Penetration Testing mailing list archives

Re: Pen testing techniques


From: Joey Peloquin <joeyp () cotse net>
Date: Thu, 10 Apr 2008 17:52:47 -0500

Atif Azim wrote:
Well, the results are definitely verified through nmap as well. OS is
win 2k3 running IIS 6.0 and only 80 being open. Yes indeed the client
has assigned us the job to perform the pen test and knows about it.
I do have the CPTS training dvd and am going through that, but it will
take time to digest that horde of information. Also downloading web
goat to get my hands wet with web app testing.
The client's website offers a place for legitimate users (I cannot
become that legitimate user) to login and do their respective tasks. So
what is available to me as a pen tester is only the user ID and
password field to play with :)

No offense intended toward *you*, but IMHO, it is grossly negligent for your firm to have thrown you into a solo gig without a) proper training, b) having shadowed a senior engineer or consultant on a number of other gigs, and c) without local (internal) resources to escalate to, in the event something like this happened.

Some nuts can be hard to crack, and you have to be willing and able to conduct research, and run hundreds of manual tests (especially against web apps). If you're relying solely on _tools_, my friend, you're going to have a short, unrewarding career, because that a pen-tester doth not make.

PS. You should strangle whomever scoped this engagement, and do it yourself from now on.

-jp
