I'm doing a pentest (for edu purposes) on a single company server, and I'm stuck...
After doing my research using nmap, amap, nessus, nikto2, etc., I've found this:
OS: Windows Server 2003
22: SSH(2) Not sure which sshd.
25: SMTP (xxxx.domain.local)
80: HTTP (IIS6-SP1, SSL2, Not hosting any websites that i know of)
389: LDAP (Nothing found mining...)
443: HTTPS (SSL from digicert.com)
444: SNPP (Found Fortinet/Fortigate firewall)
3389: MS-TERM (v4)
Internal IP found: 10.10.147.11
I found no exploits for the services (I'm sure they exist...). The only thing I can think of atm is bruteforcing or fuzzing the SSH server.
Trojans, on-site (WLAN), social engineering, etc. are out of the question. Just direct targeting remotely. Any thoughts on how to proceed, except bruteforcing, which is kinda loud...
PS: All testing is done with "safe-checks", as they wouldn't be so happy if any services went down...