RE: Core Impact Vs Manual Pen Test



Core is a cool product as are Metasploit and Canvas, though I don't feel that
any of them would replace a manual Pen Test, though they will complement one
and indeed speed one up. Perhaps the client could use an exploitation engine
prior to employing Pen Testers to remove the low hanging fruit, forcing the Pen
Testers to think outside the box in order to demonstrate their Leetness and
attract repeat business.

Best Regards
--
Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com


Quoting Philippe Dumont <philippe.dumont@xxxxxxxxxxxxxxxxx>:

I use Core Impact and I have to say... it is a tool and a good one. But it
won't exploit every possible vulnerabilities. Sometimes you can reach root
access thru escalation, which is the coolest way of all.

Myself and my collegue once found a backup script that divulged the root
password... the script was found via a anonymous FTP server :-) (And this was
in a Scada environment)

Core impact won't do that for you! Catch my drift?



________________________________

From: jackal_pf0@xxxxxxxxx [mailto:jackal_pf0@xxxxxxxxx]
Sent: Thu 8/31/2006 2:55 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Core Impact Vs Manual Pen Test



Dear Members,



I've been doing Pen test for a quite while. I have used both Open source and
Commercial tools for the activity. Now because of automated tools such as
core Impact, Canvas, Qualys most of the clients are coming up with the
Question of Whether to go fo Core Impact or hire some consultants to do the
activity. These clients are not worried bout paying huge money to buy these
tools.



Since I have not used Core Impact, I cant figure out the differences. I
believe you guys can help me out.



Any comments appreciated.



Regds,



J

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

AVERTISSEMENT CONCERNANT LA CONFIDENTIALITÉ

Le présent message est à l'usage exclusif du ou des destinataires mentionnés
ci-dessus. Son contenu est confidentiel et peut être assujetti au secret
professionnel. Si vous avez reçu le présent message par erreur, veuillez nous
en aviser immédiatement et le détruire en vous abstenant d'en faire une
copie, d'en divulguer le contenu ou d'y donner suite.

CONFIDENTIALITY NOTICE

This communication is intended for the exclusive use of the addressee
identified above. Its content is confidential and may contain privileged
information. If you have received this communication by error, please notify
the sender and delete the message without copying or disclosing it.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?
camp=701600000008bOW
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



Relevant Pages

  • Re[4]: Informing Companies about security vulnerabilities...
    ... They send out HTML formatted email, I use a POP client that can be toggled to not render HTML. ... conduct a pen test? ... Cenzic Hailstorm finds vulnerabilities fast. ...
    (Pen-Test)
  • Re: pentest documentation
    ... I've heard of Core Impact and even tried to get a price info. ... It would be nice to have some open source tools for this tasks. ... Cenzic Hailstorm finds vulnerabilities fast. ... Click the link to buy it, try it or download Hailstorm for FREE. ...
    (Pen-Test)
  • cracking Y2k DC Admin password
    ... cannot even dump the sam from a 2k box, as I would condiser this a basic ... for a pen test in doing I got control on the server and logged as the ... the local ADMIN$ shere. ... Cenzic Hailstorm finds vulnerabilities fast. ...
    (Pen-Test)
  • RE: Core Impact Vs Manual Pen Test
    ... I use Core Impact and I have to say... ... But it won't exploit every possible vulnerabilities. ... Cenzic Hailstorm finds vulnerabilities fast. ... Click the link to buy it, try it or download Hailstorm for FREE. ...
    (Pen-Test)
  • Re: The legal / illegal line?
    ... Offer to do a free lightweight pen test for the company. ... Varun V Nair ... On 05/03/07, Philosophil wrote: ... Cenzic Hailstorm finds vulnerabilities fast. ...
    (Pen-Test)