Security Basics mailing list archives
RE: Penetration Testing Software
From: "Eggleston, Mark" <meggleston () HEALTHPART COM>
Date: Thu, 22 Sep 2011 23:19:50 -0400
Hmmm. What is your distinction between tools vs. software? I can indeed launch an RPT (Rapid Pen Test) from Core Impact to perform social engineering or client side attacks. Once the automated test scenario completes I will have a nice report. This can be very helpful indeed; not a cheap tool and a very skilled pen tester with an arsenal of other lower cost tools may be able to do better. Nonetheless, such automated tools can be a very effective pen test.

Regards,
Mark

-----Original Message-----
From: AK [mailto:platsakos () gmail com]
Sent: Thursday, September 22, 2011 7:28 PM
To: Eggleston, Mark
Cc: security-basics () securityfocus com; dhilton () theitguy us
Subject: Re: Penetration Testing Software

Hi all,

I am not convinced. What you describe can *at best* be described as tools. See, without wanting to re-heat the age-old argument, penetration testing is a complicated process, well defined in scope, requiring an exact methodology and exploitation (in which the tools you described can play a part) is only a part of it.

How about client side attacks, social engineering and data exfiltration? If you do anything less, you are doing VA, with result verification, which, while it has its own merits, is not pen-testing.

Regarding reporting, while VA reporting might be easier, I do not think that pen-testing reporting can be fully automated; the pen-testing team's judgement indeed does play a significant role in this one.

It goes without saying that if a "pen-testing" technical process consists of a number of point and click, verify and then off to the PDF writer with the customized company logo, this ain't a pen-test.

On 09/21/2011 08:40 PM, Eggleston, Mark wrote:
Yes, there is indeed such a thing as penetration testing software. If this is specifically what you are looking for you'll quickly find there is much less pen testing software out there vs. vulnerability assessment software. In addition to what is already listed as pen test tools (Core Impact, w3f, Nexpose/Metasploit) you may also be interested in evaluating Saint.

Depending upon the target of your pen testing (network versus web apps) you may find more tools to specifically pen test web apps. For example Nikto, or I'm becoming a big fan of Qualys web app testing as they have a nice module within Qualys Guard that will run the SQL injection, XSS and other exploits.

My hope is that leading vendors will continue to evolve their products such that vulnerability assessment and pen testing modules are packaged together which will in turn generate concise and valuable reports.
Hope this helps.

Mark Eggleston, CISSP, GSEC, CHPS
Manager, Security and Business Continuity

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of AK
Sent: Wednesday, September 21, 2011 12:34 PM
To: Dimitrios Hilton
Cc: security-basics () securityfocus com
Subject: Re: Penetration Testing Software

Hi all,

is there such a thing as "penetration testing software"? I understand tools and other software products that might be used by pen-testers, but I believe that the term you are looking for is "vulnerability assessment software".

On 09/21/2011 06:45 PM, Dimitrios Hilton wrote:

Does anyone have a recommendation for a low cost Penetration Testing Software that can produce nice client reports

Dimitrios Hilton
President & Senior Consultant
The IT Guy, Ltd.
413 Wacouta Street, Suite 350
St. Paul, MN 55101
(Cell) 651-226-6112
(Dispatch) 651-298-0037
(FAX) 651-917-9239
dhilton () theitguy us
www.theitguy.us

---------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
---------------------------------------------------------------------

--
What is the air-speed velocity of an unladen swallow?