RE: Cross testing exploit with vulnerability scan results

From: Steve Armstrong (stevearmstrong@logicallysecure.com)
Date: Sat Jul 28 2007 - 16:03:56 EDT


Chroot,

I believe you should always check and cross check your scans. Check for
false positives and ensure your scanning has been conducted in the
correct circumstances without some external factor injecting unknown
factors.

Also, remember that vulnerability scanning with an automated scanner is
using some one else's check sheet to check a system, so yes there could
be errors and problems with its code and implementation.

You should do you own checks too, otherwise what value are you adding to
the test? I personally would not scan someone's network and then
download the list of possible exploits of the web and run them against
the client system, not unless you have very understanding professional
indemnity insurers! You should obtain you code from good sites and
cross check where possible with dns records, md5, sha1, sha256 hashs and
other integrity assurance methods, else you may download 'bad code'.

Plan ahead and collect good code and exploits, some you will have to
modify yourself, but always check to see what it does on a test lan -
not the clients!

As to your example try running a manual banner grab or run another port
scanning tools (Scanrand or Unicom scanner for example).

And to start the flames as I leave, running a vulnerability scanner and
only exploiting or attacking what is says I what I would call a basic
vulnerability analysis - not a penetration test. A Penetration test
requires you to think out of the box and to try other stuff that many VA
tools just don't cover. And how would you penetration test a bespoke
program or application if your VA tool does not carry checks for it?

Running for cover . . . . .

Steve A

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Chroot
Sent: 27 July 2007 13:26
To: pen-test@securityfocus.com
Subject: Cross testing exploit with vulnerability scan results

Hi Fellow testers,

I've been conducting pen tests since 4 yrs now... the methodology I
follow is that we exploit or attempt to exploit ONLY those
vulnerabilities that a vulnerability scanner identifies. What if the
appropriate check or signature in the vulnerability scanner was not up
to date or had some coding issue or was not comprehensiveness enough
(or anything else) to identify a real existing vulnerability on a
system. This can result in serious false negatives. Would downloading,
installing and cross testing all available exploits for an identified
service be a good idea to minimize such a case? How many people have
faced such an issue or a similar issue? For me I faced this issue with
some bug in Nessus recently.

This is something like my NMAP says there is IIS6.0 running on port
443 of a target server. I do a Nessus scan on it and it doesn't report
anything. I then download all available exploits for IIS6.0 (or for
all version of IIS? would this make sense) from securityfocus.com or
securiteam.com or similar source and run it manually on the target
system.

Eagerly await opinions.

THNX

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT