Penetration Testing mailing list archives
Re: Penetration Testing Services
From: Andre Gironda <andreg () gmail com>
Date: Tue, 3 Aug 2010 11:40:01 -0500
On Mon, Aug 2, 2010 at 6:18 AM, cribbar <crib.bar () hotmail co uk> wrote:
> Penetration Testing Community - I am interested in getting an expert response to a discussion that keeps coming up in our company management: if we have an IT Security section who are using the most common vulnerability scanning / penetration testing tools, what is the point in investing significant $$$ in buying in a 3rd party to do exactly the same?
Scans don't find the vulns that adversaries really use. Only penetration-testers do this. Scans find the vulns that a script kiddie from 10 years ago could find. For example, scanners such as Nessus, Qualys, Rapid7, et al -- they only find CVEs against metastructure. They do not focus on the infostructure (apps and data). They usually do nothing with client-side exploits, or drive-by exploits. They don't figure out how to break your authentication in your web applications or the session management, or bypass your firewalls and antivirus completely by using an XSS proxy (or a man-in-the-browser technique like formjacking, clickjacking, strokejacking, etc). They do not perform risk management or threat-modeling for you. Penetration-testing, if done well (e.g. by a CHECK certified company), does all of this.
> I fully appreciate that penetration testing is an area of high skill; as a 3rd party you provide an independent, neutral security review; it takes years to master the topic, and once mastered you need to stay up to date with all the current vulnerabilities and exploits; and it is your guys' area of expertise, whereas a security admin is not specific to penetration testing.
Nah. It's not that hard. You have to know enough to run a tool such as Burp Suite Pro or ProxyFuzz. You can learn these by picking up a few books such as "The Web Application Hacker's Handbook" or "Fuzzing: Software Security Testing & Quality Assurance". I might also suggest "The Art of Software Security Assessment". You can get by doing most app assessments and penetration-tests (or just general ethical hacking activities) using these 3 books. There aren't a lot of good books on client-side exploits or drive-by exploits yet. You'll have to dig through the Metasploit project yourself. However, some books cover these subjects, such as recent ones from the Hacking Exposed or Seven Deadliest Attacks series (however, the quality of McGraw-Hill and Syngress security books is extremely low compared to the publishers of the first three books I mentioned). Things like Karma, Karmetasploit, Metasploit, Drivesploit, et al.
> I trawled through the archives of this forum and others, and it seems some pen testing companies use the exact same tools such as nmap and nessus, and
Not these ones -- http://www.cesg.gov.uk/products_services/iacs/check/index.shtml Penetration-testing requires a threat-model and this threat-model should be attacked in production using social engineering, app assessments (especially including web applications), database privilege escalation, and generalized posture assessments. Penetration-tests also require an agreed-upon target asset, such as a copy of the 2009 financial report locked in the CEO's safe and using an agreed-upon methodology. Nmap and Nessus can certainly be used during penetration-testing, but they are not the start or end of the activities and tools used. I do more ethical hacking than penetration-testing, which is usually open-ended (no target assets) but using a timeboxed period similar to how Agile developers use sprints. My toolbox is more Nikto, Burp Suite Pro, and Netsparker. All of these tools can be tied together using The Dradis Framework.
> in some cases simply pass across a Nessus report for a specific IP range and that's the report they use. This to me sounds a complete rip off, and I
Gartner or Forrester can give you a large list of companies that do not do this and do not rip you off. You must be using the wrong penetration-testing companies. Or you can use companies certified by http://www.cesg.gov.uk/products_services/iacs/check/index.shtml
> can't see the benefit. So where is the added benefit in having an internal security guy run nessus, and paying a 3rd party pen tester x amount of $$$ money to do exactly the same? Why not just stick with the internal guy? Or
Why not replace the internal guy with Qualys? Any manager can setup the IP information on the front panel of the box they give you.
> am I missing something? I really would appreciate real examples of whereby just running Nessus is simply not enough as it won't catch a, b and c! I look forward to your comments.
You're kidding, right? Like I said before, most of the adversaries are focused on attacks made popular in the past 6 years; not 10 years ago. Nessus or any of these scanners are focused on CVE type vulnerabilities in metastructure. They do not focus on CWEs in infostructure. They mostly or only work on the server-side, not the client-side. Adversaries switched major focus to the client-side and now use a very basic model that includes using affiliate web-framework tools like Fragus (whitehats would use Drivesploit/Metasploit) combined with spamming-tools like Cutwail (whitehats would use SET/Maltego) to focus attention on to certain key individuals, and then infect their browsers using ZeuS (or their memory both inside and outside of the browser using Meterpreter from Metasploit -- usually performed by whitehats). Antivirus, firewalls, and most IPS systems have been shown to not be able to prevent these attacks (I am guessing 100 percent of the time, but it's probably more like 95-99%).

Once in, adversaries using an initial IE 0-day exploit will perform a full "Aurora" style infiltration, which usually involves breaking admin (using auth/sess-mgmt/XSS) panels on web applications (through various means usually involving SQLi, RFI/LFI, and file upload vulnerabilities -- usually in this order), accessing web servers & databases (to insert Fragus -- or whitehats might use Metasploit's "Lucky Punch"), and grabbing as many source-code repository credentials as possible, probably in order to insert their own hidden source-code based backdoors into your custom applications and/or steal intellectual property, financial records, payment card data, etc (although this is easier to do long-term if the adversary inserts himself or herself into the custom apps that your business depends on by becoming a silent, illegal developer).
If the adversary is not capable of performing the attacks in the last paragraph (and only able to use tools like Fragus, Cutwail, and ZeuS -- which are very easy GUI tools that have many equivalents in China and other places around the world), then he or she will usually find a way to sell their botnet in order to create a SQLi or RFI botnet themselves or to angel investors, or to sell to another adversary with advanced enough expertise to pull off the final Aurora style attacks. It's an underground economy that excels at finding every vulnerable nook and cranny. If you're not getting hit by it, then you've probably performed a lot of penetration-testing. ;>

Cheers,
Andre