[WEB SECURITY] Tools or software for hacking windows/iis.

GeminiConsulting geminiconsulting at comnet.ca
Thu Dec 21 14:57:36 EST 2006


I have heard that dynamite is effective and efficient when you go fishing.

Q1. Why is a senior information system auditor (CPA) running VA tools?
Q2. Why not hire a professional who has an expert level of technical
understanding?
Q3. Shouldn't an "audit" focus on security controls, such as configuration
management (patching), access control, administrative rights, secure build,
change control, etc.?
Q4. Do you think it is wise to announce to the world that the Maryland
Assembly has an unpatched system? We hope it is on the Intranet.
Q5. Why are helpful readers encouraging the user to employ Metasploit, or
any other powerful tool?
Q6. Why would you think iishack (the executable) would help you in any way?
 

-----Original Message-----
From: Schmidt, Albert E [mailto:AES at ola.state.md.us] 
Sent: Thursday, December 21, 2006 12:30 PM
To: Web Security
Subject: [WEB SECURITY] Tools or software for hacking windows/iis.

Hello group, I am auditing a Windows 2000 web server that has not been
patched for 2 years.  I am looking for tools that could be used to exploit
known vulnerabilities - I do not want to damage the server, but would like to
demonstrate the security weakness for my work papers.  I have heard that
there are tools such as iishack.exe that may be able to help.  I would like
an easy tool, as I am not that technical.  I have a basic understanding of
web application security.
 
Thank you,
 
Albert E. Schmidt, CPA
Senior Information System Auditor
Office of Legislative Audits
Department of General Services
Maryland General Assembly

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


