6- Throughout my scan, I found 14 vulnerabilities that could be classified as a high in Hailstorm while in N-Stalker did not see any

high risk vulnerabilities. Besides, Hailstorm saw about 10 vulnerabilities that are classified as medium, while the N-Stalker saw about 94.07 % as medium vulnerabilities. However, N-Stalker saw about 5.93% as informational vulnerabilities. It is worth mentioning that in the Hailstorm the vulnerabilities are listed based on their severity level. On the other hand, in the N-Stalker, the vulnerabilities are listed under their subsection types. Thus each program organizes its vulnerabilities. Each way has its own pros and cons though personally I prefer the first kind. There were 3119 attacks launched against target in N-Stalker and in the Hailstorm there were more than 3625. The N-Stalker failed to scan some types of vulnerabilities due to the free version that we have in the lab. With help of the commercial version we will be able to detect them more efficiently. On the whole, both are great tools for the penetration testing with some advantages and disadvantages. As a user I would prefer Hailstorm though. 7- A study about the features of AccessDiver and Brutus reveals that AccessDriver is better than Brutus. AccessDiver, with its capability of easily setting its advance features, has more options and features that allow the tester to customize the attack.

8The CVE number is 2000-0884 for the first exploit. It worked for the DIR command though I faced some difficulties with some other commands. This exploit works on the IIS 4.0 and 5.0. It allows the attacker to have entrance to documents outside of the web root. Also, the attacker can execute arbitrary command via malformed URLs which has UNICODE encoded characters such as the web server folder traversal vulnerability. 9As this vulnerable features can allow the attacker execute any command on the victim, it gives attacker the opportunity to collect information for further use since he is already inside the system. More importantly, he can do privilege escalation attack so he get administrator privileges. Furthermore, the hacker can open a backdoor or install malicious files that may damage the system and install the rootkit to make it harder for the security consultants to map him out . This device can be used as zombie bot to attack other computers and wait for the further commands form the hacker. The attacker can also run keylogger script that can log the username and password for the system administrator.

10- In fine I would like to mention that I tried this simple HTML script in the search field at the (default.asp) page and it worked. This made me able to insert this information at the field.