Penetration Testing mailing list archives
Re: Cross testing exploit with vulnerability scan results
From: Christine Kronberg <seeker () shalla de>
Date: Sun, 29 Jul 2007 12:12:00 +0200 (CEST)
On Sun, 29 Jul 2007, Chroot wrote:
*snip*
> Let's take this scenario:
>
> 1. We run NMAP and find that the target runs IIS 6.0 (through banner grabbing and telneting)
> 2. We run Nessus and find that it doesn't report any holes
> 3. We run WebInspect and manually test for SQL Injection, XSS and similar issues
>
> Let's assume a scenario where Nessus had an issue with some NASL script and it couldn't catch an issue in this IIS 6.0 ... To counter such scenarios I can think of three cases:
>
> 1. Run Retina on the target and cross check results
> 2. Download all possible exploits for IIS 6.0 and manually test them against the target (of course I'll test them on my test network first)
Are you sure you understand what "all possible exploits" do? The art of penetration testing is to select the proper exploit for a target. Or to write an exploit if none is available. I never rely on scanners. They only give me a hint where to hit first, but from there everything else is done manually. Some exploits need some afterwork to function - not so much because of script kiddy protection but because the target system is behaving differently from the one the exploit was originally written for.
> 3. Install another version of Nessus, maybe 2.x or 3.x, on a Windows system and cross check...
>
> My query with fellow testers is: is there a fourth option, and what is the preferred option from the 3 above and why..
Yes, of course there is a fourth option and it is to be preferred above all others: Use your knowledge and your imagination to find a hole. Play with the answer from the server. Never blindly use one exploit after the other in the hope that one will work. Check the results and modify the exploits depending on the answers of the server. Most exploits may be useless, but not necessarily all. With your options you are basically testing the scanners, not the target server. Your question boils down to "If scanner one does not give this or that result, will scanner two do?". I have to agree with Wood: this is not penetration testing. It's vulnerability scanning.

Cheers,

Christine Kronberg.