Security Basics mailing list archives

Re: which is next step after using tools in penetration testing?


From: Serg B <sergeslists () gmail com>
Date: Wed, 4 Mar 2009 09:29:07 +1100

Hi

Why would you want to exploit something that you know can be exploited
(or at least there are better than average chances that it can be)?

It's a waste of your time and your client's money.

You have proven that the vulnerability or at least a potential
vulnerability exists. At this point in time the client is going to go
through the report and attempt to check the version numbers/code/etc
in order to start the remediation process... So in my opinion
exploitation is not a step in the right direction, unless of course
you have been instructed to demonstrate a working exploit. Instead,
perhaps, suggest how they could solve the problem.


Serg




On Wed, Mar 4, 2009 at 2:58 AM,  <praveen_recker () sify com> wrote:
Hi Manoj,

After the Penetration Testing is done you'll have a good amount of data, vulnerability names, CVEs, BIDs etc. which come
under Vulnerability Correlation. Based upon the information available (mentioned above) for the Vulnerability, you can
google for various exploits. For specific sites you can go through Metasploit, milw0rm etc. which are free. You can use
commercial tools like CoreImpact, Canvas, BreakingPoint etc. which are loaded with commercial exploits.

On the other hand, if you are good at perl/python scripting and able to understand the Vulnerability, you can write your own
exploits. Developing exploits using C/C++ is time consuming.

Best Regards,
Praveen Darshanam,
Security Researcher,
INDIA


