It's well known in hacking circles that edus are the easiest targets, even from the outside. Strangely enough, I was aware of one “ethical hacker” teaching pentesting who recommended that pentesters practice hacking into educational facilities as a way to practice and get their “chops”.
Now I should say this situation is rapidly changing and security has gotten much better. I don’t recommend this as a way to get your chops at this time unless you are willing to risk jail time for your art, and remember, in jail you can’t practice any hacking! You must remember things are getting so automated now that even the most overworked admin can set things in place that will catch a newbie.
For me internal audits are usually so much easier. Not always, but often. It depends on the situation and what's allowed. Sometimes it's so easy I don’t even feel like a hacker if permissions exist. I remember one time I was asked to audit the security of a huge Catholic school internally. I was allowed to present myself as the computer repair man, so no one seemed to mind me walking around. I think it took about all of 15 minutes. I went to a station that was available. I reset the BIOS password. I then changed the settings so I could boot to my live Linux CD. I recorded the boot key and I grabbed the SAM file and saved it to my USB thumb. I walked away, sat back down in a corner, ran my cracker and had the admin pass in just a minute or so with a dictionary crack. It was COUGAR. Jeeze, I didn’t even need to do all that, because having spoken a bit with the admin I already knew she was a cat lover. I am sure after LION, KITTY, PANTHER, etc. I would have hit it. I still like password guessing more than cracking, but it was so easy in this situation to grab the SAM.

I remember one time in an internal audit, after I got admin access, I installed radmin on a box and was able to log everything that occurred later. Simple little innocent radmin, something they should have noticed in the task bar. Their anti-virus didn’t see it as a threat since it was a commercial product. I haven’t even mentioned hardware keyloggers, lol. Hardware keyloggers are perhaps the most devastating attack we can do if we have physical access. If I can have physical access and few limitations, it’s almost scary what you can do. If I get bored, I almost want to see how sloppy I can be and get away with it.

It doesn’t matter if the server is fully patched and has the latest, greatest firewall. It doesn’t matter if all the clients are firewalled and patched. Policies, and how employees implement them, are the key, and then how a breach is dealt with when discovered.
Strong passwords would have blocked my simple "attacks" every time, but it seems rare I encounter one. People like easy-to-remember things and are usually not educated in making a password passphrase.
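As an added example from the defender's side (this is not code from the post or its author), here is a small password policy check that rejects exactly the kind of passwords the story above describes: a dictionary word, a dictionary word with the usual cheap mutations (capitalisation, leet substitutions, a number and a symbol tacked on the end), or anything built on a word the user is known to be fond of. The word list, the 14-character minimum, and the `context_words` parameter are all assumptions chosen for the illustration; a real deployment would load a full cracking dictionary and a per-user list of things like pet names and team mascots.

```python
"""Password policy check favouring passphrases over short mutated dictionary words.
Added illustration, not the original poster's code; the word list and limits are
constructed for the example."""
import re

# Constructed stand-in for a real cracking wordlist (assumption: a real deployment
# loads a full dictionary here). The cat-themed entries mirror the post's story.
COMMON_WORDS = {
    "cougar", "lion", "kitty", "panther", "tiger",
    "password", "welcome", "school", "admin", "letmein",
}

# Policy choice assumed for the example: length is what defeats dictionary runs,
# so require a passphrase-sized minimum instead of "one upper, one digit, one symbol".
MIN_LENGTH = 14

# Leet substitutions a dictionary attack tries automatically, so the policy undoes them.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Collapse a candidate password to the dictionary word it was probably built from.

    Steps: lower-case, drop appended digits/punctuation ("Cougar1!" -> "cougar"),
    then undo leet spelling ("P@nther" -> "panther"). Prepended digits are
    deliberately left alone; this is a policy check, not a cracker.
    """
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)  # strip the trailing "2019!" style suffix
    return base.translate(_LEET)


def check_password(pw: str, context_words=()) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects, in order: anything that normalises to a common word or to one of the
    user's context words (pets, mascots, hobbies an attacker can learn by chatting),
    anything shorter than MIN_LENGTH, and degenerate repeats that only satisfy length.
    """
    base = normalize(pw)
    guessable = COMMON_WORDS | {w.lower() for w in context_words}
    if base in guessable:
        return False, f"based on guessable word '{base}'"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(set(pw)) < 5:
        return False, "too few distinct characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the post's admin password, mutated variants, and a passphrase.
    samples = ["COUGAR", "C0ugar1!", "P@nther2019", "Tr0ub4dor&3", "correct horse battery staple"]
    for s in samples:
        accepted, reason = check_password(s, context_words=("Whiskers",))
        print(f"{s!r:35} {'accept' if accepted else 'reject'}: {reason}")
```

The point of `normalize` is that the mutations users apply to "strengthen" a word are the same ones a dictionary run applies for free, so the policy should judge the underlying word, not the decorated string. Length then does the real work: a four-word phrase passes while the eleven-character leet word does not.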
On the other hand, a black box test from the outside can really test your mettle. You can spend days trying to research and find the target. Probe and probe. Finally you discover it, only to find it completely locked down. UGH! So now you try and go around the other way. Perhaps a client-side attack or some social engineering, or both. Actually, client-side attacks rarely work without a little social engineering, so we could classify them in that category if we chose to. OK, your browser exploit didn’t work, so what’s next? Can you code a Trojan that can’t be detected? Can you fool whoever into trusting you enough to download it? For what I call a “full on full on”, these skills are paramount.