RE: Core Impact Vs Manual Pen Test

[andy cuff <lists () securitywizardry com>]

Core is a cool product as are Metasploit and Canvas, though I don't feel that 
any of them would replace a manual Pen Test, though they will complement one 
and indeed speed one up.  Perhaps the client could use an exploitation engine 
prior to employing Pen Testers to remove the low hanging fruit, forcing the Pen 
Testers to think outside the box in order to demonstrate their Leetness and 
attract repeat business.

Best Regards
-- 
Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com


Quoting Philippe Dumont <philippe.dumont () abovesecurity com>:

> I use Core Impact and I have to say... it is a tool and a good one. But it
> won't exploit every possible vulnerabilities. Sometimes you can reach root
> access thru escalation, which is the coolest way of all.
>  
> Myself and my collegue once found a backup script that divulged the root
> password... the script was found via a anonymous FTP server :-) (And this was
> in a Scada environment)
>  
> Core impact won't do that for you! Catch my drift?
>  
>  
>
> ________________________________
>
> From: jackal_pf0 () lycos com [mailto:jackal_pf0 () lycos com]
> Sent: Thu 8/31/2006 2:55 AM
> To: pen-test () securityfocus com
> Subject: Core Impact Vs Manual Pen Test
>
>
>
> Dear Members,
>
>
>
> I've been doing Pen test for a quite while. I have used both Open source and
> Commercial tools for the activity. Now because of automated tools such as
> core Impact, Canvas, Qualys most of the clients are coming up with the
> Question of Whether to go fo Core Impact or hire some consultants to do the
> activity. These clients are not worried bout paying huge money to buy these
> tools.
>
>
>
> Since I have not used Core Impact, I cant figure out the differences. I
> believe you guys can help me out.
>
>
>
> Any comments appreciated.
>
>
>
> Regds,
>
>
>
> J
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
> AVERTISSEMENT CONCERNANT LA CONFIDENTIALITÉ 
>
> Le présent message est à l'usage exclusif du ou des destinataires mentionnés
> ci-dessus. Son contenu est confidentiel et peut être assujetti au secret
> professionnel. Si vous avez reçu le présent message par erreur, veuillez nous
> en aviser immédiatement et le détruire en vous abstenant d'en faire une
> copie, d'en divulguer le contenu ou d'y donner suite.
>
> CONFIDENTIALITY NOTICE
>
> This communication is intended for the exclusive use of the addressee
> identified above. Its content is confidential and may contain privileged
> information. If you have received this communication by error, please notify
> the sender and delete the message without copying or disclosing it.
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?
camp=701600000008bOW
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------