EH-Net
May 22, 2013, 05:32:38 AM *
  Show Posts
46  Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: I passed OSCP !! on: February 04, 2013, 10:18:44 PM
Nice work.
47  Ethical Hacking Discussions and Related Certifications / General Certification / Re: nth topic on Career Advice on: February 02, 2013, 10:27:58 AM
Do you have any idea what you want to do in infosec? Are you in the US?

48  EH-Net / News Items and General Discussion About EH-Net / Re: Hacking: Is it good or bad? on: January 31, 2013, 10:27:36 PM
Sorry, I was being a dick, I'll be serious for a minute.

It's a strange question. Illegal hacking is bad but it also keeps me employed on the white hat side. Our industry benefits from the Anonymous stuff and also when the media takes an incident and scares the crap out of people that don't understand it.

I don't promote illegal activity and I agree that a serious hacking incident can have devastating effects to a business.

I think a more interesting question is in regards to cyber warfare and what you think about nations using it against each other.....in my opinion, I think those hacks are good...

Stating that a person only needs a firewall to be secure is such an ignorant statement. There is so much wrong with it, I won't even get into it here. Go read about the latest New York Times incident. They had a firewall AND antivirus ooooooooo. Those hackers must have used voodoo to get in :D
49  EH-Net / News Items and General Discussion About EH-Net / Re: Hacking: Is it good or bad? on: January 31, 2013, 09:59:30 PM
Don't forget about a flux capacitor (FC). Firewall + FC = Fort Knox
50  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web App Fuzzer on: January 21, 2013, 09:45:10 AM
Acunetix has pretty reports :)

Clients love pretty.
51  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web App Fuzzer on: January 21, 2013, 09:40:01 AM
+1

We've had Acunetix and Hailstorm, but I hate both. I always end up using Burp because it gives me the most manual control. I still think web app testing is 80% human.
52  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Password Strength Testing on: January 16, 2013, 08:21:30 AM
If you only have three tries, trim this list down:

password
Password1
Companyname1
Currentmonth2013 (or 2012)
Currentseason2013 (or 2012)
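
A defensive counterpart to the list above, as an added example that is not part of the original post: a check that a password-change filter or audit could run to reject candidates built on these patterns. It generalizes from the 2012/2013 suffix to any trailing digits or symbols; the function names and the company name `Example Corp` are assumptions.

```python
import re

MONTHS = ("january february march april may june july august "
          "september october november december").split()
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
PASSWORD_WORDS = ("password", "passwd", "pass")
# Undo common substitutions so "P@ssw0rd" is treated like "password".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s"})


def _stem(text):
    """Drop trailing digits/symbols, lowercase, undo substitutions."""
    base = re.match(r"^(.*?)[\d\W_]*$", text, re.S).group(1)
    return base.lower().translate(LEET)


def weak_pattern(password, company_names):
    """Return the predictable pattern a password matches, or None."""
    stem = _stem(password)
    companies = {_stem(re.sub(r"[\W_]", "", c)) for c in company_names}
    if stem in PASSWORD_WORDS:
        return "password variant"
    if stem in companies:
        return "company name"
    if stem in MONTHS:
        return "month"
    if stem in SEASONS:
        return "season"
    return None


def audit(candidates, company_names):
    """Map each rejected candidate to the reason it was rejected."""
    results = {}
    for pw in candidates:
        reason = weak_pattern(pw, company_names)
        if reason:
            results[pw] = reason
    return results


# Constructed sample input; "Example Corp" is a hypothetical company name.
SAMPLE = ["password", "Password1", "P@ssw0rd!", "ExampleCorp1",
          "January2013", "Winter2012", "correct horse battery staple"]

if __name__ == "__main__":
    for pw, reason in audit(SAMPLE, ["Example Corp"]).items():
        print(f"REJECT {pw!r}: {reason}")
```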
53  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS GXPN Review on: January 15, 2013, 02:30:43 PM
Nope, not a requirement. Might be a suggestion, but not a req.
54  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What crypto hash function is used... on: January 15, 2013, 09:19:21 AM
Just use fgdump on a non-critical DC: http://www.foofus.net/~fizzgig/fgdump/

I say "non critical" because LSASS has been known to crash.

This will dump all the domain hashes to a text file and then use them in whatever tool you want, wherever it lives.

This will get flagged by your AV so be sure to shut it down first.
55  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Start into Web Application Security on: January 15, 2013, 09:15:21 AM
Go get The Web Application Hacker's Handbook and read it cover to cover. You'll get an idea of "where to look and what to look for" when testing web apps.
56  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Password Strength Testing on: January 15, 2013, 09:13:48 AM
Hashcat is command line http://hashcat.net/hashcat/

If you want something short and sweet you can use python and py2exe it. Just add a for loop to this:

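import hashlib, binascii
# NT hash: MD4 over the UTF-16LE encoding of the candidate password
# (hashlib's 'md4' depends on the local OpenSSL build providing it)
nt_hash = hashlib.new('md4', "thisismyhashvalue".encode('utf-16le')).digest()
print(binascii.hexlify(nt_hash).decode())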
57  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What crypto hash function is used... on: January 15, 2013, 09:09:46 AM
There is a tool called hash_id.py in backtrack that will do exactly that.

/pentest/passwords/hash-identifier/
58  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Finding the right exploit on: January 10, 2013, 10:59:08 PM
Whenever I see 445 open and the box is XP ish... I always look for 08-067.

To know how the scanner checks for this particular vulnerability you can look at the details of the vulnerability to learn how it's triggered. In this case, I cheated and looked at smb-check-vulns.nse, which is an nmap script.

On line 130 of the script you see "Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then you're safe (for now)."

In the code you see what he does to check for 08-067 and it begins to make sense...

   -- Call netpathcanonicalize
--   status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\a", "\\test\\")
   
   local path1 = "\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\..\\n"
   local path2 = "\\n"
   status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)

   -- Stop the SMB session
   msrpc.stop_smb(smbstate)

   if(status == false) then
      if(string.find(netpathcompare_result, "UNKNOWN_57") ~= nil) then
         return true, INFECTED

      elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
         return true, PATCHED
      else
         return true, UNKNOWN, netpathcompare_result
      end
   end


   return true, VULNERABLE
end

59  Ethical Hacking Discussions and Related Certifications / Hardware / Re: MacBook Pro Retina 15" on: January 05, 2013, 10:31:30 AM
Depending on what algorithm you're trying to crack, it will be either GPU intensive or CPU intensive. If you want a box that is ONLY for cracking, you should just build a desktop with multiple GPUs. If you need a box that can do some cracking but also be used for other things, just make sure you get a GPU in the box that is CUDA or OpenCL compatible. This way you can leverage tools like cudaHashcatPlus.
60  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Penetration Testing Areas & Popularity - Starting Out on: January 05, 2013, 10:18:20 AM
Quote
but I don't know what areas in pen testing are important / more important than others; or if it's purely a preference thing. It seems you can go into forensics, network testing, wireless testing, web application testing, exploit writing etc.

I'll break each out separately based on how much time I spend on each. Keep in mind though, this is a field where you should really try to learn everything you can. However, hopefully this helps you prioritize...

Forensics: 0%, we have a dedicated forensics guy, that is all he does. I think this is normal, but others can correct me if I'm wrong.
Network testing: TONS of TIME, a typical pen test in my company is some flavor of a network pen test, i.e. external, internal
Application Testing: TONS of TIME, I spend equally as much time on web apps as I do on network PT. In fact, on almost EVERY network pen test, you'll run across web apps that may/may not help you with the objectives of the pen test. You need to know both network and web apps equally.
Wireless: SOME, these are usually "bundled" into internal pentests our company sells, but it's not the norm. Not near as much time is spent here. Wireless is pretty easy stuff though, it really doesn't take all that much time to get up to speed on the basics, as well as enterprise wireless stuff.
Exploit writing: (as a hobby, LOTS) (for work, much LESS) If a company has a true research group, you might be doing this all the time. Similarly if you worked at a place like Metasploit, you would be writing sploits all the time. We have a lot of guys at my place that have never written an exploit, it's not a "critical" skill for basic pen testing.

In my opinion, I think you should start with network and web apps, study them equally, become a bad ass at both. The rest will come easy if you master those two.