Atif Azim wrote:
Well, the results are definitely verified through nmap as well.OS is
win 2k3 running IIS 6.0 and only 80 being open.Yes indeed the client
has assigned us the job to perform the pen test and knows about it.
I do have the CPTS training dvd and am going through that, but it will
take time to digest that horde of information.Also downloading web
goat to get my hands wet with web app testing.
The client's website offers a place for legitimate users (I cannot
become that legitimate user) to login and do their respective tasks.So
what is available to me as a pen tester is only the user ID and
password field to play with :)
No offense intended toward *you*, but IMHO, it is grossly negligent for your
firm to have thrown you into a solo gig without a) proper training, b)
having shadowed a senior engineer or consultant on a number of other gigs,
and c) without local (internal) resources to escalate to, in the event
something like this happened.
Some nuts can be hard to crack, and you have to be willing and able to
conduct research, and run hundreds of manual tests (especially against web
apps). If you're relying solely on _tools_, my friend, you're going to have
a short, unrewarding career, because that a pen-tester doth not make.
PS. You should strangle whomever scoped this engagement, and do it yourself
from now on.
-jp
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
