Re: nessus exceptions

From: Chris McNab (chris.mcnab@trustmatta.com)
Date: Wed Aug 04 2004 - 14:44:54 EDT


Hi,

Recently we've had a lot of experience in this field (by analysing and
benchmarking various vulnerability assessment tools), and I can tell you
that Nessus, and other automated tools, have mixed results when:

- Identifying MSRPC issues. Nessus lists the endpoints from TCP/135 and then
lists them as all 'low-risk' issues. Here you'd set up some accessible MSRPC
interface endpoints (TCP 1026, 1029, 1035, UDP 1028, etc.), but filter
access to the portmapper on TCP and UDP port 135, and watch Nessus miss the
vulnerable endpoints.

- Identifying custom web application issues. Set up some simple accessible
PHP or CGI script on a web service that allows you to list directories and
open files on the operating system
(http://1.2.3.4/cgi/images.php?dir=images/) and see if they try setting that
dir to /etc/ or others.

- Enumerating valid user accounts. There are a bucketload of ways to
enumerate valid user accounts, including Sendmail EXPN/VRFY/RCPT TO, Solaris
FTP globbing, Apache /~user testing, etc. I haven't seen any automated
systems do this well.

These types of elements separate professional hands-on testers from clowns
that just run vulnerability scanning software. Nessus, ISS Internet Scanner,
eEye Retina, all have their strengths and weaknesses, but it's often about
how the tester uses the data that's spat out, and qualifies issues manually.

Hope this helps,

Chris

Chris McNab
Technical Director

Matta Consulting Limited
18 Noel Street
London W1F 8GN

08700 77 11 00
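The Sendmail EXPN/VRFY/RCPT TO account enumeration mentioned in the post, as an added example (this is not Chris's code and not part of the original message). It tries VRFY first and, when the server answers 252 ("cannot VRFY, try RCPT") or rejects the command outright, falls back to MAIL FROM / RCPT TO and reads the 250 versus 550 difference instead, which is the step most scanners skip. To keep it runnable offline it ships with a constructed fake Sendmail listener on 127.0.0.1; the hostname mail.example.test, the VALID_USERS set and the reply strings are assumptions modelled on typical Sendmail 8.x responses, and the probe domain should be set to the target's real mail domain on a live test.

```python
import socket
import threading

# Constructed sample data for the fake server (assumption, not from the post).
VALID_USERS = {"root", "postmaster", "chris"}


def _fake_sendmail(listener, vrfy_enabled):
    """Minimal Sendmail look-alike for offline testing. With vrfy_enabled=False
    it answers VRFY/EXPN with 252 like a hardened mailer, but RCPT TO still
    leaks which users exist (250 vs 550)."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        f.write(b"220 mail.example.test ESMTP Sendmail 8.12.11/8.12.11\r\n")
        f.flush()
        while True:
            raw = f.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                f.write(b"221 2.0.0 mail.example.test closing connection\r\n")
                f.flush()
                break
            if verb in ("HELO", "EHLO", "MAIL", "RSET"):
                reply = "250 2.0.0 OK"
            elif verb in ("VRFY", "EXPN"):
                user = arg.strip().split("@")[0]
                if not vrfy_enabled:
                    reply = "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
                elif user in VALID_USERS:
                    reply = f"250 2.1.5 {user} <{user}@example.test>"
                else:
                    reply = f"550 5.1.1 {user}... User unknown"
            elif verb == "RCPT":
                addr = arg.split(":", 1)[1].strip("<> ")      # "TO:<user@dom>"
                if addr.split("@")[0] in VALID_USERS:
                    reply = f"250 2.1.5 {addr}... Recipient ok"
                else:
                    reply = f"550 5.1.1 {addr}... User unknown"
            else:
                reply = "500 5.5.1 Command unrecognized"
            f.write(reply.encode("ascii") + b"\r\n")
            f.flush()


def _cmd(f, line):
    """Send one SMTP command and return (numeric code, reply lines),
    consuming '250-' style multi-line replies in full."""
    f.write(line.encode("ascii") + b"\r\n")
    f.flush()
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) < 4 or text[3] != "-":
            break
    return int(lines[0][:3]), lines


def _classify(code):
    if code == 250:
        return "valid"
    if code in (550, 551, 553):
        return "invalid"
    return "unverified"          # 252, 500-502, greylisting etc.


def enumerate_users(host, port, candidates, domain="example.test"):
    """Return {user: (verdict, method)} using VRFY, falling back to RCPT TO
    whenever VRFY gives no usable answer."""
    results = {}
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rwb") as f:
        f.readline()                                   # 220 banner
        _cmd(f, "HELO probe.example.test")
        for user in candidates:
            code, _ = _cmd(f, f"VRFY {user}")
            verdict, method = _classify(code), "VRFY"
            if verdict == "unverified":
                _cmd(f, "MAIL FROM:<probe@probe.example.test>")
                code, _ = _cmd(f, f"RCPT TO:<{user}@{domain}>")
                verdict, method = _classify(code), "RCPT TO"
                _cmd(f, "RSET")                        # never actually send mail
            results[user] = (verdict, method)
        _cmd(f, "QUIT")
    return results


def run_demo(vrfy_enabled=True):
    """Start the fake listener on an ephemeral port and enumerate against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_sendmail, args=(listener, vrfy_enabled), daemon=True)
    t.start()
    try:
        return enumerate_users("127.0.0.1", port, ["root", "chris", "nobody-here", "postmaster"])
    finally:
        listener.close()
        t.join(timeout=5)


if __name__ == "__main__":
    for mode in (True, False):
        print("VRFY enabled" if mode else "VRFY disabled", run_demo(mode))
```

Against a real host, point enumerate_users() at TCP/25 with a wordlist and the target's domain; the RCPT TO path is the one worth keeping because it survives the common hardening of disabling VRFY/EXPN, and RSET before the next candidate keeps the session in a clean state so no message is ever queued.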



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT