Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Pen testing techniques

from [Tommy May] Network Security [Permanent Link]
Subject: Re: Pen testing techniques
Date: Wed, 09 Apr 2008 21:49:16 +0000 
Does your SOW allow for you to use any means for penetration?  I would rotate 
my testing tools to get a balanced perspective, just to be sure.  Don't rule 
out social engineering, if its within your scope.

As far as perspective of the client is concerned, it really all depends on the 
purpose that the business has for bringing you in to conduct the test.  If its 
a means for measuring the effectiveness of their own processes, it actually 
might be extremely well received that there are no vulnerabilities.  A lot of 
times large companies will engage with a service like this to mark off an item 
on a due dilligence sort of checklist, which provides them a value when it 
comes to public confidence...etc.

If they brought you in with the expectation that you find vulnerabilitiies that 
have already been found, it may be back to the drawing board for you.

Just 2 cents... if you have more info, feel free to send it to me and I will 
see how I can help.

Thanks,
Tommy



 -------------- Original message ----------------------
From: "Atif Azim" <azim.atif@gmail.com>

Hello,
I am new to pen testing and am currently involved in doing an external
pen test for one of our clients.We are doing it through Core
Impact.Reconnaisance showed only port 80 as open and the web server
running IIS 6.0.Core Impact did not find any vulnerabilities in the
server and hence was unable to penetrate.The web application was also
tested for SQL Injection and PHP remote file inclusion and did not
find any vulnerabilities there either.

My question is what else can we do besides relying on Core Impact for
this pen test.And what impression can a client get if we say to them
that there are no vulnerabilites in your network or web app.Its
dificult to digest something like that for a security specialist that
everythings alright.

Looking forward to some great views.Thanks.

Regards,
Atif Azim

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Pen testing techniques, Nathan Sportsman
Next by Date:  Re: Pen testing techniques, jond
Previous by Thread:  Re: Pen testing techniques, v3nd3rs5uck
Next by Thread:  donloading jsp for pen-test, victorfrankenstein
Indexes:  [Date] [Thread] [Top] [All Lists]