Episode Transcript
0:01
You know security is hard, so let's assume we're probably going to get pwned by noon. But if we all start to get the basics right, we might not fully get pwned until tonight. Well, hello. Happy, well, Friday when I'm recording this. Welcome to the Seven Minute Security Podcast. My name is Brian Johnson, and I'll be your friend and your host. And today, we're going to do what's become a little bit of a catch-all episode filed under the category of what I'm working on this week. And as the title implies, it's a smattering of what I've been working on this week in the security world.

0:56
So specifically, let me tell you what I'm thinking about so you can decide whether or not you want to come along for this journey with us. I want to tell you a couple examples of pulse-pounding pen test problems. So, you know, sometimes my pulse gets pounding when it's like, ooh, closing in on DA, I can see the light at the end of... And this is like the opposite of that, where I go, OMG, did something break, did something tip over, did something blue screen, did something reboot? And I think they're, you know, they're cautionary tales that we can all learn from. So I want to talk about that. Then I'll probably take a quick break and thank our longtime friend and sponsor, Safepass.me. I want to tell you a little bit about them. And then I want to tell you my experience with... I'm just kind of calling it the Unshadow Reshadow Credentials attack. I don't really think anybody calls it that, but that's what it was in my mind. That was pretty sweet.

2:01
And then tell you about an upcoming, I think this will probably be next week sometime, because I got stuff to do this weekend. I, on the 7MS newsletter, the 7minsec.club Substack, they added the ability to do, what is it, RTMP, is that what you call it, real time, or RTSP, something where you can now do live video through the app, which you always could, but I hadn't played with it because you could only just like go live with your phone and be like, hey guys, I'm here. But I like to screen share and, you know, show you security stuff. Well, anyway, they added whatever it is, RTMP, RTSP, QRST, whatever it is where you can get a streaming key, and then you can plug that key into other things like Restream, which I use for like broadcasts and stuff. And by way of that, then I can actually share my screen and, you know, show you security stuff. So I'm thinking about, you know, to keep the smart business people happy by trying to get, you know, subscribers, doing, you know, some live stream stuff that you can only get via the newsletter, which, or the Substack, which is free, by the way. But I think I'll, I think I'll tinker with that next week.

3:23
And the short live video that I had in mind was to show you how I got what I think is a pretty perfect Password Pusher configuration. And as a quick reminder, Password Pusher is this awesome security service that's both free and commercial, where you can push, with a unique URL, passwords, little blobs of text, files, and make them self-destruct, or make them, you know, give your customer the option to nuke the message upon receiving. Yeah, well, I'll tell you about that in a little bit, but the thing is, I got all gigady in the shorts about it a couple weeks ago and shared with you my thoughts on it and my config file, and then some of you were like, wait a minute, whenever I restart this Docker instance, I lose all the files that I had shared with people, like the links work, but the files don't work. And I was like, nah, that can't be right. And son of a gun, you were right. So I had to get to the bottom of that and fix it, and so that's what I think I want to show you in next week's live stream. But I'll talk about it, I'll talk about the fix, so I'm not like leaving you hanging. But I think I'll close with that, and then that will be that, and send you on your way for the day. I just may, what do you say, I might hang out by the bay and make things out of clay.

4:49
All right, let's start with a couple of these pulse-pounding pen test problems.
4:56
One was actually from a couple weeks ago, I just wanted to revisit it. And that was, I learned kind of the hard way that NetExec, when you use it to interact with a SQL database, if you issue a command to list dir C:\ via xp_cmdshell, for example, NetExec will connect to that SQL instance, turn on xp_cmdshell if it's not already on, run the dir C:\, and then close xp_cmdshell on the way out. Now I can see from a security tool and from a default standpoint, that's actually a really good idea, because I'm not a, excuse me, I'm not a DBA, but my clients and DBA friends have said, yeah, you know, most times we leave xp_cmdshell off or disabled unless we really need it for something, and that's fine unless you really need it for something.
6:02
So I got in a situation where it was like causing confusion and problems because xp_cmdshell kept getting shut off. So the note to self there, the lesson learned for me anyway, is I think I'm going to stick to mssqlclient.py, which is part of Impacket, or I usually just, on the Windows side of things, I bring along a copy of SQL Management Studio and just connect to a database that way and kind of, you know, run, look through files and look through data that way. Or if you're just, I guess, you know, aware of what the intended defaults should be, then you'd probably be fine using NetExec, if indeed the default should be that that connection is closed.

6:51
Speaking of defaults, the default thing that I do pretty much every morning is order Caribou, and I'm gonna do that real quick. I'm just bringing you along for the ride, if you don't mind. We're talking business and we're taking care of even more important business, and that's, and that's, that's what's good.

7:12
Okay, and then there's two other examples I want to share with you, both from like the last month. So on one pen test I was, my box was on the LAN side of the corporate network, and then I was attacking some WAN-side Azure VMs, two of them that I had a local admin foothold on, and I was attached to them with smbclient-ng, which, by the way, that is really cool, and I'm getting more familiar with it. It's kind of becoming my, my go-to. If you want to see a quick, a few moments of that in action, I welcome you to check out last month's live stream with Joe "The Machine" Skeen. You can find that at 7minsec.com/live. We finished a two-part series on attacking GOAD SCCM, and in that episode I, I showed how, like, I wanted to give smbclient-ng a spin, and it's just, yeah, it's got a lot of cool features, and it's, it's made by, shoot, I forgot, and it's made by, shoot, I forgot, and I think we figured it out on the live stream, but it, it's made by an author of some other great security tools. So consider that for your kind of SMB enumeration and crawling needs. But anyway, I had smbclient-ng shells on these boxes and they both dropped at the same time.
8:42
So I was like, all right, well, let's up-arrow and reconnect. I don't know, maybe they're just a little blip on the VPN or something like that. And then it's like the client, the, the, the connection was just like, I'm trying, I'm trying, I'm trying, I'm done, I can't do it. Well, that's weird. Well, let me just try to ping that, one of those boxes. Oh, ping is down, but, you know, maybe, I just couldn't remember if ping was blocked by default, so let's do an nmap and disable ping and check for open ports. Oh, no open ports on either of the boxes. And then that's when I do just a little bit of a chart in my pants. Because I just assumed the worst, that like, I don't know, I mean it wouldn't make sense that smbclient would make something, you know, totally wet the bed, but, but that's where my mind goes, because I'm just, I'm just designed that way. It's a gift. It's not a, it's not a prison of my own mind. It's a gift to automatically assume the worst in cases, cases like these. So I was like, oh, maybe since this is across a VPN connection, maybe the whole connection went down. Let me ping other boxes in the Azure VM land. Oh no, they're up and sprightly and working just fine. Oh, fart face, now I'm really in trouble.
10:02
So on this group chat I had going with the IT team, it was late, and I think they were maybe in Eastern time zone, so it was even later. It was like 11:30 Central. I was like, I'm really sorry, I don't know, here's exactly what happened, here's kind of the timestamp of what I was doing. I don't think anything that I was doing caused this to roll over, but could you check on it as soon as possible? And again, you know, sorry if there's been trouble. And about 10 minutes later, they ping me back. They're like, oh yeah, no, it's all good. You happen to hit exactly our monthly patch window. So it was, yeah, what I say, it was 11:30. It's like their window started at, you know, 12:30 AM on that particular day. And, you know, over the course of the next like 12 hours, everything was going down for, for reboots. And I was like, oh, cool. And that's one of those moments where then I just step away and be like, enough pen testing for tonight. I'm getting, I'm a, what is it, Murtaugh from Lethal Weapon? Just getting too old for this stuff. Lesson learned there, right? Might be good in the, you know, pre-pen test questions, might be good for me to ask, you know, hey, when's your patch cycle, and/or do you have maintenance windows of any kind coming up that I might run into, and might help me avoid some inner terror in my heart just knowing that, you know, some unavailable system is expected.

11:42
Third one I got for you is... Oh, hold on a second. What was that from... Oh, yeah, yeah. So, ran into a weird situation that also prompted me to go, okay, I gotta ask some more questions about EDR stuff ahead of time. Was on a test where, once again, had local admin to the box. And I knew it to be a valuable box running services that, you know, likely were gonna be secretsdump-able. And so I gave secretsdump a spin. Side note, I wanted to mention last time, whatever last tale of pen test pwnage was where I talked about the secretsdumping, I got a comment saying, you know, hey, I'm surprised you even run that anymore. Like, even Defender catches that and stops it. Like, why do you even waste your time? And to address that, I haven't found it to be a waste of time. Now, yes, I agree with you. Defender and EDRs, much better at catching it and stopping it mid-flight. But I still say, like, I mean, 20% of the time it still works. And I even, I remember specifically, maybe it's like a year ago, talking through that with you all a little bit and going, why is leading EDR brand X, you know, stopping secretsdump dead in its tracks in one environment and then just letting it through in the other? Like, is there not, to me, that shouldn't be an editable rule set where you go, block secretsdump, check or not check. Like, that should 100% be checked. So anyway, but for that reason that I don't fully understand, I'm going to go from the attacker's perspective and abuse it. So I do still give secretsdump a toss. All right, thank you. On. So I still give it a shot, but in this case, nope, it didn't work.

13:53
And when I, the secretsdump I was doing was under the context of I had done... I had done RBCD or Shadowcred, and I had the ticket that impersonated the administrator, the DA account, in a CIFS SMB context, right? So I could attach to it with smbclient-ng or do secretsdump, stuff like that. And so I, yeah, I tried the secretsdump, and it got, it got killed mid-flight, which is such a, like, oh, hold your breath. And if you've seen that on a pen test, hold on. Thank you. Hi. Have a great weekend. You would do the same. Take care. If you've seen that on a pen test, you know what I mean, where you get the secretsdump command all queued up, and you hit enter, and then the tool's like, okay, here's the boot key, something, something, something. And now, remote registry was not started, so we're going. And here we go. And I got like one SAM hash out, and then it's just like Python errors, thread killed, process died, you're an idiot, whatever it says. And it's like, okay, shoot, that's not gonna work. So I went up, up-arrow in my command queue to just redo the SMB authentication to that box, just to be like, make sure it didn't go into like full shields-up mode. And I can't remember exactly what the message was. It was something, it was something like, something about revoked permissions. It wasn't, it's like the authentication was recognized but had been stripped. And in this Discord or Slack chat I was having with some folks at the time, they said, oh, that actually is likely a block or revocation of the ticket that you were using. So in other words, they said, if you go back and request another... another one under a different DA context, you could probably... your attack path. But they gave me the idea. They said, hey, for round two, maybe grab a WinRM ticket, and then that gives you a little bit more flexibility because you can attach to the host over WinRM. Makes it a little easier to do your typical scrounging of the C drive and see if there's anything interesting at the root, or if you can get to people's OneDrive folders. And then also, you could perhaps run an obfuscated Rubeus.exe and steal some important TGTs of, you know, whatever machine account or other, other accounts interacting on the box.

16:27
And I was like, okay, beautiful, I'm gonna do that. I'm gonna do that tomorrow. So I wrote the, the group I was working with and said, hey, just as a heads up, I'm done for the day. I was picking on box Z over here, and it didn't seem to like what I was doing. It likely blocked an attempt to extract credential information. And, you know, so you might see some alerts for that, and then I will resume probably, you know, tomorrow or something. So this was, I think, at like noon, and then the next day I woke up to, there had been a bit of an email exchange between some of the executives and the IT team over email at like one in the morning. And what, and so the IT team is one group, the MDR group is another, is my understanding, like they're real, I don't know, you know, kind of connected but operate separately, I guess. That third-party MDR group had called the IT team and the executives in the wee hours of the morning, presumably to, to be like, whoa, we see this weirdness on this, this box.

17:39
And that, as just a little bit of an aside, is like, puts me in a situation I don't really like to be in. Well, it could probably be its own episode, but like, when it comes to work with MDRs, I'm a big fan of, don't tell them that the pen test is coming. Let's just plug my box in, let's get me some creds, and let's start the test, and let's see what you get alerted on and not, and how quickly. And the reason for that is never to make any individual or group or company feel like they're not doing a great job, but the fact of the matter is, these services are very expensive. They promise short alert times, they promise catching all the things, and even warn you before you get a cold, right? But sometimes when you actually test them, your results may vary. And this will be a case where definitely, when it comes to the readout, I am going to be a little bit critical that, hey, I did, you know, I did a pretty loud move against one of your key endpoints, and had I not taken a break, had I continued down picking on that box, I would have tried, you know, the WinRM ticket angle, right, and stolen tickets and probably got to all the things and had my way with the domain. And it's not great that it was, I think, like 13 or 14 hours later that you get a call about it, right? So, so that is the case where I am gonna, you know, talk about that during the readout.

19:20
And truly, in my heart of hearts, I hope that that feedback for the third-party vendor is, you know, received positively, where they can go, well, hey, we want to figure out why this was the way it was, right? Was there some delay in getting the alert information? Was it missed on the ticket board? Was it filtered? Was the alert tuned wrong? All those things, right, are good pieces of information to have. But sadly, as I've shared before, sometimes the MDR vendor goes after me and kind of picks on me, as like, well, no, I mean, nobody actually uses that tool set, and nobody would actually do things that way. And I stand my ground pretty firm and go, yeah, they do. Yeah, I'll give you any number of IR, you know, documentation, or you could read just about any breach response, you know, post-mortem report on the internet, and you'll see, you know, things like Kerberoasting and the net command and secretsdump. Like, it's all very common. So, you know, I, I, I do, I deny this, or I deflect, I'm rubber, you're glue, whatever you say bounces off me and sticks on you, is, is kind of what I get to sometimes. But anyway, that was the case here.
20:41
So the executives and the IT team were called early in the morning. They weren't real happy about that. But I think still in that, ultimately they're like, oh, okay, this is what the call tree is like. And I think this might have been the case here. Sometimes the pen test is the first time, you know, the alerts go to a severity level high enough where, you know, the call trees and the, you know, the email alerts and whatever, that everybody's responding for the first time, you know, quote unquote, for reals.

21:17
So anyway, I got those messages and I'm like, boy, that's really crazy. And then a little later that afternoon, so this is the next day after the secretsdumping, then I, in the lab, I practice the grabbing of a WinRM ticket and getting that all set up. There was a little bit of, there was a little bit of problem with that. And I can't remember exactly the snags that I ran into. But if it's not already under the Evil-WinRM page on bpatty.rocks, it will be soon. bpatty.rocks is Brian's Pentesting and Technical Tips for You. And if you just go to it and then in the upper right you search "evil", you'll probably see the page for Evil-WinRM, get a match right away. And then, yeah, I just, if it's not there now, it'll be there in the next update for sure. A couple, I don't know, syntax or flag snafus to get the WinRM ticket to properly be like, you know, passable. So I got that working in the lab, and I was all excited. I was like, cool, I'm gonna go over to the customer now, I'm gonna do this for reals and hopefully steal some valuable TGTs. So I did the, the forging part, and that all worked, and then it was time for the actual passing with WinRM. And I was getting all these errors. Long story short, come to find out, once I took a step back, I actually pinged the box and nmapped the box without, without checking for ping. This box was completely, it's just crickets and tumbleweeds and dust flying by. This box looked to be offline.

22:57
So then I went back to the group. I was like, hey, I don't know what happened between yesterday, but now this box is completely unavailable. Did something happen? And they said, oh, well, yeah, we can see alerts on it, and it appears to be in isolation, but we can't take it out. And it seems like it's something only this third-party vendor can do. So we've sent a note to them, and hopefully they can bring it out of isolation. And I was like, all right, well, I'm going to be breathing into a paper bag and also not testing any further, because I just, I don't want to introduce anything new into this equation, and it's a key server that they need for the start of business Monday morning. So I left a continuous ping going from my pen test box to this endpoint. I would just kind of check on it, you know, poke my head into the office the afternoon, nope, nope, nope, nope. Finally at like 11:30 I go to bed, it's still down, and there's no email update. And I'm not sure if this third-party vendor is not 24/7 or what the holdup was, but it really did not make me, I really had a tough time sleeping that night, because I just, it's both a blessing and a curse. Like if I'm thinking about a pen test, I'm trying to get some ideas for, sometimes I'll wake up for like a 3 a.m. peep break and have like a... Oh, what if I do this? And then that's also a curse, because then I have to go run out to the computer and actually try it, and then I sometimes like will fully wake up and not be able to go back to sleep.

24:41
But on the other side of things, if there's something like this where it's like, what the heck is going on with this box? And I don't ever want operations to disrupt business. I'm having nightmares about them getting to, you know, 8 a.m. Monday and then this box is not available, just feeling responsible for it, you know. So I slept terrible and had all sorts of bad nightmares about, like, yeah, just that. And then I think it was, it was such a, on a personal note, it was such a kick to the stones, because it was like a spring, it's like the kids didn't have school, my wife didn't have work, and we were all going to get to sleep in, which was going to be a real treat, and I couldn't. I was just, I'm eyes wide open at 6 a.m. So I just, you know, jump out of bed, look around the corner at my computer monitor, and it's still dead ping. And so I'm up and I'm, you know, no email updates, but I just, I can't go back to bed. I mean, it's like, I don't know what they would need from me, but I still just couldn't calm back down. And so it gets to be like seven o'clock, seven thirty, seven forty, seven fifty, and I think it was like seven fifty-four, something, ding ding bing, the pings are going through. And then one of the executives writes, hey, I'm back in. I was like, oh, thank the Lord, but I am way too jacked up now to, uh... to go back to bed.

26:16
And so lesson learned from that one, I think, would be just more ahead-of-time talking through, do we know how the endpoints are configured as far as how aggressively will they isolate themselves? And maybe more importantly, you know, who is it, somebody, a client contact, is it a, MSP, is it a third party, who has their finger on the trigger to quickly un-isolate a box, should we need to do that? So that'll be, that'll be part of my pre-questionnaire before we ever get started in the test now, going forward.

26:48
All right, let's see. I want to tell you about the, the, the shadow, Unshadow, shadow credentials attack, but first let me take a brief moment. Let us thank our friends and longtime sponsors of the podcast, Safepass.me, featuring, we haven't talked about this as much, featuring the patented Pwncheck. So Pwncheck, well, let's talk about the peanut butter and jelly combo these two services bring. Safepass.me is essentially, from a technical point of view, it's a little MSI you download, you throw it on both, or all, your domain controllers, reboot them, and just by doing that, you will, going forward, be protecting users from choosing over a billion bad, weak, leaked, breached passwords. And you can also create a word list of your own. So if you know maybe there's a company catchphrase, maybe you know there's some, I don't know, some words, some mascot, some something that people are always picking as their password plus year or something like that, you can roll your own word list as well and really make it hard for people to pick a password that's not great. So that's kind of what I call the peanut butter side of Safepass. And now the jelly side is Pwncheck.

28:00
So Pwncheck will, and this happens all internally in your network, it will audit your environment to look for people using the bad passwords. So nary a hash leaves your network, it's all checked locally, and you get extra bang for your buck by using Pwncheck, because not only do you find people using passwords that are not so great, you may identify people who have the same password.
28:29
So I'll give you an example from
28:32
real life. A few years ago, one
28:34
of my clients had a help
28:36
desk intern, and I'm not pooping
28:38
on help desk interns. I'm just
28:40
saying this, this is what happened.
28:42
A bunch of people were hired
28:44
over the summer. The intern, help
28:46
desk person was responsible for setting
28:48
up their accounts, and he gave
28:50
them like a, you know, summer 2019
28:52
password. He gave everybody the same
28:54
password, and when he set up
28:56
their accounts, he ticked the box
28:59
for do not expire the
29:01
password. So that meant these
29:03
folks never ever would change
29:05
their password. Insert a pen
29:08
test and the pen tester
29:10
was doing some seasonal
29:12
spraying of season plus
29:14
year for the password and
29:16
not only got one account,
29:18
got like 15 accounts. So
29:21
here's where Pone check and
29:23
help you find those stragler
29:26
accounts as well. They offer
29:28
NIST compliance and this is
29:30
designed by security pros for
29:32
security pros. It's super lightning
29:34
fast performance. You know, when
29:37
Bob from accounting goes to
29:39
change his password after Safe
29:41
Pass is installed, it checks his
29:43
want to be password against a
29:45
billion passwords in just a couple
29:48
seconds. And you can set it
29:50
up all in about the time it
29:52
takes to make a hot cup of
29:54
Java or like me a delicious mint
29:57
hot cocoa. Now, here's the best news
29:59
of all. Until fall, okay, so the
30:01
last day in August, Safe
30:04
Pass has offered an exclusive
30:06
7MS discount, which has increased
30:08
to 20 percent. So that is 20
30:11
percent off of new clients,
30:13
new business, when you mention
30:15
7MS, just go to Safe Pass. .me,
30:17
let them know that 7-minute
30:19
security sent you and get
30:22
your 20 percent off. for,
30:24
you know, being awesome and
30:26
being a new client. That's
30:28
all one word. S-A-F-E-P-A-S-S dot
30:31
me. Don't forget to check
30:33
out and ask about Pone
30:35
Check as well. That's super
30:37
sweet. Okay, shadow credentials,
30:40
Unshadow, Reshadow
30:42
is what I want to talk
30:44
about. So I was working
30:46
with a client not too long
30:49
ago that I think it's maybe
30:51
there. fourth year of receiving a
30:53
pen test, which just isn't a
30:55
side. I do after, after, you
30:57
know, three or so, I usually
30:59
do suggest like, hey, it's not a
31:01
bad idea, right? Like, of course, we
31:03
want your business forever, but if they're
31:06
ever like, you know, do you think
31:08
we should get a fresh set of
31:10
eyes? Sure, I think that's a good
31:12
idea. But I was working on a
31:14
test and I try not to look
31:16
at. At tests like last year's test,
31:18
I try to go in with fresh
31:21
eyes and you know test all the
31:23
new stuff I learned and as much
31:25
as possible Not remember past year's test
31:27
so I can you know, hopefully find
31:29
some new goodness or badness I guess
31:31
but new new good findings to bring
31:33
to their attention and I came across
31:35
a box that I had Local admin on
31:37
and I was like, oh, I think this
31:40
is is is a candidate for the shadow
31:42
credentials attack Which I'll put a link
31:44
in the show notes today for a
31:47
really awesome Just short video
31:49
concise walks through the risk
31:51
the actual attack and the defense
31:53
side of things And I went
31:55
to run the attack and I
31:57
got some sort of like
32:00
insufficient permissions error. And as
32:02
I say this now, I realize
32:04
I probably missed out a bunch
32:06
of times because I just blindly
32:08
assumed, well, that's some sort of
32:10
block that they have somewhere to
32:13
prevent the attack. But I used
32:15
Whisker.exe to look at that box
32:17
and see what the, whatever it's
32:19
called, msDS, what is it, key
32:21
credential or something, attribute. I was
32:23
trying to see what was in
32:26
that attribute and it showed an
32:28
update timestamp of a date
32:30
that made me go, wait a
32:32
minute, this looks to be, you
32:34
know, we test about the same
32:37
time every year. Was this, was
32:39
this one of our fingerprints from
32:41
a previous test? And it was.
32:43
Now, as an aside on that,
32:45
I try to be really diligent
32:47
about, like, at the end of
32:50
the test, saying hey, here's every
32:52
cred we saw, here's every sensitive
32:54
document that, you know, we peeked
32:56
at, here's any DNS entries we
32:58
mucked with, or, and when I
33:01
say muck I mean add, not
33:03
change them, but add, here's maybe
33:05
a phantom machine object we added
33:07
to the, the domain. But this
33:09
must have been overlooked, and, and
33:11
when I look back at a
33:14
previous year's report it looks like
33:16
we were trying to use shadow
33:18
credentials for escalation, but then either
33:20
didn't need it or didn't, wasn't
33:22
able to pull it off for
33:24
one reason or another. And so
33:27
as I went around looking for
33:29
that error, I came across a
33:31
great write-up about, from our good
33:33
pal, 0xdf, which really, as I
33:35
go forward as a pen tester,
33:38
pretty much any pen test problem
33:40
I run into, I really should
33:42
just go and read his awesome
33:44
articles because I found so many
33:46
answers in them. But anyway, in
33:48
the write-up that I read through,
33:51
and I'll try to link to
33:53
it if I remember, it said,
33:55
oh, one of the reasons you
33:57
can... this error is because there's
33:59
already a shadow credential sitting there.
34:02
And in the article it says
34:04
here's one way you can kind
34:06
of unshadow that credential and then
34:08
re-stamp in a new value.
34:10
And he showed that there's a
34:12
branch or a fork or whatever
34:15
you call it of Impacket that
34:17
you can download and compile and
34:19
then you can set up a
34:21
relay in such a way that
34:23
you get an interactive LDAP shell,
34:26
and then while you're, while you've
34:28
got that shell active, you can
34:30
issue some commands to literally undo
34:32
or, you know, remove, clear that
34:34
attribute, and then, you know, stamp
34:36
in a new one from the
34:39
the box you're using now as
34:41
the new device ID or whatever
34:43
they call that, that entry, when
34:45
it gets plugged in, and then
34:47
go about the rest of the
34:50
attack. Now, as I say this
34:52
out loud, I wonder if I
34:54
couldn't have just used... Let's see,
34:56
could I have just used Whisker
34:58
in some context to... uh... clear
35:00
that credential? I probably could have.
35:03
I probably could have. Hold on
35:05
one second, I gotta do kind
35:07
of a weird pass here. Again,
35:09
some farm equipment, and it's over
35:11
the hill. Oh, and I wasn't
35:14
supposed to do that. Because I
35:16
had the yellow line. Whoops. Well,
35:18
wait, is it illegal? If someone's
35:20
in the shoulder. And I just
35:22
went over the line enough so
35:24
that it was under the chassis,
35:27
like right in the middle. Does
35:29
that still count? If a cop
35:31
saw that and it was a
35:33
solid yellow line, could he grab
35:35
me? If I only had two
35:38
wheels outside? I don't know. Anyway,
35:40
I was thinking, yeah, could I
35:42
just use Whisker? Maybe. But I
35:44
didn't and it gave me an
35:46
opportunity to read another one of
35:48
0xdf's awesome articles and use a...
35:51
a flavor of Impacket that I
35:53
hadn't. And then I was able
35:55
to, you know, re-shadow the
35:57
credentials and then pull off my
35:59
attack and get sweet, sweet, sweet,
36:02
sweet domain admin. So the main
36:04
takeaway there was, yeah, if you
36:06
go to, to pull that off
36:08
and you're getting insufficient permissions, don't
36:10
do like I did and necessarily
36:12
jump to taking it at its
36:15
word and going, oh, this is
36:17
a permissions issue. It could just
36:19
be that another value is sitting
36:21
there. Oh, and I've not yet
36:23
run into this on a pen
36:26
test and correct me if I'm
36:28
wrong. My understanding though is that
36:30
it's just a good practice in
36:32
general to check. Before you go
36:34
to abuse that attribute, check to
36:36
see if, you know, if you're
36:39
like attacking a workstation, for example,
36:41
my understanding is that value might
36:43
be, might have something in it
36:45
if the end user is using
36:47
Windows Hello for Business. I believe
36:49
it, by doing that, it puts
36:52
an attribute there, and I think
36:54
if you're just going to rip
36:56
that out, then they might have
36:58
to re-enroll their authentication, and I
37:00
don't know. I don't know exactly,
37:03
don't quote me on that, look
37:05
into it. So far I've yet
37:07
to come across a test where
37:09
there's something already there, but just,
37:11
just a caution, cautionary warning. Okay,
37:13
and then the last little thing I'll
37:16
sort of tease you and invite
37:18
you to be part of is
37:20
our newsletter, 7minsec.club.
37:22
It's a Substack tenancy that
37:24
I'm really just using as a
37:27
newsletter, but go to
37:29
7minsec.club. You'll be asked to
37:31
sacrifice an email to the marketing
37:33
gods, but it's not really the
37:35
marketing gods. It's just getting you
37:37
signed up for the list and
37:40
I try to do some sort
37:42
of mailing once a week. And
37:44
it would just be about like,
37:46
maybe it's a bit more of
37:48
a technical write-up to support one
37:51
of the podcast episodes. Maybe it's
37:53
letting you know about our upcoming
37:55
get together in May, stuff like
37:57
that. But you could always hit
37:59
no thanks and still read the
38:01
content anyway. But as I mentioned
38:04
in the beginning of the
38:06
show, Substack has released integration
38:08
with streaming keys, so I'd be
38:10
able to use my Restream account
38:13
to go live on Substack
38:15
but then also like share my
38:17
screen and do more of the
38:19
stuff we do on YouTube. So
38:21
I think what I'm going to
38:24
try at some point next week
38:26
and I think the way it
38:28
would work is I could
38:30
pre-schedule this and then you would
38:32
get notified of that. Yeah, I think
38:35
that's how it would work. I
38:37
wanted to show you quick a
38:39
little update on what I learned
38:41
about Password Pusher. So I found
38:43
that my config that I was
38:46
so happy about wouldn't save files
38:48
in between Docker restarts. So
38:50
I posted an issue to
38:52
the GitHub repo and
38:54
at the same time did
38:56
some digging with, with Cursor
38:58
AI, and hey, how's it
39:00
going, folks, and, and, and
39:02
it helped me get to the
39:05
bottom of it. I described
39:07
kind of the, you know, what was
39:09
going on to Cursor. And it
39:12
said, oh, probably what you're
39:14
having here is a mapping
39:16
and rights issue between the
39:18
Docker container and then the
39:20
actual mapped folder on the
39:22
VM that would store the
39:24
files. Because, well, I identified two
39:27
problems. One, the file attachments weren't
39:29
persisting between Docker reboots. And then
39:31
when I tried to fix it
39:33
with some mapping and... permission strings
39:35
within my YAML file. Then when
39:38
I went to upload files, they
39:40
would upload, like the progress bar
39:42
would go from zero to 100,
39:44
and then it would just glow
39:46
red. And then if I looked on my
39:49
VM hard drive, there would be no files. So
39:51
I'm like, okay, this looks like a permission
39:53
issue, but I'm not exactly sure.
39:55
So I sent Cursor screenshots of
39:57
what I was experiencing and describing
39:59
the problem. It said, oh yeah,
40:01
yeah, there's some problems here. You've
40:03
got to map, you've got to
40:05
do some chowning and
40:07
chmodding to get the permissions of
40:09
the user that the Docker container
40:12
is running under, mapped to that
40:14
of your actual virtual machine user.
40:16
And here's what you do. And
40:18
it gave me a couple steps.
40:20
And I thought, oh, this seems
40:22
weird. I don't really like
40:25
chmodding things and chowning things
40:27
when, you know, I've just found
40:29
the AI stuff isn't necessarily thinking
40:31
about security implications. It's thinking about
40:33
functionality implications. So I shot, I
40:35
shut down the VM, I snapshot
40:38
it, I fired it up and
40:40
then I made those changes and
40:42
it did work. And then I
40:44
went over to the GitHub
40:46
issue and said, hey, you know,
40:48
here's what Cursor recommends. I don't
40:50
know if this is right, you
40:53
know, what do you think? And
40:55
I was... kind of tickled to
40:57
see the author write back right
40:59
away and go, yeah, that's actually
41:01
exactly what you should do. And
41:03
I'll update the documentation to reflect
41:06
that and then close the issue.
41:08
I was like, all right, Booyah
41:10
for awesome authors who make cool
41:12
security software and and help people
41:14
with issues and also Cursor AI
41:16
for, you know, suggesting the right
41:19
thing that was not only functionally
41:21
correct, but security-ily correct. Okay,
41:25
I think that's it. I gotta go do
41:27
a little bit of pen testing and then
41:29
I'm gonna turn off my brain for the
41:32
weekend and actually not work. Gasp, what a
41:34
concept. All right, well, you know the places
41:36
to go, right? 7minsec.com has the show
41:38
notes. It actually has, it additionally has information
41:41
about all our services. Risk, we'll take that
41:43
out in post. Risk assessments, penetration testing, training,
41:45
and then 7minsec.club is our newsletter,
41:47
mini community thing where you can read posts,
41:49
you can comment on them, you can DM
41:52
me, and hope to, to see
41:54
you there, okay? Have a, yeah,
41:56
God bless you, have a
41:58
great rest of your week
42:01
and weekend.
42:03
We'll talk to
42:05
you next time. Take
42:07
care now, bye then. You've
42:09
been listening to or watching
42:12
7 Minute Security,
42:14
a weekly podcast
42:16
focused on teaming,
42:18
and building a career
42:20
in security. For
42:22
more episodes like this
42:24
and for information about our
42:27
security consulting services, visit
42:30
7minsec.com