My pentesting tenets

I follow a method built on a few tenets. I didn't set out to make this pseudo-Buddhist, but it turned out a little bit like that. These are the things that have helped me so far.

  1. Try the attack. Don't assume it won't work, even if it seems impossible or incredibly stupid that it would. Remember that the early phone phreakers thought it was impossible that whistling 2600 Hz could get them a free phone call.
  2. If it isn't written down, it didn't happen. This goes for everything in your life, not just pentesting, but it applies doubly so for pentesting. Attack ideas, attack attempts - everything you thought and tried - need to be written down. Remember this from Cliff Stoll and The Cuckoo's Egg.
  3. Magic isn't real. Even if it seems hackers sometimes communicate on a direct spiritual channel with computers and can sense vulnerabilities before touching the keyboard, every fascinating hack is the result of grueling trial and error, and every slick talk at DEFCON hides literally years of trying shit to see if it worked. For every successful attack, there are hundreds of failed attacks.
  4. Chop wood; carry water. Give yourself over to the method, accept what it gives back, and ask for nothing more. Getting frustrated, getting ahead of yourself, and daydreaming about how this attack will definitely work and will definitely secure you the ultimate prize are all symptoms of not listening to this tenet.
  5. Go step by step. Let your notes guide you to the next step. A knitter creates a beautiful garment out of a single length of wool one stitch at a time. Focus on the next step before you look back and see what you have made, or look forward to what you haven't. Looking forward or backward will make you sad that you haven't done enough.