Penetration Testing mailing list archives

RE: Penetration Testing or Vulnerability Scanning?


From: "Rob Shein" <shoten () starpower net>
Date: Fri, 7 Mar 2003 15:03:15 -0500

Vulnerability scanning and penetration testing are largely confused with
each other, and differ in a couple of different ways.  One, penetration
testing does indeed usually seek to "bust root" on a server or network from
the outside. Vulnerability scanning doesn't go this far, but instead seeks
to enumerate all possible vulnerabilities related to configuration
(including what the firewall lets through) and _known_ weaknesses in
software.  Penetration testing is almost always done from outside a network,
as a hacker would likely be, while vulnerability scanning is often done
locally as well as remotely.

As for tools, vulnerability scanning usually relies heavily on one or more
tools that scan for many different things, while pen-testing usually
uses any of the numerous more specialized tools (like buffer overflow
exploit code, for example), and you never know what tools you're going to
use until you're done.  It's a bit like a car mechanic going into work...he
doesn't know what cars he's going to see that day yet, or what needs to be
done to them, so he doesn't know what tools he'll use for the most part.
He'll almost assuredly be using a socket wrench (or nmap), but he might not
be needing his special-use spanner (or fragroute).

Finally, there's nothing unethical in and of itself about using exploit code.
The ethics are about HOW you use it, and WHY.  If your client is fully aware
that you are going to break in, and they are comfortable with the potential
downtime resulting from a buffer overflow, for example, then it's not much
of a problem.  If you surprise them by taking a box or service down
accidentally though, without having let them know that it might happen (and
without planning for this possibility), then that's not so good.

-----Original Message-----
From: Rizwan Ali Khan [mailto:rizwanalikhan74 () yahoo com] 
Sent: Friday, March 07, 2003 1:08 AM
To: pen-test () securityfocus com
Subject: Penetration Testing or Vulnerability Scanning?


When we usually talk about penetration testing tools, people mostly
refer to vulnerability scanners like ISS, Typhon, Nessus, CyberCop etc.

However, penetration testing tools are those that penetrate as well; the
above scanners do not do that.

One needs to have a working version of an SSH exploit for the SSH
vulnerability detected by the vulnerability scanner, so is it necessary for
a penetration tester to have access to the latest underground exploit? Or
could all this be done in an ethical manner too?

Please guide me; I am so confused between these two methodologies.

----------------------------------------------------------------------------

Are your vulnerability scans producing just another report? Manage the
entire remediation process with StillSecure VAM's Vulnerability Repair
Workflow. Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html
