"Do you have good perimeter security keeping bad guys from coming in the front door? Unfortunately for you, there are other ways of gaining access. Specifically, having your untrained users browse to places they shouldn't, open emails they shouldn't, and downloading and executing things they shouldn't. This presentation will address some of those issues and and describe why and how to go about testing your environment for this very likely vulnerability. Client Sides are the new remote exploit. If you aren't allowing client side attacks during your vulnerability assessments or penetration tests your are ignoring a huge attack vector and the current attack method. You are also failing to exercise your internal and host based exploitation countermeasures (HIDS/HIPS), you ability to test and respond to client side attacks and internal attackers and missing a valuable opportunity for user awareness training. This talk will focus on justifying why you should be allowing client side penetration testing, giving penetration testers a basic methodology to conduct client side attacks during their penetration test, and give (mostly real-world) examples we used during client side penetration tests to go with our methodology. Outline: Stats on Client Side Attacks The New Remote Exploit Why Client Side Attacks The User's Desktop Client Side Pen Test Methodology Common Client Side Pen Test Scenarios Common Scopes Within Our Scenarios Your Entry Points Delivery Methods Examples Of The Delivery Methods