RE: Know such a web's server tool? -- huh

From: Paul Vet (paul.vet_at_baldhead.com)
Date: 07/22/03

  • Next message: R. DuFresne: "RE: Know such a web's server tool? -- huh" 
    To: <Bojan.Zdrnja@LSS.hr>, "'Alvin Oga'" <alvin.sec@Mail.Linux-Consulting.com>
Date: Tue, 22 Jul 2003 12:37:19 -0400

    > > okay.... i'll bite ... why does everybody/somebody think that
    > "pen-test"
    > > means to run a port scan w/ nmap/nessus .. etc ..
    >
    > Exactly this is the reason why penetration testing isn't only running of
    > nmap/nessus/iss/whatever, but more important - interpretation of
    > results and
    > additional steps taken.
    >
    > Everyone can run tools, but only people who understand things can
    > interpret
    > their results and find additional possible or existing security problems.

    Agreed. However, anybody can just run the tools and say "oh crap, I'm
    terribly vulnerable" and maybe, just maybe, they'll go to Windows Update and
    we'll have one less machine spreading the next big worm.

    To go back in time a little, the original poster asked for a tool to
    enumerate hosts, scan them for vulnerabilities, and attempt to exploit them.
    I think we're all aware that that does not make a full pen-test, but it
    could have many uses. It could be that he's just become aware of security
    issues and wants to do a quick test of his LAN. Perhaps he's a black-hat
    trying to expand his bot-net. Who knows?

    I do think that it's important that we not just dismiss Nessus with "that's
    not a real pen-test." It's true, it isn't a full pen-test, but it doesn't
    claim to be. What it does do is give the end user a bit of a chance. Most
    people can't afford to either a) learn how to do a complete pen-test, or b)
    hire a team. Tools like Nessus are the first step in getting joe-user to
    secure his box.

    Paul.

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

  • Next message: R. DuFresne: "RE: Know such a web's server tool? -- huh"

    Relevant Pages

    • Re: Penetration tester or Ethical hacker future?
      ... I'd say that the pen-test market as we know it today has another 5-10 years ... I do not believe that penetration testing is a waste of money. ... vulnerabilities you need skilled persons to do the job who cost alot... ... and will probably not be replaced by automated tools. ...
      (Pen-Test)
    • RE: Penetration tester or Ethical hacker future?
      ... I'd say that the pen-test market as we know it today has another 5-10 years ... people and write custom tools in addition to the commercial scanners. ... for penetration testing. ...
      (Pen-Test)