Hey guys, what's up? It's been a while since I've had time to log in and check the forums, I've been pretty busy. A fast question came up for debate with a friend of mine and I was wondering what you would normally do during a pentest.

Let's say client-side attacks are not part of the rules of engagement, so you're left with service-side attacks, misconfigurations, web app, etc. If you find services that aren't part of metasploit or other online exploit DBs, do you normally take the time to fuzz the service and create a custom exploit? Or do you move on and try to find a different point of entry? The scope of time is between 2-3 weeks of a large organization. This is just something a friend and I were trying to determine. I especially look forward to reponses from those who aren't very strong in exploit development/fuzzing/RE etc. Not saying that you can't do those, just aren't strong in them, so it may take a long time to actually find a vulnerability in the service.

Thanks for your reply MaXe, that was my side of the argument. I figured, if other vectors aren't possible (which should be rare) a custom exploit would be needed as last resort. Have any of you come across a situation?

Yup, thanks guys. That's pretty much what I said in my argument with my peer lol. But I just wanted to hear the voices of others out there. Good insight from both of you.