PaulDotCom mailing list archives
Re: Tenable PVS on a pen test
From: David Maynor <dave () erratasec com>
Date: Mon, 6 Jan 2014 05:44:35 +0000
Simple seems best for me. I like to run PVS on a VM running at the same time as my attack VM. That way it doesn’t matter where my target is; I am getting the front/back analysis. It works really well in this config along with a Kali image. You have no idea when a ../../.. at the most random time will get you a Word file back. PVS is really good at keeping this straight for you. I am trying to finish up a blog post about pentesting with PVS that covers a lot of this.

On Jan 2, 2014, at 9:08 AM, Ron Gula <rgula () tenable com> wrote:
We’ve had a lot of interest in PVS from the pen tester community. As a sniffer, you should deploy it on a span port, but that isn’t always an option. If you can deploy it on a heavily visited system, you can run it there. The PVS runs fine on Sharepoint, Exchange, etc. and it will fingerprint and record the vulns of all systems that visit it over HTTP, SMB, etc.

The most ideal deployment of the PVS is with cooperation from the team you are doing the audit on.

I’m obviously a big fan of PVS’s ability to find vulns, but what is more valuable is finding targets for the pen test including enumeration of all web sites, active but fire-walled hosts and management ports like SSH, SNMP & Telnet.

Ron

From: Larry Petty <lspetty () gmail com>
Reply-To: PaulDotCom List <pauldotcom () mail pauldotcom com>
Date: Monday, December 23, 2013 at 6:57 PM
To: PaulDotCom List <pauldotcom () mail pauldotcom com>
Subject: [Pauldotcom] Tenable PVS on a pen test

I'm a long time Nessus user and love it. (I am forced to use Qualys for MSSP clients due to Tenable licensing, but that's a different topic.) I recently purchased a PVS license and have been using it with great success on security arch reviews and internal vulnerability assessments.

I know some are using PVS on pen tests. How is this being employed without the use of a network tap or span port? In my experience, most customers won't allow these on a pen test.

If only I had a sonic screwdriver. :)

Sent from my Nexus 7

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- Re: Tenable PVS on a pen test Ron Gula (Jan 02)
- Re: Tenable PVS on a pen test David Maynor (Jan 06)