PaulDotCom mailing list archives

Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions?


From: arch3angel at gmail.com (Arch Angel)
Date: Wed, 29 Oct 2008 10:16:09 -0400

I personally have yet to listen to this podcast so I can only comment on
what you have viewed his statements as meaning:

Although I agree these tools cannot be your primary solution, I have to
disagree that they have no place, if he meant it in this fashion.  These
tools should be in addition to all the others, even the simple things like
username/password audits on Active Directory.  It will not stop ignorant
users who simply refuse to learn better ways to do things.  However, without
the audits you would have to trust the users, and without the scans you have to
trust that what you designed works.

Where is the practical exercise here?

A perfect example is this new Windows exploit: you can patch it, but how do
you know it truly worked?  Trust Microsoft when they say it is fixed? I
think not; test it yourself by trying to break it...

These tools, as all other tools, are crucial in my opinion and should never be
downplayed...

Robert

2008/10/29 Bugbear <gbugbear at gmail.com>

So I was listening to the Risky Business Podcast this AM (#85) on my
commute in (right after finishing part II of pauldotcom) and they had
Tenable Network Security's CSO Marcus Ranum on. Marcus stated that he felt
tools such as Core and Metasploit had no usefulness in pen test. He
emphasised that a design review and vulnerability scanning should be enough.


While I may have misunderstood his statements and I do agree design/config
reviews and vulnerability scanning need to be the first and second step of
any regular review, pen test, etc., I completely disagree with his comments
on using such aforementioned tools in conjunction with products such as
Nessus, i.e. Nessus is not going to tell me if my BlackBerry user is
connecting to free Wi-Fi and is vulnerable to Karma, etc.

Thoughts, comments, opinions? Interested in the viewpoint of the broad
background of pauldotcom listeners! Or maybe someone can clarify his
comments for me.

Tim




