Metasploit mailing list archives
Pen-Testing and Metasploit Question
From: metafan at intern0t.net (metafan at intern0t.net)
Date: Mon, 20 Apr 2009 04:29:12 -0400
Hi Professor 0110,

Pentesting is harder than you might believe though you've begun to realize :)

In short words about Penetration Testing: You usually have enough time for anything, but when it comes to Vulnerability Assessments you might not have much time. Basically there is always a time limit and it's hard to keep (trust me, even a simple assessment internally over 2 hours is hard enough if there's a lot of computers etc).

I suggest you read Penetration Frameworks like: NIST SP800-42 (I know it's outdated but I liked it and just took the concepts) and there's also OSSTMM: www.isecom.org/osstmm/ and a few more I didn't like so much. When the new version of OSSTMM comes out I guess I'll read it, it's quite good though it takes ages to get through, at least the first time, but the point of view in it is really great, it makes you a better Pentester if you don't have any Mentor ;-)

Now about the tools, BackTrack is sufficient though if your company (or yourself) has enough money then go buy Core Impact. Then you'll have everything you need and you don't really need any skills. Of course you won't learn much but you'll be able to do quite a lot in a very short amount of time. Alternatives could also be Immunity Canvas and perhaps SAINT, even though SAINT is included in BackTrack. Immunity Inc and CORE are both quite quick at implementing new exploits to their platforms from what I've seen.

Of course there's much more about this, but to be honest yes you can use BackTrack, Nessus and Metasploit.

Best Regards,
MaXe

Hi everyone,

I'm hoping to officially break into the Penetration Testing/Ethical Hacking/Information Security sector within the next couple of years. I was wondering if just having the Metasploit Framework for exploitation would be enough in a Pen Testing situation - along with Port Scanners, Vulnerability Scanners, and Back-Track of course. :)

The reason I ask is that Metasploit doesn't cover every single remote exploit, and to compile an exploit off places such as Milw0rm can be time consuming and inefficient in a Pen testing situation. Especially if the source code is broken and needs tweaking/rewriting to compile properly.

Thanks. :)
Professor 0110