Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
And we're back with another amazing episode of Security Happy Hour coming right at you, and I am the Cyber Warrior.
This is Cyber Warrior Studios, and I know you're all here, you're all ecstatic, you're all ready to get started with your weekend, and what better way to get started than right here, right now, tonight, because that's how we do.
I promise, if you hang out for just a little bit, as always
(00:25):
I'll be right back. And I'm back.
And, yes, you'll notice my guest this evening is missing.
He's a little MIA.
He might be running a little bit late. Trying to get ahold of him, but that's okay.
We're still going to talk offensive security, because
(00:47):
that's what this show is all about today.
But, without further ado, let's discuss it a little bit while we wait for Phillip to get here.
Before we do, hold on, let's see if the bottle has the same sound as the can.
I doubt it, but we're going to try.
All right, close enough.
That's a kickoff to Security Happy Hour.
So I say that because I don't know where Phillip's at.
(01:08):
I messaged him on LinkedIn and hopefully he gets here soon.
But as we go about things and we look at offensive security and we look at the ways to get into the field and all the different things that go about it.
I got to ask, and I ask people all the time.
So I want to hear in the comments. I do, I want to know
(01:29):
All right, hey, what are your questions about offensive security?
Because when Phillip gets here we are going to inundate him with a ton of questions, all right, so I want them there.
The other thing is, what are your opinions on red team, offensive security and things of that nature?
Because when I think about it I have my own outlook.
(01:50):
I've been a pen tester, I've been on red teams, I've been on blue teams, I've worked very closely with GRC teams, so I have a vast array of experience in all areas.
I've just never been fully ingrained in GRC. Blue team, red team all day; GRC not so much.
(02:10):
So I can answer a lot of offensive security questions, but I would like to know your thoughts and opinions on offensive security, team red attack.
"Go forth and break down the barriers." Yes, you nailed it, that is what it is.
It's go through and screw it.
Let's just break it all down.
Let's get in any way we can.
(02:31):
Let me put this up real quick.
There we go, and I'm going to yell out Phillip for being late.
That is, my beer overflows.
Welcome all newcomers.
Did I really put that up?
Oh, you're awesome, Andrea, I didn't even know.
(02:52):
I shared that. "I am interested in red team." Does it mean, hold on, wait, "I am interested in becoming very bad"? Does that mean I am interested in red team?
It really depends.
I mean, as long as you're doing it legally, then yeah. If you're doing it illegally, that means we have to have other
(03:14):
discussions, not on air, where everybody can hear. "What does offensive mean to you? What is red team?"
Oh, I love that question.
So offensive is, I don't even want to say ethical hacking, because hacking is a mindset.
Well, hackers, hacking, it's a mindset.
(03:37):
Offensive is breaking into things, it is doing things in such a way that you are exploiting weaknesses, vulnerabilities, things like that.
And it could be physical, it could be social engineering, it could be, you name it.
(03:57):
There's a ton of different things.
It could be software vulnerabilities, coding, a bunch of things go along with that.
So that's offensive, it's attacking, it is being on the offensive.
It's a straightforward meaning. Red team versus pen testing is a whole different can of worms, because when you
(04:18):
look at a red team, and this is my opinion and other people may have a different opinion, and actually Phillip has showed up, he's here, so there he is. What's going on, Phillip?
You're a little bit late today.
Man, you're killing me, Smalls.
Speaker 2 (04:35):
Sorry about that.
Yeah, I had a call from someone and I didn't want to be rude and get him off the phone, and then I'm joining from the road.
I'm here for BSides San Antonio, teaching a web app pen testing workshop.
So having to use my laptop, using... I know the pain.
Speaker 1 (04:54):
I know the pain.
Speaker 2 (04:56):
Using my janky gear.
Speaker 1 (04:57):
Actually, I'll be doing that next week at New Jersey Cyber Fireside with Alex Wainstrop. Wainstrop, I forgot how I pronounce the last name, but Alex, he started it back during COVID.
It's his fourth year doing it, so I'll be going up there and doing a live show on the next, I believe it's actually this Tuesday.
I want to say it is the 13th.
So, yes, there will be two Security Happy Hours next week:
(05:20):
one live from a conference and then one next Friday.
But anywho, Phillip, since we have a question up here already, I'm going to finish addressing this red team versus pen testing, but then I want your take on Griffin's question and I'll flip you to the top once we get to that point, because it's on your face right now.
Speaker 2 (05:39):
Yeah, that's, yeah, one of my biggest pet peeves working in offensive security, when you know the difference, yup, and you hear someone using it wrong.
But I mean, it's just a matter of just generalizations, because some people call all defensive stuff blue team and some people generalize all offensive as red teaming, when red teaming is
(06:00):
actually more adversary emulation.
So you're saying, yeah.
Speaker 1 (06:05):
That's what I was going to get around to is, you know, pen testing is using the tools, being loud and obnoxious and just trying to see if there's any vulnerabilities that you can get into.
The point is to get caught.
You want people to see you.
And then the red team is you're trying to be more adversarial, you don't want to get caught.
You want to be as quiet as possible, you want to be able to
(06:26):
use tools as minimally as possible, you don't really want to trigger signatures and you're trying to see if you can bypass things.
So that's my take on red team versus pen testing is one is quiet and adversarial, one is I'm just going to be loud and obnoxious, find the low hanging fruit or as many holes as possible in as short an amount of time as possible.
So that's my take on the two.
But I'll let you address this question while I got you here.
Speaker 2 (06:50):
Yeah, the difference is with a pen test you're looking for all the vulnerabilities that can be exploited, and exploit them.
With an adversary emulation or red team, you're going in trying to emulate a real world threat actor.
So you're going through, and with red teaming you're going to
(07:13):
leverage things like phishing and social engineering, even some physical security assessments.
But with the pen testing, and they're both important, because if all you did was red teaming, your company needs to be mature, your security posture needs to be mature before you move to doing the red teaming.
Because with a pen test you're trying to find all the exploitable
(07:34):
vulnerabilities and exploit them and see what you can do.
From that, a red team operation, you're going to look at one or two ways in, emulating an APT or just coming up with your own type of attack path.
And you hear a lot of times about people maintaining access.
This is really where you use that more, in the adversary emulation or red teaming, trying to maintain access, trying to
(07:56):
be quiet, trying to go undetected.
So you're also testing the detection capabilities of the people and the systems.
The founder of Dallas Hackers Association has one of the best descriptions, the most simple that I can think of: the red team tests the blue team.
Speaker 1 (08:14):
And that's what I was going to get to, because someone said something about purple team here in the comments somewhere and I'm sure I'll address it, but I want to address it now.
In your opinion, what do you feel brings more together a purple team: a pen test with a blue team, or a red team with a blue team?
So, if you were trying to be quiet, that's more testing the
(08:37):
blue team, and you should be able to say, hey, do you see this?
Do you not see this?
Or do you find more penetration testing, running the tools and being like, hey, if you see this, like this is what I'm doing.
These are the logs that you generate.
Are you tracking it?
Are you catching it?
So which do you feel fits more into a purple team engagement?
Speaker 2 (08:56):
I kind of think more of the pen test team, because you're going to not use as many of the tools, I would think, as a red team would, because you're trying to execute everything, whether it's noisy or not, to see if it's detected.
Because, for instance, you don't need to be able to run Mimikatz on a system, and a lot of times people are running red team exercises, they're not using some of those tools.
(09:16):
So I think it's kind of good to use, you know, kind of like the pen test team to execute those, and it really doesn't have to be the one.
Because whenever I was a red team lead at a global consumer products company, we did some pen testing and red teaming.
But during our red team or purple team exercises we brought people on or had the blue team trying to see if they could
(09:39):
detect what we're coming up with, what we're testing.
And it's very important you do that, because I used to work... I did a pen test one time for a company, and the CISO I knew there was really sharp.
They had a lot of tools and stuff, but they didn't have things really refined enough to catch stuff, because there was just so much noise they missed stuff.
So we were going in there.
We had, we're down, we had, it was kind of like a full scope
(10:03):
pen test.
They were kind of wanting us to try to go undetected.
We got in there and we were running so short on time I was running Nessus scans, Nmap scans, running Responder, running them all.
Yeah, just like a network Armageddon, and I wasn't even detected.
I wasn't even detected.
Speaker 1 (10:21):
So that's crazy.
And the weird thing about that is, so, when I look at it, right, and because you've been doing the red team thing longer than I have. I did it for a little while.
I had studied it for a while, got into it for a little while and then moved out of it and got into more consulting.
What do you think gives? Do companies give a longer range of time, a red team
(10:42):
engagement or a pen testing engagement?
Because from my experience you usually get about a week for a pen test, maybe two weeks if you're lucky, and then two weeks to write a report.
I've never been able to do a quiet red team assessment, just because the companies I've dealt with, they weren't ready for it.
There was no way that we could, you know, sell that to them.
(11:03):
It just made no sense.
Your security was not in the right spot.
Speaker 2 (11:06):
Yeah, to do those right you need more time, and just a good example is Jason Haddix just went to work not long ago for BuddoBot.
They're a company that specializes in red teaming and some of their engagements are year long, and that's really when you're getting more into emulating a real world threat actor.
They're trying to be quiet.
They're doing this for days, months.
They could be even in there years, because, like one of the
(11:27):
video games that was hacked, that they were hacked by China and they were farming credentials or farming stuff from that environment.
They were in there for years before they got caught.
So you're trying to emulate a real world attack and you're wanting to try to be quiet and trying to use some of the tools that more mimic what the real world people are using, the
(11:48):
threat actors. And one of the things, if you look at like ransomware or some of the stuff these ransomware gangs are using, or tools that you need to kind of test in your environment, because, you know, they're depending a lot on the living off the land binaries and tools that are installed and different resources that are installed by default in systems that you see, without having to throw off,
(12:09):
you know, throw red flags by running Mimikatz or Metasploit.
Speaker 1 (12:13):
You too, baby. You too.
It is an amazing tool.
Actually, I thought about that one.
I found out about that one, I think, like a year or so ago.
They were like, you start you too, because I was trying to work on something and I was like, what do you mean? You start you too.
And then you do a little bit of research and it's like, oh, it can download an entire payload and do all this stuff.
I was like, oh, my God, this is so bad.
Speaker 2 (12:33):
Yeah, it's pretty crazy what all you can do with that.
And it's kind of funny, going back years ago through like a vulnerable VM, there was, like there used to be a version of Nmap that was exploitable, that you could use it kind of like a LOLBin, pretty much.
Speaker 1 (12:48):
I still, I still use that version of Nmap, because it has the dashy for execute.
It is an older version.
The newer versions, they got rid of the dashy.
You can't execute a binary or any .exe or any command with the newer versions of Nmap, which kind of sucks.
So I have to always go out there, find the older versions and use them.
But I do have another question here, and then we're going to
(13:08):
let you talk a little bit about the Phillip Wylie Show, give a little bit more of an introduction about yourself.
But Griffin Infosec, which was a follow on to this question: how about the ethics when it comes to being offensive?
And there's a lot of ethics that go into it, because there's a lot of things you can find.
But I'll let you address this.
Speaker 2 (13:25):
Yeah, you definitely need to be ethical about it.
When you mean being ethical, you know, one of the things, if you're a pentester, you're making sure you're staying within the scope and the rules of engagement.
As far as doing things on your own, you want to make sure you're being careful with that, because if you're doing bug bounties or those sort of things, or maybe you find a bug on someone's website, make sure you're reporting those
(13:46):
responsibly and staying within scope.
That way you don't get in trouble.
But yeah, you just want to make sure you're ethical.
Another thing that I think helped me, because I come from a sysadmin background, so I knew if I went in and blew up someone's environment, some poor dude was going to, or a woman, is going to have to go through, reinstall their OS, you know, restore it from backup.
Speaker 1 (14:10):
Rebuild the Active Directory infrastructure, because I've been there before. I had that stuff break and you just kind of have empathy for them.
Speaker 2 (14:16):
You don't want to.
You know, and one of the things too is, you know, when you're finishing up the pentest, make sure you document any backdoors, any accounts and stuff you have, or any tools you installed, where they're at, so they can do a proper cleanup.
Let them know that, because when you do that you're going to get return customers.
If you're ever working as a consultant, you get paid your bonus on billable hours and you want to be the one
(14:39):
that they ask for back.
And so you want to make sure that you're not disruptive, you're not overdoing the scanning speeds on masscan or something, causing disruption.
Speaker 1 (14:49):
Making sure not to use any of the DoS modules in Metasploit. Yeah, definitely, and not just that, but I think it comes down to, you know, even as a pen tester, you should be trying your best to clean up your own tools, clean up your dirty work, 'cause you don't want to leave the holes there for somebody else to get into.
You know, especially if you're testing things like ransomware and WannaCry and things like that, you don't want to leave
(15:11):
those payloads there that an actual ransomware group would go out there and be able to utilize.
So I do know there's like Metasploit modules out there and stuff like that that allow you to test for these things.
You don't want to leave the .exes there.
You really don't. Just saying, yeah, bad idea, yeah.
Speaker 2 (15:30):
'Cause the bad thing, you leave that and then someone else, with, you know, a threat actor comes in, they got access to it.
You're leaving the company vulnerable.
I heard a while back, it's been probably last year, I listen to the Black Hills podcast a lot, and they were talking about how they've had, they've done, engagements behind someone else and found that someone had a shell open running there for who
(15:51):
knows how long.
Speaker 1 (15:54):
All bad things, all bad things.
So I got about six more starred comments here.
But before we get into it, because I gotta say I'm excited for you, I am, I am utterly and completely excited for you for the new show, because you're going out on your own, you're, you're separating yourself from others' control.
As good as, you know, ITSPmagazine has been to a lot of
(16:17):
podcasts.
How's this? You've made the decision to kind of go out, market yourself and go out on your own.
So give us a little rundown about kind of, you know, what the Phillip Wylie Show is going to be and, you know, what it means to you and why you're doing it.
Speaker 2 (16:31):
Yeah, and just to go back to, say, back to ITSPmagazine, they're doing a great thing.
They've given people a lot of opportunities to start in podcasting.
So, like for me, the first podcast I did over there was with Alyssa Miller and Chloé Messdaghi.
We did The Uncommon Journey, and then it was, you know, trying to coordinate. You know, it's enough to try to coordinate one schedule and a
(16:54):
guest schedule to get on your show, much less three people and a guest.
So they reached out to me about doing my own, and it's been good and it's been a good experience.
But one of the things I kind of thought, and at the recommendation of some others that are much more successful than me in content creation and podcasting, even when I was on David Bombal's show, he told me I should do my, do my own thing,
(17:17):
and part of that is it builds in more seamlessly with my brand.
I do workshops and I've done streaming before.
I was running the Pwn School Project and these are just things I can do all seamlessly under one brand, and it's not confusing. If you're doing this, what is this? And people don't know what you... And it just makes it easier for people to find you, and the recommendation was even just use my name to make it easy to find.
(17:38):
They said, do you want to build a brand you're trying to resell or do you just want to build your own brand?
I said I just want to build my own brand.
I'm not really concerned about, you know, creating this different thing, because I've done that with Pwn School and other things.
So, so yeah, it's.
One of the things I want to do too is I'm going to keep some of the same formats where I like, when you're on the show, I interview people, ask them their background, advice on how to get in, their thoughts on
(18:01):
certifications, degrees and coding, that stuff.
Those are really similar shows in those formats.
But I wanted to also expand where I have some episodes that are more technical in nature.
I had someone on that created this project called Pone Cube.
I had him on ITSPmagazine's The Hacker Factory, I do for ITSPmagazine, but I want him to get on and talk
(18:21):
about his project.
So, a vulnerable Kubernetes install so you can practice pen testing.
Speaker 1 (18:27):
Oh yeah, oh, my old boss, my, the owner of my old company, would like, love that.
I got to send it to him so he knows about it.
Because that's, that's utterly amazing, because I haven't seen that yet.
I've seen like vulnerable Docker containers.
I've seen pwn machines and labs, not with Kubernetes.
So I'm going to have to send that.
(18:47):
Do me a favor in the comments, if you're, if you're on YouTube and can leave a comment, drop a link to there.
Also, send it to me on DM.
I want to send that to my old boss or my boss's boss.
Speaker 2 (19:01):
Okay.
Speaker 1 (19:02):
The last company I worked for, because he does all Kubernetes and cloud and everything. I want to, I want him to listen to that one, because that'll be a.
Speaker 2 (19:08):
Yeah, yeah, I'll send it to you.
But yeah, it was a good episode, because it's interesting, the story of the person that did that, Kenny Parsons.
He used to be, he was like a project manager and he had kind of like an IE background and he left.
He was working at SES Solutions.
He went somewhere else.
I think he was a project manager for them, but he got more into the technical side of things, got into containerization and, and all that.
(19:29):
So he's spoke at our DC940 meetings a couple of times, he's done Docker talks, and, and so, any rate, he came up with that.
But another thing is too, like, during, on ITSPmagazine, for The Hacker Factory, I had harmj0y on.
Oh yeah, he was sharing about some of his research and it
(19:53):
really didn't fit into the format of the show.
But I'm going to have more stuff like that.
Okay, coming on, talk about their tools.
I have the creator of Trickest.
Speaker 1 (20:04):
So one of the ones I would suggest, if I, and I'll see.
So I think he shut down his project, because I'm not in a Slack anymore: Lee Baird, who had created the bash script for the Discover tools.
So I don't know if you had ever used the Discover script.
I don't know if you've ever heard of Lee Baird.
Speaker 2 (20:22):
I've heard of Lee Baird.
Speaker 1 (20:23):
Yeah, I was in his Slack channel for a while, helped him out a little bit along the lines of his Git repo or things like that.
But I never really understood open source coding in the form of, like, git pull and pull requests until I worked my last job.
So I wasn't able to really. I'm on, I'm doing my show, I'm going to talk to your mother, so
(20:45):
I wasn't able to do all that.
Speaker 2 (20:47):
She's probably in the garage, Bryce. Word with your mother.
Speaker 1 (20:50):
Right.
So I wasn't able to do all that, and so I don't know if it was just like, well, he's not helping anymore, or if it was, you know, whatever, but, but either way, he'd be a great person to have on, because his Discover scripts are fantastic for the open source intel, like that type of offensive security, your, your
(21:13):
initial recon and things like that.
Speaker 2 (21:15):
Yeah, speaking of Trickest, they have a really cool platform where they automate workflows, because Nenad, or, if I, guys, I may be butchering his name, but anyway, he was a pentester and he still does bug bounties, so he was automating his workflows, and this is not just these scripts.
He came up with a GUI interface to set this up, so it's a
(21:35):
really cool tool.
But another, another one I wanted to have back on, because they had Jeff Foley, the creator of Amass, on The Hacker Factory, but I want to have him back on to talk about Amass and reconnaissance and attacks, so it has gone above and beyond what they were originally designed to do.
Speaker 1 (21:54):
Because now, correct me if I'm wrong, and then I want to get into this question from Peter Lee, but Amass, when it was originally created, was just supposed to be like a mass scanning tool where I could like scan the entire internet in, like, I don't know, less than a day. It was like maybe less than an hour even, how quick it was designed to do these scans, and
(22:18):
now it is an almost full fledged like pwn suite where it'll find a ton of shit and in little time compared to like, say, running Nmap across an entire, you know, internet scope.
Speaker 2 (22:35):
Yeah, it's originally a reconnaissance tool, but it's really turned into a full fledged attack surface management tool.
Speaker 1 (22:40):
Yeah, that's, and that's, that just amazes me, because I loved what it was and then I went and looked at it and was like, holy shit, what is all this?
Speaker 2 (22:50):
Yeah, it's pretty cool.
There's some companies that are using that for some of their, their products, using that as a background, as one of the tools.
Speaker 1 (22:58):
Yeah, definitely.
So we got Peter Lee.
I'm gonna throw this up.
"Do you find that offensive has been too glorified and getting inundated with new people?"
Speaker 2 (23:08):
I think it's, it seems super attractive, it is glorified.
People, in some cases, people don't know about other areas of cybersecurity.
So this is the only thing you're really hearing about if you're outside, and I'd say if you're not in IT or security, then the only jobs you hear about, they always think about ethical hacking.
So I think there's a lot of people trying to get in and get
(23:29):
the job.
So it's one area, because it seems fun and everyone wants to do it.
So I'd say, in my opinion, I think you're probably gonna get a lot more people trying to get those roles than maybe some of the other areas, because it seems sexy and fun.
But whenever, and not to discourage anyone from doing it, but a lot of times people don't realize you have to write reports.
Sometimes you have to work some really messed up hours.
I had an airline that I used to test when I was consulting and
(23:53):
I had to test between 6pm and 6am, and I would be on site out of state like two weeks in a row.
So I had to get all that wrapped up.
So a lot of times I was spending 12 hour days.
Some people, that doesn't bother; but some people it does, and so those are some of the things, writing reports.
Sometimes, when you're doing the debrief with the customer,
(24:13):
where you're reading the report out, sometimes they get offended, because sometimes you got these Linux administrators that this is their baby and they don't believe this is vulnerable and it can't be.
But you show them. You have to make sure you really document this stuff well.
Speaker 1 (24:28):
It's Linux.
It can't get any malware or get breached or anything.
Speaker 2 (24:32):
And then you got people that's like, don't, they don't want to report, they try to negotiate the risk of it, try to talk you out of it, try to talk you out of things on the scope of the pentest and negating the real reason for a pentest.
You want to find the vulnerabilities.
We're not trying to eliminate stuff and trying to give you a nice looking report that doesn't accurately depict your environment, because you need to remediate these things to
(24:54):
prevent a breach.
Speaker 1 (24:56):
And that's been the biggest thing for me, right? Is when I look at it, and when I was doing pentesting and stuff, listening to some of these scopes.
Some of these scopes would do one of three things.
They'd either eliminate the production environment and like only use test and dev, or they'd eliminate test and dev and like only do the production environment.
I'm like, if I can access any of those through your network or
(25:19):
through the outside, you might want them tested, because, guess what?
The attacker doesn't give a damn if it says test or dev, that's probably the first one they're going to go for.
And then, on top of that, if you have a link between test and dev to production, well now I'm just going to run ham, because test and dev is going to be production, or at least it
(25:41):
should be.
Speaker 2 (25:42):
Yeah, so it's rough.
A good example of that is one time I was doing external pentests, back when I was still consulting, and through a SQL injection vulnerability I was able to get command line access.
They had xp_cmdshell enabled on the server.
I was able to get on there, dump credentials.
This is back in 2014.
Speaker 1 (26:01):
So was it really running Server 2000?
Speaker 2 (26:06):
Probably, I don't remember, but I was able to get on there, dump that password hash and crack it with John the Ripper in less than 20 minutes using like all the default stuff, and now it would take you, back... It's 30 seconds, and so it's "password", all lowercase, and the number one.
And whenever I submitted the report to them they said, oh, we knew about this.
It's a development environment.
(26:28):
I got into that from the internet.
I am sure that you're not segregating that off from anywhere else.
So if this had been like a network pentest, then I could have pivoted to other servers, but it wasn't.
I was following the rules of engagement and staying within scope.
But this is some of the cases there.
And then, when you mentioned if it connects on the same network,
(26:48):
a lot of times too, you got to look at, if they got, how many times are people's dev environment identical to prod?
They're going to update or fix something here and they don't fix it across.
Everything is to be tested, and I really don't like the idea of doing a sampling of an environment, because how are you going to guarantee it's all the same if you're sampling 10 percent of it?
I guarantee it's not identical.
(27:10):
So that's just.
Speaker 1 (27:11):
Yep, and you're going to have different software.
You're going to have different things.
You're going to have different patches and updates.
Maybe somebody didn't reboot their Google Chrome that day, so now I've got a Chrome vulnerability that I can exploit.
Or they didn't, you know, they didn't update something else.
Or, hey, I know you said to restart my computer, but you give me a month.
I'm going to wait my month and it's just not going to happen.
Like, these things matter, and if you're not willing to test it
(27:35):
and test your entire environment, there's an issue, and that's been my biggest issue with offensive security.
And one of the reasons I'm happy not to be a pen tester anymore is because I got tired of the check-the-box attitude behind these engagements of, look, I just need something to give my auditors.
Can you please just go do this for like five grand?
(27:56):
Like, for what?
Like, no, like.
That's a vuln assessment.
That's me running Nessus and saying, here you go.
That's really all it is.
So that's the way I look at it.
It's just, it's.
Speaker 2 (28:11):
I'm so glad not to be a pen tester anymore. It's interesting too, because there's, there's a guy that is really well known.
He's a SANS instructor.
I'll think of his name here in a minute, but he started out as a pen tester and he got burned out on it, because he'd perform a pen test, he'd come back next year, and no remediation was done, so he felt like he was wasting his time.
If you're not going to fix it, I'm wasting my time.
(28:32):
So he went into just doing digital forensics and he's happy there.
Speaker 1 (28:36):
He's teaching stuff for SANS. It might be Ted Demopoulos.
Ted Demopoulos is one of my instructors for one of my courses, so they can be.
I don't know.
I've taken like eight SANS courses, something like that.
Speaker 2 (28:47):
I don't know, I forget how many, so trying to think of his name, because he runs... Yeah, it's, it's.
He's local here to the Dallas area.
I can't think of his name at the moment, but he, it'd be Ted.
No, it's not Ted, yeah.
Speaker 1 (29:01):
No.
Speaker 2 (29:02):
Okay, it's not Ted.
I know Ted, but no, I said different guy.
Yeah, it's David Cowen.
Speaker 1 (29:07):
Never had him.
Speaker 2 (29:08):
Yeah, David Cowen.
Speaker 1 (29:09):
I've had, I've been through anyone who came up to like the military, Army, to teach their SANS courses.
I met, like, Mark Baggett is amazing.
You ever want to learn Python? Talk to Mark Baggett.
That man will put you through the wringer, and I have been able to send that man code and, like, what am I missing here?
And he'll be like, oh, you forgot to do a return.
(29:30):
Fuck, okay.
Like, genius dude, I love him.
When it comes to scripting in Python, that dude knows his shit.
Hands down.
I do have a comment here from "not applicable". Not applicable, I love it.
"I like that. I would like to do all sort of stuff. I have
(29:50):
enrolled in school, but I feel like they are teaching nothing about bad stuff."
I would like to know, and I hope you comment later on down, because I got to get all the way down the stream, I want to know what do you mean by nothing about bad stuff, 'cause that's all I was taught.
Going through certifications and trainings in school was
(30:12):
hacking.
That's all I ever learned was the offensive side.
I don't know, Phil, what about you?
Have you learned anything other than the offensive side in any of your trainings or anything you've done?
Speaker 2 (30:23):
Yeah, it's like this. Well, I think when you're trying, if you're going to a college, it's kind of difficult to find the offensive stuff. They may offer one class and sometimes it's based on the CEH or something like that, but I think there's not enough offensive stuff in the courses. And then sometimes not to rag on the teachers. But if you're looking you can look at a lot of different courses and if someone but there's certain courses you
(30:44):
really need someone that's got a background in it to teach it. You know digital forensics, pen testing, you know some of the firewall stuff. People can learn the content and teach it. But you know, I think you really need to understand the area of work in it to be able to explain to the students and show them some different things. And go outside and just the textbook or whatever training labs you have.
(31:04):
But a lot of cases for your good training you've got to go outside of the colleges. I mean, it's what they teach in the colleges is good stuff. But when you get into the good, into the weeds, hands-on stuff, a lot of times you've got to find something outside with the college to learn from.
Speaker 1 (31:23):
Yeah, even me, going through my master's program I dealt with that. So my very first intro to cybersecurity class is a master's program, which why there was always blows my mind. Why there's an intro to cybersecurity class in a master's program to this day will always boggle my mind. But my instructor was like oh yeah, I worked for all these three letter agencies and done all this stuff and me and her
(31:44):
went rounds because of the one day I said, hey, look, so I'm looking if I have an IDS and IPS. I said you got an IPS in line. It's blocking all traffic and I'm an attacker and I'm getting stops from being able to do anything. Will I not know that there's an IPS in line that's stopping me from doing this? Her response every time was it depends on how much money you
(32:07):
spent. I got in that. She ruined my 4.0, as I was. I never finished my master's because they PCS'd me. But she ruined my 4.0 because I taught the class out in the smoke pit. I'd go smoke. Everybody would come out there. I'd tell them about firewalls and all the other bullshit that goes around with security. But when I wrote my paper she gave me a bad grade because she
(32:30):
must have read my review prior to and knew it was me because I was the only one that had the balls to stand up and like she doesn't know a damn thing. And she knew that because I was the only one to argue with her.
Speaker 2 (32:42):
Yeah, that's-.
Speaker 1 (32:43):
And so I got a bad grade.
Speaker 2 (32:44):
That's the case a lot of times is students come in here. It's like that's kind of like another. I won't call it, would never mention the person's name, but there was some other professor teaching another campus while I was teaching my class. You know, I was the one that started teaching the pen testing course there. He was teaching some other stuff like A+, Network+, maybe Security+, and all these people were coming to
(33:06):
class. My wife actually had him and before I even started teaching he was talking about how this guy would go on and on about himself, how he's such a ninja that you know he does pen testing, he's got a company doing pen testing, and then here's all the stuff he's talking about. And what's kind of funny is I kind of knew the guy was, didn't know what he's talking about because I looked at his LinkedIn profile, was able to figure that out pretty quickly.
(33:27):
But I was in class. I remember like the first month of my class. Dr So-and-so is so good, he does this, this and all this. You can't hack his system because he does this, this, this, going on and on again. But by the end of that semester they thought that dude didn't know what he was talking about. They just kind of seen and I wasn't trying to disprove him,
(33:47):
but they heard what I was lecturing about and what I was showing them demonstrating. Based on what they hear from him, they kind of found out the guy was full of hot air.
Speaker 1 (33:55):
Oh yeah, I mean I even had that, even going through CS courses, like you'd have people come in and be like oh yeah, no, no, no, no, and I kid you not. So I was in a class, for I think it was the GCIH. I want to say it was the incident handler, so it might have been just one of the regular hacking classes without a certification I forget which one, but we had warrant officers,
(34:17):
we had majors and, you know, lieutenants and captains and a bunch of people that weren't actually going through the MOS training. They were just there because it was a SANS course and they were allowed to take it and by the time the first two days was up, I owned everybody's computers for the most part, I'd say probably about 75% of the computers in the classroom I had
(34:40):
full control of. And I had this warrant officer come up to me and his I want to say his buddy, was either a major or maybe a colonel. No, not a colonel, Lieutenant Colonel. So it was either Major or Lieutenant Colonel, I can't remember what it was. He came up to me and he goes what the hell are you doing? I said, oh, you see all these red little lightning bolts, 'cause I was tired of using Metasploit.
(35:00):
I started using the GUI for it and I can't remember the name of it.
Speaker 2 (35:03):
Armitage, yeah, Armitage.
Speaker 1 (35:05):
So you saw the little red lightning bolts and it was like, what are you doing? I was like, oh, you see all these. Yeah, I own all of those computers.
Speaker 2 (35:13):
Did you do a hell of a thing. It was like huh, did you do a hell of a thing.
Speaker 1 (35:16):
No, didn't have to. They all. They set all the default passwords to the exact same thing, and people in the class that you're going for cybersecurity that have all these offensive tools on them. These assholes didn't change the default password.
Speaker 2 (35:31):
Oh, wow.
Speaker 1 (35:32):
So I literally went in and just was like and you're mine, and you're mine, and you're mine, and the warrant was like you don't have mine, do you? I was like nah, you were smart enough to change your password. I didn't. And I don't feel like going through trying to figure it out right now. So fuck it, I don't care. But there was a kid in class that literally would always on
(35:52):
Facebook and doing other stuff. He was failing a class, but he was also on Facebook all the time doing all this other shit. I'd be looking at his monitor as he's doing things. I'd close out of his browser, he'd open it back up and do it. I got tired of it so I just started shutting out his computer and he literally look up like what like, and you're done. If you started to back up, go on Facebook again and you're
(36:14):
done. Started back up, get on, that, you're done. I do that shit all the time, just for shits and giggles. But that's the beauty of the offensive, especially in a classroom environment, you can do that type of shit. I had been studying it for years by that point, so I was literally just looking there, going fucking with tools, just having my final people A. Adrienne does have a question.
(36:35):
Can OSINT be a career path all on its own?
Speaker 2 (36:41):
Yeah, I would say so. People are doing it, using it for different areas. I mean collecting information on people. Yeah, I.
Speaker 1 (36:49):
Would. I would say so too slowly, because when you're looking at things like the FBI, when you're looking at PIs, when you're looking at all these other you know areas even if it's not a you work for a company you can start your own company and OSINT because then you sell that data to or give that data to private
(37:11):
investigators and the FBI and your local PD and things like that. They call you in and pull you in on a contract to be able to do these certain things because they don't have the, the manpower or the time or whatever to be able to do it. So I agree, I think OSINT definitely has its frame and its ability to really I think it has its specialty to really just
(37:33):
just go, because not everybody can do it.
Speaker 2 (37:35):
Yeah, I'd say one of the things too that I've seen over the years too, because you know some of the the narrow scopes of PCI pentesting a lot of pentesters really don't believe in.
Speaker 1 (37:46):
You said PCI.
Speaker 2 (37:47):
Yeah, how has kind of hurt the industry is. There's a lot of pentesters that don't do OSINT and I've done pentests where before that, like the one I was mentioned, it was a full scope pentest. I was running all the tools and no one detected anything like what I was doing. The external pentest, you know, I found all the network blocks, domain names, did subdomain enumeration and then I went back
(38:10):
and used Shodan and I went in there, found that they had like an FTP server in Indonesia that wasn't coming in with network blocks. Just so happens, the little login warning banner that is on the FTP server it's like any other system you log into had the name of the company. That's how it was found. So if I had done OSINT then that would have been uncovered.
(38:30):
You know this is a FTP server using clear text authentication across the internet.
Speaker 1 (38:36):
Yeah, and and OSINT is one of those things I learned about that. You know. It's one of those things you learn for a while and don't realize you know it. I've actually got a friend in chat right now her name is Amanda that is very good at finding all types of information and you know those things that the FBI wishes they could do. That's awesome. I'm just saying, like her ability, I'm just trying to get
(38:57):
her through the technical aspects of it so that she can actually get a job in it. So, yes, Amanda, if anybody wants to hire someone that knows OSINT and able to dig up dirt on anything anybody anywhere go to her. She's fucking amazing.
Speaker 2 (39:13):
Don't make, don't make Amanda mad.
Speaker 1 (39:15):
No, don't do it, don't do it.
Speaker 2 (39:17):
She'll find her dirty laundry oh yeah, all of it, let's see.
Speaker 1 (39:22):
So I got a question here and I'll bring up false ranges because you know it's you're my guess it's your chef. If I want to start off in GRC, is there a particular way I should lean towards, i.e. offensive, defensive, pen testing, etc.
Speaker 2 (39:39):
For me. I'm not really experiencing this area, but if you're going to be in GRC, then more of the defensive stuff would be would be helpful, although if you understood the offensive side it would help because it's it's a much different, less technical area the compliance GRC stuff because when I worked at the company as a red team lead, we had a I was doing a pen test
(40:03):
against Active Directory. At the same time the internal audit team was doing an audit against Active Directory. So some of the things act direct Active Directory did and Windows. They didn't understand that. So, honestly, a lesser skilled path or less knowledge as far as the technical side would be something like like GRC.
(40:25):
But I mean, the more you understand security, the better you're going to do with it. For instance, like working with the, the GRC folks. Not knowing some of these things about Active Directory would be easier for them to overlook. But yeah, you would more. The defensive side is what you're going to to use, although if you knew the offensive side it would would would probably
(40:46):
make you better at GRC and I think someone that came from a GRC background into pen testing would be from their auditing background, would be able to offer some things that may be. You know, a typical pen tester wouldn't.
Speaker 1 (41:00):
But yeah, it's yeah, and she says here, is it just jumping in on anything I know or is it just jumping in on anything I know could contribute the GRC? So if you know, Misha, I may need you to to elaborate on that, because I'm that continuation is is kind of confusing me at
(41:24):
this at the moment, so I'll wait on you to elaborate. I'm gonna hide that. That, that continuation I do want to bring up. Sorry, in AR's question, and this one might take you a while. Phil, just pay it. My man loves my man loves his AI and his. Okay, so what is your take on using AI and ML for red teaming or pen testing? Yeah, I think it.
Speaker 2 (41:45):
I think it's awesome, I think it's gonna be very helpful and, and back before ChatGPT came out and it was accessible to people. Everyone was always asking is it gonna replace pen testers? And I don't think any time in the foreseeable future. But what it's going to do is it's gonna help us do our jobs better, because one of the things with pen testing once
(42:07):
upon a time there weren't vulnerability scanners, there weren't Metasploit you had to go out and manually do all this stuff right scripts or your own tools to do this and you didn't. So nowadays, if you're performing a pen test, it'd be difficult to do a thorough pen test without running a vulnerability scan. What it's gonna do is it's gonna take some of these tools that we have and it's gonna and it's gonna help with making us
(42:30):
more scalable, make these vulnerabilities more accessible, make these vulnerability scanners better, maybe even some of the evasion techniques and stuff from like Metasploit. Hopefully that'll evolve to make it easier for for people to learn. You still need to know the manual stuff, but so many companies aren't really doing the level of a number of pen
(42:51):
tests that they need to because they don't have enough people in enough time. So I think it's really gonna help. I mean, the bad guys are using it. We need to learn how to use it, and one of the things I've seen about it is, if you're gonna write scripts, you kind of have to understand a little bit about the scripting language to use it. But I know some companies are using AI and machine learning in their external attack surface management programs and stuff.
(43:13):
So I think it's awesome. It's a a good opportunity. I love it for writing. I use it for my podcast.
Speaker 1 (43:20):
So so I have an issue now, because I knew this was gonna happen. Did you see the latest blog or article or whatever it came out? ChatGPT or OpenAI, I forget what I think was. ChatGPT actually created a malware that can transform.
Speaker 2 (43:42):
Malleable yeah yeah.
Speaker 1 (43:45):
It created. It wrote code for a transformer to malware. That yeah and just change itself as it goes, and it's not supposed to be able to do that. It's not supposed to be able to write offensive code. Yeah, but wrote offensive code.
Speaker 2 (44:00):
Yeah, it's pretty. Yeah, it gives you all the warnings and stuff. You're not supposed to do this, but you can get around it pretty easy. And then people say if you use the AI I mean the API with it then you can get around those warnings even easier.
Speaker 1 (44:15):
Yeah, yeah, if you know how it works. Yeah, definitely.
Speaker 2 (44:18):
Yeah.
Speaker 1 (44:22):
You just get loud until they hopefully see a catch. Oh, how about starting out quiet and if nothing is detected, you just get louder until they hopefully see it or catch it.
Speaker 2 (44:32):
Sometimes you do that. There's there's been pentests. I've been on before. That really wasn't wasn't really a red team operation, but they asked us to try to go undetected for so long and then initially get louder to see if we're detected, so that way you can kind of figure out the detection point. I think really when you're trying to go undetected, I think that's kind of a better method than just trying to go
(44:54):
undetected, see kind of progressively get louder and see at what level they're able to detect you.
Speaker 1 (45:00):
Yeah, definitely I. I agree with that completely. The doing system administration help when you got into the offensive side big time.
Speaker 2 (45:10):
Yeah, I would. It made it helped a lot easier. Yeah, because what one of the things too you know, if you get access, you get a shell, you know a command line to a Linux or Windows system. If you know how to administer those systems, it's gonna make your life a lot easier because you get command line and you get the right permissions. Sometimes you can shut down things like firewalls. Then you can get certain types of tools of work that may not
(45:31):
been able to work at your opening up more ports. So otherwise, if you don't really understand the operating systems that well, you're gonna be doing a lot of googling and research trying to figure things out. So really, my opinion, when you're becoming a pentester, you don't have to be a sysadmin, but you kind of want, like sysadmin level, knowledge of the operating systems.
Speaker 1 (45:50):
That's always been my biggest thing, right. So a lot of people talk about foundations KevTech, I have, you have, a lot of other people have, I think, whether it's blue team, red team, purple team, GRC, you name it having a foundational knowledge of operating systems, systems administration, network administration, things like this do nothing but help you in your career. You don't have to have done the job per se, but having that
(46:14):
base level knowledge of okay, how did GPOs work, what is a domain, what is a forest, what is what is all this other stuff, so that if logs come in, I know, okay, well, this user account, it failed authentication, so it should do this log. Alright, I get it because I've under. I understand enough about Active Directory, where the authentication goes, and the kind of frame of communication
(46:36):
along the line, or if someone's doing a SQL injection. You have a web application firewall. You have all the stuff. You understand the different logging in the different technologies in place. If you have no clue about any of that and you're like I'm gonna go be a security analyst, for what homie you're? You're literally what are you looking for? Because you have no background in anything and have no clue
(47:00):
what you're looking for. Now, if you could tell me you have a base level knowledge of all these different communication vectors? 100%. Go be a junior analyst, learn more about correlation and things like that got you. But if you have no aspect of knowledge on Active Directory, on authentication, on operating systems, on firewalls, on any of
(47:23):
this stuff, I'm not bringing you in a junior as a junior analyst with a certification. I'm just not because you're not. If I can't get that foundational knowledge out of you of, okay, what is port 443? Oh no, you might want to know that before you go be an analyst. Yeah. I'll say it.
(47:43):
So, yeah, N A N A, not applicable. Not applicable. I know. I put it in the chat just so you know. Phillip Wylie show. His link to his show is in the description of the YouTube videos so you can check it out there. I have all his contact information there so you can find him on LinkedIn, YouTube, Twitch no, not Twitch YouTube,
(48:05):
Twitter, Instagram, LinkedIn and his show. So all that information is there. Let's see, man, there's so much stuff here, so much stuff here. Oh, here we go. The GitHub link. Griffin and Vosack put it in there, Kubernetes go. I don't know that's for your, the guy from your show, but yeah,
(48:27):
that's.
Speaker 2 (48:28):
That's something different, but that's good to get to know about. That's good. I have to share with my friend about that to you.
Speaker 1 (48:35):
Let's see, have decided to switch gears and I'm getting further on the AWS cloud path and I was wondering what tools I could use to help me. All right, all right, you might have a better understanding of this than me because you're more offensive and talk more cloud. I hate the cloud, it's just someone else's computer. Have decided to switch gears and I'm getting further on the AWS cloud path and I was wondering what tools I could use
(48:58):
to help give me a deeper understanding for maintaining security.
Speaker 2 (49:03):
Yeah, for me, cloud is just not one area I know but but I would say whatever native tools to that platform AWS, knowing the Windows tools, how to use that. I know there's some third-party tools and some pen testing tools that you could use, but yeah, I would focus on on those built-in tools because I know a lot of people that do cloud pen
(49:23):
testing that leverage a lot of the built-in stuff when they're testing those environments.
Speaker 1 (49:28):
Yeah, definitely. For anybody watching on LinkedIn. Understand I cannot, nor can Phillip, unless he's logged in the LinkedIn chat with LinkedIn itself. So if you're not asking questions or pulling up comments something that I'm gonna show Phillip directly we're not gonna see it. I see it in my chat, but I have no way of talking back to you. StreamYard does not allow it, just so you're aware.
(49:51):
So if you want to get in on the chat and actually be able to converse with people, YouTube is the best place to go, which is why I always put it in the comments preferred is YouTube because I could interact with everybody. Let's see, man, so many comments that I'm like missing because
(50:13):
there's a lot of people actually talking. That it's crazy. I think I'm caught up. No, no, I have to tell my wife to shut down her meeting all the time. Jason, I did the same thing for my wife's computer. Don't worry, it happens. Let's see. How do you recommend, how do you recommend those who are
(50:33):
new stay up to date on events, concerns, etc. happening in cyber, while trying to also learn from the beginning. Go ahead, Phil. I thought with that one well, one.
Speaker 2 (50:46):
One of the resources I like to use is Twitter and and find some people have follow there, because at one time you were just back when I was getting started you were just reliant on blog posts and different vendor websites. But yeah, just that's a good place because people that create new tools are putting out there, people doing research, so people like sometimes John Hammond figures out how to
(51:08):
exploit things and he posts up his research and stuff. So that's a good place to look. But one of the things that you mentioned that's a good thing to keep in mind is something that you can do. Keep in mind is something I don't do enough of is keep up with the latest news of what's going on, look into it, understand it, because when you're going through an interview, there's a good chance, especially when you're talking to like a hiring manager that may not be as technical, they're
(51:30):
gonna ask you questions about current events in the news, because that's what they're kind of keeping up to know what to watch out for and, you know, guide their team. So I would make sure to try to keep up with that. There's different good resources on news out there, but I would keep up with understand it. So that way your forever and what was interviews you can, just you know, you can explain how you know this.
(51:52):
Certain malware works, or whatever, ransomware.
Speaker 1 (51:57):
Yeah, definitely now, and I agree with that right keeping up with current events. So when you're just getting in, those current events are gonna guide you, because it's gonna guide you to kind of what's what you want to look into as far as offensive, defensive, GRC, what that guiding rail is. So, um, recently CMMC 2.0 came out, so understanding that and
(52:17):
how it relates to this and how that comes into play. As far as offensive security, I'm seeing Lazarus making a comeback and doing hits and things like that and trying to try to drop ransomware and things of that nature. So understanding Lazarus IOCs in terms of offensive security and and and what they're using, so that you can help your
(52:38):
clients by saying, okay, I'm gonna drop these payloads, I'm not gonna drop ransomware, but I'm gonna drop these things and see if I would be able to exploit ransomware via some other script or something along those lines. And then, from a blue team perspective, knowing all of Lazarus's IOCs, knowing WannaCry's IOCs, knowing how to
(52:59):
detect these things, these are all huge. So keeping up with current events really really helps. When keeping up with everything else it's really does. Let's see.
Speaker 2 (53:12):
Yeah, someone was asking about API, oh, API. So I shared Corey Ball's API secure APIsec University. Okay cool link. That and Corey Ball's Hacking APIs book. Let me look at a really good, good course.
Speaker 1 (53:27):
All right, so we're gonna drop that up here. API pentesting and training APIsec University slash dash course or hashtag courses. So that's for API. And then I did have a question from where'd it go? Where'd it go? I had another question. I lost it.
(53:48):
It was up there. You saw it up there, don't do. That question is not just of our host. She has Twitter things to follow aside. Oh, the Twitter one. Where'd it go? There, it is. All right. Any chance of getting a Twitter list of people or companies or other entities to follow for info on keeping up to date all
(54:10):
of the Twitters?
Speaker 2 (54:13):
Good, all of the Twitters? Good question. I've got some. I don't know if they're visible enough, but I've had some lists. I had one I was doing for a while. There was like women in infosec information security that had a list out there. But if you look at some of the different sites, a different account, some people have lists to follow. But I'd say anyone from Black Hills and TrustedSec are great
(54:34):
to follow. Yeah, those would be some good ones to good ones to start with.
Speaker 1 (54:42):
Yeah, I would say Black Hills and TrustedSec. There's another one I follow. They kind of get banned a lot just because they put out actual active attacks going on and they publish the source code because of their feeds and things that they do. I can't remember the name of the Discord server that I'm in, but they also publish on Twitter. So I have to find that and I'll let you guys know I might.
(55:03):
I'll probably bring it back and put it in the comments if I can figure out who it is. Again it's. It's been a while since I've actually investigated all of their research. Oh, oh man, I haven't even seen a new Apple AR devices. But what do you think about the security environment of the new
(55:24):
Apple AR devices?
Speaker 2 (55:29):
Yeah, I just seen those. I don't know anything about the security of it, but man, it's just a pretty expensive. I don't know what the comparable products that other people put out cost. What are the other AR? Let's see.
Speaker 1 (55:40):
Oculus. The newest Oculus was a couple hundred bucks or a few hundred dollars, right. So it's like three, four hundred bucks. I think give or take might been less as you step up. There are more expensive ones that run like a grand, two grand. I think the Apple AR is the most expensive one out on the
(56:00):
market or coming out to market right now and I see no reason for it. Yeah, I don't, Apple is not a gaming machine. Apple is not a gaming like you could put little mobile games on your phone, but really it's about it. So as far as, like Apple, a augmented reality, Apple VR or whatever you want to call it, I see no reason for a thirty five
(56:24):
hundred dollar price tag. My son's Oculus and I got three of them do the exact same thing for all of their games and I don't need to spend another three thousand dollars on an Apple computer to be able to do it.
Speaker 2 (56:35):
And usually I don't know people that really using Apple much for gaming anyway. No, it's. Yeah, I would say go. If you're gonna get something like that, go with whoever the industry leader is. That's putting out good stuff.
Speaker 1 (56:46):
I mean, there's some unfortunately, the industry leader got bought by Meta, so okay. Because it was Oculus and then I could just go by. Meta got bought by Meta and then Meta. Now for some of their shit is requiring you have to log in through Facebook to use some of the features, and so I'm like I gotta create a bunch of fake accounts.
(57:07):
Kids can do this shit because I bought it for them before that happened and now that happened, and Meta's being stupid and all this other bullshit.
Speaker 2 (57:15):
Sounds kind of Marvel like into the metaverse.
Speaker 1 (57:18):
It's basically what it is Oculus 350, Apple AR thirty five hundred dollars.
Speaker 2 (57:26):
Thirty five hundred, that's yeah yeah, I love my Apple, my Mac laptops and my Mac Studio, my iPhone, but I will not be buying.
Speaker 1 (57:39):
No, I saw that price tag. I was like yeah no, like I don't even have the money for a Mac. I custom built my desktop. That's that's what I use for day to day, and then I have a MacBook Pro that works at me. I use that for work. Yeah, I'll stick to Windows and desktops until I can afford.
(57:59):
You know the three thousand dollars is gonna cost me to get a Mac that can do the same shit my Windows desktop.
Speaker 2 (58:05):
I've got, yeah, my latest Mac I bought like in November or December last year. I got the Mac Studio with the Ultra, the Ultra chip and 128 gigabytes of RAM and what that cost you. It was like around four thousand something dollars. Yeah, precisely but I can open all sorts. A lot of Chrome tabs, Chrome for the win.
Speaker 1 (58:25):
Oh, man, the bad part is in Chrome. Just because I mean DuckDuckGo, my default search engine. So now everything goes through DuckDuckGo, like I'll use Chrome just because I've been using it forever. But I'm gonna use DuckDuckGo for my search. You don't get your money. No more now you're late, I'll not give it to you.
(58:48):
But yeah, so I but yeah. So we're like at the top of the hour, Phillip and I really got to know because we talked a lot about a lot of things tonight and try to give out as much advice as possible and just answer some questions. But my question to you is, if you had any advice to give
(59:09):
anybody trying to break into offensive security, you would you recommend it as a junior role, right, coming straight from IT to offensive or nothing to offensive? And if not, what advice would you give to someone to break into cybersecurity?
Speaker 2 (59:29):
It's gonna be pretty difficult for a junior role but it's not impossible. You can do it. If you wanna do it. Don't let anyone talk you out of it. If it's something you're just passionate about, you really wanna do it, go for it. Don't let anyone talk you out of it. There's some people that have been around a while, like we have, and they're gonna tell you and this is their point of view because where they came from, what they learned.
(59:49):
They'll tell you you need to be a sysadmin first before you do that. But that's up to you. It's gonna be a little more difficult to find the junior roles because they're gonna want someone as trained. But then there's a lot of companies that will that hire new people and bring them up Praetorian out of Austin. They do that. They hire people out of school and to pen test jobs. So it's out there.
(01:00:09):
But yeah, it's gonna be more difficult for, like, entry level and junior roles. But one of the things, the biggest advice I can give anyone is networking. If you just network connecting with people on LinkedIn, connecting with people at conferences and meetups the better you network, the easier it is for you to find a job. I was just sharing with someone recently. Today, over the past 10 jobs I've had, there's only been two
(01:00:33):
jobs that I did not network to get the job. One of this is once I started networking. You know only two jobs that I didn't get through networking and the last two jobs I've had have been people. One I was congratulating someone on a new job. I got recruited. They created a role for me. The second one I got recruited by Ira Winkler.
(01:00:55):
He saw what I was doing for my previous employer and I got recruited there. The role didn't exist, they created it for me. So, networking some of the students I've had before when I was teaching the pen testing class at Dallas College people I've mentored all the people that find jobs the easiest way. They're networking and LinkedIn.
(01:01:15):
For sure. You can network on Twitter. There's different Discord servers. Go to your Security BSides conferences, your different cybersecurity meetup groups. If the ISSA meetings are not your style, then the local DEF CON groups, the OWASP chapters just get involved, because the
(01:01:36):
more people know you and a role comes up, they know what you're looking for. Then there's a lot of cases that'll reach out to you. I was teaching the class of the college. I had people always reaching out to me for junior pen testers and if I knew people in the community had the skill set, I would pass on their information along with them too, because they had the skills and that's because I knew they were going to the meetings.
(01:01:56):
And it doesn't help to go to the meetings and just not say anything. Go around, introduce yourself, kind of let people know where you're at in your education journey, what kind of jobs you're looking for, ask for advice and interact. And the more you get to know these people and know you, the easier to get the job. Because once you're able to get your hands, the resume into the hands of a hiring manager or someone that can get it to the
(01:02:17):
hiring manager, you're going to have easier job getting that role than if you applied out of nowhere just on your own. An example is when I went to work for US Bank. I met someone at an OWASP meeting that was given the presentation they were hiring. He let us know. I gave him my resume. Within a week I had an interview. Within two or three weeks I had a job offer.
(01:02:39):
At the same time I applied at Bank of America, same type of role, and this is coming off of five years of consulting as a pen tester, OSCP, SANS GWAPT cert, more than qualified for the job, but uploading the resume online. It took a year to hear back from them and they had a job opening. Whereas networking, I was able to get the role.
(01:03:00):
So if you're not experienced or you have little experience, it's going to be even more difficult for you, so it's more important that you're networking.
Speaker 1 (01:03:09):
And that's the
biggest thing, is networking has
always been huge.
My first job out of the Army, I got paid shit, and that was the
only job, the only job I have gotten since I retired,
that was not by networking, that was
I was applying to everything I could find, found one,
da-da-da-da.
(01:03:29):
Now, mind you, when people talk about experience, when people
talk about roles, at that time I had four SANS certifications.
I had all my Cisco certifications, to include CCNA,
CCNA Cyber Ops, CCNA Security, my CEH, my CPT, my degree, and
it took me months after retirement to find a job, and
(01:03:52):
even then it paid shit. After
that is when my networking came into play, because the people I
had been talking to prior to retiring finally had roles open.
I have literally worked for the same person three times because
he does what he does, and things have happened and he's left and
(01:04:12):
found better jobs and been like, hey, look, you wanna come with
me?
Got you, homie, I'm there, I'm out.
I will go work for him any day of the week, and so for me,
networking has played a huge role in where I work.
But I will say this: as a junior, being friends with someone like
(01:04:33):
Phillip and networking with them, or myself, or I'll even throw
my boss out there,
Ryan Benson, these people will help you, as a junior, find
roles because, as junior slots open, we see them.
I may not be able to hire a junior, but Phillip might, or
somebody else might, and so if I can't hire a junior, I'm gonna
(01:04:56):
send your information to somebody else.
I'm like, I know this person.
They bust their ass day in, day out.
They're learning, they're growing.
This is what they do.
Hire them, and that takes a lot more weight than just you
sending a resume.
Go ahead, send that resume.
They're gonna do shit.
These days, your resume doesn't mean shit unless somebody sends
it for you.
That's just the way the world works because of social media.
(01:05:21):
But saying that, Phillip has given all his advice.
Phillip is a genius.
I love Phillip.
Speaker 2 (01:05:28):
Thank you.
Speaker 1 (01:05:29):
Another fellow
warrior, one of my brothers, me
and you need to get a beer sometime, or
at least sit down, have a talk.
Sure, we're gonna have to get together in person.
I will be at New Jersey Cyber Fireside, I forget what Alex
calls it.
I will be out there on Tuesday.
So if anybody's there, come link up.
I will be there doing a show live, and then I'll be doing a
(01:05:51):
show next Friday as well, so you get two next week, which will
be amazing. Otherwise, look, go ahead.
Speaker 2 (01:05:57):
Are you gonna be at
RacesCon?
Speaker 1 (01:05:59):
No.
Speaker 2 (01:06:00):
Okay.
Speaker 1 (01:06:01):
No, no, I'm not gonna
that one, I just, I got too much
shit going on.
I took off all next week to just, I wanted to veg out.
And now I'm going to a conference and, just like, man, I
don't, I don't wanna, it's five and a half hours of driving
just to get to New Jersey.
I ain't trying to, damn, man, this shit sucks.
But no, I'm not going to that one, and there's a whole story
(01:06:23):
behind it.
But yeah, I'm going to this.
Alex invited me, said hey, and he was like, hey, you could do
your show. Bet, I'm there.
And I think I got two people paying me for sponsorships,
which will be even better.
But anywho, look, I love you all.
Y'all take care, y'all have a good one.
It's been another amazing episode of Security Happy Hour
here on Cyber Warrior Studios.
As always, I am the Cyber Warrior.
(01:06:44):
Right above me is Phillip Wiley, who is the host of the Phillip
Wiley Show.
You can find all ways to connect with us, support this,
that and the other down below in the description here on YouTube.
Otherwise, y'all have a fantastic weekend.
Enjoy the rest of your Friday, and I promise we'll be back
again, actually two episodes next week.
So y'all take care and I'll see you then.
(01:07:06):
Arguidacom.