Re: Opinions of automated testers

From: Lee Lawson (leejlawson@gmail.com)
Date: Thu May 10 2007 - 03:25:33 EDT


You could also download the Foundstone hacmebank, hacmebooks and
hacmecasino applications. You will need .Net and MSDE installed but
they work quite well.

On 5/9/07, John Reno <jreno@cenzic.com> wrote:
> Mathijs,
>
> Cenzic provides a sample application called CrackMeBank modeled after a
> financial services site that is useful for conducting assessments and
> evaluating products. It can be found at http://crackme.cenzic.com.
>
> The product itself is Cenzic Hailstorm. We have a broad cross-section
> of users, but in the pen-test area what customers have found powerful is
> the ability to specify parameters on an attack by attack basis to meet
> their particular needs. The ability to render the response in the
> product's browser is also useful in the validation and remediation
> process. There are many other capabilities, you can try for yourself.
>
> John Reno
> Cenzic
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of M. Groen
> Sent: Tuesday, May 08, 2007 11:28 PM
> To: pen-test@securityfocus.com
> Subject: RE: Opinions of automated testers
>
> Thanks for the clear explanation.
>
> One other question, does anyone happen to know if there are sites on which
> you can try "pen testing" products, like WebInspect, or Hailstorm? I mean
> a "playground" on which it is allowed to do pen-testing (and make
> mistakes)?
>
> Mathijs
>
> > Zack,
> >
> > First of all, it depends on what you want in a pen-test tool. Second, it
> > also depends on what you mean by pen-testing. In my opinion, unless there
> > is an actual exploit leveraged and a payload or injection of some sort, you
> > are talking Vulnerability Assessment and not pen-testing. It's a semantic
> > difference to some but there is a procedural difference between identifying
> > potential vulnerabilities and actively exploiting found vulnerabilities.
> >
> > The 3 tools you list are all web application-centric in their focus and are
> > not what I would consider true pen-testing tools per se; they are more
> > Application layer vulnerability scanners with limited exploit payloads to
> > reduce false positive findings (XSS and SQL injection checks etc).
> > Watchfire's AppScan, Cenzic's Hailstorm, and SPI's WebInspect are all great
> > tools but they do not test the full gamut of OS or services. If you are
> > focused solely on application layer assessment then any of these 3 should
> > suit your needs. I personally prefer WebInspect due to some of the extra
> > tools and functionality it provides, as well as the various customizable
> > report patterns and compliance-directed scanning but each has its strong
> > points.
> >
> > If you are looking for what most on the list would consider broad spectrum
> > pen-testing tools you should take a look at Core Impact or Metasploit. There
> > are other pen-testing tools available but these two are probably the most
> > widely used. Core=commercial, Metasploit=OSS so if your organization needs
> > support not found in a chat room or online forum Core is the way to go. I'm
> > fond of how Impact's payload is a memory-resident compromise so there is no
> > actual change to the target compromised system and it can use any exploited
> > box found to search out other machines it can see which is valuable in
> > moving your penetration farther into the private network.
> >
> > While automated tools are getting better and easier to use, nothing beats an
> > experienced pen-testing services company. The better ones go beyond
> > automated tool runs and can offer services that include social engineering,
> > custom exploit coding, and other company-specific scope needs. Depending on
> > your budget you may also want to look into that avenue.
> >
> > Hope that helps and welcome to the list.
> >
> >
> > --
> > Erin Carroll
> > Moderator
> > SecurityFocus pen-test list
> > "Do Not Taunt Happy-Fun Ball"
> >
> >
> >
> >
> >> -----Original Message-----
> >> From: listbounce@securityfocus.com
> >> [mailto:listbounce@securityfocus.com] On Behalf Of
> >> zackpeters75@yahoo.com
> >> Sent: Monday, May 07, 2007 8:58 PM
> >> To: pen-test@securityfocus.com
> >> Subject: Opinions of automated testers
> >>
> >> Hi,
> >>
> >> My manager gave me our pen testing project and I'm still
> >> coming up to speed so forgive me if this question is not 100%
> >> list appropriate.
> >>
> >> From what I can tell the top 3 automated pen testing
> >> programs are from SPI Dynamics, Cenzic and Watchfire. I
> >> haven't evaled any of them quite yet but they each seem to
> >> have their advantages and disadvantages. Cenzic is claiming
> >> to be the most accurate at least according to their 20/20
> >> marketing program
> >> http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm
> >> wondering what people have actually seen.
> >>
> >> And if any of you posters from SPI, Cenzic or Watchfire want
> >> to email me directly and tell me your benefits, that's fine.
> >> I don't want the thread to be a sales pitch, just looking to
> >> benefit from the knowledge of others.
> >>
> >> Thanks everyone!
> >>
> >> Zack
> >>
> >> --------------------------------------------------------------
> >> ----------
> >> This List Sponsored by: Cenzic
> >>
> >> Are you using SPI, Watchfire or WhiteHat?
> >> Consider getting clear vision with Cenzic See HOW Now with
> >> our 20/20 program!
> >>
> >> http://www.cenzic.com/c/2020
> >> --------------------------------------------------------------
> >> ----------
> >>
> >
>

-- 
Lee J Lawson
leejlawson@gmail.com
"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."
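The distinction Erin Carroll draws above, between an application scanner that flags a potential XSS or SQL injection finding and one that fires a limited exploit payload to cut false positives, is easier to see in code. The following is an added example written for this archive page; it is not code from the thread and not the logic of AppScan, Hailstorm, WebInspect or any other product named in it. It assumes four constructed in-process "endpoints" (plain functions standing in for HTTP handlers, two vulnerable and two safe), a made-up canary string, and a boolean-based differential as the SQL injection confirmation technique; the names reflecting_page, encoding_page, concat_lookup, param_lookup, potential_*, confirmed_* and scan are all invented here.

```python
import html
import sqlite3

# Constructed stand-in for a web application: each "endpoint" is a plain
# function taking the request parameters and returning the response body,
# so the whole demonstration runs in-process with no network.

def reflecting_page(params):
    """Vulnerable search page: echoes the parameter into HTML unencoded."""
    return f"<p>Results for {params.get('q', '')}</p>"

def encoding_page(params):
    """Safe search page: the same reflection, HTML-encoded."""
    return f"<p>Results for {html.escape(params.get('q', ''))}</p>"

def _make_db():
    # Constructed sample data for the lookup endpoints.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

DB = _make_db()

def concat_lookup(params):
    """Vulnerable user lookup: the id is pasted into the SQL string."""
    try:
        rows = DB.execute(
            f"SELECT name FROM users WHERE id = {params.get('id', '0')}"
        ).fetchall()
    except sqlite3.Error:
        return "error"
    return ",".join(r[0] for r in rows)

def param_lookup(params):
    """Safe user lookup: the id is type-checked and bound as a parameter."""
    try:
        uid = int(params.get("id", "0"))
        rows = DB.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall()
    except (ValueError, sqlite3.Error):
        return "error"
    return ",".join(r[0] for r in rows)

# --- Assessment-style checks: notice a symptom and report a potential finding.

CANARY = "zz7q"  # constructed marker, chosen to be unlikely in a real page

def potential_xss(handler, param):
    """Reports XSS if the input is reflected anywhere in the response."""
    return CANARY in handler({param: CANARY})

def potential_sqli(handler, param, base="1"):
    """Reports SQLi if a stray quote changes the response at all."""
    return handler({param: base}) != handler({param: base + "'"})

# --- Exploit-style checks: send a payload and require the effect it predicts.

def confirmed_xss(handler, param):
    """Confirms XSS only if markup survives into the response unencoded."""
    payload = f"<{CANARY}>"
    return payload in handler({param: payload})

def confirmed_sqli(handler, param, base="1"):
    """Boolean-based confirmation: an injected true condition must leave the
    page unchanged and an injected false condition must change it, and
    neither may simply trip an error."""
    baseline = handler({param: base})
    true_r = handler({param: f"{base} AND 1=1"})
    false_r = handler({param: f"{base} AND 1=2"})
    return (true_r == baseline and false_r != baseline
            and "error" not in (true_r, false_r))

def scan():
    """Runs both check styles over the four constructed endpoints and returns
    {endpoint: (potential, confirmed)} so the false positives are visible."""
    return {
        "reflecting_page": (potential_xss(reflecting_page, "q"),
                            confirmed_xss(reflecting_page, "q")),
        "encoding_page": (potential_xss(encoding_page, "q"),
                          confirmed_xss(encoding_page, "q")),
        "concat_lookup": (potential_sqli(concat_lookup, "id"),
                          confirmed_sqli(concat_lookup, "id")),
        "param_lookup": (potential_sqli(param_lookup, "id"),
                         confirmed_sqli(param_lookup, "id")),
    }

if __name__ == "__main__":
    for name, (potential, confirmed) in scan().items():
        print(f"{name:16} potential={potential!s:5} confirmed={confirmed}")
```

Both safe endpoints are flagged by the symptom-only checks (the encoded page still reflects the canary, and the parameterised lookup still answers differently to a stray quote), while only the two vulnerable endpoints survive the payload-driven confirmation. That gap is what the "limited exploit payloads" in the application scanners are there to close, and why a scanner run alone is still assessment rather than exploitation.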


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT