by 001spartan 2567 days ago
1. Dozens (if not hundreds) of tools are used. It's all about personal preference, and what you're used to. Personally, I don't often use most of the tools you mentioned except Mimikatz; I use a commercial framework paired with many open source or private PowerShell scripts and .NET tools.

2. Something like evilginx2 can provide man in the middle functionality for stealing MFA tokens, or I try to find endpoints that have misconfigured or absent MFA.

3. It depends on the engagement. We like assumed breach scenarios because they're more effective for the time and money involved, but clients want entirely black-box engagements fairly often as well. Otherwise, I'll focus on using OSINT to develop a phishing target list, assuming I do basic scans against the organization's external network footprint and don't find anything egregious.

4. It's all about experience. You have to come up against the tools, and then see what works. It's really a lot of trial and error, though a lot of common bypass techniques will work against multiple products. There's no one-size-fits-all bypass.

5. Twitter, public Slack channels, and research performed by myself and my coworkers.

6. Learn soft skills. It's easy to teach someone how to do the technical part of the job, but you have to be able to communicate it to stakeholders. Technically, you should focus on the areas that interest you, but ensure that it's something used by the types of clients you're doing work for. It doesn't help to know the latest and greatest Linux attacks if none of your clients even know what Linux is. It doesn't help to be a badass web application pentester if you're expected to be able to move through a large Active Directory environment. Personally, I focus on Windows and Active Directory environments.


Thanks for the detailed response!