From: crazy frog crazy frog (i.m.crazy.frog@gmail.com)
Date: Sat Sep 02 2006 - 02:50:14 EDT
it is core impact or canvas or any other automated tools. they work
on a predefined logic they can not take a decision on what is the best
way to exploit a vulnerability.but if you hire a experinced pentester
then based up on his experiance he can decide what is the best method
to perform the pentest.as all other said automated tools are good to
have but they can not replace the humans.
HTH
_CF
http://www.secgeeks.com
On 9/2/06, Joey Peloquin <joeyp@cotse.net> wrote:
> bart@packetjunkie.com wrote:
> > J,
> >
> > As a user of Core at my place of work I can tell you that there is no
> > substitute for good, manual, pen-testing. Core enables us to speed
> > things up with the agents and documentation that it utilizes, but the
> > actual attacks are usually run by hand or in combination with
> > Metasploit. The real beauty of Core comes into play usually "after"
> > the penetration, allowing you to deploy their agents and manipulate the
> > compromised system even further.
> >
> > Don't get me wrong, Core is a great product and if your company is
> > willing to pay the dough for it, take it. But, make no mistake...You
> > will NOT get a complete and accurate pen-test if you simply use the
> > "Rapid Penetration Test" wizards alone. Using the "point and click"
> > approach with this tool may yield a few vulnerabilities and exploit
> > them for you, but without having the knowledge and experience of actual
> > pen-testing, all you would be doing is scratching the surface (low
> > hanging fruit).
> >
> > Some businesses only require / want this type of test. All they are
> > worried about is that proverbial "check in the box" to report that they
> > have officially had a penetration test performed. If that is the case,
> > sad as it may be, then Core would be ideal for them. It would save
> > them money in the long run.
> >
> > If on the other hand a business wants to know how vulnerable they really
> > are (how deep the rabbit hole actually goes), then they still need to
> > hire a true pen-testing consultant to perform the test. As a
> > consultant, using Core like I said before would speed up the process,
> > but you definitely cannot rely on it as the end all solution.
> >
> > Hope this helps. I have been using Core for a year now and wouldn't
> > trade it for the world. The best approach I have found is a sort of
> > hybrid test, utilizing Metasploit, home brewed exploits, and Core
> > together. They all have advantages and disadvantages, and when
> > combined, you get the best of all of them.
> >
> > -Bart
>
> VERY well said, B., and the same goes for any hack-in-the-box platform out
> there.
>
> -jp
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
-- ting ding ting ding ting ding ting ding ting ding ding i m crazy frog :) "oh yeah oh yeah... another wannabe, in hackerland!!!" ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:53 EDT