Penetration Testing mailing list archives
RE: nessus exceptions
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 9 Aug 2004 11:04:27 -0400 (EDT)
On Fri, 6 Aug 2004, Jerry Shenk wrote:
> Isn't that just a bit harsh...on both sides. It's not unethical for a company to leave a vulnerability open just to see if a pen-tester finds it. I know that some companies that I consult for have had penetration tests done where things have been missed. One recent one looked like they just scanned the common ports (or at least some subset of all of them) 'cuz they didn't find a web server on an odd port....wasn't really hiding either. A few years ago, I knew that another guy had opened up tftp from the internet but I forgot about it. I got an alert when the testing company hit the tftp server...but they never put it in a report and they never "re-tested". I've always wondered why that never showed up.

That's pretty shoddy work, and hopefully the company offering these "tests" is not getting glowing recommendations from their clients, and might actually go out of business or hire some folks with a clue.

> I do think that if a company were to put a server up with specific holes, they shouldn't complain if I "waste" time exploiting those conjured up holes. A pen-test is normally priced on a time basis so the pen-tester should be prioritizing exploitation attempts where the most gain seems likely. If you make this target too interesting, you may dilute the value of the pen-test. Chris: I'm not sure it's fair either to insist on the pen-tester using certain tools. It's really not the tool, it's the guy running the tool...or I would hope tools. If they do a test and ONLY run Nessus (or anything else for that matter), that's not a very good test. I wouldn't call it a pen-test either...vulnerability scan seems like a better term.

The key here though remains, if the 'testing' company has folks merely scanning a system with nessus and/or nmap or a tool or two other than these, this is not, and I repeat not a pentest, it is a simple vuln scan, and the most simple and basic of vuln scans, unless they are actually working in conjunction with the sysadmins of the systems in question to coordinate and define their discoveries; such as checking system configurations and such against the canned reports of the scanner(s). Calling these mere vuln scans a pentest in any fashion is a disservice to the pentesting side of the security industry and should make many stand up and take notice of the snake-oil being peddled by these charlatans. Nessus and a few of its canned sploits being loosed upon a set of servers or a network is not a pentest, and marketing it as thus is really base.

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!