Penetration Testing mailing list archives
Re: Pen testing techniques
From: Joey Peloquin <joeyp () cotse net>
Date: Thu, 10 Apr 2008 17:52:47 -0500
Atif Azim wrote:
Well, the results are definitely verified through nmap as well. OS is win 2k3 running IIS 6.0 and only 80 being open. Yes indeed the client has assigned us the job to perform the pen test and knows about it. I do have the CPTS training dvd and am going through that, but it will take time to digest that horde of information. Also downloading WebGoat to get my hands wet with web app testing. The client's website offers a place for legitimate users (I cannot become that legitimate user) to login and do their respective tasks. So what is available to me as a pen tester is only the user ID and password field to play with :)
No offense intended toward *you*, but IMHO, it is grossly negligent for your firm to have thrown you into a solo gig without a) proper training, b) having shadowed a senior engineer or consultant on a number of other gigs, and c) without local (internal) resources to escalate to, in the event something like this happened.
Some nuts can be hard to crack, and you have to be willing and able to conduct research, and run hundreds of manual tests (especially against web apps). If you're relying solely on _tools_, my friend, you're going to have a short, unrewarding career, because that a pen-tester doth not make.
PS. You should strangle whomever scoped this engagement, and do it yourself from now on.
-jp