Network Security Pen-Test
RE: Network Exploitation Tools aka Exploitation Engines

Subject: RE: Network Exploitation Tools aka Exploitation Engines
Date: Wed, 18 Aug 2004 04:39:44 -0700
QUICK NOTE: Andy, I want to thank you for the continued hard work you
have put into your well-researched and valuable product, tool and
service classification portal. Thank you. Please keep it up and let me
know if there is anything I can do to help out in the future.

*OK, back to the (long) post:

I think Exploitation Engine (or Exploit Engine) is an appropriate
classification or category.

*Now for a reasonably short rant:

-disclaimer: I haven't used metasploit or CORE so I can make no
assumptions about dev quality, QA and support they offer.

After extensive usage and testing of CANVAS, I can't help but see the
value these Exploitation Engines provide to the average IT/Security
Administrator, Engineer, Penetration Tester or Auditor. Not to mention
my theory that they would be invaluable to a recent CS grad or
experienced programmer looking to get into the vulnerability research
and exploitation field. Some of these tools are written in Python
(CANVAS is for sure), allowing the user to look at the source and learn
from some of the very best out there in vulnerability research and
exploitation.

When pitching this purchase (ROI, TCO) to your Management, I would take
a path similar to this, "Immunity's CANVAS is an exploit engine that can
be used to verify the implementation and effectiveness of patches pre or
post solution purchase." You can also use your trusted exploits to
verify the findings of your VA scanner(s).

I have recommended this tool many times to my customers and speech
attendees. It solves the very real problem of vulnerability verification
for customers who have neither the time nor the desire to achieve the
Black Belt level of exploit creation. This need inevitably forces them
to head to underground hacker sites to get untested and untrusted
exploits written by coders without accountability for their exploits'
"true intention". Metasploit (I assume) and CANVAS (I know) offer
accountability by standing behind each exploit.

Why would I recommend to my low-medium skill set IT/Security customers
that they pull down "dirty" and "wild" sploits off the net? By running
this code (probably on their desktops), they are at great risk of
getting more than they bargained for. It is probable that this increased
risk outweighs the initial goal of achieving vulnerability validation to
convince an antagonistic business unit owner to patch or upgrade that
vulnerable internet facing legacy server.

Ok, if you are saying, "these morons should test these exploits in a lab
environment first," then you are missing the point. Not everyone has the
interest, time, extra computer resources or knowledge of what they are
even looking for to know how to validate these dirty exploits. The
answer is that I never would recommend this when low cost (CANVAS) and
free (MetaSploit) Exploitation Engines allow vulnerability verification
without fear of running "assembly code from hell" or an evil hidden
rootkit.  The good news is that Dave Aitel and HD Moore have attached
their names and corporations to the quality of these products. If/When
something goes wrong, they will be there to help. Why? Because that is
how good people run good businesses.

        -Erik Pace Birkholz, CISSP
                www.SpecialOpsSecurity.com (erik@specialopssecurity.com)
                www.Foundstone.com (erik@foundstone.com)
                323-252-5916 cell
-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com] 
Sent: Monday, August 16, 2004 12:44 PM
To: pen-test@securityfocus.com
Subject: Network Exploitation Tools


Hi,
I have just introduced another category on the site covering the various
exploitation tools out there.  To my knowledge there are only 3.
CANVAS, CORE IMPACT and Metasploit.  Firstly, have I captured them all
or are there some other products of this nature lurking about?
http://www.securitywizardry.com/exploit.htm
Secondly, what do we call them, or is Network Exploitation Tools the
appropriate name?

cheers for any time you can give
-andy cuff
PS there are loads of other pages with out-of-date info, I am currently
working my way through them

Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com
