Penetration Testing mailing list archives
Re: Cross testing exploit with vulnerability scan results
From: Chroot <chrooted () gmail com>
Date: Mon, 30 Jul 2007 18:32:41 +0530
Hmmm... I have been using Nessus since years now.. right from older versions to 3.x both in windows and linux... I have tried different set of configurations... and done a fair bit of tweaking... wrote few NASL scripts and modified many based on target requirements... The point is not about being able to use or not... it is about a genuine issue in the vul. scanner that might be temporary ... and is not limited to Nessus.. with due respect to Nessus it is widely used and hence there are always more chances of people finding issues in it... this kind of issue can happen with any Vul. scanner that is not Nessus.. Regarding Christine's query, yes I understand what I mean by "all possible exploits". My definition would be those that have maximum chance of compromising a system and not doing something out of the agreement.. Having said that, yes, there would be a whole set of issues where you need to use your imagination, past experience and lateral thinking ... but that's not where I'm coming from.. My question if I take an example is WHAT IF A VULNERABLE IIS RUNNING ON TARGET WITH A VUNERABILITY DESCRIBED IN http://www.securityfocus.com/bid/18858/exploit GOES UNIDENTIFIED IN NESSUS OR ANY OTHER SCANNER? Probability might be 1 out of 100 but what to do if this happens? On 7/29/07, Sol_Invictus <sol () haveyoubeentested org> wrote:
Sounds to me like there's a lot of people that know how to run nessus but don't know how to USE nessus properly. That's all I have to say. Sol. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Armstrong Sent: Saturday, July 28, 2007 4:04 PM To: pen-test () securityfocus com Subject: RE: Cross testing exploit with vulnerability scan results Chroot, I believe you should always check and cross check your scans. Check for false positives and ensure your scanning has been conducted in the correct circumstances without some external factor injecting unknown factors. Also, remember that vulnerability scanning with an automated scanner is using some one else's check sheet to check a system, so yes there could be errors and problems with its code and implementation. You should do you own checks too, otherwise what value are you adding to the test? I personally would not scan someone's network and then download the list of possible exploits of the web and run them against the client system, not unless you have very understanding professional indemnity insurers! You should obtain you code from good sites and cross check where possible with dns records, md5, sha1, sha256 hashs and other integrity assurance methods, else you may download 'bad code'. Plan ahead and collect good code and exploits, some you will have to modify yourself, but always check to see what it does on a test lan - not the clients! As to your example try running a manual banner grab or run another port scanning tools (Scanrand or Unicom scanner for example). And to start the flames as I leave, running a vulnerability scanner and only exploiting or attacking what is says I what I would call a basic vulnerability analysis - not a penetration test. A Penetration test requires you to think out of the box and to try other stuff that many VA tools just don't cover. And how would you penetration test a bespoke program or application if your VA tool does not carry checks for it? Running for cover . . . . . Steve A -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chroot Sent: 27 July 2007 13:26 To: pen-test () securityfocus com Subject: Cross testing exploit with vulnerability scan results Hi Fellow testers, I've been conducting pen tests since 4 yrs now... the methodology I follow is that we exploit or attempt to exploit ONLY those vulnerabilities that a vulnerability scanner identifies. What if the appropriate check or signature in the vulnerability scanner was not up to date or had some coding issue or was not comprehensiveness enough (or anything else) to identify a real existing vulnerability on a system. This can result in serious false negatives. Would downloading, installing and cross testing all available exploits for an identified service be a good idea to minimize such a case? How many people have faced such an issue or a similar issue? For me I faced this issue with some bug in Nessus recently. This is something like my NMAP says there is IIS6.0 running on port 443 of a target server. I do a Nessus scan on it and it doesn't report anything. I then download all available exploits for IIS6.0 (or for all version of IIS? would this make sense) from securityfocus.com or securiteam.com or similar source and run it manually on the target system. Eagerly await opinions. THNX ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Cross testing exploit with vulnerability scan results Chroot (Jul 27)
- Re: Cross testing exploit with vulnerability scan results John M. Martinelli (Jul 28)
- Re: Cross testing exploit with vulnerability scan results Morning Wood (Jul 28)
- Re: Cross testing exploit with vulnerability scan results Jan Heisterkamp (Jul 28)
- Re: Cross testing exploit with vulnerability scan results Chroot (Jul 28)
- Re: Cross testing exploit with vulnerability scan results Christine Kronberg (Jul 29)
- RE: Cross testing exploit with vulnerability scan results Steve Armstrong (Jul 28)
- RE: Cross testing exploit with vulnerability scan results Sol_Invictus (Jul 28)
- Re: Cross testing exploit with vulnerability scan results Chroot (Jul 30)
- Looking to set up an infosec lab John M. Martinelli (Jul 30)
- RE: Cross testing exploit with vulnerability scan results Sol_Invictus (Jul 28)
- Re: Cross testing exploit with vulnerability scan results Anders Thulin (Jul 29)
- Re: Cross testing exploit with vulnerability scan results jussi jaakonaho (Jul 29)