NPR recently ran an interview with Christoph Niemann (source). Several of his quotes struck me as good analogies for hacking work, so I thought they were worth pointing out.
“What creates that moment is 100 very boring, unsexy steps — you know, move the line a little further to the left; draw a dog instead of a cat; … draw a chair instead of a table.” – Christoph Niemann
That statement is all kinds of correct. In the movies, “I’ll hack the Pentagon/FBI/etc.” takes 30 seconds and 15 keystrokes. In reality, you run nmap to find live hosts, then run nmap again to find open ports, then nikto, then dirb, then Nessus. Those are all VERY boring steps. Manually probing 15 web calls with 4 variables each is boring. Then you find the one that gives you admin access, which lets you point sqlmap at the entire database. Tons of unsexy that leads to sexy.
Writing a keyspace bruteforcer is unsexy and boring, right up until it finds the admin’s key and you go from anonymous access to admin instantly. But it took 3 hours to write the code and 72 hours of waiting and watching it loop endlessly. Unsexy to sexy.
“This implies you start at zero, and let’s say an idea is 100. This implies that halfway through you would be at 50. In reality, you go from zero to minus 250 and then you go to 17,000 and then you go to R. And then you end at 100” … “I think it’s very important to accept that this is not a linear process.” – Christoph Niemann
This is also very true. In a textbook scenario, we get access to an application, then to a user, then to admin, then to domain admin. Very linear. In practice, many days you’ll get access to a server and then lock out the account or lose access. Maybe you get access to a user who reboots before you can lay down persistence, or who exits the process before you can migrate out of it. Some days you’ll be on fire, finding vuln after vuln; the next day you’ll find nothing at all.