Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CORE-Impact license bypass

From: fd () ew nsci us
Date: Tue, 27 Sep 2005 18:13:37 -0700 (PDT)
On Tue, 27 Sep 2005, Bernhard Mueller wrote:


Exibar wrote:

      I didn't mean to imply that the consultants create their own exploits,
not many I know could even begin to do that, only a couple are talented
enough to do just that.  Even for those very few, it's just not feasable
from a time perspective.  Much quick and cost effective to use what's out
there.



so what use is a pentest if the consultant isn't even talented enough to
find / create exploits for unknown vulnerabilities?
any average admin can install and run an automatic security scanner.
furthermore, a common nessus report contains 99% useless garbage. and
most of the time, you can not apply generic exploits like these from
metasploit to a specific customer situation.


It should also be noted that many security flaws in Customer networks are
in design and therefore implementation.  The real issue comes down to
client-side security.  Most pentests are are trivial after an attack from
Eve, even if the first person she emails in the organization sees through
it ...


X-From: Eve
From: Bob

Hi Alice!  

Can you get me a quote for the parts we need in the attached spreadsheet?

Thank you!

-Bob

<<Attachment:parts.xls.exe>>


--Eric
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: