Penetration Testing mailing list archives

Re: nessus exceptions


From: H Carvey <keydet89 () yahoo com>
Date: 5 Aug 2004 17:27:49 -0000

In-Reply-To: <20040803210137.GF4161 () bozorky foofus net>

This plan has a flaw: what if they don't detect the holes?  It gives
you no information about whether or not they use anything besides 
Nessus; it only tells you that they didn't detect the hole.

A better plan might be to ask them which portions of their output
came from tools other than Nessus.

I like Foofus's approach.  I've been involved with far too many audits
and assessments (from both sides), where this technical approach to
foiling or fooling the auditor ends up blowing up in your face.

If you're concerned about the tools that are used, sit down with the
testing company and ask them.  They should tell you.

Are you concerned that the testing company is using only one tool?
Tools like this are only as good as the person who uses them.  Do the
testers understand the NASL scripts?  Have they written their own
custom scripts?  If so, have any of these scripts been released back to
the community (so that you can verify them)?  Having a clueless operator
run ISS and Nessus, rather than just one, really doesn't give you much.

