Penetration Testing mailing list archives
Re: [PEN-TEST] ISS not detecting unicode bug??
From: Eric Budke <budke () BUDKE COM>
Date: Fri, 17 Nov 2000 15:40:13 -0500
No opinion about Nessus, but the one thing that ISS and NAI have going for them is a way of pushing out (not technically pushing) updates.

I've got hundreds of emails across a couple of mail clients of things to go back to, or to look at. There was a time I'd grab almost every Linux kernel and upgrade all my boxes (until I moved to a laptop where kernel upgrades cause things like PCMCIA cards to stop working). It isn't really that practical. Nmap for a period (and I'm sure it will happen again) where there were updates every day or two. Few admins have the available bandwidth to deal with that. Especially if you aren't using it every day.

I'm not disagreeing with the concept of open source, but I think open source works better if there is a way to fold everything back in to the original product with some sort of update. I think running a sniffer against the scanners, if you can get them down to one set of checks, can work just as well to figure out what they are doing. Again, it is a case of who has the time and patience.

I've run into a bunch of mdac susceptible, but unicode exploitable boxes lately. In the absence of unlimited time and the presence of experience (with particular tools or in general) you learn which results to accept and which are sketchy.

At 11:07 PM 11/16/00 -0500, you wrote:
Agreed about Nessus. It's an awesome example of the speed and power of open source development.

Another interesting advantage of going the open source security route is that you could easily work out how and what the check was trying to do and decide for yourself if it was a false positive. If it was only checking for /scripts as someone suggested, you could easily modify it as well, improve the check and share that back to the community so we could all benefit.

----- Original Message -----
From: "Alfred Huger" <ah () SECURITYFOCUS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 16, 2000 10:25 PM
Subject: Re: [PEN-TEST] ISS not detecting unicode bug??

> On Thu, 16 Nov 2000, Eric Budke wrote:
>
> > There was some discussion a year or two ago on another list with the guys
> > from ISS and NAI (and some others) going back and forth about how they
> > actually test, the merits of basing it only off of a banner vs. going
> > through with the actual penetration (especially in how it applies to DOS
> > testing). Both ways have their merits, but neither tool is flawless.
>
> Wow, that brings back memories, the discussion was actually about 2 1/2
> years ago and if I remember correctly it got a bit ugly.
>
> The SNI/Ballista position was that checks should be more than a banner
> grab and should actually (to a degree) exploit the problem to bring back
> 'proof positive'.
>
> After being out of the business (of building scanners) for a while I still
> actually feel the same way. Banner grabs to infer vulnerabilities are
> sometimes required but they are not a good way to write the product.
> However, in cases where you have (non) inetd driven services or other
> services which will choke and not restart you need other methods to
> check. That is of course oversimplifying it quite a bit, but that's a
> microcosm of the issue.
>
> Scanners are of course a poor alternative to hand testing for the most
> part but like most of us agree, are useful for large scale engagement and
> quick problem spotting.
>
> If I were forced to buy a scanner today I would save my money and go with
> Nessus. But of course, that is just me :>
--
PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt