7 Minute Security

Brian Johnson

  • 41 minutes 50 seconds
    7MS #654: Tales of Pentest Pwnage – Part 67

    Today we’ve got some super cool stuff to cover today!  First up, BPATTY v1.4 is out and has a slug of cool things:

    • A whole new section on old-school wifi tools like airmon-ng, aireplay-ng and airodump-ng
    • Syntax on using two different tools to parse creds from Dehashed
    • An updated tutorial on using Gophish for phishing campaigns

    The cocoa-flavored cherry on top is a tale of pentest pwnage that includes:

    • Abusing SCCM
    • Finding gold in SQL configuration/security audits
    13 December 2024, 5:44 pm
  • 49 minutes 59 seconds
    7MS #653: How to Succeed in Business Without Really Crying – Part 20

    Hey friends, today we’re talking about tips to effectively present your technical assessment to a variety of audiences – from lovely IT and security nerds to C-levels, the board and beyond!

    6 December 2024, 10:44 pm
  • 41 minutes 52 seconds
    7MS #652: Securing Your Mental Health - Part 6

    Today’s episode talks about some things that helped me get through a stressful and hospital-visit-filled Thanksgiving week, including:

    • Journaling
    • Meditation
    • (An activity I’m ashamed of but has actually done wonders for my mental health)
    2 December 2024, 8:09 pm
  • 31 minutes 7 seconds
    7MS #651: Tales of Pentest Pwnage – Part 66

    Hey friends, we’ve got a short but sweet tale of pentest pwnage for you today. Key lessons learned:

    • Definitely consider BallisKit for your EDR-evasion needs
    • If you get local admin to a box, enumerate, enumerate, enumerate!  There might be a delicious task or service set to run as a domain admin that can quickly escalate your privileges!
    22 November 2024, 8:33 pm
  • 53 minutes 40 seconds
    7MS #650: Tales of Pentest Pwnage - Part 65

    Oooooo, giggidy! Today is (once again) my favorite tale of pentest pwnage. I learned about a feature of PowerUpSQL that helped me find a “hidden” SQL account, and that account ended up being the key to the entire pentest!  I wonder how many hidden SQL accounts I’ve missed on past pentests….SIGH! Check out the awesome BloodHound gang thread about this here.

    Also, can’t get Rubeus monitor mode to capture TGTs to the registry?  Try output to file instead:

    rubeus monitor /interval:5 /nowrap /runfor:60 /consoleoutfile:c:\users\public\some-innocent-looking-file.log

    In the tangent department, I talk about a personal music project I’m resurrecting to help my community.

    15 November 2024, 5:45 pm
  • 1 hour 12 minutes
    7MS #649: First Impressions of Twingate

    Today we take a look at a zero-trust / ditch-your-VPN solution called Twingate (not a sponsor but we’d like them to be)!  It also doubles nicely as a primary or backup connection for your DIY pentest dropboxes which we’ve talked about quite a bit here.  In other news, we’ve moved from Teachable to Coursestack, so if you’ve bought training/ebooks with us before, you should’ve received some emails from us last Friday and can access our new training portal here.  (If you THINK you should’ve received enrollment emails from CourseStack and didn’t, drop us a line here.)

    In the tangent portion of our program, I give a health update on my mom and dad, and talk about some resources I’m exploring to reduce stress and anxiety after what has been a tough week for many of us.

    8 November 2024, 9:42 pm
  • 40 minutes 17 seconds
    7MS #648: First Impressions of Level.io

    Hey friends, today I’m sharing my first (and non-sponsored) impressions of Level.io, a cool tool for managing Windows, Mac and Linux endpoints. It fits a nice little niche in our pentest dropbox deployments, it has an attractive price point and their support is fantastic.

    1 November 2024, 8:37 pm
  • 22 minutes 23 seconds
    7MS #647: How to Succeed in Business Without Really Crying – Part 19

    Today we’re talkin’ business – specifically how to make your report delivery meetings calm, cool and collect (both for you and the client!).

    25 October 2024, 7:00 pm
  • 16 minutes 15 seconds
    7MS #646: Baby’s First Incident Response with Velociraptor

    Hey friends, today I’m putting my blue hat on and dipping my toes in incident response by way of playing with Velociraptor, a very cool (and free!) tool to find evil in your environment.  Perhaps even better than the price tag, Velociraptor runs as a single binary you can deploy to spin up a server and then request endpoints to “phone home” to you by way of GPO scheduled task.  The things I talk about in this episode and show in the YouTube stream are all based off of this awesome presentation from Eric Capuano, who also was kind enough to publish a handout to accompany the presentation.  And on a personal note, I wanted to share that Velociraptor has got me interested in jumping face first into some tough APT labs provided by XINTRA.  More to come on XINTRA’s offering, but so far I’m very impressed!

    18 October 2024, 12:07 pm
  • 31 minutes 2 seconds
    7MS #645: How to Succeed in Business Without Really Crying - Part 18

    Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some thoughts about the conference talk I gave called 7 Ways to Panic a Pentester.

    14 October 2024, 1:55 am
  • 41 minutes 9 seconds
    7MS #644: Tales of Pentest Pwnage – Part 64

    Hey!  I’m speaking in Wanatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester!  Today’s tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate!  It also emphases that cracking NETLM/NETNTLMv1 isn’t super easy to remember the steps for (at least for me) but this crack.sh article makes it a bit easier!

    4 October 2024, 2:35 pm
  • More Episodes? Get the App
© MoonFM 2024. All rights reserved.