Security Basics mailing list archives

Re: Server Penetration Testing


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 27 Sep 2011 07:17:47 -0500

"Femi Mogaji" <olufemimogaji () gmail com> writes:
> Hi list,
>
> So we just had our annual audit, and one of the findings that came
> up is server-side pen-tests. We already carry out quarterly ASV
> scans & yearly pentest of our external IP addresses; where we fell
> short was the lack of internal pentests. The question is: what tools
> can I use to carry out these tests? Especially tests directed at SQL
> servers & file servers etc. A tool that can generate easy-to-read
> reports would be really nice. Any input will be appreciated.

If you, like most organizations, lack the time, staff, expertise or
political latitude to do real internal penetration testing at scale,
you can get a lot of bang out of internal credentialed vulnerability
scans.  As a bonus, you'll get some metrics with which you can measure
and report on progress.

Tenable Security Center (which leverages the Nessus scanner) is where
it's at for vuln scanning and metrics, IME.

If you do have the resources to have an internal penetration testing
team, Metasploit is a great exploit framework.  The Metasploit Pro
product takes a whack at allowing teams to work together in a shared
knowledge base and assists with reporting--deserves a look.  The same
company also sells a vulnerability scanner.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
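The reply above recommends credentialed internal vulnerability scans because they yield metrics you can track over time. The script below is an added example, not code from the list, from Todd or from Tenable: it parses a Nessus v2 export (the `.nessus` XML format that Nessus and Security Center produce), counts findings per host by severity, and flags hosts where the scan did not actually authenticate, which is the practitioner's check that matters most for a credentialed scan (an unauthenticated fallback silently undercounts what is on the SQL and file servers the original poster asked about). The credential status is read from plugin 19506 ("Nessus Scan Information"), whose output carries a `Credentialed checks : yes/no` line; the exact wording is assumed from that plugin's typical output, and the embedded export, host addresses and non-19506 plugin IDs are constructed for the example.

```python
"""Summarize a Nessus (.nessus v2) export into per-host severity metrics.

Added example: counts findings by severity per host and flags hosts where
the credentialed scan did not authenticate, so a "credentialed" scan
that quietly ran unauthenticated is not mistaken for a clean result.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# "Nessus Scan Information" plugin; its output reports whether credentials worked.
SCAN_INFO_PLUGIN = "19506"

# Constructed sample export (not a real scan): one host that authenticated,
# one where credentialed checks failed. Plugin IDs 10001-10003 are made up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="internal-q3">
 <ReportHost name="10.0.1.20">
  <HostProperties><tag name="host-ip">10.0.1.20</tag></HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
   <plugin_output>Information about this scan :
Credentialed checks : yes
Scan Start Date : 2011/9/26 22:00 CDT
</plugin_output>
  </ReportItem>
  <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="4"
   pluginID="10001" pluginName="Constructed critical finding" pluginFamily="Databases"/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
   pluginID="10002" pluginName="Constructed medium finding" pluginFamily="Windows"/>
 </ReportHost>
 <ReportHost name="10.0.1.30">
  <HostProperties><tag name="host-ip">10.0.1.30</tag></HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
   <plugin_output>Information about this scan :
Credentialed checks : no
</plugin_output>
  </ReportItem>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
   pluginID="10003" pluginName="Constructed high finding" pluginFamily="Windows"/>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {host: {"credentialed": True/False/None, "counts": Counter}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for rh in root.iter("ReportHost"):
        counts = Counter()
        credentialed = None  # stays None if plugin 19506 is absent for the host
        for item in rh.findall("ReportItem"):
            if item.get("pluginID") == SCAN_INFO_PLUGIN:
                output = item.findtext("plugin_output") or ""
                for line in output.splitlines():
                    if line.strip().lower().startswith("credentialed checks"):
                        value = line.split(":", 1)[1].strip().lower()
                        credentialed = value.startswith("yes")
                continue  # scan information is metadata, not a finding
            sev = int(item.get("severity", "0"))
            if sev > 0:  # leave informational items out of the metric
                counts[SEVERITY_NAMES[sev]] += 1
        hosts[rh.get("name")] = {"credentialed": credentialed, "counts": counts}
    return hosts


def summarize(hosts):
    """Aggregate severity totals and list hosts whose scan was not credentialed."""
    totals = Counter()
    for h in hosts.values():
        totals.update(h["counts"])
    not_credentialed = sorted(
        name for name, h in hosts.items() if h["credentialed"] is not True
    )
    return {"totals": dict(totals), "not_credentialed": not_credentialed}


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)
    report = summarize(hosts)
    labels = {True: "credentialed", False: "NOT credentialed", None: "unknown"}
    for name, h in sorted(hosts.items()):
        detail = ", ".join(f"{k}={v}" for k, v in sorted(h["counts"].items()))
        print(f"{name:15} {labels[h['credentialed']]:17} {detail}")
    print("Totals:", report["totals"])
    print("Hosts to fix credentials on:", report["not_credentialed"])
```

Run it against a real export by replacing `SAMPLE_NESSUS` with the file contents; the "not credentialed" list is the one to clear before you trust the severity trend from quarter to quarter.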
