Penetration Testing mailing list archives
RE: Network Exploitation Tools aka Exploitation Engines
From: "Clarke, Tyronne (Contractor)" <Tyronne.Clarke.ctr () dcma mil>
Date: Fri, 3 Sep 2004 14:57:16 -0400
Based upon experienced findings during live testing, which product provides you with most clarity of comprehensive information( CANVAS or CORE Impact? ). You mentioned CANVAS allows you to look under the hood and analyze the exploits but what about CORE Impact. -----Original Message----- From: Erik Birkholz [mailto:erik () foundstone com] Sent: Wednesday, August 18, 2004 7:40 AM To: Andy Cuff; pen-test () securityfocus com; dailydave () lists immunitysec com Cc: erik () specialopssecurity com; focus-ms () securityfocus com Subject: RE: Network Exploitation Tools aka Exploitation Engines QUICK NOTE: Andy, I want to thank you for the continued hard work you have put into your well-researched and valuable product, tool and service classification portal. Thank you. Please keep it up and let me know if there is anything I can do to help out in the future. *OK, back to the (long) post: I think Exploitation Engine (or Exploit Engine) is an appropriate classification or category. *Now for a reasonably short rant: -disclaimer: I haven't used metasploit or CORE so i can make no assumptions about dev quality, QA and support they offer. After extensive usage and testing of CANVAS, I can't help but see the value these Exploitation Engines provide to the average IT/Security Administrator, Engineer, Penetration Tester or Auditor. Not to mention my theory that they would be invaluable to a recent CS grad or experienced programmer looking to get into the vulnerability research and exploitation field. Some of these tools are written in Python (CANVAS is for sure), allowing the user to look at the source and learn from some of the very best out there in vulnerability research and exploitation. When pitching this purchase (ROI, TCO) to your Management, I would take a path similar to this, "Immunity's CANVAS is an exploit engine that can be used to verify the implementation and effectiveness of patches pre or post solution purchase." You can also use your trusted exploits to verify the findings of your VA scanner(s). I have recommended this tool many times to my customers and speech attendees. It solves the very real problem of vulnerability verification for customers who have neither the time and/or desire to achieve the Black Belt level of exploit creation. This need inevitably forces them to head to underground hacker sites to get untested and untrusted exploits written by coders without accountability for their exploits "true intention". Metasploit (i assume) and CANVAS (i know) offer accountability by standing behind each exploit. Why would I recommend to my low-medium skill set IT/Security customers that they pull down "dirty" and "wild" sploits off the net? By running this code (probably on their desktops), they are at great risk of getting more than they bargained for. It is probable this increased risk out weighs the initial goal of achieving vulnerability validation to convince an antagonistic business unit owner to patch or upgrade that vulnerable internet facing legacy server. Ok, if you are saying, "these morons should test these exploits in a lab environment first," then you are missing the point. Not everyone has the interest, time, extra computer resources or knowledge of what they are even looking for to know how to validate these dirty exploits. The answer is that I never would recommend this when low cost (CANVAS) and free (MetaSploit) Exploitation Engines allow vulnerability verification without fear of running "assembly code from hell" or an evil hidden rootkit. The good news is that Dave Aitel and HD Moore have attached their names and corporations to the quality of these products. If/When something goes wrong, they will be there to help. Why? Because that is how good people run good businesses. -Erik Pace Birkholz, CISSP www.SpecialOpsSecurity.com (erik () specialopssecurity com) www.Foundstone.com (erik () foundstone com) 323-252-5916 cell -----Original Message----- From: Andy Cuff [mailto:lists () securitywizardry com] Sent: Monday, August 16, 2004 12:44 PM To: pen-test () securityfocus com Subject: Network Exploitation Tools Hi, I have just introduced another category on the site covering the various exploitation tools out there. To my knowledge there are only 3. CANVAS, CORE IMPACT and Metasploit. Firstly, have I captured them all or are there some other products of this nature lurking about? http://www.securitywizardry.com/exploit.htm Secondly, what do we call them, or is Network Exploitation Tools the appropriate name? cheers for any time you can give -andy cuff PS there are loads of other pages with out of date info, I am currently working my way through them Talisker's Computer Security Portal Computer Network Defence Ltd http://www.securitywizardry.com -----Original Message----- From: Andy Cuff [mailto:lists () securitywizardry com] Sent: Monday, August 16, 2004 12:44 PM To: pen-test () securityfocus com Subject: Network Exploitation Tools Hi, I have just introduced another category on the site covering the various exploitation tools out there. To my knowledge there are only 3. CANVAS, CORE IMPACT and Metasploit. Firstly, have I captured them all or are there some other products of this nature lurking about? http://www.securitywizardry.com/exploit.htm Secondly, what do we call them, or is Network Exploitation Tools the appropriate name? cheers for any time you can give -andy cuff PS there are loads of other pages with out of date info, I am currently working my way through them Talisker's Computer Security Portal Computer Network Defence Ltd http://www.securitywizardry.com ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- RE: Network Exploitation Tools aka Exploitation Engines Clarke, Tyronne (Contractor) (Sep 04)
- Re: [Dailydave] RE: Network Exploitation Tools aka Exploitation Engines Kurt Seifried (Sep 07)
- RE: [Dailydave] RE: Network Exploitation Tools aka ExploitationEngines Clement Dupuis (Sep 07)
- RE: [Dailydave] RE: Network Exploitation Tools aka ExploitationEngines Clement Dupuis (Sep 10)
- <Possible follow-ups>
- RE: Network Exploitation Tools aka Exploitation Engines Todd Towles (Sep 10)
- Re: [Dailydave] RE: Network Exploitation Tools aka Exploitation Engines Kurt Seifried (Sep 07)