How deep do you go ;) ?

[Nortcele]

Okay so when performing a penetration test, you have done all your research, you have spent hours on the job to get your list of hosts and there open ports,

after performing your scan you manage to find 'x' amount of vulnerabilities and you also know how to exploit them,

E.g with a remote connection, command terminal execution or a buffer overflow.

How far do you go?

- Do you leave it as that, write/export your report and send it off.
- You exploit the system and then write your report, showing that you did the exploit (risking damage?)
- You perform the exploit and then have a look around? You might find something interesting...

What are your thoughts?

[Stackprotector]

That depends on the job. If you are allowed to exploit you exploit, if you can look at their data you look at their data.

[Nortcele]

I go by what they requested, what would you do if you were just trawling?

[Phage]

Just trawling? I don't pentest random sites, get a contract or stay the heck away; otherwise you'll most likely end up in troubles.

[Nortcele]

My job is a Ethical Hacker/Administrator , I was just wandering if people Trawl?

I mean I do sometimes but usually only sites that are related to my work...

[Phage]

My job is a Ethical Hacker/Administrator , I was just wandering if people Trawl?

I mean I do sometimes but usually only sites that are related to my work...

No chances taken from my side.

If they want a pentest, they can sign me a contract.

[Nortcele]

No chances taken from my side.

If they want a pentest, they can sign me a contract.

Fair play, that's how I usually do things.

[Stackprotector]

[Pak_Track]

^yep, that's what crossed my mind when I saw this thread

[Nortcele]

Thats what I was intending people to think, hence the winky face