Originally this was going to be a response to a welcome thread recently posted. However I got carried away and decided this post needed to have its own thread, hopefully to encourage discussion about the topic.
The reason for this is because, as they say, "To catch a criminal you have to think as such", and all the books I've seen on white or grey hat hacking always seem to talk about a 'method' way of doing so. I don't think any good hacker thinks in a methodological way; he or she is always thinking outside of the box and is always finding more than one solution to solve a problem.
First off, welcome. However, I respectfully disagree.
Thinking outside the box is very much a methodology in itself. Lots of people like to chalk it up as some magical innate skill. It really isn't. It can be taught; it's just that lateral thinking skills are typically developed naturally by people with inquisitive mindsets bent on problem solving.
Look at it this way: all those books about white and grey hat hacking and whatnot tend to mention the attacker's mindset and the typical methodological process of attacking systems, right? Think about why all those books mention it. It's because of precedent, because the first real documents and books mentioned them. Now why would THOSE books and resources mention them? Well, the first resources were written almost exclusively by mischievous blackhats deciding to go legit. I'm talking about the first white hats, who really were skilled hackers. They mention those methodologies because that's what they really did while they were still 'blackhat' attackers.
I'd argue that you are misinterpreting the disconnect between the attacker's methodology and the rampant decay of the security industry. It's not that the attacker's methodology doesn't translate into a skilled hacker; it's that unskilled hackers are rehashing said methodology without actual zealous adherence to and application of the methodology.
Put it this way: why are script kiddies really so annoying, and why does the term constitute a derogatory label for an unskilled attacker? Nearly everyone will tell you that it's because they don't understand their tools, they are only looking for bragging rights, they don't do their own homework, etc. Let's look at that in light of an attacker's methodology:
1. Don't understand their tools: This correlates to the preparation stage of the attacker's methodology (and if you haven't heard of the prep stage, that's because people who understand the methodology take it as a 'well, duh' stage, and those that don't, don't realize it's a stage). Script kiddies aren't taking the time to plan and account in advance, and the most obvious display of this deficiency is a complete disregard for trying to learn the tools they want to use.
2. Bragging focused: In all actuality there is nothing inherently wrong with having 'earning bragging rights' as your motivator and end goal in terms of the attacker's mindset. I won't necessarily share your motivations or goals, but that is independent of the mindset itself. What this really is is a visible expression/correlation of the non-adherence problem. Namely, a methodology is, duh, methodical and implies individual steps. Script kiddies that are focused on bragging rights and are all 'pls giv exploit for ssh' or 'help! hydra not working on this site!' are actually having the issue that they are skipping steps. They are trying to jump straight into the 'compromise/initial foothold' stage of the attack, because they aren't aware/don't care that there are steps beforehand (notably the prep and recon steps). My best advice for ANYONE trying to hack ANYTHING always has been and always will be 'forget about how to get in, do your homework and proper recon'. Too many people ignore the importance of reconnaissance and don't realize that if you have done proper, rigorous reconnaissance then the whole 'compromise/foothold/exploit/getting in' step literally becomes self-evident. It is simply a matter of fact that 'this is the hard path into the system'. You may not necessarily like or be accustomed to this path, or it may not even be in scope for a pentest, but it IS there.
3. Don't do their homework: This is a phrase I like to use for when people fail to google or investigate their own problems, and it has a stronger meaning in reference to an attacker's methodology. This is really a joint issue of the above points: a failure to prepare for 'The Attack', a lack of rigorous reconnaissance, and not adhering to the other overlooked footnote in the attacker's methodology, namely that you may, nay will, have to jump back and forth between the steps. Don't confuse jumping with skipping, though. It simply means that in light of new information, you may have to reiterate previous steps. This is where lateral, outside-of-the-box thinking skills are commonly expressed. Out-of-the-box thinking is simply questioning the presumed assumptions of the problem and exploring new possibilities when an assumption is deemed flawed, if not outright wrong.
The last point bears repeating. As an example, let's say you are an attacker going after BigCorp. You've done your prep work and have a general plan. You start your recon work and start identifying systems, boxes, sites, protocols, servers, what have you, that BigCorp uses. This information is building a group of assumptions in your head about BigCorp. Without getting into philosophy, assumptions here can be entirely correct and even have evidence to support them. One of these inevitable assumptions, whether you realize it or not, is the assumption of 'Now I know their systems, boxes, sites, protocols, servers, etc. in place'. Unfortunately it feels like BigCorp is magically locked down. Everything is patched, employees ain't taking the bait, configurations are good; it feels like Donald Knuth and Bruce Schneier had a love child who was given full rein over BigCorp with unlimited funds. At this point it's time to challenge your assumptions. In this example the assumption is going to be 'I know everything they are using'. Do you REALLY know everything they use? You go back through your data and notice that halfway through some network enumeration your favorite scanner started to throttle scan rates before eventually petering off. Aha! Perhaps DKBS had set up an IDS to enforce a type of tarpit when certain addresses were accessed? You do your homework and now take a slower, distributed approach and find a new box you didn't see before. DKBS must've been drunk when he set it up, as it has an old vulnerability, and on the box are SSH keys for root on every box in the network. Game over, DKBS.
Now you may have noticed I have deliberately NOT outlined the attacker's methodology itself, nor have I really explained how to go about the steps I did mention. This is because, as insert-name-here said, he's seen all these other books and whatnot explain it and noted that there is a disconnect between the methodology and a skilled attacker (I'm paraphrasing). So instead of rehashing old words, I decided to elaborate more on how the absence of the attacker's methodology results in unskilled attackers. Sometimes the best way to get a concept to click with some people is to show them how something doesn't work.
Sound familiar to anyone?
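The "go back through your data" step in the BigCorp story above is the part most people never actually do. As an added example (not code from the post or its author), here is one way to do it mechanically: replay a scanner's probe log and flag the point where the probe rate collapses relative to the opening baseline, which is what a tarpit or rate-limiting IDS looks like from the attacker's side. The log format, the `Probe` record, and the sample scan are all constructed here for illustration; a real run would parse the timestamps out of your scanner's own output instead.

```python
"""Re-examine recon data for a throttling / tarpit signature.

Added example, not part of the original post. The probe log is
constructed: a scan that runs healthily, slows down, then goes silent.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Probe:
    t: float        # seconds since the scan started
    target: str     # host:port that was probed (hypothetical addresses)
    answered: bool  # whether any reply at all came back


def constructed_scan_log() -> list[Probe]:
    """Constructed sample: 20 probes/s for 30 s, then each gap grows 5%, then timeouts."""
    log = []
    # Phase 1: healthy scanning, 20 probes/s, every probe answered.
    for i in range(600):
        log.append(Probe(i / 20.0, f"10.0.0.{(i % 200) + 1}:80", True))
    t = 600 / 20.0
    # Phase 2: a tarpit-like slowdown; the inter-probe gap grows every probe
    # and only some probes get a reply.
    gap = 0.05
    for i in range(100):
        gap *= 1.05
        t += gap
        log.append(Probe(t, f"10.0.0.{(i % 200) + 1}:443", i % 4 != 0))
    # Phase 3: silence; every probe waits out a 2 s timeout.
    for i in range(100):
        t += 2.0
        log.append(Probe(t, f"10.0.0.{(i % 200) + 1}:22", False))
    return log


def rate_per_window(log: list[Probe], window: float = 5.0):
    """Bucket the log into fixed windows: (window_start, probes_sent, probes_answered)."""
    if not log:
        return []
    end = log[-1].t
    buckets, start, i = [], 0.0, 0
    while start <= end:
        sent = answered = 0
        while i < len(log) and log[i].t < start + window:
            sent += 1
            answered += int(log[i].answered)
            i += 1
        buckets.append((start, sent, answered))
        start += window
    return buckets


def find_throttling(log: list[Probe], window: float = 5.0,
                    baseline_windows: int = 3, drop_ratio: float = 0.5):
    """Return the first window whose probe rate fell below drop_ratio of the
    opening baseline (median of the first few windows), or None if the scan
    never slowed down. That first window is where to start asking what the
    target did differently."""
    buckets = rate_per_window(log, window)
    if len(buckets) <= baseline_windows:
        return None
    baseline = median(b[1] for b in buckets[:baseline_windows])
    for start, sent, answered in buckets[baseline_windows:]:
        if sent < baseline * drop_ratio:
            return {
                "window_start": start,
                "baseline_rate": baseline / window,
                "observed_rate": sent / window,
                "sent": sent,
                "answered": answered,
            }
    return None


if __name__ == "__main__":
    hit = find_throttling(constructed_scan_log())
    if hit is None:
        print("no throttling detected")
    else:
        print(f"rate collapsed at t={hit['window_start']:.0f}s: "
              f"{hit['baseline_rate']:.1f}/s -> {hit['observed_rate']:.1f}/s "
              f"({hit['answered']}/{hit['sent']} answered)")
```

The point of the `window_start` it returns is not the number itself but what you do next: pull the targets probed just before that timestamp and ask whether any of them is the thing you assumed wasn't there.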