Penetration Testing mailing list archives
RE: nessus exceptions
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 6 Aug 2004 07:54:37 -0400
Isn't that just a bit harsh...on both sides? It's not unethical for a company to leave a vulnerability open just to see if a pen-tester finds it. I know that some companies that I consult for have had penetration tests done where things have been missed. One recent one looked like they just scanned the common ports (or at least some subset of all of them) 'cuz they didn't find a web server on an odd port....wasn't really hiding either. A few years ago, I knew that another guy had opened up tftp from the internet but I forgot about it. I got an alert when the testing company hit the tftp server...but they never put it in a report and they never "re-tested". I've always wondered why that never showed up.

I do think that if a company were to put a server up with specific holes, they shouldn't complain if I "waste" time exploiting those conjured-up holes. A pen-test is normally priced on a time basis, so the pen-tester should be prioritizing exploitation attempts where the most gain seems likely. If you make this target too interesting, you may dilute the value of the pen-test.

Chris: I'm not sure it's fair either to insist on the pen-tester using certain tools. It's really not the tool, it's the guy running the tool...or I would hope tools. If they do a test and ONLY run Nessus (or anything else for that matter), that's not a very good test. I wouldn't call it a pen-test either...vulnerability scan seems like a better term. It does seem to me that if a pen-tester runs Nessus as their 'base tool' and then follows that up with targeted exploit attempts at the discovered services to identify if they really are exploitable, then a little bit of more detailed analysis of web servers, testing of the domain(s) DNS servers, searching the internet for confidential info, etc. If you really think they JUST run Nessus and then hand you the report...yeah, that's not a pen-test and it shouldn't be a terribly expensive vulnerability scan either.
-----Original Message-----
From: DokFLeed.Net [mailto:dokfleed () dokfleed net]
Sent: Wednesday, August 04, 2004 1:19 AM
To: Chris Griffin; pen-test () securityfocus com
Subject: Re: nessus exceptions

This is a very bad practice. First, it is unethical, because you actually added a vulnerability to your company, despite the fact that it's ONLINE, where it can be used by a non-intended audience :)

What you should do is ask the pen-tester for the remediation reports, and to use at least 3 different tools (there are 4+ free good tools). If you are paying them well, then ask for the commercial originally generated report by the tool. But testing with tools is not enough, so they have to offer you their methodology and approach in general before they sign the NDA and you sign the POA attached to the same contract. That almost works in all cases.

=========================
----- Original Message -----
From: "Chris Griffin" <cgriffin () dcmindiana com>
To: <pen-test () securityfocus com>
Sent: Monday, August 02, 2004 10:58 PM
Subject: nessus exceptions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

I'm trying to find some good holes, that aren't major security issues, that I can create on a machine to see if our testing company really uses anything other than nessus.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBDo7EeFLbG0PZdVwRAmaSAJ9gHU7w6vbI9DGKWa7xmUQ31qKSBQCgpcpq
cC69CeYr16OsfuYu6u1oe8U=
=bGZi
-----END PGP SIGNATURE-----
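Jerry's two anecdotes (a web server on an odd port that a common-ports scan never saw, and a tftp server that was hit but never reported) describe the same defender-side check: compare what the tester reported against what you already know is listening. The script below is an added example, not code from anyone in this thread. It parses constructed `ss -tulnp`-style listings from your own hosts, compares them with the (host, protocol, port) tuples the assessment report listed, and for each service the report missed says whether it fell outside a hypothetical "common ports" scan profile (so it was probably never probed) or was inside the profile and simply went unreported (worth asking the tester about). All hosts, ports and process names are constructed sample data.

```python
"""Coverage check: assessment report versus the client's own listening-service inventory.
Added example, not from the mailing-list thread. Inputs are constructed samples."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    proto: str
    port: int
    process: str


# Constructed sample: what one host reports via an `ss -tulnp`-style listing.
# IPv4 and IPv6 sockets for the same daemon collapse into one Service below.
SS_OUTPUT = {
    "192.0.2.10": """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*     users:(("in.tftpd",pid=412,fd=3))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("httpd",pid=1234,fd=4))
tcp   LISTEN 0      511          0.0.0.0:8088      0.0.0.0:*     users:(("httpd",pid=1234,fd=5))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=700,fd=4))
""",
}

# Constructed sample: the (host, proto, port) tuples the assessment report actually listed.
REPORT_FINDINGS = {
    ("192.0.2.10", "tcp", 22),
    ("192.0.2.10", "tcp", 80),
}

# Hypothetical "common ports" scan profile (an assumption, not any scanner's real default).
COMMON_PORTS = {
    ("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 445), ("tcp", 3389),
    ("udp", 53), ("udp", 69), ("udp", 161),
}

# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer, then the first process name.
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_ss(host, text):
    """Return the set of listening Services parsed from one host's ss-style output."""
    services = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket without process info
        proto, _addr, port, proc = m.groups()
        services.add(Service(host, proto, int(port), proc))
    return services


def missed_services(inventory, findings):
    """Services present in the inventory that the report never mentioned."""
    return sorted(
        (s for s in inventory if (s.host, s.proto, s.port) not in findings),
        key=lambda s: (s.host, s.proto, s.port),
    )


def explain_miss(service, profile):
    """Was the service outside the scan profile, or inside it and just unreported?"""
    if (service.proto, service.port) not in profile:
        return "outside common-port profile (likely never scanned)"
    return "in profile but not reported (ask the tester)"


def coverage_report(ss_by_host, findings, profile):
    """Summarise how much of the known inventory the assessment report covered."""
    inventory = set().union(*(parse_ss(h, t) for h, t in ss_by_host.items()))
    missed = missed_services(inventory, findings)
    return {
        "inventory": len(inventory),
        "reported": len(inventory) - len(missed),
        "missed": [
            (s.host, s.proto, s.port, s.process, explain_miss(s, profile))
            for s in missed
        ],
    }


if __name__ == "__main__":
    report = coverage_report(SS_OUTPUT, REPORT_FINDINGS, COMMON_PORTS)
    print(f"{report['reported']}/{report['inventory']} known services appeared in the report")
    for host, proto, port, proc, why in report["missed"]:
        print(f"  missed {host} {proto}/{port} ({proc}): {why}")
```

Run against the constructed data it flags tcp/8088 (httpd on an odd port, outside the profile) and udp/69 (in.tftpd, inside the profile but absent from the report), which are exactly the two situations Jerry describes. In practice the inventory comes from your own hosts' socket listings or asset database, which is the point: the client can judge a report's coverage without knowing which tools the tester ran.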
Current thread:
- RE: nessus exceptions, (continued)
- RE: nessus exceptions Jerry Shenk (Aug 03)
- Re: nessus exceptions Andres Riancho (Aug 03)
- Re: nessus exceptions Jacco Tunnissen (Aug 09)
- Re: nessus exceptions hellNbak (Aug 03)
- Re: nessus exceptions Mr. Rufus Faloofus (Aug 03)
- Re: nessus exceptions FocusHacks (Aug 05)
- Re: nessus exceptions Stefano Zanero (Aug 10)
- Re: nessus exceptions FocusHacks (Aug 05)
- Re: nessus exceptions Paul Johnston (Aug 05)
- RE: nessus exceptions Marc Heuse (Aug 05)
- Re: nessus exceptions DokFLeed.Net (Aug 05)
- RE: nessus exceptions Jerry Shenk (Aug 09)
- RE: nessus exceptions R. DuFresne (Aug 09)
- RE: nessus exceptions Jerry Shenk (Aug 09)
- Re: nessus exceptions Pete Herzog (Aug 05)
- Re: nessus exceptions Chris McNab (Aug 05)
- Re: nessus exceptions H Carvey (Aug 05)
- RE: nessus exceptions Strand, John (Aug 09)