Penetration Testing mailing list archives
Re: Pentesting tool - Commercial
From: "Andre Gironda" <andreg () gmail com>
Date: Tue, 26 Feb 2008 09:45:08 -0700
On Tue, Feb 26, 2008 at 1:29 AM, Ramki B <bramkie () gmail com> wrote:
> No specific problem but the need is a comprehensive tool that can test network devices also in addition to OS and Web apps.
Full-knowledge assessments are better for the customer than zero or low-knowledge assessments. If you want "comprehensive", you won't be using many tools because these concepts are contradictory. In your situation, I would use the free version of Nessus with Nikto integration to raise awareness, especially when combined with the open-source web application scanner, Paros. Notice how I said "raise awareness" and not "solve problems".

For testing firewalls, IPS/IDS, and other network/host protections, I would simulate real attacks in a lab using free tools such as Metasploit, w3af, and Eicar. Consultants who had access to Core Impact, CANVAS, the CANVAS sharing alliance, and the full Gleg/Argeniss/D2 packs would be brought in to test this infrastructure. Additionally, different consultants should be brought in to fuzz test the infrastructure with commercial suites such as Codenomicon, beSTORM, BreakingPoint Systems, and Mu-Security (although it's possible to use open-source such as PROTOS, ISIC, and custom fuzz testing with frameworks such as EFS, Peach, Sulley, and SPIKE). All of this can be replayed often (after every configuration change or firmware/OS/application update) with Tomahawk or Traffic IQ Pro so that you don't need to bring in costly consultants with costly tools every time.

After a baseline such as the above, you can then make recommendations on specific state and configuration related issues/checks for vulnerability management. A lot of these recommendations are very dependent on the client - e.g. which compliance standards they are required (or want) to follow, where they fit in comparison to their competitors, and what resources/gaps they have.
However, I wouldn't be surprised to see proposals for solutions from Symantec, McAfee, ESET, Kaspersky, Lumension, BigFix, ConfigureSoft, HP Opsware, Skybox, RedSeal, Tenable, Rapid7, Qualys, nCircle, Agiliance, Archer, ControlPath, ArcSight, Guidance, AccessData, et al - especially the products/solutions that are OVAL-Compatible. It's not "all about" the commercial solutions - clearly you can do all of this with free or open-source products. AntiVir, CentOS, Nipper, CIS-CAT, OSSEC, OSSIM, Beltane, TSK, etc.
> Since we are offering this commercially as a service there are certain customers who object using Open source/Free tools.
In my case (and I know this strategy isn't for anyone), if they insisted on commercial-only software then I would simply drop them as customers. Case in point: the Metasploit open-source framework has over 110 exploits (*) that cannot be found in any of the commercial exploitation engines, nor any of their add-on "packs". Can your customers afford to get hit with one of these by script-kiddies?

Cheers,
Andre

(*) P.S. Here's the list just so you know what should keep you up late at night:

NOTE THAT THIS LIST IS NOT THE COMPLETE EXPLOIT LIST. THIS IS A LIST OF METASPLOIT EXPLOITS THAT ARE NOT AVAILABLE IN CANVAS OR CORE IMPACT

CVE-1999-0874, CVE-2000-0665, CVE-2001-0311, CVE-2001-0800, CVE-2001-1583, CVE-2002-1359, CVE-2002-2226, CVE-2003-0213, CVE-2003-0264, CVE-2003-0344, CVE-2003-0471, CVE-2003-0727, CVE-2003-082, CVE-2003-1336, CVE-2004-0297, CVE-2004-0326, CVE-2004-0330, CVE-2004-0430, CVE-2004-0636, CVE-2004-0695, CVE-2004-0798, CVE-2004-1135, CVE-2004-1211, CVE-2004-1373, CVE-2004-1520, CVE-2004-1558, CVE-2004-1595, CVE-2004-2221, CVE-2004-2271, CVE-2004-2687, CVE-2005-0043, CVE-2005-0116, CVE-2005-0277, CVE-2005-0353, CVE-2005-0455, CVE-2005-0478, CVE-2005-0491, CVE-2005-0511, CVE-2005-0595, CVE-2005-0768, CVE-2005-1018, CVE-2005-1323, CVE-2005-1415, CVE-2005-1543, CVE-2005-1547, CVE-2005-1812, CVE-2005-1815, CVE-2005-1921, CVE-2005-2148, CVE-2005-2287, CVE-2005-2297, CVE-2005-2373, CVE-2005-2535, CVE-2005-2551, CVE-2005-2612, CVE-2005-2773, CVE-2005-2847, CVE-2005-3277, CVE-2005-3314, CVE-2005-3683, CVE-2005-3757, CVE-2005-4411, CVE-2005-4734, CVE-2006-0295, CVE-2006-0460, CVE-2006-0848, CVE-2006-1148, CVE-2006-1551, CVE-2006-1652, CVE-2006-2407, CVE-2006-3252, CVE-2006-3524, CVE-2006-3677, CVE-2006-3838, CVE-2006-3961, CVE-2006-4305, CVE-2006-4777, CVE-2006-4847, CVE-2006-5112, CVE-2006-5216, CVE-2006-5882, CVE-2006-5972, CVE-2006-6055, CVE-2006-6063, CVE-2006-6076, CVE-2006-6332, CVE-2006-6423, CVE-2006-6424, CVE-2006-6425, CVE-2006-6761, CVE-2007-0348, CVE-2007-0449, CVE-2007-1286, CVE-2007-1373, CVE-2007-1676, CVE-2007-1819, CVE-2007-1868, CVE-2007-2446, CVE-2007-2508, CVE-2007-2711, CVE-2007-2918, CVE-2007-3147, CVE-2007-3614, CVE-2007-3778, CVE-2007-3926, CVE-2007-4006, and I'm probably missing some of the most recent ones on this list
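A coverage list like the one above is only useful to a defender if it can be turned into something a vulnerability-management process can track. The following is an added example, not code from Andre's post or from any of the products he names: it parses a pasted CVE list, validates each identifier against the CVE ID syntax so that a malformed token (such as the three-digit "CVE-2003-082" in the list) is flagged rather than silently tracked, de-duplicates and groups the rest by year, and reports which tracked IDs a scanner's own coverage list does not include. The sample list and the "scanner coverage" set are constructed for the demonstration; the function names are the example's own.

```python
"""Added example (not from the mailing-list post): turn a pasted CVE list into a
tracking set for vulnerability management, validating identifiers and computing
the blind spots of a scanner or exploit pack. All sample data is constructed."""
import re
from collections import Counter

# CVE ID syntax: CVE-<4-digit year>-<sequence number of at least 4 digits>
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_list(text):
    """Split a comma/whitespace separated blob into (valid_ids, malformed_tokens).

    Valid IDs are upper-cased, de-duplicated and returned sorted; malformed
    tokens keep their original spelling so an analyst can correct them by hand
    instead of having them dropped silently."""
    valid, malformed = set(), []
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        token = token.upper()
        if CVE_RE.match(token):
            valid.add(token)
        else:
            malformed.append(token)
    return sorted(valid), malformed


def cves_by_year(cve_ids):
    """Count tracked CVEs per year, a quick view of how old the exposure is."""
    return Counter(cid.split("-")[1] for cid in cve_ids)


def coverage_gap(tracked, scanner_covered):
    """Tracked CVEs that a scanner/exploit pack does not report: the items a
    defender has to verify by other means (patch level, configuration, lab test)."""
    return sorted(set(tracked) - {c.upper() for c in scanner_covered})


# Constructed sample: a handful of IDs taken from the post, plus a duplicate,
# a lower-case entry and the malformed token "CVE-2003-082" that appears in the
# original list (three-digit sequence numbers are not valid CVE IDs).
SAMPLE_LIST = """CVE-1999-0874, CVE-2000-0665, CVE-2003-0213, CVE-2003-082,
CVE-2004-0297, CVE-2004-0297, cve-2005-0043, CVE-2007-4006"""

# Constructed: what a hypothetical commercial scanner claims to check for.
SAMPLE_SCANNER_COVERAGE = ["CVE-2000-0665", "CVE-2004-0297"]

if __name__ == "__main__":
    ids, bad = parse_cve_list(SAMPLE_LIST)
    print("tracked:", ids)
    print("malformed (fix by hand):", bad)
    print("per year:", dict(cves_by_year(ids)))
    print("not covered by scanner:", coverage_gap(ids, SAMPLE_SCANNER_COVERAGE))
```

Feed `parse_cve_list` the full list from the post and `coverage_gap` the CVE list your scanner or exploit product publishes; whatever comes back is the set the post is warning about, and it belongs in the baseline recommendations rather than in the "assumed covered" column.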