Re: Using 0days as part of pen-test?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Javier Reyna Padilla wrote:
Well I think that if you can identify a 0day, and you are able to
exploit, then you have a plus over a lot of just-framework-pentesters,
not trying to talk bad about anybody.

Although I haven't though this way, interesting point.

And the point is to probe the
network is vulnerable. I think it is ok to exploit 0days, but ofcourse
you will explain that in the final report, and then you might do
whatever you want with your research. Maybe, things will depend on the
contract you sign with your customer about tecniques, procedures, and
what kind of explotations you are allowed to test.


They requested by almost a full pen-test scenario, including everything
even social engineering.

Javier Reyna
CCSE WCSE ISS-CS NSP JNCIA-FWV
Consultor en Seguridad
jreyna@xxxxxxxxxxxxxx
www.onlinet.com.mx
,,__
o" )~
''''
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkltBK0ACgkQH+KgkfcIQ8ebGACg1iJLFSqSI87rWj4zTYJp7BGL
9jYAn1LTtxio1Vng3C5h+zOZQL1i9NWf
=D+JM
-----END PGP SIGNATURE-----



Relevant Pages