Penetration Testing mailing list archives
Re: Opinions of automated testers
From: "Lee Lawson" <leejlawson () gmail com>
Date: Tue, 8 May 2007 15:58:37 +0100
Quite agree. We use WebInspect here, not that the reporting matters for any of them as I write my own. I don't like the Americanization of the spelling for our UK clients.

But as Erin also pointed out, these are purely web application scanners. If you are performing a test of the entire attack surface (the amount of systems/services/ports that are accessible to external attackers) then you will also need to use infrastructure testing tools.

The obvious choice for a starter would be Nessus. It is freely available from Tenable Security and works on a number of operating systems. Other choices would be Retina and GFI Languard, but you will have to pay for them! I would not jump straight in with Core Impact (although it's a fantastic tool if you can afford the cost) or Metasploit as they will guide you toward actually exploiting a system to gain full control. I would not recommend that you do that until you have more experience and can control the probable effects.

I would also have a look for free web application scanners to start off with. With web apps though, you really need to pay for a scanner such as WebInspect, Cenzic or Watchfire as the free tools are nowhere near as good!

You should also consider a methodology. This is the framework that all pen testers follow to assess the security of any system/network etc. There is no real global methodology although the pentest mindmap (www.vulnerabilityassessment.co.uk) has gone some way to achieving that. I am biased though as I helped write it!

I would say that you should:

1) Port scan your target systems. Use Nmap for this:

    nmap -sT -P0 -v -p 1-65535 192.168.1.1

   You should see some open, closed or filtered ports. Filtered simply means that no response was received, probably because of a firewall.

2) Vulnerability scan your target systems. Use Nessus for this. I cannot go through how to install, set up and use it here, but it's pretty intuitive for the Windows installation.

3) Compare the results of the two to ensure that open/closed & filtered ports match up.

4) Compile that information into some kind of report for your management, reporting each discovered vulnerability in order of priority.

5) Get yourself on a pen testing course as soon as possible as blindly running these tools could cause unforeseen results such as crashing servers etc. I would never recommend that someone jumps in with this subject without the most basic of training.

Good luck,

On 5/8/07, Dotzero <dotzero () gmail com> wrote:
On 8 May 2007 03:58:22 -0000, zackpeters75 () yahoo com <zackpeters75 () yahoo com> wrote:

> Hi,
>
> My manager gave me our pen testing project and I'm still coming up to speed so forgive me if this question is not 100% list appropriate.
>
> From what I can tell the top 3 automated pen testing programs are from SPI Dynamics, Cenzic and Watchfire. I haven't evaled any of them quite yet but they each seem to have their advantages and disadvantages. Cenzic is claiming to be the most accurate at least according to their 20/20 marketing program http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm wondering what people have actually seen.

Erin gave an excellent response to you.... read carefully.

Not too long ago I did an in-depth evaluation of all 3 products. I had looked at them in the past and we were finally in a position to make a purchase decision.

Each of the products has strengths and weaknesses. They all do a pretty good job and from day to day one will be ahead of the others and then a different one. Most of the differences show up in the bells and whistles, report presentation, etc. For me it almost comes down to flavors of ice cream. I prefer vanilla but you may prefer chocolate.

We ultimately chose WebInspect (SpiDynamics) but it was a close decision all the way around. One important caveat is that these are tools and if the person using the tool doesn't understand how to use the tool properly then their mileage may vary.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
--
Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."
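Steps 3 and 4 of the procedure in the message above, shown as an added example that is not part of the original post: cross-check port-scan states against vulnerability-scan findings, then order the findings by priority. It assumes nmap was also given `-oG` for grepable output and that the scanner findings are in a hypothetical CSV layout (not a Nessus format); all sample data is constructed.

```python
import csv
import io
import re

# Constructed sample: nmap grepable (-oG) output for one host.
NMAP_GREPABLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///, 3306/open/tcp//mysql///\t"
    "Ignored State: closed (65531)\n"
)

# Constructed sample: scanner findings in a hypothetical CSV export.
FINDINGS_CSV = """\
host,port,protocol,severity,title
192.168.1.1,22,tcp,medium,Outdated SSH server banner
192.168.1.1,80,tcp,high,Web server directory listing
192.168.1.1,8080,tcp,low,HTTP proxy detected
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def parse_nmap_grepable(text):
    """Return {(host, port, proto): state} from nmap -oG output."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        host = m.group(1)
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[0].isdigit():
                states[(host, int(fields[0]), fields[2])] = fields[1]
    return states


def reconcile(nmap_text, findings_text):
    """Step 3: cross-check the two scans. Step 4: order findings by priority."""
    states = parse_nmap_grepable(nmap_text)
    findings = list(csv.DictReader(io.StringIO(findings_text)))
    keys = {(f["host"], int(f["port"]), f["protocol"]) for f in findings}
    # Findings on ports the port scan did not report as open need a re-check.
    mismatched = sorted(k for k in keys if states.get(k) != "open")
    # Open ports with no finding: the vulnerability scan may not have covered them.
    uncovered = sorted(k for k, s in states.items() if s == "open" and k not in keys)
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return mismatched, uncovered, ordered
```

Entries in `mismatched` and `uncovered` are the disagreements between the two scans to resolve before the report is written.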