Re: Pen testing techniques

From: Joey Peloquin (joeyp@cotse.net)
Date: Thu Apr 10 2008 - 18:52:47 EDT


Atif Azim wrote:
> Well, the results are definitely verified through nmap as well. OS is
> win 2k3 running IIS 6.0 and only 80 being open. Yes indeed the client
> has assigned us the job to perform the pen test and knows about it.
> I do have the CPTS training dvd and am going through that, but it will
> take time to digest that horde of information. Also downloading web
> goat to get my hands wet with web app testing.
> The client's website offers a place for legitimate users (I cannot
> become that legitimate user) to login and do their respective tasks. So
> what is available to me as a pen tester is only the user ID and
> password field to play with :)

No offense intended toward *you*, but IMHO, it is grossly negligent for your
firm to have thrown you into a solo gig without a) proper training, b)
having shadowed a senior engineer or consultant on a number of other gigs,
and c) without local (internal) resources to escalate to, in the event
something like this happened.

Some nuts can be hard to crack, and you have to be willing and able to
conduct research, and run hundreds of manual tests (especially against web
apps). If you're relying solely on _tools_, my friend, you're going to have
a short, unrewarding career, because that a pen-tester doth not make.

PS. You should strangle whoever scoped this engagement, and do it yourself
from now on.

-jp



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:30 EDT