Re: Core Impact Vs Manual Pen Test

From: bart@packetjunkie.com
Date: Fri Sep 01 2006 - 08:27:52 EDT

• Next message: Joey Peloquin: "Re: Core Impact Vs Manual Pen Test"
• Previous message: 3 shool: "Re: C# Exceptions"
• Maybe in reply to: jackal_pf0@lycos.com: "Core Impact Vs Manual Pen Test"
• Next in thread: Joey Peloquin: "Re: Core Impact Vs Manual Pen Test"
• Reply: Joey Peloquin: "Re: Core Impact Vs Manual Pen Test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

J,

As a user of Core at my place of work I can tell you that there is no
substitute for good, manual, pen-testing. Core enables us to speed
things up with the agents and documentation that it utilizes, but the
actual attacks are usually run by hand or in combination with
Metasploit. The real beauty of Core comes into play usually "after"
the penetration, allowing you to deploy their agents and manipulate the
compromised system even further.

Don't get me wrong, Core is a great product and if your company is
willing to pay the dough for it, take it. But, make no mistake...You
will NOT get a complete and accurate pen-test if you simply use the
"Rapid Penetration Test" wizards alone. Using the "point and click"
approach with this tool may yield a few vulnerabilities and exploit
them for you, but without having the knowledge and experience of actual
pen-testing, all you would be doing is scratching the surface (low
hanging fruit).

Some businesses only require / want this type of test. All they are
worried about is that proverbial "check in the box" to report that they
have officially had a penetration test performed. If that is the case,
sad as it may be, then Core would be ideal for them. It would save
them money in the long run.

If on the other hand a business wants to know how vulnerable they really
are (how deep the rabbit hole actually goes), then they still need to
hire a true pen-testing consultant to perform the test. As a
consultant, using Core like I said before would speed up the process,
but you definitely cannot rely on it as the end all solution.

Hope this helps. I have been using Core for a year now and wouldn't
trade it for the world. The best approach I have found is a sort of
hybrid test, utilizing Metasploit, home brewed exploits, and Core
together. They all have advantages and disadvantages, and when
combined, you get the best of all of them.

-Bart

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: Joey Peloquin: "Re: Core Impact Vs Manual Pen Test"
• Previous message: 3 shool: "Re: C# Exceptions"
• Maybe in reply to: jackal_pf0@lycos.com: "Core Impact Vs Manual Pen Test"
• Next in thread: Joey Peloquin: "Re: Core Impact Vs Manual Pen Test"
• Reply: Joey Peloquin: "Re: Core Impact Vs Manual Pen Test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:53 EDT