For at give dig den bedst mulige oplevelse bruger dette websted cookies. Gennemgå vores Fortrolighedspolitik og Servicevilkår for at lære mere.
Forstået!
Indhold leveret af Paul Asadoorian and Security Weekly. Alt podcastindhold inklusive episoder, grafik og podcastbeskrivelser uploades og leveres direkte af Paul Asadoorian and Security Weekly eller deres podcastplatformspartner. Hvis du mener, at nogen bruger dit ophavsretligt beskyttede værk uden din tilladelse, kan du følge processen beskrevet her https://da.player.fm/legal.
Player FM - Podcast-app Gå offline med appen Player FM !
Episode Notes [03:47] Seth's Early Understanding of Questions [04:33] The Power of Questions [05:25] Building Relationships Through Questions [06:41] This is Strategy: Focus on Questions [10:21] Gamifying Questions [11:34] Conversations as Infinite Games [15:32] Creating Tension with Questions [20:46] Effective Questioning Techniques [23:21] Empathy and Engagement [34:33] Strategy and Culture [35:22] Microsoft's Transformation [36:00] Global Perspectives on Questions [39:39] Caring in a Challenging World Resources Mentioned The Dip by Seth Godin Linchpin by Seth Godin Purple Cow by Seth Godin Tribes by Seth Godin This Is Marketing by Seth Godin The Carbon Almanac This is Strategy by Seth Godin Seth's Blog What Does it Sound Like When You Change Your Mind? by Seth Godin Value Creation Masterclass by Seth Godin on Udemy The Strategy Deck by Seth Godin Taylor Swift Jimmy Smith Jimmy Smith Curated Questions Episode Supercuts Priya Parker Techstars Satya Nadella Microsoft Steve Ballmer Acumen Jerry Colonna Unleashing the Idea Virus by Seth Godin Tim Ferriss podcast with Seth Godin Seth Godin website Beauty Pill Producer Ben Ford Questions Asked When did you first understand the power of questions? What do you do to get under the layer to really get down to those lower levels? Is it just follow-up questions, mindset, worldview, and how that works for you? How'd you get this job anyway? What are things like around here? What did your boss do before they were your boss? Wow did you end up with this job? Why are questions such a big part of This is Strategy? If you had to charge ten times as much as you charge now, what would you do differently? If it had to be free, what would you do differently? Who's it for, and what's it for? What is the change we seek to make? How did you choose the questions for The Strategy Deck? How big is our circle of us? How many people do I care about? Is the change we're making contagious? Are there other ways to gamify the use of questions? Any other thoughts on how questions might be gamified? How do we play games with other people where we're aware of what it would be for them to win and for us to win? What is it that you're challenged by? What is it that you want to share? What is it that you're afraid of? If there isn't a change, then why are we wasting our time? Can you define tension? What kind of haircut do you want? How long has it been since your last haircut? How might one think about intentionally creating that question? What factors should someone think about as they use questions to create tension? How was school today? What is the kind of interaction I'm hoping for over time? How do I ask a different sort of question that over time will be answered with how was school today? Were there any easy questions on your math homework? Did anything good happen at school today? What tension am I here to create? What wrong questions continue to be asked? What temperature is it outside? When the person you could have been meets the person you are becoming, is it going to be a cause for celebration or heartbreak? What are the questions we're going to ask each other? What was life like at the dinner table when you were growing up? What are we really trying to accomplish? How do you have this cogent two sentence explanation of what you do? How many clicks can we get per visit? What would happen if there was a webpage that was designed to get you to leave? What were the questions that were being asked by people in authority at Yahoo in 1999? How did the stock do today? Is anything broken? What can you do today that will make the stock go up tomorrow? What are risks worth taking? What are we doing that might not work but that supports our mission? What was the last thing you did that didn't work, and what did we learn from it? What have we done to so delight our core customers that they're telling other people? How has your international circle informed your life of questions? What do I believe that other people don't believe? What do I see that other people don't see? What do I take for granted that other people don't take for granted? What would blank do? What would Bob do? What would Jill do? What would Susan do? What happened to them? What system are they in that made them decide that that was the right thing to do? And then how do we change the system? How given the state of the world, do you manage to continue to care as much as you do? Do you walk to school or take your lunch? If you all can only care if things are going well, then what does that mean about caring? Should I have spent the last 50 years curled up in a ball? How do we go to the foundation and create community action?…
Indhold leveret af Paul Asadoorian and Security Weekly. Alt podcastindhold inklusive episoder, grafik og podcastbeskrivelser uploades og leveres direkte af Paul Asadoorian and Security Weekly eller deres podcastplatformspartner. Hvis du mener, at nogen bruger dit ophavsretligt beskyttede værk uden din tilladelse, kan du følge processen beskrevet her https://da.player.fm/legal.
Want to learn about all of the latest security tools and techniques? This is the show for you! We show you how to install, configure and use a wide variety of security tools for both offense and defense. Whether you are a penetration tester or defending enterprise networks, this show will help you
Indhold leveret af Paul Asadoorian and Security Weekly. Alt podcastindhold inklusive episoder, grafik og podcastbeskrivelser uploades og leveres direkte af Paul Asadoorian and Security Weekly eller deres podcastplatformspartner. Hvis du mener, at nogen bruger dit ophavsretligt beskyttede værk uden din tilladelse, kan du følge processen beskrevet her https://da.player.fm/legal.
Want to learn about all of the latest security tools and techniques? This is the show for you! We show you how to install, configure and use a wide variety of security tools for both offense and defense. Whether you are a penetration tester or defending enterprise networks, this show will help you
Evilginx2 is a man-in-the-middle framework that can be utilized to intercept credentials including two-factor methods victims utilize when logging in to a web application. Instead of just duplicating the target web application it proxies traffic to it making the experience seamless to the victim. In this episode Ralph May (@ralphte1) joins Beau Bullock to demo Evilginx2. LINKS: https://github.com/kgretzky/evilginx2 https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/…
This is the Hacker Summer Camp 2018 edition of Tradecraft Security Weekly. In this week's episode Beau Bullock (@dafthack) talks about some of the more interesting items he saw come out of the Black Hat and DEF CON conferences this year. For Show Links: https://wiki.securityweekly.com/TS_Episode28
Network administrators often utilize Pre-boot Execution Environment (PXE) to rapidly deploy new systems on a network easily. Golden system images can be created with all the software and settings already in place for new systems. In this episode of Tradecraft Security Weekly Beau Bullock (@dafthack) discusses some of the potential attack vectors surrounding PXE boot deployments. Full Show Notes: https://wiki.securityweekly.com/TS_Episode27…
During the reconnaissance phase of a penetration test being able to discover employee names and email addresses of an organization is extremely important. It is also important to do so as stealthily as possible. Using open-source techniques and tools it is possible to enumerate employee names and email addresses at an organization. In this episode of Tradecraft Security Weekly Beau Bullock (@dafthack) discusses some of the tools and techniques that can be used to do this. Full Show Notes: https://wiki.securityweekly.com/TS_Episode26…
Organizations are implementing two-factor on more and more web services. The traditional methods for phishing credentials is no longer good enough to gain access to user accounts if 2FA is setup. In this episode Mike Felch (@ustayready) and Beau Bullock (@dafthack) demonstrate a tool that Mike wrote called CredSniper that assists in cloning portals for harvesting two-factor tokens. Links: https://github.com/ustayready/CredSniper…
In this episode of Tradecraft Security Weekly hosts Beau Bullock (@dafthack) and Mike Felch (@ustayready) discuss methods for evading network-based detection mechanisms. Many commercial IDS/IPS devices do a pretty decent job of detecting standard pentesting tools like Nmap when no evasion options are used. Additionally, companies are doing a better job at detecting and blocking IP addresses performing password attacks. Proxycannon is a tool that allows pentesters to spin up multiple servers to proxy attempts through to bypass some of these detection mechanisms. Links: Nmap Evasion Options - https://nmap.org/book/man-bypass-firewalls-ids.html ProxyCannon - https://www.shellntel.com/blog/2016/1/14/update-to-proxycannon…
It is fairly common for pentesters to discover Cross-Site Scripting (XSS) vulnerabilities on web application assessments. Exploiting these issues potentially allow access to a user's session tokens enabling attackers to navigate a site as the victim in the context of the web application. In this episode the hosts Beau Bullock (@dafthack) & Mike Felch (@ustayready) demonstrate how to exploit a XSS vulnerability to access HTML5 local storage to steal a cookie. (Sorry the camera video feed froze at 9 minutes)…
After getting a shell on a server you may or may not have root access. To gain privileged access to a Linux system it may take performing more analysis of the system to find escalation issues. In this episode of Tradecraft Security Weekly Beau Bullock (@dafthack) provides a methodology for performing various privilege escalation techniques against Linux-based systems. Full Show Notes: https://wiki.securityweekly.com/TS_Episode22…
In this episode of Tradecraft Security Weekly, Mike Felch discusses with Beau Bullock about the possibilities of using framesets in MS Office documents to send Windows password hashes remotely across the Internet. This technique has the ability to bypass many common security controls so add it to your red team toolboxes. LINKS: SensePost Blog - https://www.dropbox.com/s/hmna48mc6qodlrw/TSW%20Episode%2021.mp4?dl=0…
Google provides the ability to automatically add events to a calendar directly from emails received by Gmail. This provides a unique situation for phishing attempts as most users haven't been trained to watch their calendar events for social engineering attempts. In this episode Beau Bullock (@dafthack) and Michael Felch (@ustayready) show how to inject events into a targets calendar using MailSniper bypassing some security controls that Google has in place. Links: Blog Post: https://www.blackhillsinfosec.com/google-calendar-event-injection-mailsniper/…
When pentesting web services or an application that leverage XML files, XML External Entity (XXE) attacks are a great way to start. By injecting an XXE into a well crafted XML payload before it's sent to the server, a penetration tester can trick the parser into executing other actions that the developer never intended. This can lead to reading local files, server-side request forgeries (SSRF) or even gaining remote code execution (RCE). To help penetration testers, Beau Bullock (@dafthack) and Mike Felch (@ustayready) cover a few different methods to attack XML parsers in episode 19 of Tradecraft Security Weekly. Links: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet…
Domain fronting is a technique used to mask command and control (C2) traffic. It is possible for C2 channels to be proxied through CDN's like Cloudfront to make it appear like normal Internet traffic. It is very difficult to detect and block for defenders as it appears as if clients on a network are connecting to valid CDN domains. But, in reality it is transporting a command and control channel. In this episode of Tradecraft Security Weekly Beau Bullock (@dafthack) is joined by Ralph May (@ralphte1) to talk about what domain fronting is and how to set it up using Cloudfront and PowerShell Empire. Full Show Notes: https://wiki.securityweekly.com/TS_Episode18 LINKS: https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/ https://signal.org/blog/doodles-stickers-censorship/ https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/ https://trac.torproject.org/projects/tor/wiki/doc/meek http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/…
If you are a penetration tester password cracking is something you will inevitably do. On most engagements we typically don't have months on end to crack passwords. In an effort to help be more efficient in your cracking techniques Beau Bullock (@dafthack) describes various ways to streamline your approach to cracking in episode 17 of Tradecraft Security Weekly. LINKS: Beau's blog post on password cracking - http://www.dafthack.com/blog/howtocrackpasswordhashesefficiently Hashcat Hash Examples - https://hashcat.net/wiki/doku.php?id=example_hashes…
There are a ton of modules in Metasploit that are extremely useful for performing various attacks post-exploitation. But sometimes there are external tools that you might want to use that are not included in Metasploit. It's possible to proxy other external tools through a Meterpreter session using a module in Metasploit and proxychains. In this episode Derek Banks (@0xderuke) and Beau Bullock (@dafthack) talk about how to pivot external tools through Meterpreter sessions and demo how to dump Kerberos tickets using this method. LINKS: BHIS Toast to Kerberoast Blog - https://www.blackhillsinfosec.com/a-toast-to-kerberoast/…
Session management in web applications is extremely important in regards to securing user credentials and integrity within the application. Sometimes session tokens can be predicted provided the overall randomness is weak. If this is possible a remote attacker may be able to compromise the session of an authenticated user. In this episode of Tradecraft Security Weekly both Beau Bullock (@dafthack) and Mike Felch (@ustayready) discuss the issues associated with creating session tokens with weak entropy.…
Velkommen til Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.
Slut dig til verdens bedste podcast-app for at styre dine yndlings shows online og afspille dem offline på vores Android og iOS apps. Det er gratis og nemt!