Tuesday, February 23, 2016

Low Hanging Fruit Initiative

The Low Hanging Fruit Initiative [LHFI] is my own little project to make life easier on pen-testers like myself. Not that life is that hard for me, I'm just lazy and as I go along, I find things that should be simple are overly complex, overlooked, or under appreciated . So I develop tools, scripts, etc. to get the most juice I can from the low hangers and fill what I feel are gaps in the process of exploitation. Not passing up quarters for dollars has allowed me to take my game to a new level.

The way I see it, the bad guys are not coming into networks and just focusing on the vulnerabilities with CVSS scores of 10, they are searching the network looking for anything they can get their hands on to further their penetration or increase the scope of the breach and I don't understand why we cant do the same. When ever things like this are talked about, they always take the defender approach or the cracker approach, its never really looked at from a pen-testers perspective. Some might say the cracker and pen-testers approach should be the same, but they operate under a different set of restrictions. The most prominent being time for pen-testers, where often the quarters are passed up for a dollar to save time and keep costs low.  I'm not saying people need to rethink their current process, just saying maybe add a step or two. After you found all the show stoppers, take time to revisit the mediums and lows, maybe there is a gem waiting to be discovered using the scripts found here/elsewhere or your own.

The over all goal of the LHFI is to help pen-testers penetrate deeper into a network from more places. I hope this will lead to better secured and resilient networks which is good for everyone. To denote which posts contribute to the LHFI I will start using the LHFI label. If you have scripts, programs, ect. that you think fits under LHFI please let me know. I would be happy to showcase them on my blog. Thank you for reading and happy hacking.