Penetration Testing mailing list archives
Re: Vulnerability scanners don't work
From: ArcSighter Elite <arcsighter () gmail com>
Date: Thu, 08 Jan 2009 09:07:20 -0500
Adriel T. Desautels wrote:

Greetings all. I've finished another entry on our blog. This time the entry was about why vulnerability scanners do not work. It goes into a little bit of detail and is intended for the average reader. My goal was to help to educate people about what vulnerability scanning really is. For the record, I did add the email address of this list to my blogger so that entries are automatically posted to this list. If anyone is against me doing that, or if that is a violation of the list policy then please let me know and I'll stick with this method of letting people know. (I'm not sure if it worked, hence why I'm writing this email). Anyway, here's the latest entry: http://snosoft.blogspot.com/2009/01/vulnerability-scanning-doesnt-work.html As always, comments are more than welcome.

Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog http://snosoft.blogspot.com
I agree up to a certain point. We all know a vulnerability scanner won't find what it doesn't know about; but think about it for a minute. These identified vulnerabilities that vuln-scanners show and detect obviously still exist in most targets. No pen-tester would actually spend months reversing e.g. apache for a 0day vulnerability because they have identified this software as the implemented web server. In fact, software vulnerability research is one of the most obscure and difficult topics that could fall into the penetration testing category, and as far as I know, most successful people achieving this task devote their time almost exclusively to research. So, you should have titled your post another way. Yes, they work, but the average pen-tester should not DEPEND only on them, as many people we have read in this list do. Be honest, you as a self-claimed expert haven't increased your pen-test time by using some tool like nessus or acunetix to point out the known vulnerabilities before trying to achieve something else? I think you've done this over and over. In fact, I'm relegating the use of vuln-scanners, yes, and it's a fact that comes with experience to be able to drop such tools, but please don't tell the world they're useless, because they aren't. Yes, they are rigid tools, pattern-based software implementations (I should remark software, because of a simple AI principle: software doesn't think like humans), that in most cases will report a long list of false-positives and false-negatives, because in the software security world, in most cases you can't truly test for a vulnerability without exploiting it; although this is a little less true when it comes to web apps. They're signature-based, banner-based or fingerprint-based in reporting their findings, and can't be 100% accurate. This is particularly true in the unix world where patches are ported instead of upgrades being performed in most cases.
And about the responsible disclosure policy you're talking about; I think most security gurus - the ones and only the ones that should be doing pen-testing, although in the real world it doesn't happen this way - already have an arsenal of techniques/knowledge/vulnerabilities not exposed to the public, so they won't spend months like you say. The black market of 0day will exist forever, but there are also good ways of managing the issue, known as contributor programs or responsible disclosure, such as iDefense, TippingPoint and the like. Take the md5 issue, a hot topic these days, for example. Alex Sotirov and his co-workers on the md5-collision issue have developed a way to collapse md5 and create rogue CA certificates. They spent almost 6 months on the research, and even now that we have their presentation, are you able to reproduce the attack? I know it's a bit of an extreme example, but with this I'm trying to say that unpublished vulnerabilities aren't always unknown. They're gray hats, true, but the fact is that even the black hat won't spend months like you say trying to break a firewall; you must know that what truly makes a hacker is achieving this philosophy: your network is as weak as its weakest link. That's it, they'll find the target's weakest link and exploit it; although they may have to deal with the firewall. And if you know something about how these people think, then you should know that most attacks aren't random, they're distributed, they're many people, they're zombies or pivoters; in many cases they don't need months in compromising. If you call all its phases from inception to compromise the attack, then yes, it could take months, but the attack itself, I don't think so. Vuln-scanners go after the community in most cases. I've almost never seen an interesting vulnerability present in such a tool before a public advisory is released; the makers follow responsible disclosure.
Even in the case of related research/programming teams such as CoreSecurity, they release advisories only after the vendor has been contacted and a time-line has been established, and once the public advisory is online they release into CoreIMPACT, for instance. Now think. What if vuln-scanners posed zero-days? Then comes the script-kiddie plague, the vendor loses, customers lose and the like. So this fact that vuln-scanners are late isn't a problem from my point of view. Some people in this list, I think, could develop an exploit from a simple advisory, but script-kiddies need a PoC, don't they? What if you provide them with a full exploit they could misuse? I don't even want to think about it. So, this post is getting long. There are many things I agree and disagree with but I need to work. Sincerely.
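A small added example (not from the thread or either poster) of the banner-based false positive the reply describes: two hosts advertise the same Apache version string, but one carries a distribution-backported fix that the banner cannot reveal. The scanner rule, the package records and the issue identifier are constructed placeholders, not a real advisory.

```python
"""Banner-based version matching vs. package-level fix metadata.

Added illustration; every rule, host record and issue id below is constructed.
"""
import re

# Constructed scanner rule: "the issue is fixed upstream from 2.2.12 onwards".
# A banner check can only compare the advertised version against this.
RULE = {"issue": "EXAMPLE-2009-0001", "fixed_upstream": (2, 2, 12)}

# Constructed package records. A distro that backports a fix bumps the package
# release (e.g. -31) while keeping the upstream version (2.2.3) in the banner.
PACKAGE_DB = {
    "host-a": {"version": "2.2.3", "release": "31", "backported": {"EXAMPLE-2009-0001"}},
    "host-b": {"version": "2.2.3", "release": "11", "backported": set()},
}


def parse_banner(banner):
    """Extract (major, minor, patch) from a 'Server: Apache/x.y.z' banner."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def banner_check(banner):
    """Unauthenticated heuristic: flags any version below the upstream fix."""
    version = parse_banner(banner)
    return version is not None and version < RULE["fixed_upstream"]


def package_check(host):
    """Authenticated/local check: consults the package's own fix metadata."""
    return RULE["issue"] not in PACKAGE_DB[host]["backported"]


def triage(host, banner):
    """Combine both views so an analyst can see where the banner misleads."""
    by_banner = banner_check(banner)
    by_package = package_check(host)
    return {
        "banner_says_vulnerable": by_banner,
        "package_says_vulnerable": by_package,
        "false_positive": by_banner and not by_package,
    }


if __name__ == "__main__":
    for host in PACKAGE_DB:
        print(host, triage(host, "Server: Apache/2.2.3 (Unix)"))
```

The banner check fires identically on both hosts; only the package-level check separates the real finding from the false positive, which is the triage step the reply says the average pen-tester should not skip.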