Brian Johnson 7MinSec

@7MinSec
7MinSec / 7MS_episode_guide.md
Last active January 4, 2024 18:38
7 Minute Security podcast episode guide

7 Minute Security podcast - full episode guide

Below is a blurb on each podcast episode, as well as a link to the corresponding show notes (if available). I apologize but this gist is often a little outdated, so to view the show notes for the latest episodes be sure to also check out 7ms.us.


Today, sadly, might be the last episode of DIY pentest dropbox tips for a while because I found (well, ChatGPT did actually) the missing link to 100% automate a Kali Linux install! Check episode #449 for more info on building your Kali preseed file, but essentially the last line in my file runs a kali.sh script to download/install all the pentest tools I want.

View this episode's show notes for more information

| Patching solution bake-off | PDQ Deploy/Inventory | Ninite | ManageEngine | Ivanti |
| --- | --- | --- | --- | --- |
| Agent or agentless | Agentless (w/option coming in Q4 for an agent install) | Agent | Both | Both |
| LAN/cloud centralized administration | LAN only | Cloud only | Both | LAN only |
| Can push Microsoft updates? | Cumulative monthly updates | No | Yes | Yes |
| Can work w/non-MS machines (Macs/Linux)? | Can identify device type but not actively inventory/patch non-MS | No | Yes - Mac/Linux agent and ability to push patches (!) | Yes - via Ivanti patch for Linux/Unix/Mac environments |
| Training/certification | Hefty YouTube training library | Unknown | Training videos library easily available from inside the Web interface. Also it looks like they do a Webinar each Patch Tuesday about the latest MS patches. | Yes check out this |
| Pricing model | Per admin console (PDQ is ok with one | | | |
@7MinSec
7MinSec / CryptoLockerd.md
Last active November 15, 2018 18:48
This is an infosec-themed song called CryptoLocker'd

You can listen to this song on episode #276 of the 7 Minute Security podcast

Verse 1

You said you wouldn't do it
You said you wouldn't click that link
But you totally did
It’s clear you didn’t stop and think
How the promise of a free burrito would be all that it took
To open up our networks to virtual crooks

@7MinSec
7MinSec / LinkedIn_recruiter_response_template.md
Last active March 10, 2020 16:43
Tired of recruiters pinging you about positions you aren't interested in *BUT* you'd like to utilize their time/skills/talent to find gigs you DO want? Send this template to them!

Tired of recruiters pinging you about jobs that you don't care about or are under/overqualified for, but you'd like to utilize their time/skills/talent to find gigs you DO want? Customize this template and send it to them!


Hello,

Thanks for your email. The position you sent me is not a fit, however, here are some of the things I’d be looking for if I were to consider another position:

  • A contract position would be my first choice, but I would go FTE for the right opportunity
@7MinSec
7MinSec / Password_cracking_in_the_cloud.md
Last active August 24, 2023 14:24
Password cracking in the cloud
@7MinSec
7MinSec / Active_Directory_dump_n_crack.md
Last active April 15, 2021 16:17
Active Directory hash dump n' crack methodology

Creating AD backup dump of user accounts and hashes

Upgrade to latest version of PowerShell

Check your version with:

$Psversiontable.psversion

If you are below Major: 5, Minor:1 head to Microsoft's download site to get the latest.

@7MinSec
7MinSec / mostly_painless_cuckoo_sandbox_install.md
Last active June 29, 2024 04:56
Mostly painless Cuckoo Sandbox install

How to Build a Cuckoo Sandbox Malware Analysis System

I had a heck of a time getting a Cuckoo sandbox running, and below I hope to help you get one up and running relatively quickly by detailing out the steps and gotchas I stumbled across along the way. I mention this in the references at the end of this gist, but what you see here is heavily influenced by this article from Nviso

Build your Linux Cuckoo VM

  1. Set up an Ubuntu 16.04 64-bit desktop VM (download here) in VMware with the following properties:
  • 100GB hard drive
  • 2 procs
  • 8 gigs of RAM
@7MinSec
7MinSec / 7mi.md
Last active November 13, 2018 16:32
7 minute interviews - by 7 Minute Security

7 minute interviews? What's that?

It's a new (and hopefully fun) interview format I want to engage in with members of the information security community on the 7 Minute Security podcast.

Wait wait wait. Who are you? What's this all about?

I'm Brian from 7 Minute Security, LLC and I've been having a blast doing some longer-form interviews with security folks, but I thought it would be fun to do a shorter-form outline where I ask 7 questions (ok, maybe a few more than 7...but I like lucky numbers). Some questions will be serious. Others will not.

Ok I'll bite. What kind of questions would you ask in this 7-minute interview?

Check these out:

@7MinSec
7MinSec / lowhanging.md
Last active June 9, 2022 13:15
Low-hanging hacker fruit (and how to remove it)

Low Hanging Hacker Fruit

This gist focuses on (relatively) free and (relatively) easy things organizations can do to better protect their networks without buying yet another black box with blinking lights.

Got some ideas of your own that should be on this list? Please leave a comment below!

Implementing a stronger AD password policy

Microsoft has a great paper on the topic that gives some nice high level recommendations:

  • Use a unique password per site
  • Enable complexity

Active Directory Security 101

This document complements the Active Directory security topics talked about on the 7 Minute Security podcast miniseries related to Active Directory - specifically #329. The purpose of this doc is to compile resources we can all use to make our Active Directory environments more physically and logically secure. Here we go....

Practice good physical security

I can't tell you how many companies I've run into that have flippin' Fort Knox around their DCs at their primary office (cameras, motion detectors, angry guard dogs, snipers, etc.) but then the branch office has a DC under the receptionist's desk with no security controls. Make sure all domain controllers are physically locked down. I think a good minimum config is to have the DC locked in a room with keycard access - where only a subset of employees have physical access.

Put users in a least priv