Security Basics mailing list archives
Re: Newbie Hacker Tools
From: James Eaton-Lee <james.mailing () gmail com>
Date: Mon, 10 Jan 2005 00:34:34 +0000
Not quite sure what other responses you've got on this topic as I haven't had a chance to read through the whole thread, but for my 2c.. ..in my experience (both doing this sort of work and on the receiving end, managing IT), companies are looking for security auditing because they don't have the necessary base of experience to carry them out in-house. The majority of businesses these days (in my experience) are starting to be more and more on the ball, security-wise, so a security audit is considerably more complicated than simply checking for unnecessary services and missing patches (unless their IT is *really* flagging, in which case they have larger problems).

The usefulness of 'audit in a box' tools *on their own*, therefore, is limited. Nessus does just this - it scans a given host or set of hosts based on a database of known misconfigurations and vulnerabilities - but what you will get out of it is a fairly dumb list of problems which require further investigation, with a lot of false positives. Running a Nessus scan is a good start for a security audit, but it doesn't go much further - a *good* security analyst needs the expertise not only to analyse the Nessus output but also to determine what reaction is appropriate (usually a combination of investigation followed by patching, reconfiguration, or ignoring false positives).

Even with a clean bill of health from Nessus (or having successfully ticked the 'false positive' box for any results it does kick up), there is a great deal more which is required for a comprehensive security audit, which should extend to IT policy, physical factors (physical security on infrastructure resources, machines, network security which Nessus has no way of assessing, etc), and a few other things. With a Windows network (which you're presumably going to have a significant number of clients for), you also have to consider yet more aspects for which Nessus isn't useful, such as group policy and the layout of Active Directory.
Again, this all depends upon exactly *how* comprehensive you want to be. Bearing that in mind, therefore, I think it's important to underline the need for a penetration tester or security analyst who has configured, broken through, and administered a significant number of the components which I've mentioned - and I haven't even mentioned the most basic of application penetration testing methods which are necessary nowadays (such as SQL injection and cross-site scripting problems) or other similarly recent problems, such as rogue wireless access points.

Although your cause is an admirable one, I think you'd be best served by trying to understand security in a more holistic way, so that when you *do* start to approach your own security audits, you can do so with confidence in your own abilities and in the knowledge that you're not missing anything or making any large mistakes. Companies contract out security audits because they don't have the necessary expertise or perspective to carry them out themselves - and they assume that the third party they choose to carry them out has the necessary expertise and experience not only to do the job properly, but to make sure that they don't run into severe problems further down the line as a result of a shoddy job (it's quite possible that if a client of yours was broken into and they decided it was because you hadn't done the job properly, you could find yourself on the receiving end of legal action).

If you're already having problems with 'hackers' you've hired to do this, you're probably aware of these issues already - it may either be worth investing in new staff, or finding yourself a strategic partner who has experience doing this and has more of a reputation than an 'I used to be a hacker' card.

If you have any queries, feel quite free to ask them on or offlist! Happy to help as much as I can!

- James Eaton-Lee.

On Wed, 2005-01-05 at 20:46 -0500, Edmond Chow wrote:
Hello all,

My name is Ed and I run a technology consulting company. I have begun offering computer security audits to my clients and, as I am not experienced in hacking, have been subcontracting this work out. The written reports that I have received back from the hackers leave much to be desired! Not knowing too much about intrusion detection but realizing that when almost nothing is found wrong (from a security viewpoint) with a client's network, I am in big trouble! Either the hacker does not have the experience to find any problems or there really are not any problems.

On my first few audit assignments, I was barely able to break even as I had to hire two independent hackers for each, i.e., a second hacker had to be hired to give me an independent assessment of the network. I then cut and pasted the two reports into a final "acceptable" one.

I am at a crossroads where I can either give up on the security audits or learn to do them myself. I have chosen the latter and was hoping to get some help from experts like you. I realize that I will have a steep hill to climb but I feel confident that I can learn enough to be much more proficient than the hackers that I am currently paying.

I'm really confused about what tools I need in my "toolkit" for Windows-related audits. I've heard a lot about Nessus as a freeware program but am confused when I go on the nessus.org site and see that it might not be free. Other programs I've heard of include nmap, SAINT, Newt. And, perhaps, there are tools out there (either free or not) that would provide me with an "audit in a box?" I'm guessing that the pros have a select few tools of the trade that they use. You've listed a bunch of tools on your site as well. I realize that ethical hacking is an art and that no two hackers will use exactly the same tools but I am hoping to learn to use the tools they most often use.

Thanks for any help that you can shed on this subject.

Regards,
Ed