RE: Core Impact Vs Manual Pen Test



I use Core Impact and I have to say... it is a tool and a good one. But it won't exploit every possible vulnerabilities. Sometimes you can reach root access thru escalation, which is the coolest way of all.

Myself and my collegue once found a backup script that divulged the root password... the script was found via a anonymous FTP server :-) (And this was in a Scada environment)

Core impact won't do that for you! Catch my drift?



________________________________

From: jackal_pf0@xxxxxxxxx [mailto:jackal_pf0@xxxxxxxxx]
Sent: Thu 8/31/2006 2:55 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Core Impact Vs Manual Pen Test



Dear Members,



I've been doing Pen test for a quite while. I have used both Open source and Commercial tools for the activity. Now because of automated tools such as core Impact, Canvas, Qualys most of the clients are coming up with the Question of Whether to go fo Core Impact or hire some consultants to do the activity. These clients are not worried bout paying huge money to buy these tools.



Since I have not used Core Impact, I cant figure out the differences. I believe you guys can help me out.



Any comments appreciated.



Regds,



J

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

AVERTISSEMENT CONCERNANT LA CONFIDENTIALITÉ

Le présent message est à l'usage exclusif du ou des destinataires mentionnés ci-dessus. Son contenu est confidentiel et peut être assujetti au secret professionnel. Si vous avez reçu le présent message par erreur, veuillez nous en aviser immédiatement et le détruire en vous abstenant d'en faire une copie, d'en divulguer le contenu ou d'y donner suite.

CONFIDENTIALITY NOTICE

This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication by error, please notify the sender and delete the message without copying or disclosing it.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



Relevant Pages

  • Re: pentest documentation
    ... I've heard of Core Impact and even tried to get a price info. ... It would be nice to have some open source tools for this tasks. ... Cenzic Hailstorm finds vulnerabilities fast. ... Click the link to buy it, try it or download Hailstorm for FREE. ...
    (Pen-Test)
  • Re: Pen testing techniques
    ... While Core Impact is a great tool, it is only that a tool. ... My skills were tested against a security tool vendor, which was using their tool as a selling point. ... For example, the tool vendor lost, because it was not designed to identify or find vulnerabilities in SAP web-enabled applications. ... Within the source code I found a username and password that was left over by the development team. ...
    (Pen-Test)
  • Re: Pen testing techniques
    ... Running an automated assessment tool, however expensive, should only ... Tools such as Core Impact will help determine ... Yada yada yada. ... running IIS 6.0.Core Impact did not find any vulnerabilities in the ...
    (Pen-Test)
  • Core Impact Vs Manual Pen Test
    ... Since I have not used Core Impact, I cant figure out the differences. ... Cenzic Hailstorm finds vulnerabilities fast. ... Click the link to buy it, try it or download Hailstorm for FREE. ...
    (Pen-Test)
  • Pen testing techniques
    ... pen test for one of our clients.We are doing it through Core ... Impact.Reconnaisance showed only port 80 as open and the web server ... running IIS 6.0.Core Impact did not find any vulnerabilities in the ... My question is what else can we do besides relying on Core Impact for ...
    (Pen-Test)