First, a disclaimer. I work doing primarily security for a BIG corporation. This is just a bit of rambling that in no way consitutes advice. I'd do a lot of reading before you try anything mentioned below. Or ask your local $(r1p+ |<1dd13.Here are my thoughts.
Before you do anything related to this, get a document in writing from the company you are testing for. I can't stress how important this can be. Most of the time it is a formality, but if something goes wrong, you need to CYA.
If the server is in production, get a testing window. Many of the methods for compromising servers can hang or crash the service, or the server itself. You don't want to kill a production box (especially if it is an ecommerce type of site).
From you asking about .ASP, I'm assuming they are running IIS. The list of vulnerabilities for IIS is long, and the list of working exploits for those vulnerabilities is sizeable as well.
For really old installations of IIS (that shouldn't be running at all) there are a couple of explots from the l0pht http://www.l0pht.com, but I think they were directed at IIS3.0 / very early IIS 4.0. They were things like appending .Data or $ to the end of a filename to show the code. If you want a scanning tool you can demo, try eEye, http://www.eeye.com. It will show you a list of vulnerabilities that the server has (the ColdFusion 3.0/4.0 default install was my favorite that I found on a live system).
Finally, go to the Bugtraq archives at http://www.securityfocus.com. There have been three or for IIS exploits in the last week. That should give you a place to start.
Anyway, that's just me talking. Reply if you have questions
