Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: Vanja Hrustic <vanja () siamrelay com>
Date: Fri, 04 Sep 1998 02:40:25
At 19:22 02/09/98 -0400, Stout, Bill wrote:
> What are the opinions on the thoroughness of shrinkwrap software penetration testing? Is today's shrinkware more capable for penetration testing (a single machine) than a human?

[This is VERY PERSONAL opinion. Flames in private please :]

Never. I prefer to use term "Policy Manager" rather than "Security Scanner" or whatever:) Yes, it can be very useful tool if you want to check that all hosts on the network are implementing some policies (let's say, scan all hosts to see if fingerd is running somewhere).

Penetration testing? Nope. Plenty of reasons, but... Few.

It won't detect telnetd running at port 79, it won't yell about connection at port 37337 that welcomes you with "Welcome to secret backdoor. Press 1 for root shell, 2 for sniff logs". It won't check for many vulnerabilities that exist (no matter what anyone says, but "600-700 checks" sounds funny when you compare it to a database that was filled during 5 years, almost every day). It won't try 99% of crazy usernames/passwords that you'll imagine (scanner doesn't know if your client is insurance company, or food manufacturer, or hospital, or ...). It won't try to "play with" daemons that are not shipped with OS, or are not at standard ports.

I yet have to see scanner that works on/against x.25 machines (erm, anybody implemented x25d buffer overflow checks? ;-). Scanner that works against VAX/VMS machine (is there such a thing? Anybody knows?).

Some of the most famous x.25 hackers were scanning x.25 by hand (try to explain to scanner what to do when RPE appears :). Some of the most famous phreakers were scanning phone system by hand (yes, wardialer is nice, but misses heaps of things). Some of the most famous hackers didn't/don't use mscan, satan and similar tools to get what they want. Why should people (that are supposed to protect the network from those guys) use automated tools then!?

And not to forget: social engineering :)

At the end, many people are doing "that" for money only. It takes less time and bring more money (probably, I really don't know - I just guess :) if you use automated tools, and get new audit every day.

This was, anyway, only about "penetration testing". And it usually comes to the point when you're inside and have to find all the holes. Scanner? No, thanx.

And of course, we were talking about "humans" that are experts, with lots of experience. If you have "I-got-2-day-training-and-certificate" type of guy (girl) in charge for testing... Good luck ;)

[This is the end of VERY PERSONAL opinion. Flames in private please :]

<joke> The only situation when you need scanner is against NT. OS w/o logic can't be scanned by a human (you can crash it by accident ;). </joke>

Regards,

Vanja Hrustic
Information Systems Manager
Siam Relay Ltd.
http://www.siamrelay.com
vanja () siamrelay com
Phone: +662-616-8628
Fax: +662-272-6516