Network Security Pen-Test

Re: Cross testing exploit with vulnerability scan results

Date: Sun, 29 Jul 2007 12:12:00 +0200 (CEST)
On Sun, 29 Jul 2007, Chroot wrote:

> *snip*
>
> Let's take this scenario:
>
> 1. We run NMAP and find that the target runs IIS6.0 (through banner
> grabbing and telnetting)
> 2. We run Nessus and find that it doesn't report any holes
> 3. We run WebInspect and manually test for SQL Injection, XSS and similar issues
>
> Let's assume a scenario where Nessus had an issue with some NASL
> script and it couldn't catch an issue in this IIS6.0 ...
>
> To counter such scenarios I can think of three cases:
> 1. Run Retina on the target and cross check results
> 2. Download all possible exploits for IIS6.0 and manually test them
> against the target (of course I'll test them on my test network first)

Are you sure you understand what "all possible exploits" do? The art of penetration testing is to select the proper exploit for a target, or to write an exploit if none is available. I never rely on scanners. They only give me a hint of where to hit first, but from there everything else is done manually. Some exploits need some afterwork to function - not so much because of script-kiddie protection, but because the target system behaves differently from the one the exploit was originally written for.

> 3. Install another version of Nessus, maybe 2.x or 3.x, on a Windows
> system and cross check...
>
> My query to fellow testers is: is there a fourth option, and what is
> the preferred option of the 3 above, and why..

Yes, of course there is a fourth option and it is to be preferred above all others: Use your knowledge and your imagination to find a hole. Play with the answer from the server. Never blindly use one exploit after the other in the hope that one will work. Check the results and modify the exploits depending on the answers of the server. Most exploits may be useless, but not necessarily all.

With your options you are basically testing the scanners, not the target
server. Your question boils down to "If scanner one does not give this
or that result, will scanner two do?". I have to agree with Wood: this is
not penetration testing. It's vulnerability scanning.

Cheers,

Christine Kronberg.
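The "banner grabbing and telnetting" step from the scenario above, and the advice to check the server's own answer rather than trusting a scanner, can be scripted. The block below is an added example written for this page; it is not code from either poster. It sends the same minimal request a tester would type into telnet, parses the raw HTTP response, pulls out the evidence a tester reads by eye (Server header, X-Powered-By, header order), and reconciles that with what a scanner claimed. The function names and the two sample responses are this example's own constructions, not real captures; the IIS 6.0 header ordering is a constructed illustration of the kind of signal to look at.

```python
"""Manually cross-check a scanner's "IIS 6.0" claim against the server's own answer.

Added example (not from the original thread). Names such as grab_banner,
parse_http_response, fingerprint and reconcile are hypothetical; the two
responses below are constructed samples, not captures from a real host.
"""
import re
import socket

# Constructed sample: what an IIS 6.0 host might send back to HEAD /.
SAMPLE_IIS6 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 1433\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Sat, 22 Feb 2003 01:48:30 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"ETag: \"06be97f14dac21:2bc\"\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Sun, 29 Jul 2007 10:12:00 GMT\r\n"
    b"\r\n"
)

# Constructed sample: the same server with its Server header stripped
# (e.g. by a filter such as URLScan), so the banner alone proves nothing.
SAMPLE_OBSCURED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 29 Jul 2007 10:12:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1433\r\n"
    b"\r\n"
)

REQUEST = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"


def grab_banner(host, port=80, timeout=5.0):
    """The telnet step, scripted: send a minimal HEAD request over a raw
    socket and return the response headers as bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(REQUEST % host.encode())
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return buf


def parse_http_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...]).
    Header order is preserved because it is itself a fingerprint signal."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers


def fingerprint(headers):
    """Collect the evidence a tester looks at by hand."""
    lookup = {n.lower(): v for n, v in headers}
    server = lookup.get("server")
    return {
        "server": server,
        "claims_iis6": bool(server and server.startswith("Microsoft-IIS/6.0")),
        "asp_net": lookup.get("x-powered-by") == "ASP.NET",
        "header_order": [n for n, _ in headers],
    }


def reconcile(scanner_says, observed):
    """Compare the scanner's claim with the server's actual answer.
    Returns "agree", "disagree", or "banner_hidden" when there is no
    Server header at all and the tester has to fall back on other signals."""
    if observed["server"] is None:
        return "banner_hidden"
    return "agree" if observed["server"] == scanner_says else "disagree"


if __name__ == "__main__":
    # Offline run over the constructed samples; replace with
    # grab_banner("target.example") against a host you are authorised to test.
    for raw in (SAMPLE_IIS6, SAMPLE_OBSCURED):
        status, hdrs = parse_http_response(raw)
        fp = fingerprint(hdrs)
        print(status, fp, reconcile("Microsoft-IIS/6.0", fp))
```

The point of keeping the header order is the caveat a practitioner wants here: a Server header can be removed or rewritten, so a "banner_hidden" or "disagree" result is a prompt to look at other evidence (header ordering, error pages, behaviour of malformed requests) rather than a reason to trust either scanner.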


