Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Core Impact Vs Manual Pen Test

from [bart] Network Security [Permanent Link]
Subject: Re: Core Impact Vs Manual Pen Test
Date: Fri, 01 Sep 2006 05:27:52 -0700 
J,

As a user of Core at my place of work I can tell you that there is no
substitute for good, manual, pen-testing.  Core enables us to speed
things up with the agents and documentation that it utilizes, but the
actual attacks are usually run by hand or in combination with
Metasploit.  The real beauty of Core comes into play usually "after"
the penetration, allowing you to deploy their agents and manipulate the
compromised system even further.

Don't get me wrong, Core is a great product and if your company is
willing to pay the dough for it, take it.  But, make no mistake...You
will NOT get a complete and accurate pen-test if you simply use the
"Rapid Penetration Test" wizards alone.  Using the "point and click"
approach with this tool may yield a few vulnerabilities and exploit
them for you, but without having the knowledge and experience of actual
pen-testing, all you would be doing is scratching the surface (low
hanging fruit).

Some businesses only require / want this type of test.  All they are
worried about is that proverbial "check in the box" to report that they
have officially had a penetration test performed.  If that is the case,
sad as it may be, then Core would be ideal for them.  It would save
them money in the long run.

If on the other hand a business wants to know how vulnerable they really
are (how deep the rabbit hole actually goes), then they still need to
hire a true pen-testing consultant to perform the test.  As a
consultant, using Core like I said before would speed up the process,
but you definitely cannot rely on it as the end all solution.

Hope this helps.  I have been using Core for a year now and wouldn't
trade it for the world.  The best approach I have found is a sort of
hybrid test, utilizing Metasploit, home brewed exploits, and Core
together.  They all have advantages and disadvantages, and when
combined, you get the best of all of them.

-Bart


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: Core Impact Vs Manual Pen Test, Joey Peloquin
Next by Thread:  Re: Core Impact Vs Manual Pen Test, Joey Peloquin
Indexes:  [Date] [Thread] [Top] [All Lists]