Hey friends! Today's another Tales of Pentest Pwnage!

Quick tangent first on a couple side projects: I've got a music thing at quack.house (like the duck noise, not the drug) and a podcast with my dancer son Atticus at DadOfADancer.com. Speaking of Atticus — he just landed a spot in Master Ballet Academy's summer program in Phoenix, and I am a very proud dance dad over here.

OK, on to the pentest:

• A weird runas quirk: If your AD test account password ends in a percent sign, runas seems to misbehave (Claude thinks Windows is interpreting the % as a variable delimiter). Workaround: runascs.exe, which wraps your tool launch with creds inline. Worked like a champ — notes over on the 7MinSec.wiki.
• Standard first pass: PingCastle for the AD overview, then Snaffler for share crawling, with Chimas as a nicer web UI for searching the Snaffler JSON.
• The "Snaffler missed something" moment: Snaffler is great but it primarily uses pattern matching, so manual review of interesting directories still matters. I found a PowerShell script with a funky obfuscation routine, fed it to Claude for context, tracked down the function definition, and ended up decrypting a local admin password.
• Going loud: SMB-sprayed that cred across the subnets → handful of machines popped → ran a deeper, targeted Snaffler against just those boxes → enumerated sessions and spotted a domain admin interactively logged in.
• Plan A fizzled: Wanted to pull off a favorite trick — sneak in via WinRM and queue a scheduled task as the logged-in DA (no password needed). WinRM was disabled. Oh fart.
• Plan B — the "trap" file: Dropped a malicious .library-ms file directly into the DA's desktop folder. No clicks required — just the desktop being open is enough to trigger an HTTP coercion to my evil box. (Caveat: I think you need a DNS record or computer object that the victim box trusts as "intranet zone.")
• The escalation: Had ntlmrelayx standing by, ready to relay to LDAP on a DC. The coerced auth fired the moment the "trap" file landed on disk. An interactive LDAP shell fired in the DA's context, and I used it to add my low-priv account to the Domain Admins group.
• Defense angles: Rather than chase each technique individually (LDAP signing, web client GPOs, library-ms neutralization, etc.), I like to back up to the systemic fixes that break the chain earlier. Big ones here: deploy LAPS so a single decrypted local admin password isn't a master key everywhere, and a thorough sweep for sensitive data and custom obfuscation routines hanging out on shares.

Got thoughts on any of this? Shoot 'em over — I always love hearing how you'd have tackled things differently.

Hey friends! This week's episode is "Baby's First OpenClaw" – basically me shouting into the void hoping a smart listener will DM me and explain why this thing is supposed to be life-changing. Because right now? I'm a little underwhelmed.
Here's the journey so far:

• The Mac mini quest: After seeing OpenClaw all over my feeds (people curing diseases! solving crimes!), I caved and impulse-bought a Mac mini. They were sold out everywhere, so I ended up paying twice what I wanted. Ick.
• Surprise MDM: First boot on the shiny new Mac, I found it auto-pre-enrolled in some other company's MDM with full remote control. Massive props to the Amazon seller for getting the serial untagged in Apple's database within an hour, so I could wipe and reinstall fresh.
• Pro tips for using Claude on projects like this: (1) give it a few paragraphs of context up front about who you are and what you want, and (2) have it maintain a README.md as you go so you don't lose context when you come back to the project later.
• Security-forward OpenClaw setup: Separate admin and daily-driver accounts, enable FileVault, isolate the box, run OpenClaw as a limited user, lock down Telegram so only my user ID can talk to the bot (apparently strangers have found other folks' bots and started issuing shell commands – yikes).
• The underwhelm: So far OpenClaw can check my email (or I can open my email app)… add a calendar event (or I can open Outlook)… write a script (or I can fire up Claude Code). And a lot of the juicier integrations are flagged as suspicious. So overall, I'm kind of gun-shy around this very expensive chat bot.

This is a call for help, friends! If you're an OpenClaw power user and it's made your life meaningfully better, please reach out and help me see the light.

Hey friends! After last week's heavy episode about my wife's health scare in Punta Cana, today's is a lighter one. (Quick update: she's doing better – still recovering, but appetite's back and she's got some pep again. Thanks so much to everyone who sent kind messages.)

Today I'm gushing about how AI has been making my IT and security life way more efficient:

• Firewall migration: Had AI walk me through a WatchGuard T15W → T25W migration (no clean config export path). AI captured everything – screenshots, branch office VPN, VLANs, firewall rules, DHCP reservations – all organized and replayed step-by-step. The whole project took ~1 hr 15 min (plus 30 min hunting down a subnet typo that was 100% my fault).
• GOAD lab automation: Worked with AI to build a script that handles the full lifecycle of my Light Pentest GOAD student lab – tear it down, rebuild from latest, assign Tommy Boy-themed passwords and sync user accounts to the Apache Guacamole and lab connections. Speaking of which – Light Pentest GOAD class will be re-offered soon once the calendar firms up!
• External pentest wrapper scripts: Finally automated the boring auxiliary testing stuff – nmap, Shodan API, Nessus queuing, subdomain hijacking checks, metadata searches, cred spraying against M365, sysleaks lookups – all correlated and deduplicated into one push-button menu.
• SysReptor automation: If you're not using SysReptor for reporting, check it out. Piping JSON findings straight into reports via API as I test has been a game-changer. A webinar on this might be in 7MinSec's future.

Got cool ways you're using AI for IT/security work? We'd love to hear them!

Hello friends! Today's episode is a bit of a detour from our usual content — it's part vacation horror story, part security/privacy confession. My wife got seriously ill during our spring break trip to Punta Cana, and in the chaos of navigating a foreign hospital at 2 a.m. with zero sleep and a pile of Spanish medical documents, I threw every privacy best practice I've ever preached straight into the ocean. Here's what we cover:

• How a dream all-inclusive resort trip turned into an ambulance ride and a 3-day hospital stay faster than you can say "gastroenteritis"
• Why I uploaded my wife's full medical history, labs, and medication records to AI — unredacted (with no regrets)
• How AI helped me translate docs, track lab trends, brief stateside nurses, and build a full medication schedule with phone reminders (helpful considering the hospital staff's answer to everything was "sorry, no English")
• The absolute legend named Luis who got us through Punta Cana airport security in 15 minutes flat
• Why if you're ever the person back home receiving updates about a medical emergency overseas, Google is not your friend
• My honest security take: sometimes the right risk-based decision is to breach yourself

Today is my favorite pentest pwnage tale of 2026 – and maybe ever! It centers around an ADCS abuse via an attack path I'd never seen before. Tips include:

• Use Netexec to pull Powershell history
• Trying to steal reg hives and the EDR is made? Try copying them out to \\some-other-server.domain.com\share
• This post featured interesting use of the Responder -N option

Hola friends! Today's another fun tale of pentest pwnage. This time we started with no credentials and then set off on the bumpy journey from no-cred zero to domain admin hero! One specific reference in today's podcast that may be helpful to you is setting up ntlmrelayx to listen on port 3128.

Hello friends! We're back with a fun tale of internal network pentest pwnage. This one highlights how AI can be used (with some guardrails!) to automate the boring stuff – and even help you pick part DLLs to find gold nuggets!

P.S. – I do recommend you check out our last three episodes that are all about securing your community, and please check out this Rolling Stone article which will give you a full picture of what has been going on in Minnesota as it relates to the occupation of ICE agents.

Hello friends, in today's edition of How to Secure Your Community, I give a brief recap of part 1 and part 2, and then dive into some cool phone shortcuts you can setup so that with a single tap, you can alert friends/family that you're having an encounter with law enforcement and may need an assist. Here's the things/links discussed:

• This great Rolling Stone article which features interviews and first-hand stories of ICE encounters here in Minnesota
• Fashlight.org page on security and privacy, which features some cool shortcuts you can setup on iPhone to alert friends/family that you're having a negative encounter with law enforcement (or anyone else)
• How I allegedly stole somebody's quesadilla while I was at the movie theater seeing Scream 7
• The one time my wife had an outburst in the middle of a church service