Let's say client-side attacks are not part of the rules of engagement, so you're left with service-side attacks, misconfigurations, web app, etc. If you find services that aren't part of metasploit or other online exploit DBs, do you normally take the time to fuzz the service and create a custom exploit? Or do you move on and try to find a different point of entry? The scope of time is between 2-3 weeks of a large organization. This is just something a friend and I were trying to determine. I especially look forward to reponses from those who aren't very strong in exploit development/fuzzing/RE etc. Not saying that you can't do those, just aren't strong in them, so it may take a long time to actually find a vulnerability in the service.
eLearnSecurity Team Member.