Penetration Testing mailing list archives
RE: Re: Core Impact vs. Canvas vs. Metasploit
From: "Sahir Hidayatullah" <sahirh () mielesecurity com>
Date: Tue, 2 May 2006 12:58:40 +0530
commercial grade is richer with attacks
Are you refering to the number of exploits provided? Don't forget that Metasploit is designed as an exploitation framework, it also makes it significantly easier to put together an exploit. I also find that just about every worthwhile exploit makes it into a metasploit module pretty soon.
more developed GUI
Being addressed for Framework 3.0 -- Web GUI with AJAX as well as WxRuby standalone GUI. See page 10 of Moore's CSW presentation here: http://www.cansecwest.com/slides06/csw06-moore.pdf
ability to use "syscall proxies"
Once again, framework 3.0 has a heavily ramped up meterpreter module. You'll essentially get a complete programmatic shell (Ruby's IRB for those familiar) on exploitation. This lets you do some extremely nifty things (imagine having the complete power of ruby in your hands), refer to: http://metasploit.blogspot.com/2006/04/post-exploitation-fun-in-metasploit-3 0.html Other interesting developments for Metasploit 3.0 include session sharing among many users (great for testing as a team), ability to concurrently attack and manage multiple victim sessions, aux modules will allow recon and integration with your other tools (nmap, nessus etc). The key here is extensibility of the tool -- I would say if you can code, Metasploit gives you significantly more flexibility over most of the commercial alternatives. Not to mention there is a rather obvious price difference as well. Cheers, Sahir Hidayatullah. http://metasploit.blogspot.com/2006/04/post-exploitation-fun-in-metasploit-3 0.html -----Original Message----- From: alphafreq () yahoo com [mailto:alphafreq () yahoo com] Sent: Sunday, April 30, 2006 1:52 AM To: pen-test () securityfocus com Subject: Re: Re: Core Impact vs. Canvas vs. Metasploit I believe besides the more obvious (commercial grade is richer with attacks and more developed GUI), in short the biggest functional difference between Metasploit and Canvas/Core is the ability to use "syscall proxies" that Core Impact I beleive originally developed that overcomes limitation of pre-packaged payloads. This is described in detail by Maximiliano Cáceres from Core. I have not personally used Canvas yet, but know that Dave Aitel developed this capability in MOSDEF (free) as well as Canvas. ---------------------------------------------------------------------------- -- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ---------------------------------------------------------------------------- -- ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- RE: Re: Core Impact vs. Canvas vs. Metasploit Sahir Hidayatullah (May 02)
- <Possible follow-ups>
- Re: Re: Core Impact vs. Canvas vs. Metasploit Greg Leclercq (May 02)
- Re: Core Impact vs. Canvas vs. Metasploit Ivan Arce (May 02)
- Re: Core Impact vs. Canvas vs. Metasploit Paul Asadoorian (May 03)