
I'm using Veil Evasion and Metasploit.

HenryC
    You have the makings of a very good question. But to the best of my knowledge the only really valid answer to what you have posted is "It depends on the defenses that you believe/expect/know the target network you're testing has in place." If you could provide some elaboration on anything you know about whether the target is using network-based IDS/IDPS, a proxy server with DPI for outbound traffic (i.e. from inside the target's network to the Internet), interception to decrypt & monitor outbound SSL/TLS-protected traffic, etc., that would certainly be helpful & relevant. – mostlyinformed Mar 18 '16 at 20:44
  • If you're doing a "black box" test and are starting with no tactical-level knowledge about any of those things, you obviously can look at the scope of the organization's resources, the business/activities it is engaged in, whether it's in a regulated vertical category (e.g. financial) and other considerations to come to a guesstimate about the sophistication of defenses the target network may have in place in the worst (i.e. most heavily defended) plausible scenario. (Of course, a target's network can surprise you. Most often by lacking defenses that "should" be there, sure...) – mostlyinformed Mar 18 '16 at 20:59
  • I can summarize with a simple response "use whichever will not be blocked" - knowing which will be blocked is an exercise up to each environment. – schroeder Mar 18 '16 at 22:18

1 Answer


I believe the good comments already added make it clear that there isn't a simple A-or-B answer here. It will depend on the environment and what information you are able to collect in your research prior to starting the pen test (which is perhaps the most important step: you gather as much information on your target as possible before you do anything, and that will often provide the answers you need).

My own 'rule of thumb' is to start at the highest abstraction level first. HTTP is a protocol which sits on top of TCP, so if I'm trying to penetrate a site via its web-based services, I will start with HTTP rather than TCP (assuming all other factors are equal and nothing in my research indicated TCP would be a better start; for example, if I was able to determine the target infrastructure had a known and easy-to-exploit TCP vulnerability, then I might start with TCP even when targeting web services).

Tim X