Password Spray

00424_12112019_PodcastPasswordsWeakestLink

, , , , , , ,

Podcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum?  Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.  Download Slides: https://www.activecountermeasures.com/presentations Originally recorded as a live webcast on December 5th, 2019 Presented by: Darin Roberts & […]

Podcast: Play in new window | Download

Subscribe: Android | RSS

Read the entire post here

00423_12112019_WebcastPasswordsWeakestLink

, , , , ,

Webcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum?  Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.  Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_PasswordsWeakestLink.pdf 3:26 – In The Beginning 4:23 – What The Experts Say: […]

Podcast: Play in new window | Download

Subscribe: Android | RSS

Read the entire post here

00420_12032019_Passwords

, , , , , ,

Passwords: Our First Line of Defense

Darin Roberts // “Why do you recommend a 15-character password policy when (name your favorite policy here) recommends only 8-character minimum passwords?” I have had this question posed to me a couple of times in the very recent past.   There were 2 separate policies that were shown to me when asking these questions. First was […]

Read the entire post here

00387_05112019_PODCAST_Weaponizing_Intel

, , , , , , , , , , , , , ,

Podcast: Weaponizing Corporate Intel. This Time, It’s Personal!

Beau Bullock & Mike Felch// Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Often times testers only resort to using publicly available tools which can overlook critical assets. Download slides: http://www.activecountermeasures.com/presentations/ In this one-hour BHIS podcast […]

Podcast: Play in new window | Download

Subscribe: Android | RSS

Read the entire post here

BHIS_YT_WEBCAST3

, , , , , , , , , , , , , , , , , , , , , , ,

Webcast: Attack Tactics 5 – Zero to Hero Attack

Timecode links take you to YouTube: 4:11 – Infrastructure & Background8:28 – Overview & Breakdown of Attack Methodology and Plans11:35 – Start of Attack (Gaining Access), Password Spraying Toolkit15:24 – Mailsniper, Retrieve Global Access List21:58 – Lateral Movement, OWA, VPN, SSH27:05 – Scanning/Enumeration, Nmap SSH Brute Force, “Find Open”, Movement, Gaining Access34:07 – Gaining Access, […]

Read the entire post here

00378_03192019_Blog_Rotate_IP

, , , , , , , , , , , ,

How To Rotate Your Source IP Address

Darin Roberts// IP-Go-Round – Source IP Rotation I was on an engagement recently that was blocking my password sprays based on my IP address.  If I made 3 incorrect requests from my IP, I was blocked out from making any other requests for 30 minutes. How annoying is that? It is a great form of […]

Read the entire post here

35439548

, , , , ,

Wide-Spread Local Admin Testing

Brian Fehrman // In our experience, we see many Windows environments in which the local Administrator password is the same for many machines. We refer to this as Wide-Spread Local Administrator Re-use. This type of configuration is extremely advantageous to an attacker. Once the attacker has the local Administrator password for one computer, they can […]

Read the entire post here

1 2