I just got back from an assessment and wanted to do a real cool "Day in the life" type post. Unfortunately the customer was a pain in the ass (see #2), so no cool "how I owned blah.com" post. Check g0ne's blog for that. But here are a couple observations that aren't in any of those hacking books.
1. Even though you were invited by someone in that organization to make security better, there are plenty of people in that organization who DIDN'T invite you and don't want you there. Especially if it requires them to do some work to get you IP space or a place to put all your gear, or just requires them to get off their ass in general. Not to mention you are there to see how good a job they have been doing, and if they haven't been doing a good job...
2. Be prepared to be blamed for any and all network issues that arise while you are there doing your assessment, even if you are out to dinner :-) The customer had a network outage occur while I was at dinner. Now even though DoS was not in the scope... instead of the admins actually doing some work to determine the cause of the outage, I was immediately blamed for doing a Denial of Service attack on the subnet. Apparently from outside the firewall AND through my phone AND while I was at dinner AND I was able to make this happen on a non-public network. How's that for some kung fu!
3. Be prepared for that person who invited you in #1 to not be real thrilled when you succeed. In fact, be prepared for them to be really pissed when you do your low-tech hacking into their secure building or when you totally own their network.
** The rest of this is probably in some hacking book.
-If you share IP space with people, buildings, and computers you have no control over, you may want to treat all of those things as hostile to your network. Blindly trusting data and traffic coming from computers based on their IP has never been a good thing and still isn't.
-Other things on the do-not-do list:
* Do not broadcast your virtual meetings via VNC without authentication, especially if you blindly trust IPs in a range you don't control. Watching briefings and meetings through unauthenticated VNC sessions is always fun.
* LM hashes are just bad in so many ways I can't even start, especially if your patch policy is bad.
* A password policy with no complexity, length, or age requirements isn't much of a password policy.
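The VNC point above (and the "treat shared IP space as hostile" point before it) comes down to one thing a defender can check on their own servers: whether the RFB handshake offers the "None" security type. The following is an added example, not code from the original post; it parses only the server's side of an RFB handshake (the 12-byte ProtocolVersion message followed by the security-type message, as in the RFB spec) from bytes you might pull out of a packet capture of your own VNC servers. The three captures at the bottom are constructed for the example, not real traffic.

```python
"""Flag VNC (RFB) servers whose handshake advertises unauthenticated access.

Added example: feed in the bytes the server sent during the handshake
(ProtocolVersion + security-type message) and see whether security type 1
("None") is on offer. Security type numbers come from the RFB spec.
"""
import struct

RFB_SECURITY_TYPES = {
    0: "Invalid (connection refused)",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_server_security(server_bytes: bytes) -> tuple[tuple[int, int], list[int]]:
    """Return ((major, minor), [security types]) from the server's handshake bytes."""
    if len(server_bytes) < 12 or not server_bytes.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    # ProtocolVersion is exactly "RFB xxx.yyy\n" (12 bytes).
    major = int(server_bytes[4:7])
    minor = int(server_bytes[8:11])
    body = server_bytes[12:]
    if (major, minor) <= (3, 3):
        # RFB 3.3: the server dictates a single security type as a 4-byte big-endian word.
        if len(body) < 4:
            raise ValueError("truncated RFB 3.3 security-type message")
        (sec_type,) = struct.unpack("!I", body[:4])
        return (major, minor), [sec_type]
    # RFB 3.7/3.8: a count byte, then one byte per offered security type.
    if not body:
        raise ValueError("truncated security-types message")
    count = body[0]
    if count == 0:
        # Zero types means the server is refusing, followed by a length-prefixed reason string.
        reason_len = struct.unpack("!I", body[1:5])[0]
        reason = body[5:5 + reason_len].decode("latin-1", "replace")
        raise ValueError(f"server refused connection: {reason}")
    if len(body) < 1 + count:
        raise ValueError("truncated security-types list")
    return (major, minor), list(body[1:1 + count])


def advertises_no_auth(server_bytes: bytes) -> bool:
    """True if the server offers security type 1 ('None'), i.e. anyone can connect and watch."""
    _, types = parse_server_security(server_bytes)
    return 1 in types


def describe(server_bytes: bytes) -> str:
    """Human-readable summary of what the server offers, for a report."""
    (major, minor), types = parse_server_security(server_bytes)
    names = ", ".join(RFB_SECURITY_TYPES.get(t, f"unknown({t})") for t in types)
    verdict = "OPEN: unauthenticated access offered" if 1 in types else "auth required"
    return f"RFB {major}.{minor} offers [{names}] -> {verdict}"


# Constructed captures of the server side of three handshakes (not real traffic).
OPEN_CAPTURE = b"RFB 003.008\n" + b"\x02\x01\x02"          # offers None and VNC Auth
LOCKED_CAPTURE = b"RFB 003.008\n" + b"\x01\x02"            # offers VNC Auth only
RFB33_OPEN_CAPTURE = b"RFB 003.003\n" + b"\x00\x00\x00\x01"  # old server, None dictated

if __name__ == "__main__":
    for cap in (OPEN_CAPTURE, LOCKED_CAPTURE, RFB33_OPEN_CAPTURE):
        print(describe(cap))
```

The useful detail for a defender is that on RFB 3.7/3.8 the server advertises a list, so a server that offers both "None" and "VNC Authentication" is still open: the client picks, and an unauthenticated viewer simply picks 1.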
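On the LM hash and password policy points, the quickest way to show a customer the problem is to audit their own pwdump-format export (`user:rid:LMhash:NThash:::`) for accounts that still store an LM hash. This is an added example, not code from the original post. It relies on two well-known constants: `aad3b435b51404eeaad3b435b51404ee` is the LM value stored when LM hashing is disabled (or the password is empty or longer than 14 characters), and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password. Because LM hashes each 7-character half separately, a stored LM hash whose second half equals the empty half tells you the password is 7 characters or fewer, which is also a length-policy finding. The sample dump is constructed for the example and the hash values in it (other than the two constants) are made-up hex.

```python
"""Audit a pwdump-format export for LM hash storage and empty passwords.

Added example. Lines look like  user:rid:LMhash:NThash:::  and the two
constants below are the well-known 'empty' LM and NT values.
"""

EMPTY_LM_HALF = "aad3b435b51404ee"        # LM of a 7-byte block of padding (empty half)
EMPTY_LM = EMPTY_LM_HALF * 2              # stored when LM is disabled, or password empty / >14 chars
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4 of UTF-16LE) of the empty password


def parse_pwdump_line(line: str) -> dict:
    """Split one pwdump line into its fields; hashes are normalised to lowercase hex."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"hash fields must be 32 hex chars: {line!r}")
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}


def audit_pwdump(dump_text: str) -> list[tuple[str, list[str]]]:
    """Return (username, [issues]) for every account with an LM hash stored or an empty password."""
    findings = []
    for line in dump_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comment lines
        rec = parse_pwdump_line(line)
        issues = []
        if rec["lm"] != EMPTY_LM:
            issues.append("LM hash stored")
            if rec["lm"][16:] == EMPTY_LM_HALF:
                # Second LM half is the empty block: the password fits in the first 7 chars.
                issues.append("password is 7 characters or fewer")
        if rec["nt"] == EMPTY_NT:
            issues.append("empty password")
        if issues:
            findings.append((rec["user"], issues))
    return findings


# Constructed sample dump (not real data); non-constant hashes are made-up hex.
SAMPLE_DUMP = """\
# constructed sample for the example
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jdoe:1002:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, issues in audit_pwdump(SAMPLE_DUMP):
        print(f"{user}: {'; '.join(issues)}")
```

The fix on the customer side is the NoLMHash setting (or a 15+ character minimum, which makes Windows store the empty LM value), and a password policy with real length, complexity and age requirements so the second finding stops showing up.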