Full Disclosure mailing list archives

Re: Flash that simulates virus scan


From: reepex <reepex () gmail com>
Date: Sun, 9 Dec 2007 14:17:30 -0600

here is adriel from netragard spouting about his lame company that uses
nessusd for all their testing... notice his signature has multiple emails
and phone numbers because he is incapable of passing his cissp

On Nov 1, 2007 9:31 AM, Adriel Desautels <adriel () netragard com> wrote:

We rely on manual testing for everything. Our philosophy is that
automation is not nearly as effective as human talent. Human talent
produces high quality reports.

What is the name of your company?



Regards,
       Adriel T. Desautels
       Chief Technology Officer
       Netragard, LLC.
       Office : 617-934-0269
       Mobile : 617-633-3821
       http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
reepex wrote:
I work at a less known security company that bans use of any automated
tools unless under extreme circumstances. These include times such as
when we have 1000s of IP addresses all alive and running random Windows
versions, so we use mass scans to find any unpatched machines. We
strictly do not allow 'web scanners' no matter how large the size
because they are all crap and it's quicker to find the bugs yourself
than verify all the false positives any web app scanner creates.

How does your company handle these things?

On 10/31/07, Simon Smith <simon () snosoft com> wrote:
Reepex,
        What company are you with? I'm actually interested in finding
infosec companies that perform real work as opposed to doing everything
automated. Nice to hear that you're a real tester.

        With respect to your question, doesn't msf3 have some of that
functionality already built into it? Have you already hit all their
web-apps?

reepex wrote:
resorting to se in a pen test cuz you can't break any of the actual
machines?

lulz

On 10/31/07, Joshua Tagnore <joshua.tagnore () gmail com> wrote:
List,

    Some time ago I remember that someone posted a PoC of a small site that
had a really nice looking flash animation that "performed a virus scan" and
after the "virus scan" was finished, the user was prompted for a "Download
virus fix?" question. After that, of course, a file is sent to the user and
he got infected with some malware. Right now I'm performing a penetration
test, and I would like to target some of the users of the corporate LAN, so
I think this approach is the best in order to penetrate to the LAN.

    I searched Google but failed to find the URL, could someone send it to
me? Thanks!

Cheers,
--
Joshua Tagnore
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
