Re: Core Impact Vs Manual Pen Test

From: Joey Peloquin (joeyp@cotse.net)
Date: Fri Sep 01 2006 - 16:57:25 EDT

• Next message: marylee@m6.dion.ne.jp: "Re: webtrust/systrust info"
• Previous message: bart@packetjunkie.com: "Re: Core Impact Vs Manual Pen Test"
• In reply to: bart@packetjunkie.com: "Re: Core Impact Vs Manual Pen Test"
• Next in thread: crazy frog crazy frog: "Re: Core Impact Vs Manual Pen Test"
• Reply: crazy frog crazy frog: "Re: Core Impact Vs Manual Pen Test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

bart@packetjunkie.com wrote:
> J,
>
> As a user of Core at my place of work I can tell you that there is no
> substitute for good, manual, pen-testing. Core enables us to speed
> things up with the agents and documentation that it utilizes, but the
> actual attacks are usually run by hand or in combination with
> Metasploit. The real beauty of Core comes into play usually "after"
> the penetration, allowing you to deploy their agents and manipulate the
> compromised system even further.
>
> Don't get me wrong, Core is a great product and if your company is
> willing to pay the dough for it, take it. But, make no mistake...You
> will NOT get a complete and accurate pen-test if you simply use the
> "Rapid Penetration Test" wizards alone. Using the "point and click"
> approach with this tool may yield a few vulnerabilities and exploit
> them for you, but without having the knowledge and experience of actual
> pen-testing, all you would be doing is scratching the surface (low
> hanging fruit).
>
> Some businesses only require / want this type of test. All they are
> worried about is that proverbial "check in the box" to report that they
> have officially had a penetration test performed. If that is the case,
> sad as it may be, then Core would be ideal for them. It would save
> them money in the long run.
>
> If on the other hand a business wants to know how vulnerable they really
> are (how deep the rabbit hole actually goes), then they still need to
> hire a true pen-testing consultant to perform the test. As a
> consultant, using Core like I said before would speed up the process,
> but you definitely cannot rely on it as the end all solution.
>
> Hope this helps. I have been using Core for a year now and wouldn't
> trade it for the world. The best approach I have found is a sort of
> hybrid test, utilizing Metasploit, home brewed exploits, and Core
> together. They all have advantages and disadvantages, and when
> combined, you get the best of all of them.
>
> -Bart

VERY well said, B., and the same goes for any hack-in-the-box platform out
there.

-jp

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: marylee@m6.dion.ne.jp: "Re: webtrust/systrust info"
• Previous message: bart@packetjunkie.com: "Re: Core Impact Vs Manual Pen Test"
• In reply to: bart@packetjunkie.com: "Re: Core Impact Vs Manual Pen Test"
• Next in thread: crazy frog crazy frog: "Re: Core Impact Vs Manual Pen Test"
• Reply: crazy frog crazy frog: "Re: Core Impact Vs Manual Pen Test"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:53 EDT