Dec 23

Certified Ethical Hacker (CEH) Preparation Toolkit

The Tools You Need to Learn Ethical Hacking and Get CEH Certified

This is post number two in my quest to become a Certified Ethical Hacker.

In my last post, I talked about why I am Investing a Year in Ethical Hacking.

Now, I’m going to share the resources I plan to use over the next year.


My general recipe for all certifications is the following:

  • Video Training
  • Book
  • Practice Test
  • Practice Lab
  • Notes
  • Other Websites

Keep reading and I’ll go into detail about each one.

Continue reading

Dec 19

Investing a Year in Ethical Hacking

Why the CEH is worth it and why it will take a full year to earn it.

Nobody sets out to get a “paper” certification.  But that’s what can happen if a certification is the main focus for achievement.  We all know of “paper MCSEs” who memorized enough terms to pass the exam but couldn’t actually do anything.


I have decided to earn the Certified Ethical Hacker (CEH) certification for a number of reasons (more on that below) but I want to do it right.  I don’t want a “paper” certification.

The CEH has value but, like most other exams, it can be cheated.  I want to earn it and really be able to do it!

In this post, I’ll share why I think the CEH is worth pursuing and why it will take a whole year to earn it.

Continue reading

Aug 16

Patch Remediation With PowerShell – Part 1

There are a lot of security topics that are absolutely fascinating but patch management is not one of them.  Even more horrific is patch management remediation.  Deploying patches isn’t so bad but getting that last 10% out of your compliance efforts is just a never ending brutal slog through the mud.


I wrote a quick script to take a list of non-compliant computers and give some basic information about their health and status so action can be taken.  Unfortunately, this script can’t make phone calls to find out why a computer is off or unplugged but it can at least get you started.

Computer List – To start, export a list of computers that need to be evaluated to ComputerList.txt and place in the same directory as the script.

Ping – The script will ping a computer and return a response.  This tells you whether or not the computer is on and responding.

DNS – Next, the script will query DNS for the computer.  This tells you if the computer is off temporarily or if it has been off long enough that the DNS record has been scavenged.  Check your local DNS aging and scavenging settings to learn what this means in your environment.  The default setting are around 2 weeks I think.

Active Directory – Finally, the script checks to see if the computer exists in Active Directory or if it has been deleted.

Output – All the results are written to a new line in ComputerTestResult.CSV file for easy use and filtering in Excel.

Here’s the script…

Continue reading

Aug 14

Password Spray with PowerShell

Find user accounts with weak passwords without getting ntds.dit, admin rights, account lockouts, or logging any events.


With basic domain access and PowerShell, this script uses a password spray technique to test one password at a time against all active user accounts in the domain.

More traditional brute force password guessing might try as many password combinations as possible against a single target user account.  Password spraying takes a reverse approach by casting a net to catch as many accounts as possible.

Unfortunately, passwords can be pretty simple even with complexity requirements enabled.  With complexity enabled, passwords are required to use of a mix or character types.  Specifically, 3 of the 4 types of characters are required to meet complexity requirements.  The 4 types of possible characters are UPPER CASE, lower case, numbers 0123456789, and special characters such as $%&#.  Unfortunately, there is nothing stopping a user from using weak passwords that meet the complexity requirements such as Password1 or Summer2016.

With Azure AD, Microsoft is banning common or known-exposed passwords in its cloud deployments.  I would really like to see the complexity policies in group policy updated to include this same functionality.  Some people have customized their own password filter to prohibit certain passwords while others use 3rd party products to add this additional functionality.   Here is an example of a 3rd party product from nFront Security that has solved this problem.  I haven’t used it so I can’t make a recommendation but it certainly seems like a product that is worth exploring.

Weak passwords are such a massive exposure that this really needs to be built-in functionality.  Until Microsoft’s password policies are improved, scripts like this can help administrators or penetration testers identify and notify users about their risky password choices.

On to the script…

Continue reading

Jun 23

Training Users to Fail

My account password for LinkedIn was leaked as part of the 2012 breach.  I use the same user name on Pandora and, if my password was the same on both sites, this would have left me exposed to password reuse attacks.

I received an email from Pandora Radio today and I think it is great that companies are taking proactive steps to analyze the leaked data and notify potentially affected customers.

What I think Pandora did poorly is include a link and direct users to click on the link.  This looks like a classic phishing email.  We spend money and time training our users not to click links in these kinds of emails and then companies like Pandora undo all of that training by sending legitimate emails that teach users that it is OK to click the link.

It is not OK and Pandora Radio should have done better here.


Mar 30

File Screens Defeat Ransomware – Part 3

File screens have successfully stopped Locky.


I ran a curious file today that gave me the picture above…but my file server is just fine.

For a test, I created multiple file shares.

One share did not have a screen enabled.

The other share had the screen configured as detailed in my previous two posts.

Use File Screen to Stop Ransomware – Part 1

File Screens Don’t Stop Ransomware – Part 2

After running the email attachment, I observed this netstat and task information.


Here is what what is left of the share without the screen.


This is the share that had the screen enabled.  I like this one better!


Continue reading

Mar 29

File Screens Don’t Stop Ransomware – Part 2

File screens don’t stop ransomware, but firewalls do.


In my last post, I suggested that disabling shares in response to an unauthorized file extension was a bit extreme.  After discussing this with other members of the community, I now believe that blocking access is the only real solution.

If ransomware created an encrypted copy of all files and deleted the original copy, a file screen should prevent it.  If the ransomware encrypts the existing file and then renames it, a file screen will prevent the rename but the file will still be encrypted.  This clearly does not solve the problem.

In order to make the file screen effective, it must respond to an unauthorized file extension by immediately blocking all file share activity until the event can be investigated.

The best response I can think of is to use netsh.exe to block file sharing on the firewall in order to halt the attack.  This is done on the Command tab of the file screen window.

Continue reading

Mar 24

Use File Screens to Stop Ransomware – Part 1

Ransomware has become the hot-topic for 2016.  It is bad enough that this crypto malware can encrypt workstations but the risk of one infected user locking down the file server is especially scary.


This article details how you can use Server 2012 file screens to prevent crypto locker from taking over your file server.  There are a lot of good articles out there using file screens for this purpose but they all have one flaw; they are blacklisting every known ransomware extension.  As long as you are blacklisting, you leave yourself exposed to changed tactics.  The steps below detail how to create a file screen whitelist and block everything else that you don’t explicitly allow.  Whether the latest extension is .zzz or .xxx or .AYBABTU, this technique will keep you protected.

The Ransomware file screen is created in three steps:

  1. Add the File Server Resource Manager (FSRM) role
  2. Create an exception list of the extensions you want to allow on your file server
  3. Create a screen that blocks everything else

Continue reading

Mar 20

Permission to Phish

This is a short speech I gave on the topic of phishing using a composite of real customers.  I briefly explain what it looks like and the potential consequences.

Dec 21

If It’s Worth Doing, It’s Worth Doing Right

Have you ever hired someone to work on your house and felt you could have done a better job yourself?  Was the handyman unskilled, lazy, or both?  Maybe he was just going too fast.  Or maybe he just simply didn’t know any better.

This is an all too common scenario in the profession of information technology.  Administrators may learn the bare minimum required to implement a system but never reach the level of expertise required to do it properly.  What companies are left with is unreliable and unsecured systems that are slapped together quickly by poorly trained administrators.

Training must be a top priority for security in any company.  An IT staff of highly trained administrators greatly increases the likelihood that systems will be implemented securely from day-one.

Training from or is a great start.  IT Staff should also attend live classroom training and become certified in each technology they manage.  In addition to specific technical training, a general security training course such as CompTIA’s Security+ should be mandatory for all IT staff from help desk to senior engineers.

When implementing a new technology such as a new operating system or a new backups system, consider the steps below in order to maximize reliability, performance, and security.

  1. Train staff immediately before implementation, not during or after implementation.
  2. Implement the new system with the assistance of an expert in this technology.  No single training event can prepare someone for the challenge of designing and implementing a complex system.  Allow in-house staff to learn from the design and implementation process.
  3. Perform a security assessment on the new system to validate both the technical implementation and the procedures for administration, maintenance, and logging.
  4. Continue to provide ongoing training on the new system.