// Jordan Drysdale and Kent Ickler talk about Best Practices for setting up Active Directory. Bre joins as fake Sierra to host and ask questions from the audience since real Sierra was on vacation. See the webcast and Kent’s show notes here.
Podcast: Play in new window | Download
Kent Ickler & Jordan Drysdale// BHIS Webcast and Podcast This post accompanies BHIS’s webcast recorded on August 7, 2018, Active Directory Best Practices to Frustrate Attackers, which you can view below. The podcast version is available here. Also, the slides are available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7214618/ Preface Active Directory out of the box defaults aren’t enough to keep your network […]
Ethan Robish // WebSockets Overview WebSockets is a technology to allow browsers and servers to establish a single TCP connection and then asynchronously communicate in either direction. This is great for web apps as it allows real time updates without the browser needing to send hundreds of new HTTP polling requests in the background. It’s […]
Jordan Drysdale//* In this blog, we are assuming that we have obtained an access key, a secret key and maybe a .pem key from a network user who left these things lying around. What services do they have access to? How far can we get? Here we stand again, on the shoulders of giants with […]
Scott Worden* // So you and your company had a pen test…now what? What to do, how to plan, and good SQUIRREL! ways to stay on track. The 3 Stage of the Penetration Test The TESTER The TESTED Having the penetration tester reach your crown jewels, get root, own you, pwn you, own3d, 0wn3d, […]
CJ Cox talks about the highs, lows, hows and why’s of security policy. // Show Notes Why are we doing this? Do you hate your audience? GDPR was bad enough. My Methodology The Rant Cross between Bob Cat Goldthwaite and Dennis Miller Policy is the foundation to the foundation Don’t we all just love Policy […]
Podcast: Play in new window | Download
Craig Vincent// This all started with a conversation I was having with a few other BHIS testers. At the time, I was testing a web application that used WebSockets. The app was giving me headaches, and I was venting my frustration. Penetration testers, red teams, and baddies are always looking for new ways to sneak […]
Jordan Drysdale// Full disclosure and tl;dr: The NCC Group has developed an amazing toolkit for analyzing your AWS infrastructure against Amazon’s best practices guidelines. Start here: https://github.com/nccgroup/Scout2 Then, access your AWS console as a user with privilege enough to create an “auditor” account (best practice tip #1: once your admin accounts are online and MFA […]
Matthew Toussain//* Wouldn’t you like to START your pentests knowing every username for all individuals in your target environment? Gmail, G Suite, Outlook Web Access, Exchange Web Services… Email. A divine gift issued to hackers with no statute of limitations. In this blog we explore an exploitation workflow using new features of the MailSniper toolkit. […]
