Re: Vulnerability/Penetration Testing Tools

[greybrimstone () aim com]

Sk,
 I couldn't agree more. Nothing beats real results from real people. 
Having said that, the time to deliver can be reduced by using automated 
tools for reconnaissance. If automated scanners identify 
vulnerabilities in systems then those same services do not "need" to be 
fully re-evaluated. That means less work, more savings passed to the 
client.



-Adriel

-----Original Message-----
From: GroundZero Security <fd () g-0 org>
To: greybrimstone () aim com
Cc: full-disclosure () lists grok org uk
Sent: Thu, 19 Jan 2006 20:00:30 +0100
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

 or learn how to do such tests by hand as that is more accurate as any 
automated
tool out there!
 a penetration test shouldnt be automated it would miss too many bugs 
i.e. in
custom php/cgi scripts.
a professional security audit can only be done by hand. period.
too many people rip their customers off with cheap automated tests.

-sk
http://www.groundzero-security.com

----- Original Message -----
From: <greybrimstone () aim com>
 To: <mmadison () fnni com>; <fdlist () digitaloffense net>; 
<full-disclosure () lists grok org uk>
Sent: Thursday, January 19, 2006 7:27 PM
Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools


> Madison,
> See, thats the challenge. I am not looking for a tool that does
 > strict vulnerability assessments. I am looking for a tool that will 
do
> an automated vulnerability assessment and then automated attacks
> against those vulnerabilities. Core Impact has such a tool and it is
> well worth the money. In fact, I already have that in my to-purchase
> list. I am now searching for free tools however and haven't found
> anything.
>
> My goal is to identify tools that have a high ROI... free == the
 > higest. Never the less, automation can only be used a limited amount 
as
> it reduces quality and accuracy.... I know this.
>
>
> -Adriel
>
> -----Original Message-----
> From: Madison, Marc <mmadison () fnni com>
> To: H D Moore <fdlist () digitaloffense net>;
> full-disclosure () lists grok org uk
> Sent: Wed, 18 Jan 2006 08:02:59 -0600
 > Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing 
Tools
>
> I've looked at BidiBLAH (enfaces on the BLAH). Their product does
> nothing more than take the results from
> Nessus, Metasploit and such, then cram them all together in a easy to
> understand format for your boss.
 > BidiBLAH IMHO is not a vulnerability assessment tool, rather a 
reporting
> tool. If anyone can correct me
> please do, since at one point I was in contact with BidiBLAH sales
> asking what I got for $10,000.00 outside
 > Of the reporting? Their answer, well let's just say I'm still 
waiting.
>
> My two cent, Nessus. It's cheap, effective, and probably the most
> supported network vulnerability assessment
> tool on the market.
>
>
>
>
> >>H D Moore wrote:
>
> >>Er, woops, misread - you want to scan and automatically exploit
> systems.
> >This can be easily done with a little scripting and the available
> open-source tools. SensePost
 > >>has a project called BiDiBLAH that integrates Google-discovery, a 
TCP
> port scanner, Nessus,
> >>and Metasploit: - http://www.sensepost.com/research/bidiblah/
>
> >>The next version of the Metasploit Framework (v3) has support for
> 'recon'
 > >>modules that technically you could use to automate this, but it 
will
> take some time before this is usable.
>
> >>-HD
>
>
> >On Tuesday 17 January 2006 18:04, H D Moore wrote:
> > You should check out the Metasploit Framework:
> > - http://metasploit.com/projects/Framework/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
 > 
________________________________________________________________________
> Check Out the new free AIM(R) Mail -- 2 GB of storage and
> industry-leading spam and email virus protection.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


________________________________________________________________________
Check Out the new free AIM(R) Mail -- 2 GB of storage and 
industry-leading spam and email virus protection.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/