Penetration Testing mailing list archives
Re: Cross testing exploit with vulnerability scan results
From: Anders Thulin <anders.thulin () sentor se>
Date: Sun, 29 Jul 2007 09:29:47 +0200
Chroot wrote:
I've been conducting pen tests for 4 yrs now... the methodology I follow is that we exploit or attempt to exploit ONLY those vulnerabilities that a vulnerability scanner identifies.
It's a sound methodology in so far as you have a very clear reason for not doing certain tests, and you also have a clear reason for stopping the test. You need to know and trust your vulnerability scanner to do what you want, though. That needs lots of preparation. And you need to know the vulnerabilities themselves, of course.
What if the appropriate check or signature in the vulnerability scanner was not up to date or had some coding issue or was not comprehensive enough (or anything else) to identify a real existing vulnerability on a system? This can result in serious false negatives.
But a pen test is not about finding negatives: it's about finding positives. It's a catch-the-flag exercise: if you catch the flag there should be no ifs or buts about it: you should be able to show the flag. False negatives are less important: if a pen test does not show any vulnerable spots, it does not mean the system is secure, and should not be assumed to mean that. It may show up lack of knowledge in the tester, though --- and that can be important to the tester, but rarely to the customer.

That said, there is a great deal of vagueness and ambiguity in current terminology, and the term 'pen test' is sometimes used to mean anything from a vulnerability scan (but no followup penetration attempts) to an exercise involving not only computer penetration, but also physical penetration as well as social engineering, and also involving too little time to do a proper job to more time than is economically sound. You need to know what you mean, and you need to ensure that your customers know what you mean.
Would downloading, installing and cross testing all available exploits for an identified service be a good idea to minimize such a case? How many people have faced such an issue or a similar issue? For me I faced this issue with some bug in Nessus recently.
Yes, ... well, ... but not at show time. You should know the exploits before you test the system. (Well, ... everyone takes chances now and then. They just don't rely on it for doing a decent job.)
This is something like: my NMAP says there is IIS6.0 running on port 443 of a target server. I do a Nessus scan on it and it doesn't report anything. I then download all available exploits for IIS6.0 (or for all versions of IIS? would this make sense) from securityfocus.com or securiteam.com or a similar source and run them manually on the target system.
Ah ... no. Personally, never.

Question no 1: Is NMAP's report related to a vulnerability? Is Nessus's? (I assume you have configured Nessus correctly, and don't run the Nessus server in a way or on a platform that is liable to cause loss of traffic.) My own preference is that early scans are only for vulnerabilities I know are reliable and successful. Low-hanging fruit first. If that fails, and there is time left, scan for vulnerabilities you don't have an exploit for, take a break, go and research these vulnerabilities and exploits, and come back if and when you have found something new to try. (This is why computer penetration testing ultimately is a dead end. Security can't rely on penetration testing for anything but reports of bad security.)

Question no 2: What IIS6.0 exploits do you have in your toolkit?

Question no 3: What related exploits (PHP, SQL, Webapps, etc.) do you have in that toolbox that are relevant to this particular server set-up? If your toolbox is empty, work on filling it with exploits that you know how to use, and trust not to damage the target system more than you have to. There are exploits that are incredibly fragile, and essentially only give you one chance, after which the system crashes. Yes, that means you have to have an IIS6.0 system of your own somewhere to experiment on.

-- 
Anders Thulin anders.thulin () sentor se 070-757 36 10