Security Basics mailing list archives

Re: Server Penetration Testing


From: J Teddy <jteddylists () gmail com>
Date: Tue, 27 Sep 2011 10:21:07 +1000

In answer to your question: for exploit frameworks you have Metasploit
and Core Impact. For VA scanners you could use Nessus with Nikto, or
Nexpose. For web you have IBM Rational AppScan and w3af.

PCI-DSS v2 states that

11.3 Perform external and internal penetration testing at least once a
year and after any significant infrastructure or application upgrade
or modification (such as an operating system upgrade, a sub-network
added to the environment, or a web server added to the environment).
These penetration tests must include the following:......

Organisations I have worked for never allow you to exploit
mission/business-critical servers.
Annual pen-tests for PCI compliance have, in my experience, just been VA
scans for network/server and manual testing for OWASP Top 10
vulnerabilities.

On Sat, Sep 24, 2011 at 6:06 AM, Femi Mogaji <olufemimogaji () gmail com> wrote:
Hi list,

So we just had our annual audit, and one of the findings that came up is server-side pen-tests. We already carry out
quarterly ASV scans and a yearly pentest of our external IP addresses; where we fell short was the lack of internal
pentests. The question is: what tools can I use to carry out these tests? Especially tests directed at SQL servers,
file servers, etc. A tool that can generate easy-to-read reports would be really nice. Any input will be appreciated.

Thanks in advance,

Femi
Sent from my BlackBerry® smartphone provided by Airtel Nigeria.
