• IMHO (12/2/2011)


    The easiest way to penetrate a system is to have the password. As long as there are phones out there with rootkits capturing URLs and keystrokes, none of our systems are truly secure.

    No need to have such technical expertise. Social means, like calling users feigning that you're from IT and requesting user/pwd info is frighteningly effective.

    On the flipside, it's also very effective for SAs and DBAs to have automated scanners check your logs every few minutes for errors, like, oh, I don't know, login failures. If anything, it allows me to continue putting down "DB monitoring" into my timesheet without being questioned after catching the penetration testers. 🙂

    Rich
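The periodic login-failure scan Rich describes, as an added example that is not part of the original post: it parses failed-login lines and raises an alert for any client address that produces a burst of failures inside a short window, which is what a brute-force or password-spray attempt looks like in a database error log. The log lines are constructed for this example (modeled loosely on SQL Server "Login failed for user" wording); the regex, threshold and window size are assumptions a DBA would tune to their own log format and baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): a timestamp, the
# login outcome, the user name and the client address in brackets.
SAMPLE_LOG = """\
2011-12-02 09:00:01 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.1.2.3]
2011-12-02 09:00:03 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.1.2.3]
2011-12-02 09:00:05 Login succeeded for user 'reports'. [CLIENT: 10.1.2.9]
2011-12-02 09:00:06 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.3]
2011-12-02 09:00:08 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.1.2.3]
2011-12-02 09:00:10 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.1.2.3]
2011-12-02 09:00:11 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.1.2.3]
2011-12-02 09:14:00 Login failed for user 'rich'. Reason: Password did not match. [CLIENT: 10.1.5.7]
"""

# Assumed line layout; adjust to the real log format being monitored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client) for every failed-login line.
    Successful logins and unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("client")


def find_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {client: (count, first_ts, last_ts, users)} for each client
    that produced at least `threshold` failures inside any sliding window
    of the given width. For a client with several qualifying windows the
    most recent one is reported."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(text):
        by_client[client].append((ts, user))

    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[client] = (count, events[start][0], events[end][0], users)
    return alerts


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; a scheduled job would
    # instead read the error log written since the last pass.
    for client, (count, first, last, users) in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {client}: {count} failed logins between {first:%H:%M:%S} "
              f"and {last:%H:%M:%S} for users {', '.join(users)}")
```

Running this flags 10.1.2.3 (six failures in ten seconds, spread across two account names) and stays quiet about the single failure from 10.1.5.7, which is the ordinary mistyped password the threshold exists to ignore. Keying the count on client address rather than user name is what catches a password spray that touches each account only once.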