Metasploit mailing list archives

Pen-Testing and Metasploit Question

From: rafael.pandini at gmail.com (pandini pandini)
Date: Wed, 29 Apr 2009 18:03:50 -0300

Matt Gardenghi, TK and BN thanks for your replies !

 One quote about Matt Gardenghi reply, about writing a good report.
Just a .pdf document, containing all vulnerabilities found (Machine
XXX vulnerable to ms08-069), its severity (Critical), and how to fix
it (some link to a patch) ? Other informations (If I was asked to do
it)  like credentials grabbed(Plain text/hashed passwords),
informations about hosts and devices (running linux, apache, etc), if
the target has some database then some tables of an database, or
source codes from the a internal cvs server of the company, as "proof"
of what can be done by an attacker is usefull or just say "passwords
can be stolen" ?

 About the report, someone has some "model" or example of report that
can be shared with us ?

 I agree with you TK about certifications, and I seriouly thinking
about CEH certification. But I have no ideia from where to start,
someone knows a good book/material ?

 Thanks in advance,
 Pandini.

On 4/23/09, Ben Nell <enemy.cow at gmail.com> wrote:

A good place to look for help with these types of questions might be
the Security Focus pen-test list.  You can read some details about it
at http://seclists.org/#pen-test.

A lot of this sort of thing has already been discussed, so you could
probably find a lot of useful information reading through the
archives.

BN

pandini pandini wrote:


?I'm in the same boat that professor, trying to get into pentest
industry but I don't know "where to start". I agree with what max
said, imho methodology is the center of the thing, know how and why,
is really better than know "where to click" or what command to run.

?My questions are, "What the industry expect from a pentester" (audit
database, software source code, networks, servers , etc..), "What is
generally done in a basic pentest", and what certifications are "good"
to proof some basic knowledge. Just say to a company that "I'm able to
do a pentest, can you give me a change ?" will don't work.

?I think that I need some formal proof of knowledge, as I haven't any
professinal experience in pentest, this is the only one way that I
see.



?Thanks in advance,
?Pandini.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

Pen-Testing and Metasploit Question, (continued)
- - Pen-Testing and Metasploit Question max (Apr 21)
    - Pen-Testing and Metasploit Question Ronald L. Rosson Jr. (Apr 21)
- Pen-Testing and Metasploit Question rogue (Apr 20)
  - Pen-Testing and Metasploit Question chuks Jonia (Apr 20)
- Message not available
  - Pen-Testing and Metasploit Question Professor 0110 (Apr 21)
    - Pen-Testing and Metasploit Question MaXe (Apr 22)
- Pen-Testing and Metasploit Question Simon Taplin (Apr 22)
  - Pen-Testing and Metasploit Question pandini pandini (Apr 23)
    - Pen-Testing and Metasploit Question Kevin Beaver (Apr 23)
    - Pen-Testing and Metasploit Question Ben Nell (Apr 23)
    - Pen-Testing and Metasploit Question pandini pandini (Apr 29)
    - Pen-Testing and Metasploit Question Matt Gardenghi (Apr 30)
    - Pen-Testing and Metasploit Question chuks Jonia (May 02)
    - Pen-Testing and Metasploit Question Matt Gardenghi (May 04)
    - Pen-Testing and Metasploit Question Kevin Beaver (May 04)
    - Pen-Testing and Metasploit Question Matt Gardenghi (Apr 23)
- Pen-Testing and Metasploit Question metafan at intern0t.net (Apr 20)
  - Pen-Testing and Metasploit Question Edward Bjarte Fjellskål (Apr 22)
    - Pen-Testing and Metasploit Question MaXe (Apr 22)