Wednesday, 14 November 2012

Being accurate...

I'm trying to put together a list of posts for new pentesters, I think that may be helpful to some people. If you are new to pentesting, you probably want to read the following posts as well:


One of the key issue new pentesters have is accuracy, it mostly annoys me when I'm working remotely with people and can only discuss through IRC.

One of the most common example is: "I can't access the web application".

I can't access means nothing...
  • Do you have DNS resolution for the host?
  • Is the TCP port accessible (hping FTW)?
  • Is the web server available but you have the wrong vhost?
  • Is the web server available but the application errors?


In the same way: "I can't log in".

It does not mean anything:
  • Can you access the application (see above)?
  • Can you access the application and can't log in because the credentials are wrong?
  • Can you access the application and can't log in because the application crashes?
  • Do you have a message saying why?

A key skill to work (remotely) on the same pentest is accuracy in the information you provide, so as a new pentester being accurate is easy and will make working with you easier ;)

No comments: