Tailgating… no brats, no grill

A couple of days ago I arrived to work a little early.

As with most medium to large workplaces, I have a security badge. Employees with the proper credentials can enter the building through one of many entrances, depending on their department or where they park. Visitors, and by that I mean anyone without an issued security badge, have to use the main entry, which is “manned” by security. This covers package, food, flower, and any other delivery person.

Back to my hope of grabbing a cup of coffee at the café before my day officially starts.

The external entry to the café requires you to have your badge… check! I swiped, opened the door, and noticed that there was someone right behind me. This person was chatting on their phone and seemingly expected me to “hold the door”. I’ve got a few choices here: I can be polite and let the person by, or make sure this person has the proper access. GUESS which one I chose? CORRECT, I chose to block the person’s access (politely) until they swiped their card and I saw the card reader flash green.

Now it turns out that this employee did have the proper credentials. They worked in another department that I don’t normally meet with. If your employees are not doing the same, you may have a security issue.

Here are 4 reasons why tailgating is a security concern:

1. Unauthorized access - A person bypassing security protocols could gain access to areas where they could steal equipment, devices, or information.

2. Increased risk of data theft - A person who gets into a restricted area can steal or sabotage data, including any physical documents or storage devices they encounter.

3. Physical security breaches - An unauthorized person can gain access to areas like server rooms, labs, or corporate offices. Access to such spaces brings risks like vandalism, sabotage of equipment, or even safety hazards if sensitive machinery is tampered with.

4. Compromise of employee safety - An intruder could have harmful intentions (e.g., theft, assault, or espionage), and tailgating may allow them to go unnoticed until it’s too late. Additionally, now that employees can work from home, the badge scan is often used to determine which employees are in the building in case of an emergency.

Training Employees to watch out for tailgaters:

1. Raise awareness - Explain how seemingly harmless actions, like holding a door open for someone, could lead to serious security breaches.

2. Encourage the “See Something, Say Something” culture - Encourage employees to ask questions like “Can I help you?” or “Do you have your badge?”

3. Promote vigilance at entry points - Emphasize that if someone doesn’t have an access card or a valid reason to be there, employees should report it immediately.

4. Roleplay scenarios in training - Make it clear that it is not rude to ask anyone to verify that they are authorized to access an area. Simulate scenarios where someone tries to enter behind them and have them practice responding.

By stressing awareness, vigilance, and proactive behavior in training, employees can better understand the dangers of tailgating and be more equipped to prevent it from happening.

Brute Force: Using your yogurt loyalty against you.

I completed the THM (TryHackMe) room Enumeration & Brute Force.

Here are the objectives for the room:

  • Understand the significance of enumeration and how it sets the stage for effective brute-force attacks.

  • Learn advanced enumeration methods, mainly focusing on extracting information from verbose error messages.

  • Comprehend the relationship between enumeration and brute-force attacks in compromising authentication mechanisms.

  • Gain practical experience using tools and techniques for both enumeration and brute-force attacks.

I brushed up on Burp Suite, Hydra, and a bit of Linux.

Sometimes you gotta be brutal…

This week I am trying my hand at Enumeration and Brute Force on TryHackMe. It is part of the Web Application Pentesting Pathway.

I needed a bit of help and found a great YouTube channel, William Heldman. Dr. Heldman really went into the details of why… and I found it very helpful. The explanation is broken into 5 videos. It seems like a lot, but noobs will appreciate the explanations.

Now I definitely read all of the prerequisites for this room… And while I didn't have all of the knowledge needed… I figured I’d wing it! (With the help of THM and “YouTube University” 😂) I will not go into the details of how to complete this room; there are many sites providing you with the information needed to complete the tasks. Instead, I will discuss how to make enumeration and brute force attacks less successful.

Think of enumeration as a hacker scouting for information before they attempt to compromise something of yours, such as your login credentials. They will then use this information, along with powerful computers, to guess the passwords for your online accounts. By combining enumeration prevention with strong security measures—like using complex passwords, enabling multi-factor authentication, limiting login attempts, and monitoring for unusual activity—you can significantly reduce the risk of brute force attacks and keep your accounts safe from unauthorized access.
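
To make the two halves of that sentence concrete, here is an added example (my own illustration, not code from the THM room or from this blog) of the defender's side. It puts the leaky login pattern that the room's "verbose error messages" objective is about next to a hardened version: one generic error message, the same hashing work whether or not the username exists, a constant-time comparison, and a per-account limit on failed attempts. The user store, the account `penny`, its password, and the `MAX_ATTEMPTS` / `LOCKOUT_SECONDS` values are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional

# Constructed user store (not from the room or any real system):
# username -> (salt, PBKDF2-HMAC-SHA256 hash of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {
    "penny": (_SALT, _hash_password("yogurt-loyalty-2024", _SALT)),  # constructed account
}


def verbose_login(username: str, password: str) -> str:
    """The leaky pattern: two different errors reveal which usernames exist,
    so an attacker can enumerate accounts before guessing a single password."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"
    salt, stored = record
    if _hash_password(password, salt) != stored:
        return "Wrong password"
    return "OK"


# --- Hardened version ------------------------------------------------------
MAX_ATTEMPTS = 5         # failures tolerated per account within the window (constructed)
LOCKOUT_SECONDS = 900    # 15-minute sliding window / lockout (constructed)
_failures = defaultdict(list)   # username -> timestamps of recent failures

# Dummy salt/hash so a lookup for a non-existent user does the same amount of
# hashing work as a real one (no timing difference to enumerate with).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder-password", _DUMMY_SALT)


def hardened_login(username: str, password: str, now: Optional[float] = None) -> str:
    """Returns 'OK' or the single generic message 'Invalid credentials'.

    Same message and same work whether the user is unknown, the password is
    wrong, or the account is temporarily locked after too many failures.
    `now` can be injected so the lockout window can be exercised in tests.
    """
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    if len(recent) >= MAX_ATTEMPTS:
        # Locked out: refuse even a correct password until the window passes.
        return "Invalid credentials"
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash_password(password, salt), stored)  # constant-time
    if record is None or not match:
        _failures[username].append(now)
        return "Invalid credentials"
    _failures[username].clear()
    return "OK"


if __name__ == "__main__":
    print(verbose_login("nobody", "x"))                    # leaks that the user is unknown
    print(hardened_login("nobody", "x"))                   # Invalid credentials
    print(hardened_login("penny", "x"))                    # Invalid credentials
    print(hardened_login("penny", "yogurt-loyalty-2024"))  # OK
```

The lockout here is per account and refuses even the right password while the window is open; a real deployment would usually pair it with per-source-IP limits and alerting rather than rely on account lockout alone, since lockout by itself can be used to keep legitimate users out.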

Security tips to consider:

  • Use strong passwords: Aim for at least 12 characters, combining numbers, symbols, and both upper and lower case letters.

  • Enable MFA (Multi-Factor Authentication): This adds a second verification step. If your phone is already in your hand, use it for extra security!

  • Pay attention to unusual login activity: Don’t approve a login if you did not initiate it. Change your password immediately if this happens.

  • Use a password manager: Avoid using the same password for multiple accounts. If I crack your yogurt loyalty password, I should not be able to log in to your banking app with that information!! 👩🏾‍💻💸

Be vigilant: Hacking is big business, and you need to stay alert all the time. Don’t be low-hanging fruit for hackers.
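
The "pay attention to unusual login activity" tip is something a defender can automate. The following is an added example of my own (not from the room or the author) that runs simple detection logic over a few constructed authentication log lines: repeated failures against one account (brute force), one source failing against many different accounts (password spraying), and the most urgent case, a successful login right after a burst of failures. The log format, the usernames, the addresses, and the thresholds are all constructed for the example; real logs would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real system):
# ISO timestamp, event, user=..., src=...
SAMPLE_LOG = """\
2024-03-01T08:00:01Z login_failed user=penny src=203.0.113.7
2024-03-01T08:00:02Z login_failed user=penny src=203.0.113.7
2024-03-01T08:00:03Z login_failed user=penny src=203.0.113.7
2024-03-01T08:00:04Z login_failed user=penny src=203.0.113.7
2024-03-01T08:00:05Z login_failed user=penny src=203.0.113.7
2024-03-01T08:00:06Z login_failed user=penny src=203.0.113.7
2024-03-01T08:00:07Z login_ok user=penny src=203.0.113.7
2024-03-01T08:05:00Z login_failed user=alice src=198.51.100.9
2024-03-01T08:05:01Z login_failed user=bob src=198.51.100.9
2024-03-01T08:05:02Z login_failed user=carol src=198.51.100.9
2024-03-01T08:05:03Z login_failed user=dave src=198.51.100.9
2024-03-01T08:05:04Z login_failed user=erin src=198.51.100.9
2024-03-01T08:30:00Z login_failed user=frank src=192.0.2.20
2024-03-01T08:31:00Z login_ok user=frank src=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_failed|login_ok)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def _burst(stamps, window, threshold):
    """True if any sliding window of length `window` holds >= threshold timestamps."""
    stamps = sorted(stamps)
    start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return alerts as (kind, user, src) tuples; '*' marks a field that doesn't apply."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures_by_user = defaultdict(list)   # user -> failure timestamps
    failures_by_src = defaultdict(list)    # src  -> failure events
    alerts = []
    for e in events:
        if e["event"] == "login_failed":
            failures_by_user[e["user"]].append(e["ts"])
            failures_by_src[e["src"]].append(e)
        else:
            # A success right after a burst of failures is the likeliest compromise.
            recent = [t for t in failures_by_user[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("success_after_failures", e["user"], e["src"]))
    for user, stamps in failures_by_user.items():
        if _burst(stamps, window, fail_threshold):
            alerts.append(("brute_force", user, "*"))
    for src, evs in failures_by_src.items():
        # Password spraying: one source, many distinct accounts, inside one window.
        for i, anchor in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - anchor["ts"] <= window}
            if len(users) >= spray_users:
                alerts.append(("password_spray", "*", src))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, it flags `penny` for a brute-force burst and a success following it, and `198.51.100.9` for spraying five accounts; `frank`, who mistyped once and then logged in, produces nothing. The thresholds are deliberately low so the sample is small; tune them to your own login volume.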

Learning and Growing

As I progress on my path toward cybersecurity expertise, I’ve drawn on a variety of resources to sharpen my skills. One of the key programs I’m completing is the Google Cybersecurity course, where I’ve successfully covered several important modules:

  • Tools of the Trade: Linux and SQL

  • Connect and Protect: Networks and Network Security

  • Play It Safe: Manage Security Risks

  • Foundations of Cybersecurity

While penetration testing can be an exciting part of cybersecurity, it’s essential to organize and present the findings in a way that clients can easily grasp. Many business owners might not be very tech-savvy, so they need to clearly understand how vulnerabilities could impact their operations.

In cybersecurity, assessments and reports are a regular part of the job. Today, I’m working on a vulnerability assessment report. This report aims to analyze a vulnerable system within a small database and outline the risks, along with a plan for remediation.

For this, I’m recommending key practices such as:

  • The Principle of Least Privilege

  • The AAA Framework and Defense in Depth

  • Multi-Factor Authentication (MFA)

These exercises are not only practical for my learning but will also serve as valuable references for my future role. Writing reports like these is good preparation, as I expect they’ll be a daily part of my work in cybersecurity.

Finishing the Metasploit Exploration room ...

Finishing the Metasploit Exploration room has certainly added a few skills to my knowledge base. This TryHackMe room has 7 tasks, with information to help you along if you are not familiar. It also has hints for the questions at the end of each task, in case you get stuck.

The room specifically covered:

  • Scanning target systems with Metasploit

  • How to use the database system

  • Using ms to run a vulnerability scan

  • Exploiting vulnerable services on target systems

  • How to use msfvenom to create payloads and get a meterpreter session on a target system

I am not ashamed to admit that I will go through a few other exploitations basics and return to this one to see if I am able to breeze through without any hints. My goal is to embed the process so that it is second nature.

Next up will be Metasploit Meterpreter. This one is a deep dive…👩🏾‍💻

What is a hackers favorite sport? Phishing

Attention to detail and persistence

I have been practicing my skills on TryHackMe; specifically, I have been practicing the Metasploit module Metasploit: Exploitation. I will admit I have been dabbling and not paying proper attention. As a result, I find myself reviewing the completed tasks before moving on.

So I am breezing through and getting the results already recorded in the questions until I come to the final question. Basically, I need to discover a user login using smb_login. Having already completed this task before, I go through the motions.

I have already found the module

• search smb_login

• use 0

Now I search options (to see which options need updating)

set RHOSTS --- Done! (use the IP of the machine)

set SMBUser --- done (according to the question, the user is penny)

set pass_file --- (this is the user list given earlier in task one: /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt)

Now here is where I have a brain blurb: I simply need to set pass_file to finish my review and move on to complete the room. Now the perceptive reader will see immediately where I am going to fail at this task, and you are correct. But I will tell you that I eventually ended up looking for an explanation of this on YouTube. After trying multiple solutions - I should also mention that during this review I was doing at least two other things and not paying proper attention - I finally discovered my error…

set PASS_FILE (notice the case… details matter)

and just like that it’s done.

What have I learned?

1. Case matters. I had entered pass_file instead of PASS_FILE multiple times, even though in show options it is clearly listed in all uppercase letters.

2. When you are learning it is good to practice a skill until it becomes familiar. I went over this task so many times that my fingers now know what to do once I open Metasploit!

Well, I have a few more tasks to review before I complete this room. I’ve got to keep my skills sharp, and practice is the only way to create that muscle memory that will serve me well on my journey to pentesting.

What is the best way to catch a runaway robot? Use a botnet!🤖

I am starting on a journey to become a pentester. While I have already been a bit of a nerd that loved to tinker with things, in the past couple of years I have decided to take this skill set to another level. I have obtained 2 certifications, CompTIA A+ and also Security+. Now certifications will not make you a pentester, so I have begun my journey to learn as many skills and techniques as I can, so that “hacking” will be second nature and I can excel at this task.

As I learn and progress I will list my successes, failures, and lessons learned here to record my journey.

So as a “Hacker in training” I will need a new persona. I have decided to use “thespeyegrl”, so welcome to the Exploits of THESPEYEGRL. As you can tell from the title of this post.. I have a unique sense of humor!!