Penetration Testing mailing list archives
Re: Pen testing techniques
From: "Nathan Sportsman" <nsportsman () gmail com>
Date: Fri, 11 Apr 2008 14:22:08 -0500
Too add to this, it is important to remember the capabilities of the tool. Many other tools exists that perform these basic tests too, but they are often not even sophisticated enough to identify and bypass client side validation. Nathan Sportsman On Thu, Apr 10, 2008 at 3:18 PM, v3nd3rs5uck <ntpeck () yahoo com> wrote:
Even paros proxy can do the basics of XSS and injection testing and its my favorite price :) Dude, tools are only part of the battle, I agree with Atif --- On Wed, 4/9/08, Jason <securitux () gmail com> wrote:From: Jason <securitux () gmail com> Subject: Re: Pen testing techniques To: "Atif Azim" <azim.atif () gmail com> Cc: pen-test () securityfocus com Date: Wednesday, April 9, 2008, 2:11 PMOh boy... let me intercept this before some others do, lol. You cannot rely on Core or any one tool for a pen test AT ALL. It's a great tool but there is SO much more to pen testing than relying on one single tool, in fact that is the cardinal sin. You need to follow a methodology and use an array of tools and manual techniques to make sure the test is thorough. When I do a web app pen test, the tools never find some of the nastiness that I do manually. Never. Web apps are a curious breed because they are usually custom coded in some way so every single one is different, making standard tools less useful. I am not surprised by your Core Impact results, it is a great tool but they are new to the web app game, and it hasn't been thoroughly developed yet. No fault of theirs, it just hasn't matured the way others have. For web apps I prefer a web app vulnerability scanner like Cenzic Hailstorm for the automated dumb stuff like XFS / XSS and basic authentication bypass. You definitely need to do manual checks, regardless of what the tools find. Try some injections and authentication bypass techniques, and, well, everything else too. Might want to do a search for the OWASP guide, they have great info on web app testing. Besides all this, have you used anything like nmap to find open ports and verify your results? Perhaps Core missed something. Is a stealth approach required to emulate a malicious hacker and therefore your checks need to be quiet and evade detection? I highly recommend if you are new to this to take a course or at least get some good books. A person really can't jump into pen testing like they can jump into product deployment / administration. Might want to search this list as well, you will find some helpful information I am sure. Good luck. -J On Wed, Apr 9, 2008 at 3:48 PM, Atif Azim <azim.atif () gmail com> wrote:Hello, I am new to pen testing and am currently involved indoing an externalpen test for one of our clients.We are doing itthrough CoreImpact.Reconnaisance showed only port 80 as open andthe web serverrunning IIS 6.0.Core Impact did not find anyvulnerabilities in theserver and hence was unable to penetrate.The webapplication was alsotested for SQL Injection and PHP remote fileinclusion and did notfind any vulnerabilities there either. My question is what else can we do besides relying onCore Impact forthis pen test.And what impression can a client get ifwe say to themthat there are no vulnerabilites in your network orweb app.Itsdificult to digest something like that for a securityspecialist thateverythings alright. Looking forward to some great views.Thanks. Regards, Atif Azim------------------------------------------------------------------------This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilitiesfast.Click to try it, buy it or download a solution FREEtoday!http://www.cenzic.com/downloads------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- RE: Pen testing techniques, (continued)
- RE: Pen testing techniques Shenk, Jerry A (Apr 09)
- Re: Pen testing techniques Nathan Sportsman (Apr 09)
- Re: Pen testing techniques Jason (Apr 09)
- Re: Pen testing techniques jond (Apr 09)
- Re: Pen testing techniques Atif Azim (Apr 09)
- Re: Pen testing techniques Erik Harrison (Apr 11)
- Re: Pen testing techniques Joey Peloquin (Apr 11)
- Re: Pen testing techniques vtlists (Apr 11)
- Re: Pen testing techniques jond (Apr 09)
- Re: Pen testing techniques v3nd3rs5uck (Apr 11)
- RE: Pen testing techniques Jason (Apr 12)
- Re: Pen testing techniques Nathan Sportsman (Apr 12)
- Re: Pen testing techniques intel96 (Apr 09)
- get MD5-Hash from /etc/shadow file markus sesser (Apr 11)
- Re: get MD5-Hash from /etc/shadow file Razi Shaban (Apr 12)
- Re: get MD5-Hash from /etc/shadow file Larry Offley (Apr 12)
- Re: get MD5-Hash from /etc/shadow file Morgan Reed (Apr 12)
- Re: get MD5-Hash from /etc/shadow file Peter Kosinar (Apr 14)
- Re: Pen testing techniques Rafael Nuñez (Apr 11)
- Re: Pen testing techniques v3nd3rs5uck (Apr 11)
- Re: Pen testing techniques Tommy May (Apr 09)