Re: Newbie Hacker Tools

[Spigga <spigga () gmail com>]

WARNING!! I like to hear myself type so this will be long winded yet I
hope provide some insight.  I think there is a critical point being
missed here, first I perform penetration tests and vulnerability scans
as part of my position for a well known Service Provider and I used to
write signatures for one of the many new "Patch Remediation: companies
so I know a little about "security scanners".  There are an untold
number of tools out there that will give you a canned report that you
then will send to your client with no understanding whatsoever of how
secure or insecure they are. Classes are a great idea but have you
seen the price tags on some of these"ethical hacker" coarses? In my
opinion security evaluation of any kind is all in how its performed,
not what tools you used. If Nessus shows a vuln do you take it at face
value or do you verify that the version of the application is actually
vulnerable? When you run a port scan, is it the box you are hitting or
some security device in front of it performing a NAT? These and a
million more things need to be considered for a complete "Penetration
Test" or "Vulnerability Assessment". And make sure you know which of
these two popular services you are selling. If you didn't attempt to
exploit the service in a lab environment or under other controlled
conditions then you are NOT performing a penetration test.   Do you
tell them that the version of IIS they are running is outdated or do
you inform them that the custom ASP they are running allows SQL
injection and show them the bogus entry you put into their sample
"Northwind" database on the SQL server?  Security is a process,
testing security should be too. Try looking at
http://www.isecom.org/osstmm/ or other similar testing methodologies. 
This will allow you to get a fair price for performing a fair service
and not giving your client a false sense of security, or insecurity. 
A complete security evaluation fetches a better price and gives the
client a better product as well as maybe even making their networks
and applications more secure.


On Wed, 05 Jan 2005 20:46:06 -0500, Edmond Chow <echow () videotron ca> wrote:
> Hello all,
>
> My name is Ed and I run a technology consulting company.  I have begun
> offering computer security audits to my clients and, as I am not experienced
> in hacking, have been subcontracting this work out.
>
> The written reports that I have received back from the hackers leave much to
> be desired!  Not knowing too much about intrusion detection but realizing
> that when almost nothing is found wrong (from a security viewpoint) with a
> client's network, I am in big trouble!  Either the hacker does not have the
> experience to find any problems or there really are not any problems.
>
> On my first few audit assignments, I was barely able to break even as I had
> to hire two independent hackers for each  i.e., a second hacker had to be
> hired to give me an independent assessment of the network.  I then cut and
> pasted the two reports into a final "acceptable" one.
>
> I am at a crossroads where I can either give up on the security audits or
> learn to do them myself.  I have chosen the latter and was hoping to get
> some help from experts like you.  I realize that I will have a steep hill to
> climb but I feel confident that I can learn enough to be much more
> proficient that the hackers that I am currently paying.
>
> I'm really confused about what tools I need in my "toolkit" for
> Windows-related audits.  I've heard a lot about Nessus as a freeware program
> but am confused when I go on the nessus.org site and see that it might not
> be free.  Other programs I've heard of include nmap, SAINT, Newt.
>
> And, perhaps, there are tools out there (either free or not) that would
> provide me with an "audit in a box?"  I'm guessing that the pros have a
> select few tools of the trade that they use.  You've listed a bunch of tools
> on your site as well.  I realize that ethical hacking is an art and that no
> two hackers will use exactly the same tools but I am hoping to learn to use
> the tools they most often use.
>
> Thanks for any help that you can shed on this subject.
>
> Regards,
>
> Ed