RE: Penetration Testing Software

["Eggleston, Mark" <meggleston () HEALTHPART COM>]

Hmmm.  What is your distinction between tools vs. software?  I can
indeed launch an RPT (Rapid Pen Test) from Core Impact to perform social
engineering or client side attacks.  Once the automated test scenario
completes I will have a nice report.  This can be very helpful indeed;
not a cheap tool and a very skilled pen tester with an arsenal of other
lower costs tools may be able to do better.  Nonetheless, such automated
tools can be a very effective pen test.

Regards,

Mark  

-----Original Message-----
From: AK [mailto:platsakos () gmail com] 
Sent: Thursday, September 22, 2011 7:28 PM
To: Eggleston, Mark
Cc: security-basics () securityfocus com; dhilton () theitguy us
Subject: Re: Penetration Testing Software

Hi all,

I am not convinced. What you describe can *at best* be described as
tools. See, without wanting to re-heat the age-old argument, penetration
testing is a complicated process, well defined in scope, requiring an
exact methodology and exploitation (in which the tools you described can
play a part) is only a part of it. How about client side attacks, social
engineering and data exfiltration? If you do anything less, you are
doing VA, with result verification, which, while it has its own merits,
it is not pen-testing.

Regarding reporting, while VA reporting might be easier, I do not think
that pen-testing reporting can be fully automated, pen-testing teams
judgement indeed does play a significant role in this one. It goes
without saying that if a "pen-testing" technical process consists of a
number of  point and click, verify and then off to the PDF writer with
the customized company logo, this ain't a pen-test.

On 09/21/2011 08:40 PM, Eggleston, Mark wrote:
> Yes, there is indeed such a thing as penetration testing software.  If

> this is specifically what you are looking for you'll quickly find 
> there are much less pen testing software out there vs. vulnerability 
> assessment software.  In addition to what is already listed as pen 
> test tools (Core Impact, w3f, Nexpose/Metasploit) you may also be 
> interested in evaluating Saint.
>
> Depending upon the target of your pen testing (network versus web 
> apps) you may find more tools to specifically pen test web apps.  For 
> example Nikto or I'm becoming a big fan of Qualys web app testing as 
> they have a nice module within Qualys Guard that will run the SQL 
> injection, XSS and other exploits.
>
> My hope is that leading vendors will continue to evolve their products

> such that vulnerability assessment and pen testing modules are 
> packaged together which will in turn generate concise and valuable
reports.
> Hope this helps.
>
> Mark Eggleston, CISSP, GSEC, CHPS
> Manager, Security and Business Continuity
>
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com]
> On Behalf Of AK
> Sent: Wednesday, September 21, 2011 12:34 PM
> To: Dimitrios Hilton
> Cc: security-basics () securityfocus com
> Subject: Re: Penetration Testing Software
>
> Hi all,
> is there such a thing as "penetration testing software"? I understand 
> tools and other software products that might be used by pen-testers, 
> but I believe that the term you are looking for is "vulnerability 
> assessment software".
>
> On 09/21/2011 06:45 PM, Dimitrios Hilton wrote:
> > Does anyone have a recommendation for a low cost Penetration Testing 
> > Software that can produce nice client reports
> >
> > Dimitrios Hilton
> > President & Senior Consultant
> > The IT Guy, Ltd.
> > 413 Wacouta Street, Suite 350
> > St. Paul, MN 55101
> > (Cell) 651-226-6112
> > (Dispatch)  651-298-0037
> > (FAX) 651-917-9239
> > dhilton () theitguy us
> > www.theitguy.us
> >  
> >  
> >  
> >
> >
> > ---------------------------------------------------------------------
> > -
> > -- Securing Apache Web Server with thawte Digital Certificate In this

> > guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company 
> and how your customers can tell if a site is secure. You will find out

> how to test, purchase, install and use a thawte Digital Certificate on

> your Apache web server. Throughout, best practices for set-up are 
> highlighted to help you ensure efficient ongoing management of your 
> encryption keys and digital certificates.
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be
> > 4
> > 42f727d1
> > ---------------------------------------------------------------------
> > -
> > --
> --
> What is the air-speed velocity of an unladen swallow? 
>
>
> ----------------------------------------------------------------------
> -- Securing Apache Web Server with thawte Digital Certificate In this 
> guide we examine the importance of Apache-SSL and who needs an SSL 
> certificate.  We look at how SSL works, how it benefits your company 
> and how your customers can tell if a site is secure. You will find out

> how to test, purchase, install and use a thawte Digital Certificate on

> your Apache web server. Throughout, best practices for set-up are 
> highlighted to help you ensure efficient ongoing management of your 
> encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
> 42
> f727d1
> ----------------------------------------------------------------------
> --
>
> This message, together with any attachments, is intended only for the 
> use of the individual or entity to which it is addressed. It may 
> contain information that is confidential and prohibited from 
> disclosure. If you are not the intended recipient, you are hereby 
> notified that any dissemination or copying of this message or any 
> attachment is strictly prohibited. If you have received this message 
> in error, please notify the original sender immediately by telephone 
> or by return e-mail and delete this message along with any 
> attachments, from your computer.
>
> ----------------------------------------------------------------------
> -- Securing Apache Web Server with thawte Digital Certificate In this 
> guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
> 42f727d1
> ----------------------------------------------------------------------
> --

--
What is the air-speed velocity of an unladen swallow? 


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------