Re: Using 0days as part of pen-test?
- From: ArcSighter Elite <arcsighter@xxxxxxxxx>
- Date: Tue, 13 Jan 2009 16:16:39 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Javier Reyna Padilla wrote:
Well I think that if you can identify a 0day, and you are able to
exploit, then you have a plus over a lot of just-framework-pentesters,
not trying to talk bad about anybody.
Although I haven't though this way, interesting point.
And the point is to probe the
network is vulnerable. I think it is ok to exploit 0days, but ofcourse
you will explain that in the final report, and then you might do
whatever you want with your research. Maybe, things will depend on the
contract you sign with your customer about tecniques, procedures, and
what kind of explotations you are allowed to test.
They requested by almost a full pen-test scenario, including everything
even social engineering.
Javier Reyna-----BEGIN PGP SIGNATURE-----
CCSE WCSE ISS-CS NSP JNCIA-FWV
Consultor en Seguridad
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----