Re: Pentesting tool - Commercial

From: Andre Gironda (andreg@gmail.com)
Date: Tue Feb 26 2008 - 11:45:08 EST


On Tue, Feb 26, 2008 at 1:29 AM, Ramki B <bramkie@gmail.com> wrote:
> No specific problem but the need is a comprehensive tool that can test
> network devices also in addition to OS and Web apps.

Full-knowledge assessments are better for the customer than zero or
low-knowledge assessments. If you want "comprehensive", you won't be
using many tools because these concepts are contradictory.

In your situation, I would use the free version of Nessus with Nikto
integration to raise awareness, especially when combined with the
open-source web application scanner, Paros. Notice how I said "raise
awareness" and not "solve problems".

For testing firewalls, IPS/IDS, and other network/host protections, I
would simulate real attacks in a lab using free tools such as
Metasploit, w3af, and Eicar. Consultants who had access to Core
Impact, CANVAS, the CANVAS sharing alliance, and the full
Gleg/Argeniss/D2 packs would be brought in to test this
infrastructure. Additionally, different consultants should be brought
in to fuzz test the infrastructure with commercial suites such as
Codenomicon, beSTORM, BreakingPoint Systems, and Mu-Security (although
it's possible to use open-source such as PROTOS, ISIC, and custom fuzz
testing with frameworks such as EFS, Peach, Sulley, and SPIKE). All
of this can be replayed often (after every configuration change or
firmware/OS/application update) with Tomahawk or Traffic IQ Pro so
that you don't need to bring in costly consultants with costly tools
every time.

After a baseline such as the above, you can then make recommendations
on specific state and configuration related issues/checks for
vulnerability management. A lot of these recommendations are very
dependent on the client - e.g. which compliance standards they are
required (or want) to follow, where they fit in comparison to their
competitors, and what resources/gaps they have.

However, I wouldn't be surprised to see proposals for solutions from
Symantec, McAfee, ESET, Kaspersky, Lumension, BigFix, ConfigureSoft,
HP Opsware, Skybox, RedSeal, Tenable, Rapid7, Qualys, nCircle,
Agiliance, Archer, ControlPath, ArcSight, Guidance, AccessData, et al
- especially the products/solutions that are OVAL-Compatible.

It's not "all about" the commercial solutions - clearly you can do all
of this with free or open-source products. AntiVir, CentOS, Nipper,
CIS-CAT, OSSEC, OSSIM, Beltane, TSK, etc.

> Since we are offering this commercially as a service there are certain
> customers who object using Open source/Free tools.

In my case (and I know this strategy isn't for anyone), if they
insisted on commercial-only software then I would simply drop them as
customers.

Case in point: the Metsaploit open-source framework has over 110
exploits (*) that cannot be found in any of the commercial
exploitation engines, nor any of their add-on "packs". Can you
customers afford to get hit with one of these by script-kiddies?

Cheers,
Andre

(*) P.S. Here's the list just so you know what should keep you up late at night:
NOTE THAT THIS LIST IS NOT THE COMPLETE EXPLOIT LIST. THIS IS A LIST
OF METASPLOIT EXPLOITS THAT ARE NOT AVAILABLE IN CANVAS OR CORE IMPACT
CVE-1999-0874, CVE-2000-0665, CVE-2001-0311, CVE-2001-0800,
CVE-2001-1583, CVE-2002-1359, CVE-2002-2226, CVE-2003-0213,
CVE-2003-0264, CVE-2003-0344, CVE-2003-0471, CVE-2003-0727,
CVE-2003-082, CVE-2003-1336, CVE-2004-0297, CVE-2004-0326,
CVE-2004-0330, CVE-2004-0430, CVE-2004-0636, CVE-2004-0695,
CVE-2004-0798, CVE-2004-1135, CVE-2004-1211, CVE-2004-1373,
CVE-2004-1520, CVE-2004-1558, CVE-2004-1595, CVE-2004-2221,
CVE-2004-2271, CVE-2004-2687, CVE-2005-0043, CVE-2005-0116,
CVE-2005-0277, CVE-2005-0353, CVE-2005-0455, CVE-2005-0478,
CVE-2005-0491, CVE-2005-0511, CVE-2005-0595, CVE-2005-0768,
CVE-2005-1018, CVE-2005-1323, CVE-2005-1415, CVE-2005-1543,
CVE-2005-1547, CVE-2005-1812, CVE-2005-1815, CVE-2005-1921,
CVE-2005-2148, CVE-2005-2287, CVE-2005-2297, CVE-2005-2373,
CVE-2005-2535, CVE-2005-2551, CVE-2005-2612, CVE-2005-2773,
CVE-2005-2847, CVE-2005-3277, CVE-2005-3314, CVE-2005-3683,
CVE-2005-3757, CVE-2005-4411, CVE-2005-4734, CVE-2006-0295,
CVE-2006-0460, CVE-2006-0848, CVE-2006-1148, CVE-2006-1551,
CVE-2006-1652, CVE-2006-2407, CVE-2006-3252, CVE-2006-3524,
CVE-2006-3677, CVE-2006-3838, CVE-2006-3961, CVE-2006-4305,
CVE-2006-4777, CVE-2006-4847, CVE-2006-5112, CVE-2006-5216,
CVE-2006-5882, CVE-2006-5972, CVE-2006-6055, CVE-2006-6063,
CVE-2006-6076, CVE-2006-6332, CVE-2006-6423, CVE-2006-6424,
CVE-2006-6425, CVE-2006-6761, CVE-2007-0348, CVE-2007-0449,
CVE-2007-1286, CVE-2007-1373, CVE-2007-1676, CVE-2007-1819,
CVE-2007-1868, CVE-2007-2446, CVE-2007-2508, CVE-2007-2711,
CVE-2007-2918, CVE-2007-3147, CVE-2007-3614, CVE-2007-3778,
CVE-2007-3926,
CVE-2007-4006, and I'm probably missing some of the most recent ones
on this list

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT