Ask a Pen Tester, Part 2: A Q&A With Rapid7 Pen Testers Gisela Hinojosa and Carlota Bindner

This blog post is part two of a two-part series. For more insights from Gisela and Carlota, check out part one here!


Rapid7 pen testers Gisela Hinojosa and Carlota Bindner are back, ready to answer another rousing round of questions from our customers about the mysterious art of penetration testing. Read on to learn about their go-to attack methods, and defenses that trip them up:

Q: What’s the most underrated thing about what you do?


Carlota: I think report writing is one of the more underrated parts of penetration testing. When people think of penetration testing, they think of gaining access to a network, or finding cross-site scripting on a web application, instead of writing a report about those vulnerabilities and remediation. While it is underrated, reporting is a crucial part of what we do, since it is the tangible product the client receives detailing the engagement and guiding them toward a more secure application or environment.


Q: Which pentesting method/technique (web app, infrastructure, social engineering, etc.) do you find the most interesting and why?


Carlota: I find IoT penetration testing to be most interesting because the methodology we use for testing is focused not only on the device, but also the ecosystem that includes physical and wireless networks and web and mobile applications that connect to and support the device’s function.


Q: What’s your go-to method for obtaining credentials for lateral movement?


Gisela: This really depends on the network environment, but reused Local Admin credentials comes ..