Re: Pentesting tool - Commercial

On Wed, Feb 27, 2008 at 1:38 PM, Trygve Aasheim <trygve@xxxxxxxxxxxxx> wrote:
This doesn't mean I don't like or use Metasploit, Canvas or any
other...I just want to point out that the quality of a product is not
based a number, and Core Impact has proven its quality many times, and
in many ways.

The numbers show that Core Impact is superior to Canvas and Metasploit.

Unfortunately, it also shows that Impact is missing quite a lot. The
point I was trying to make is that you can't use only one exploitation
engine.

However, I also fail to see the point of using an exploitation engine
except in the case of testing IPS/IDS or similar. In this case,
anyone would clearly be better off using BreakingPoint Systems
BPS-1000.

Using exploits on production or IT networks is unethical. This isn't
the wild west. You're overpaying by about $19K-$26K for what you need
when you go with Core Impact. I don't know about ya'll, but the idea
of propagating a pseudo-worm through a corporate network seems about
as good of an idea as asking the power company to shut off electricity
to a hospital for "just a minute, to see what will happen".

Instead of RPT, I suggest asset management combined with regular,
good-old fashioned vulnerability scanning. Most of the "experts" I
know don't even understand the difference between a vulnerability and
an exploit. More of those people don't even understand how unreliable
exploits usually are (let alone scanning errors in vulnerability-only
scanners).

Core already lied once on this list about how many modules vs.
exploits vs. CVE's they support. They could make anything up. The
money numbers do not lie. Compare to Rapid7, Tenable, Lumension, or
McAfee for yourself.

If you have to raise awareness by running live exploits, try
Metasploit. It's free. Management still not convinced? Already
covered all the Metasploit exploits? Try Canvas, it's cheap.
Management still not convinced? Already covered the Canvas exploits,
too? Add an exploitation pack or two. Start writing your own
exploits. Management still not convinced? Already covered all of the
Canvas exploitation packs and started writing your own in-house
exploits specific to your architecture? Maybe Core Impact will help;
call them for a demo.

I have no idea why people are so quick to jump to Core Impact first.
You can't just throw money at these types of problems. Security is a
very careful and gradual process.

Cheers,
Andre

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Relevant Pages

  • Re: [fw-wiz] VA vs PT tool
    ... CORE IMPACT does exactly what you ask for, ... proof of concept code hacked together from mailing lists and archives), ... the infosecurity magazine review of the product is not especially good, ... >> vulnerability. ...
    (Firewall-Wizards)
  • Re: IDS Evaluation
    ... vulnerability scanning). ... We actually include a limited license copy of Core Impact with our ... Evaluation boxes that we ship so people can easily evaluate our IPS ... >> about the accuracy of the ids. ...
    (Focus-IDS)
  • Re: Re: Re: HTTP traffic
    ... Exploit specific means -> u have less idea about the vulnerability and u want to complete the rules fast?? ... exploit specific,IT dosent looks professional,U can bypassed by just changing AAA to BBB bobo.. ... with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)