7 Minute Security

Today’s a fun tale of pentest pwnage where we leveraged a WinRM service ticket in combination with the shadow credentials attack, then connected to an important system using  and make our getaway with some privileged Kerberos TGTs!  I also share an (intentionally) vague story about a personal struggle I could use your thoughts/prayers/vibes with.

7 Minute Security

Hello! This week Joe “The Machine” Skeen and I kicked off a series all about pentesting .  In part one we covered: Checking for null session enumeration on domain controllers Enumerating systems with and without SMB signing Scraping AD user account descriptions Capturing hashes using Responder Cracking hashes with Hashcat

7 Minute Security

Hi friends, today I’m kicking off a series talking about the good/bad/ugly of hosting security services. Today I talk specifically about . By self-hosting your own instance of transfer.zip, you can send and receive HUGE files that are end-to-end encrypted using WebRTC.  Sweet!  I also supplemented today’s episode with a short live video over at .

7 Minute Security

Hi friends, in this edition of what I’m working on this week: 3 pulse-pounding pentests that had…problems Something I’m calling the unshadow/reshadow credentials attack Heads-up on a new video experiment I’m going to try next week

7 Minute Security

Hola friends! Today’s tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things:  – for all your ADSync account dumping needs! Adam Chester  to dump MSOL service account  (part of Impacket) to give myself full write privileges on the MSOL sync account: dacledit.py -action ‘write’ -rights ‘FullControl’ -principal lowpriv -target MSOL-SYNC-ACCOUNT -dc-ip 1.2.3.4 domain.com/EXCHANGEBOX$ -k -no-pass Looking to tighten up your Exchange permissions – check out this 

7 Minute Security

Hey friends, our good buddy Joe “The Machine” Skeen and I are back this week with part 2 (check out !) tackling  again!  Spoiler alert: this time we get DA!  YAY! Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life):  – tremendous resource for enumerating/attacking/privesc-ing within SCCM will help you decrypt SCCM creds stored in SQL

7 Minute Security

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff! Selective Snaffling with  The importance of having plenty of dropbox disk space – for redundant remote connectivity and PXE abuse! TGTs can be fun for SMB riffling, targeted Snaffling, netexec-ing and ing!

7 Minute Security

Hello there friends, I’m doing another “what I’m working on this week” episode which includes: BPATTY v1.6 release – big/cool/new content to share  – this looks to be an awesome way (both paid and free) to securely share files and passwords

7 Minute Security

In today’s episode I talk about what I’m working on this week, including: Playing with  and pairing it with  Talking about Netexecer, my upcoming tool that helps automate some of the early/boring stuff in an internal pentest A gotcha to watch out for if utilizing netexec’s 

7 Minute Security

Today we live-hack an SCCM server via  using some attack guidance from !  Attacks include: Unauthenticated PXE attack PXE (with password) attack Relaying the machine account of the MECM box over to the SQL server to get local admin