Re: Using 0days as part of pen-test?

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Javier Reyna Padilla wrote:
> Well I think that if you can identify a 0day, and you are able to
> exploit, then you have a plus over a lot of just-framework-pentesters,
> not trying to talk bad about anybody. 

Although I haven't though this way, interesting point.

> And the point is to probe the
> network is vulnerable. I think it is ok to exploit 0days, but ofcourse
> you will explain that in the final report, and then you might do
> whatever you want with your research.   Maybe, things will depend on the
> contract you sign with your customer about tecniques, procedures, and
> what kind of explotations you are allowed to test.

They requested by almost a full pen-test scenario, including everything
even social engineering.

> Javier Reyna
> CCSE WCSE ISS-CS NSP JNCIA-FWV
> Consultor en Seguridad
> jreyna () onlinet com mx
> www.onlinet.com.mx
> ,,__
> o" )~
> ''''
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkltBK0ACgkQH+KgkfcIQ8ebGACg1iJLFSqSI87rWj4zTYJp7BGL
9jYAn1LTtxio1Vng3C5h+zOZQL1i9NWf
=D+JM
-----END PGP SIGNATURE-----