
What Does a Hacker Do? - aware7
https://aware7.de/en/blog/what-does-a-hacker-do
======
ascended
Much of this appears to be written by a contracted vulnerability assessor. I
have performed both vulnerability assessments and penetration tests: for
customers that have a specific adversary they have identified and asked us to
emulate, for businesses that require a periodic attestation for compliance to
standards like PCI, sometimes for an enthusiastic manager that wants a
hacker to test them thinking they have made all the security tool deals that
will protect them, and for customers that just want the findings as a report
to help define future product enhancements.

I've used some very important and distinctive terms that your post failed to
address: 1) Findings 2) Vulnerability Assessment 3) Penetration test 4)
attestation of compliance (AoC)

A vuln scan is not a pentest; the difference is very simple. A pentest not
only finds things that can be exploited; for it to be a pentest it actually
needs to craft the exploit to validate them. The vuln scan is just reporting
unvalidated findings; if you didn't craft an exploit you are not reporting a
vulnerability yet. And always remember the rule: one is none. One instance of
a finding through one test is not enough; one validation for a solid finding
is not yet validation until you've crafted at least 2 tests. And a report is
not an AoC; an attestation of compliance must have been provided with evidence
for all findings, not just screenshots but real evidence that the customer can
replay to corroborate your finding. Furthermore, an AoC is useless if you
simply provided a CVSS; it must be risk-based and relevant to the customer. A
CVSS rating that is INFO is often a HIGH RISK because the vendor CVSS didn't
have the customer context to rate it, but often these INFO ratings offer the
vectors to gain private keys and such that can be used in a multi-staged
attack, whereas CVSS is only concerned with the current context, stage-1 of the
attack; it cares not if stage-2 is a disclosure of a private key and stage-n
is exfil.

I really wish the so-called hackers and these so-called ethical hackers from
offensive security certifications (that unfortunately make up the majority)
actually spoke to their customers and learned what customers really need,
instead of being solo, using severely limited tools like Kali, in their
hoodies, and ignoring the reality of what it means to be a professional.

Take in the advice above; at least try to act like a useful part of this
industry. I can't tell you how many times customers ask to get a real report
after getting so many terrible failed reports wasting their money and time.
Maybe more than just once this year I'd like a customer to tell me they've
never had a bad experience with a so-called pentester.

