Pentesting: what should one do if nothing is returned from Vulnerability Assessment

A typical pentesting activity has the following steps:

  1. information gathering + enumeration
  2. vulnerability assessment (vulnerability scanning)
  3. exploitation
  4. post exploitation (persistence, clearing tracks, etc.)
  5. report writing

Steps 1 to 4 can be a cycle after getting a foothold.

But what do you do if you don’t get that foothold? That is, on the iteration, Step 2 (vulnerability scanning) does not return any vulnerable service or configuration. If social engineering is not part of the deal, does it mean it’s pretty much game over?

Pentesting Webserver Dead End (MySQL White Listing Bypass)

I am currently pentesting a webserver running MySQL. I managed to obtain its DB configuration (with login credentials), but the hostname is in a Local Area Network. The server has whitelisting enabled, so I cannot log in remotely.

Is there any way to bypass the server’s MySQL whitelisting?

“ERROR 1130 (HY000): Host ‘XX.XX.XXX.XXX’ is not allowed to connect to this MySQL Server”

Which web vulnerabilities should I test for when pentesting a static site?

I have a static-page website that I need to pentest. What I mean by this is that the site does not have a database, and it has no area to submit user input except to a third-party payment service that is managed entirely by them.

I have actually done web app pentesting before and found vulnerabilities such as XSS, CSRF, IDOR, and DoS. However, these were web apps where content was being reflected back to the page, and a user was “logged in.”

Off the top of my head, I can think of:

  1. Exposed/improperly protected admin panels
  2. Directory traversal
  3. Weak admin credentials on the host accounts/admin controls

Aside from those issues, I am having a difficult time coming up with other vulnerabilities to look for on a static site where user input is not collected or reflected, there is no notion of an “account”, etc. The site does use PHP 7 on Apache, but the site is rather basic compared to many of the modern “web app” sites which utilize OAuth, social media login, reflect content back to the page, and so on.

Note: I did see “Which security measures make sense for a static web site?” but that post is more from a “blue team” standpoint, whereas I am asking for pentesting advice, not advice for how to secure the site.

Need Guidance with Java thick client pentesting

So I have a JNLP application that is launched through a Java web launcher. Setup:

– I have Burp running in a VM.

– The thick client is running on my Windows base machine.

– I’ve got the referred JAR files.

– The application establishes a connection with a remote server (say, 1.2.3.4) on port 443, which I got through Wireshark and verified through the logs as well.

– I am trying to intercept the traffic through Burp; invisible proxying is not possible because the app refers to the IP directly.

    – Also tried to route all system traffic through the VM running Kali; still I couldn’t intercept the 443 traffic.

– Fiddler failed to intercept the said communication as well. (Not sure why, as it is supposed to just act as a tunnel and catch any and every damn packet traversing.)

I implore the Titans of thick client pentesting to shed some words of wisdom to a peasant.

SDR and pen-testing

I am looking to develop my skills in SDR pentesting. I have read some online articles discussing how SDR attacks work; however, I have been unable to find a valid comprehensive tutorial on SDR pen-testing. Does anyone have any recommendations?

Does pentesting my own LAN violate ISP rules?

I want to learn and practice penetration testing on my own network, and I want to be sure I’m doing it legally. So my question is the following: Is there a system that reports to my ISP that I’m carrying out suspicious activities, even if I never leave the LAN? If there is, would they report me? I’m speaking about “hacks” that don’t affect the hosts outside my local network (such as DHCP starvation, WiFi password cracking, ARP spoofing, DoS, etc.). Or does the ISP not care what I’m doing, as long as I don’t confront their system (which I never will)?

Maybe my question is nonsense, but I want to be sure I don’t miss anything.