Security Basics mailing list archives

Re: Vulnerability scanners don't work


From: ArcSighter Elite <arcsighter () gmail com>
Date: Thu, 08 Jan 2009 09:07:20 -0500


Adriel T. Desautels wrote:
Greetings all. I've finished another entry on our blog. This time the
entry was about why vulnerability scanners do not work. It goes into a
little bit of detail and is intended for the average reader. My goal was
to help to educate people about what vulnerability scanning really is.

For the record, I did add the email address of this list to my blogger
so that entries are automatically posted to this list. If anyone is
against me doing that, or if that is a violation of the list policy then
please let me know and I'll stick with this method of letting people
know. (I'm not sure if it worked, hence this email.)

Anyway, here's the latest entry:

http://snosoft.blogspot.com/2009/01/vulnerability-scanning-doesnt-work.html

As always, comments are more than welcome.


    Adriel T. Desautels
    ad_lists () netragard com
        --------------------------------------

    Subscribe to our blog
        http://snosoft.blogspot.com

I agree up to a certain point.
We all know a vulnerability scanner won't find what it doesn't know
about; but think about it for a minute.
The identified vulnerabilities that vuln-scanners show and detect
obviously still exist in most targets.
No pen-tester would actually spend months reversing, e.g., Apache for a
0day vulnerability just because they have identified this software as
the implemented web server.
In fact, software vulnerability research is one of the most obscure and
difficult topics that could fall into the penetration testing category,
and as far as I know, most of the people who succeed at this task devote
their time almost exclusively to research.
So, you should have titled your post another way. Yes, they work,
but the average pen-tester should not DEPEND only on them, as many
people we have read on this list do.
Be honest: you, as a self-claimed expert, haven't increased your
pen-test time by using some tool like Nessus or Acunetix to point out
the known vulnerabilities before trying to achieve something else? I
think you've done this over and over.
In fact, I'm relegating the use of vuln-scanners, yes, and it's a fact
that being able to drop such tools comes with experience, but please
don't tell the world they're useless, because they aren't. Yes, they are
rigid, pattern-based software implementations (I should stress
software, because of a simple AI principle: software doesn't think like
humans) that in most cases will report a lot of false positives and
false negatives, because in the software security world, in most cases,
you can't truly test for a vulnerability without exploiting it; although
this is a little less true when it comes to web apps.
They're signature-based, banner-based or fingerprint-based in how they
report their findings, so they can't be 100% accurate. This is
particularly true in the Unix world, where in most cases patches are
ported instead of upgrades being performed.
And about the responsible disclosure policy you're talking about: I
think most security gurus - the ones, and only the ones, that should be
doing pen-testing, although in the real world it doesn't happen this
way - already have an arsenal of techniques/knowledge/vulnerabilities
not exposed to the public, so they won't spend months like you say.
The black market for 0days will exist forever, but there are also good
ways of managing the issue, known as contributor programs or responsible
disclosure, such as iDefense, TippingPoint and the like.
Take the MD5 issue, a hot topic these days, for example. Alex Sotirov and
his co-workers on the MD5-collision issue have developed a way to
collapse MD5 and create rogue CA certificates. They spent almost 6
months on the research, and even now that we have their presentation,
are you able to reproduce the attack? I know it's a little bit of an
extreme example, but with this I'm trying to say that unpublished
vulnerabilities aren't always unknown. They're gray hats, true, but the
fact is that even the black hat won't spend months like you say trying
to break a firewall; you must know that what truly makes a hacker is
living by this philosophy: your network is as weak as its weakest link.
That's it: they'll find the target's weakest link and exploit it,
although they may have to deal with the firewall. And if you know
something about how these people think, then you should know that most
attacks aren't random; they're distributed, they're many people, they're
zombies or pivoters. In many cases they don't need months to
compromise. If you call "attack" all of its phases from inception to
compromise, then yes, it could take months, but the attack itself, I
don't think so.

Vuln-scanners follow the community in most cases. I've almost never seen
an interesting vulnerability present in such a tool before a public
advisory is released; the makers follow responsible disclosure. Even in
the case of related research/programming teams such as CoreSecurity,
they release advisories only after the vendor has been contacted and a
time-line has been established, and only once the public advisory is
online do they release it into CoreIMPACT, for instance.


Now think. What if vuln-scanners shipped zero-days?
Then comes the script-kiddie plague: the vendor loses, customers lose,
and the like. So the fact that vuln-scanners are late isn't a problem
from my point of view.

Some people on this list, I think, could develop an exploit from a
simple advisory, but script-kiddies need a PoC, don't they? What if you
provide them with a full exploit they could misuse? I don't even want to
think about it.

So, this post is getting long. There are many things I agree and
disagree with, but I need to work.

Sincerely.
