Re: Penetration Testing or Vulnerability Scanning?

[Etaoin Shrdlu <shrdlu () deaddrop org>]

Well, in the spirit of "Full Disclosure," I'm about to use this poor
innocent as a launching point for something that continues to disturb me.

Rizwan Ali Khan wrote:
> When usually we talk about penetration testing tools, people mosly
> refer to Vulnerability Scanners like iss, typhon, nessus, cybercop etc.

Well, these are indeed vulnerability scanners, but I don't think of them as
necessarily being part of a suite of tools for penetration testing. I
believe that having at least two different vulnerability assessment tools
(to offset the false positive and negative results from using just one,
such as ISS) is important for any organization that is attempting to be
secure.

If you are involved in penetration testing, and use these tools for
anything more than a beginning sweep of a new network or site, I am telling
you know that you are cheating your employer. Sure, you should know how to
use these, but you should also know how to write your own for the network
and packages you are looking at.

Part of penetration testing ought to be simple detective work, such as
reading Wall Street's opinions of the company. You might be looking for
email or usenet postings from current and past employees. Why do a
penetration test looking for vulnerabilities in a forward facing IIS
server, when their only DMZ entry is using Websphere on an AIX/Mainframe
combination?

> However penetration testing tools are those who penetrate as well, the
> above scanners do not do that.

There is good reason these scanners don't attempt to penetrate. This is
YOUR job, not Rene's. YOU find the vulnerability, and then YOU write (or
find) the exploit. If you are looking for a tool that attempts to exploit
various different possibilities, then you are looking in the wrong place.
They exist, I'm sure, but you won't find them on Security Focus.

> One needs to have a working version of SSH exploit for the SSH
> vulnerability detected by the vulnerability scanner, so is it necessary
> for penetration tester to have access to the latest of underground
> exploit? or could all this be done in an ethical manner too?

How on earth do you think this has anything to do with ethics? Either
you're attempting to break in, or you're not. Whether or not you have
permission, the technique remains the same. Why do you think that someone
in the "underground" is going to provide you tools? Ought you not to
provide those yourself? Do you truly think that anything you find is better
than rank amateur?

> please guide I am so confused between two of these methodologies.

In addition, I believe you are confused between penetration of networks or
computers for hire, and penetration testing of networks and computers for
hire. This is a subtle difference that many newcomers to the field seem to
miss. If you are working for someone who insists that a vulnerability is
not there until you show the exploit, explain that it is not your mission
to provide entertainment, but rather to help secure the network. A good pen
tester ought to be able to take pride in NOT breaking things. If you are
being paid to break in, that's another matter, but don't look for help
here.

In either case, WRITE your own plugins to Nessus if you want to go further
than identification, or ADD in a DoS to nmap. If you don't have the skill
to open things up, you don't have the skill to pen test in the first place.
Scanners such as ISS and Pandora simply point out problems. You need to
have the knowledge to understand that ISS appears to have a small buffer
overflow problem in TCP Predictability that causes it to misidentify BSD
stacks (being random) as being easily predictable, when in fact (as nmap
tells you), they are not.

--
This blackhat thing looks like a honeypot a little.
Or like a meeting of nuns and hookers to discuss sex.

           Georgi Guninski
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html