Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: Vanja Hrustic <vanja () siamrelay com>
Date: Fri, 04 Sep 1998 02:40:25

At 19:22 02/09/98 -0400, Stout, Bill wrote:

What are the opinions on the thoroughness of shrinkwrap software
penetration testing?  Is today's shrinkware more capable for penetration
testing (a single machine) than a human?

[This is VERY PERSONAL opinion. Flames in private please :]

Never.

I prefer to use the term "Policy Manager" rather than "Security Scanner" or
whatever :) Yes, it can be a very useful tool if you want to check that all
hosts on the network are implementing some policies (let's say, scan all
hosts to see if fingerd is running somewhere). Penetration testing? Nope.

Plenty of reasons, but... here are a few.

It won't detect telnetd running on port 79; it won't yell about a connection
on port 37337 that welcomes you with "Welcome to secret backdoor. Press 1
for root shell, 2 for sniff logs".

It won't check for many vulnerabilities that exist (no matter what anyone
says, "600-700 checks" sounds funny when you compare it to a database
that was filled over 5 years, almost every day). It won't try 99% of the
crazy usernames/passwords that you'd imagine (a scanner doesn't know if your
client is an insurance company, or a food manufacturer, or a hospital, or ...).

It won't try to "play with" daemons that are not shipped with the OS, or are
not on standard ports.

I have yet to see a scanner that works on/against x.25 machines (erm, has anybody
implemented x25d buffer overflow checks? ;-). A scanner that works against a
VAX/VMS machine (is there such a thing? Anybody know?).

Some of the most famous x.25 hackers were scanning x.25 by hand (try to
explain to a scanner what to do when RPE appears :). Some of the most famous
phreakers were scanning the phone system by hand (yes, a wardialer is nice, but
it misses heaps of things). Some of the most famous hackers didn't/don't use
mscan, satan and similar tools to get what they want.

Why should people (who are supposed to protect the network from those
guys) use automated tools then!?

And not to forget: social engineering :)

In the end, many people are doing "that" for money only. It takes less time
and brings more money (probably, I really don't know - I'm just guessing :) if
you use automated tools and get a new audit every day.

This was, anyway, only about "penetration testing". And it usually comes to
the point where you're inside and have to find all the holes. Scanner? No,
thanx.

And of course, we were talking about "humans" who are experts, with lots
of experience. If you have an "I-got-2-day-training-and-certificate" type of
guy (girl) in charge of testing... Good luck ;)

[This is the end of VERY PERSONAL opinion. Flames in private please :]

<joke>
The only situation where you need a scanner is against NT. An OS w/o logic can't
be scanned by a human (you can crash it by accident ;).
</joke>

Regards,

Vanja Hrustic
Information Systems Manager
Siam Relay Ltd.
http://www.siamrelay.com
vanja () siamrelay com
Phone: +662-616-8628
Fax: +662-272-6516
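As an added illustration of the "telnetd on port 79" point in the post above (example code written for this archive page, not from the original post or any tool it names): a check that labels a listening service by the first bytes it volunteers rather than by its port number, and reports when the two disagree. The banners in the comments are constructed samples; grab_banner takes whatever host and port the reader supplies.

```python
"""Identify a service by behaviour instead of port number (added example)."""
import socket

# Telnet servers usually open with IAC (0xFF) + WILL/WONT/DO/DONT negotiation.
_IAC = 0xFF
_TELNET_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}


def classify_banner(data: bytes) -> str:
    """Coarse label for the first bytes a server sends before we say anything."""
    if len(data) >= 2 and data[0] == _IAC and data[1] in _TELNET_CMDS:
        return "telnet"            # constructed sample: b"\xff\xfd\x18\xff\xfd\x20"
    if data.startswith(b"SSH-"):
        return "ssh"               # constructed sample: b"SSH-2.0-OpenSSH"
    if data.startswith(b"220 "):
        return "smtp-or-ftp"       # both greet with a 220 line
    if data == b"":
        return "silent"            # fingerd, HTTP etc. wait for the client to speak
    return "unknown"


def expected_for_port(port: int) -> str:
    """What a port-number-only scanner would assume is listening there."""
    return {22: "ssh", 23: "telnet", 25: "smtp-or-ftp", 79: "silent"}.get(port, "unknown")


def mismatch(port: int, data: bytes) -> bool:
    """True when the observed greeting contradicts the port assumption.

    An "unknown" greeting is never flagged, so odd-but-quiet services do not
    produce noise; a recognised daemon on the wrong port always is.
    """
    seen = classify_banner(data)
    return seen != "unknown" and seen != expected_for_port(port)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send nothing, and return what the service offers unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256)
        except (socket.timeout, ConnectionError):
            return b""           # treated as "silent" by classify_banner
```

Running mismatch over an inventory of (host, port) pairs turns the scanner's "fingerd is on 79" assumption into a question answered by the service itself.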


