinSec celebrates its 7th year as a security consultancy.  Links discussed today:

Today we've got some super cool stuff to cover today!  First up, BPATTY v1.4 is out and has a slug of cool things:

The cocoa-flavored cherry on top is a tale of pentest pwnage that includes:

Hey friends, today we're talking about tips to effectively present your technical assessment to a variety of audiences – from lovely IT and security nerds to C-levels, the board and beyond!

Today's episode talks about some things that helped me get through a stressful and hospital-visit-filled Thanksgiving week, including:

Hey friends, we've got a short but sweet tale of pentest pwnage for you today. Key lessons learned:

Oooooo, giggidy! Today is (once again) my favorite tale of pentest pwnage. I learned about a feature of PowerUpSQL that helped me find a "hidden" SQL account, and that account ended up being the key to the entire pentest!  I wonder how many hidden SQL accounts I've missed on past pentests….SIGH! Check out the awesome BloodHound gang thread about this here.

Also, can't get Rubeus monitor mode to capture TGTs to the registry?  Try output to file instead:

rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log

In the tangent department...

Today we take a look at a zero-trust / ditch-your-VPN solution called Twingate (not a sponsor but we'd like them to be)!  It also doubles nicely as a primary or backup connection for your DIY pentest dropboxes which we've talked about quite a bit here.  In other news, we've moved from Teachable to Coursestack, so if you've bought training/ebooks with us before, you should've received some emails from us last Friday and can access our new training portal here.  (If you THINK you should've received enrollment emails from CourseStack and didn't, drop us a line here.)

In the tang...

Hey friends, today I'm sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deployments, it has an attractive price point and their support is fantastic.

Today we're talkin' business – specifically how to make your report delivery meetings calm, cool and collect (both for you and the client!).

Hey friends, today I'm putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor, a very cool (and free!) tool to find evil in your environment.  Perhaps even better than the price tag, Velociraptor runs as a single binary you can deploy to spin up a server and then request endpoints to "phone home" to you by way of GPO scheduled task.  The things I talk about in this episode and show in the YouTube stream are all based off of this awesome presentation from Eric Capuano, who also was kind enou...

Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some thoughts about the conference talk I gave called 7 Ways to Panic a Pentester.

Hey!  I'm speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester!  Today's tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate!  It also emphases that cracking NETLM/NETNTLMv1 isn't super easy to remember the steps for (at least for me) but this crack.sh article makes it a bit easier!

Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install a Ubuntu-based dropbox!  I also share some love for exegol as an all-in-one Active Directory pentesting platform.

Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your security skills! Here are the links Ron shared during our discussion:

Today we're revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level.  Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition of Light Pentest LITE training!

This was my favorite pentest tale of pwnage to date!  There's a lot to cover in this episode so I'm going to try and bullet out the TLDR version here:

Today's tale of pentest pwnage talks about the dark powers of the net.py script from impacket.

Today we're talking pentesting – specifically some mini gems that can help you escalate local/domain/SQL privileges:

Hello friends, I'm excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks! – which stands for Brian's Pentesting and Technical Tips for You! It's a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an ACTUAL 7-minute episode (GASP…what a concept!) covering my favorite bits on the site so far. Enjoy!

Artificial hype alert!  I'm working on a NEW version of BPATTY (Brian's Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation.  It's weird.  But in the meantime I want to talk about the project (which is a pentest documentation library built on Docusaurus) and how I think it will be bigger/better/stronger/faster/cooler than BPATTY v1 (which is now in archive/read-only mode).

Today we're talking about eating the security dog food – specifically:

Hi, today's tale of pentest pwnage covers a few wins and one loss:

Hey friends, we're doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus!  It's cool, it's free, it's from Meta and you can get up and going in just a few commands – check out their getting started guide to get rockin' in about 5 minutes. Important files include:

Today's tale of pentest pwnage includes some fun stuff, including:

Hi friends, today's a tale full of test tips and tools to help you in your adventures in pentesting!

Today I recap a two week persona/biz road trip and talk about the security stuff that got sprinkled into it, including:

Today we have a fun featured interview with my new friend Stu Musil of Ambient Consulting I had a great time talking with Stu about bashing come common misconceptions people have about working with recruiters, plus tackling some frequently asked questions:

Hey friends, today we talk about some not-so-glamorous but ever-so-important stuff related to running a cybersecurity consultancy, including:

Hey friends, today we continue our series all about migrating from VMWare to the world Proxmox!  Specifically:

Hey friends, today we've got a security milkshake episode about Web app pentesting. Specifically we talk about:

In the tangent dept, I moan about how I hate some things about Proxmox but am also starting to love it.

In the tangent #2 department, I talk about tinnitus and ac

Road trip time! I've been traveling this week doing some fun security projects, and thought all this highway time would be a perfect opportunity to take a dip into the 7MS mail bag!  Today's questions include:

Today's tale of pentest pwnage is all about my new favorite attack called SPN-less RBCD. We did a teaser episode last week that actually ended up being a full episode all about the attack, and even step by step commands to pull it off.  But I didn't want today's episode to just be "Hey friends, check out the YouTube version of this attack!" so I also cover:

Today's prelude to a tale of pentest pwnage talks about something called "spnless RBCD" (resource-based constrained delegation).  The show notes don't format well here in the podcast notes, so head to 7minsec.com to see the notes in all their glory.

Sadly, the Broadcom acquisition of VMWare has hit 7MinSec hard – we love running ESXi on our NUCs, but ESXi free is no longer available.  To add insult to injury, our vCenter lab at OVHcloud HQ got a huge price gouge (due to license cost increase; not OVH's fault).  Now we're exploring Proxmox as an alternative hypervisor, so we're using today's episode to kick off a series about the joys and pains of this migration process.

Today we revisit a series about eating the security dog food – in other words, practicing what we preach as security gurus!  Specifically we talk about:

Today we're talking about tips to deal with stress and anxiety:

We did something crazy today and recorded an episode that was 7 minutes long!  Today we talk about some things that have helped us out in recent pentests:

Today's episode is all about writing reports in Sysreptor.  It's awesome!  Main takeaways:

Hey friends, today we've got a tale of pentest pwnage that covers:

Hey friends, today we have a super fun interview with Andrew Morris of GreyNoise to share.  Andrew chatted with us about:

Hey friends, sorry I'm so late with this (er, last) week's episode but I'm back!  Today is more of a prep for tales of pentest pwnage, but topics covered include:

How much fun I had attending and speaking at Netwrix Connect Being a sales guy in conference situations without being an annoying sales guy in conference situations A recap of the talk I co-presented about high profile breaches and lessons we can learn from them

Today's tale of pentest covers:

Hello friends, we're still deep in the podcast trenches this quarter and wanted to share some nuggets of cool stuff we've been learning along the way:

Hey friends, sorry for the late episode but I've been deep in the trenches of pentest adventures.  I'll do a more formal tale of pentest pwnage when I come up for air, but for now I wanted to share some tips I've picked up from recent engagements:

Hey friends, today we cover a funstrating (that's fun + frustrating) issue we had with our DIY pentest dropboxes. TLDL:

Hey friends, today is a first impressions episode about Sysreptor, which according to their GitHub page, is a fully customisable, offensive security reporting solution designed for pentesters, red teamers and other security-related people alike.  It is easy to stand up with Docker, has built-in MFA and a great hybrid WYSIWYG/code editor.  The only scary part?  There is no export to Word (insert suspenseful music here!) - your reports just go right to PDF, friends!  The killer feature for us, though, is the ability to create reports from the command line and send files, notes and findings to Sysreptor auto...

Hey friends, today our pal Hackernovice joins us for a tool (actually two tools!) release party:

Today we talk about some business-y things like:

A pre first impressions opinion on Sysreptor

Why I'm not worried about AI replacing manual pentesting (yet)

My struggle with going "full CEO" vs. staying in the weeds and working on hands-on security projects

Today our pals Bjorn Kimminich from OWASP and Paul from Project7 and TheUnstoppables.ai join us as we kick off a series all about hacking the OWASP Juice Shop, which is "probably the most modern and sophisticated insecure web application!" We got a few wins on the Juice Shop score board today: