7 Minute Security
7 Minute Security
Brian Johnson
7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
7MS #608: New Tool Release - EvilFortiAuthenticator
Hey friends, today our pal Hackernovice joins us for a tool (actually two tools!) release party: EvilFortiAuthenticator - it's like a regular FortiAuthenticator, but evil.  This tool allows you to capture the FortiAuthenticator API and subsequently steal the entire device's config, subsequently allowing you to restore the config to a second server and potentially steal cleartext Active Directory creds and SMTP accounts!  We talk about BulletsPassView - a tool that originially allowed us to simply unmask the "hidden" API key in the FortiAuthenticator client (this did NOT work in the latest version of FAC). Once you get the API key, check out Fortinet's documentation to do fun things like dump the whole config to a file on disk! After you steal the config and restore it to a fresh FortiAuthenticator, use maintenance mode to reset the admin password. Once you can adjust the restored config to your liking, try using MITMsmtp to capture email server creds in the clear! TCMLobbyBBQ - this tool has nothing to do with security, but helps PC players of the Texas Chain Saw Massacre get into lobbies more efficiently.
Jan 26
43 min
7MS #607: How to Succeed in Business Without Really Crying - Part 15
Today we talk about some business-y things like: A pre first impressions opinion on Sysreptor Why I'm not worried about AI replacing manual pentesting (yet) My struggle with going "full CEO" vs. staying in the weeds and working on hands-on security projects
Jan 19
39 min
7MS #606: Hacking OWASP Juice Shop (2024 edition)
Today our pals Bjorn Kimminich from OWASP and Paul from Project7 and TheUnstoppables.ai join us as we kick off a series all about hacking the OWASP Juice Shop, which is "probably the most modern and sophisticated insecure web application!" We got a few wins on the Juice Shop score board today: Found the score board Bullied the chatbot Fired a DOM XSS Located a confidential document Gave the Juice Shop a devastating zero stars review Fired a DOM XSS which played the OWASP Juice Shop Jingle
Jan 12
29 min
7MS #605: Navigating the Demands of Tech Leadership with Amanda Berlin of Blumira
Today our friend Amanda Berlin, Lead Incident Detection Engineer at Blumira, joins us to talk about being more mentally healthy in 2024! P.S. - did you miss Amanda's past visits to the program? Then check out episode 518, 536 and 588. Be sure to check out the next edition of Amanda's Defensive Security Handbook when it comes out in later January, 2024!
Jan 5
58 min
7MS #604: A Two Tool Teaser
Today we tease two upcoming tool releases (shooting for Q1, 2024): TCMLobbyBBQ - a Python script for PC players of The Texas Chain Saw Massacre game to help players get out of lobbies and into live games ASAP! The script uses PyAutoGUI to take screenshots of what part of the game you're in, then make appropriate key presses and mouse clicks to get into lobby queues, then alert you when the game actually starts! EvilFortiAuthenticator - this tool will allow you to steal administrator API tokens from FortiAuthenticator which can lead to full compromise of the physical device. Happy new year!
Jan 1
26 min
7MS #603: Monitoring Your Tailscale Network with Uptime Kuma
Today I look at potentially replacing Splashtop and UptimeRobot (check out our episode about it here) with Tailscale and Uptime Kuma. The missing link (which I'd love some help with) is answering this security question: how can I setup Tailscale so that my 7MinSec testing box can connect to all these NUCs spread around the globe, but those NUCs cannot connect to each other (in case one is compromised)? Got some ideas? Let me know please!
Dec 24, 2023
28 min
7MS #602: How to Succeed in Business Without Really Crying - Part 14
Today we're talkin' business! Specifically: How to (gently) say "no" to (some) client projects How to (politely) challenge end-of-year deadlines An idea I'm kicking around in the lab - where I might do away with UptimeRobot and Splashtop in favor of Tailscale and Uptime Kuma
Dec 15, 2023
44 min
7MS #601: Breaking Up With Active Directory
Today our pal Nate Schmitt (you may remember him from his excellent Dealing with Rejection: A DMARC Discussion Webinar) joins us to talk about breaking up with Active Directory. He covers: Why would you want to consider removing AD from your environment? What are common items to plan for? What steps should you take to efficiently plan a migration? What common challenges or considerations will you face?
Dec 11, 2023
27 min
7MS #600: First Impressions of Using AI on Penetration Tests
Hey friends, today I share my experience working with ChatGPT, Ollama.ai, PentestGPT and privateGPT to help me pentest Active Directory, as well as a machine called Pilgrimage from HackTheBox. Will AI replace pentesters as we know them today? In my humble opinion: not quite yet. Check out today's episode to hear more, and please join me on Wednesday, December 6 for my Webinar on this topic with Netwrix called Hack the Hackers: Exploring ChatGPT and PentestGPT in Penetration Testing!
Dec 1, 2023
22 min
7MS #599: Baby's First Responsible Disclosure
Today we talk about our first experience working through the responsible disclosure process after finding vulnerabilities in a security product. We cannot share a whole lot of details as of right now, but wanted to give you some insight into the testing/reporting process thus far, which includes the use of: BulletsPassView MITMsmtp mitmproxy
Nov 25, 2023
38 min
Load more