Penetration Testing mailing list archives
RE: Opinions of automated testers
From: "John Reno" <jreno () cenzic com>
Date: Wed, 9 May 2007 14:20:23 -0700
Mathijs, Cenzic provides a sample application called CrackMeBank modeled after a financial services site that is useful for conducting assessments and evaluating products. It can be found at http://crackme.cenzic.com. The product itself is Cenzic Hailstorm. We have a broad cross-section of users, but in the pen-test area what customers have found powerful is the ability to specify parameters on an attack by attack basis to meet their particular needs. The ability to render the response in the product's browser is also useful in the validation and remediation process. There are many other capabilities, you can try for yourself. John Reno Cenzic -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of M. Groen Sent: Tuesday, May 08, 2007 11:28 PM To: pen-test () securityfocus com Subject: RE: Opinions of automated testers Thanks for the clear explanation. One other question, does anyone happen to know if there are sites on which you can try "pen testing" products, like WebInspect, or Hailstorm? I mean a " playground" on which it is allowed to do pen-tensting (and make mistakes)? Mathijs
Zack, First of all, it depends on what you want in a pen-test tool. Second,
it
also depends on what you mean by pen-testing. In my opinion, unless
there
is an actual exploit leveraged and a payload or injection of some
sort,
you are talking Vulnerability Assessment and not pen-testing. It's a
semantic
difference to some but there is a procedural difference between identifying potential vulnerabilities and actively exploiting found
vulnerabilities.
The 3 tools you list are all web application-centric in their focus
and
are not what I would consider true pen-testing tools per se; they are more Application layer vulnerability scanners with limited exploit payloads
to
reduce false positive findings (XSS and SQL injection checks etc). Watchfire's AppScan, Cenzic's Hailstorm, and SPI's WebInspect are all great tools but they do not test the full gamut of OS or services. If you
are
focused solely on application layer assessment then any of these 3
should
suit your needs. I personally prefer WebInspect due to some of the
extra
tools and functionality it provides, as well as the various
customizable
report patterns and compliancy-directed scanning but each has it's
strong
points. If you are looking for what most on the list would consider broad
spectrum
pen-testing tools you should take a look at Core Impact or Metasploit. There are other pen-testing tools available but these two are probably the
most
widely used. Core=commercial, Metasploit=OSS so if your organization
needs
support not found in a chat room or online forum Core is the way to
go.
I'm fond of how Impact's payload is a memory-resident compromise so there
is
no actual change to the target compromised system and it can use any exploited box found to search out other machines it can see which is valuable in moving your penetration farther into the private network. While automated tools are getting better and easier to use, nothing
beats
an experienced pen-testing services company. The better ones go beyond automated tool runs and can offer services that include social engineering, custom exploit coding, and other company-specific scope needs.
Depending
on your budget you may also want to look into that avenue. Hope that helps and welcome to the list. -- Erin Carroll Moderator SecurityFocus pen-test list "Do Not Taunt Happy-Fun Ball"-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of zackpeters75 () yahoo com Sent: Monday, May 07, 2007 8:58 PM To: pen-test () securityfocus com Subject: Opinions of automated testers Hi, My manager gave me our pen testing project and I'm still coming up to speed so forgive me if this question is not 100% list appropriate.From what I can tell the top 3 automated pen testingprograms are from SPI Dynamics, Cenzic and Watchfire. I haven't evaled any of them quite yet but they each seem to have their advantages and disadvantages. Cenzic is claiming to be the most accurate at least according to their 20/20 marketing program http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm wondering what people have actually seen. And if any of you posters from SPI, Cenzic or Watchfire want to email me directly and tell me your benefits, that's fine. I don't want the thread to be a sales pitch, just looking to benefit from the knowledge of others. Thanks everyone! Zack -------------------------------------------------------------- ---------- This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 -------------------------------------------------------------- ----------
------------------------------------------------------------------------
This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020
------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Opinions of automated testers zackpeters75 (May 07)
- RE: Opinions of automated testers Erin Carroll (May 07)
- RE: Opinions of automated testers M. Groen (May 09)
- RE: Opinions of automated testers Erin Carroll (May 09)
- Re: Opinions of automated testers Joern Ahrens (May 10)
- RE: Opinions of automated testers John Reno (May 09)
- Re: Opinions of automated testers Lee Lawson (May 10)
- RE: Opinions of automated testers M. Groen (May 09)
- RE: Opinions of automated testers Kevin Reiter (May 09)
- Re: Opinions of automated testers Benny Tsai (May 09)
- Re: Opinions of automated testers Joey Peloquin (May 10)
- RE: Opinions of automated testers Erin Carroll (May 07)
- RE: Opinions of automated testers Vishal Garg (May 10)
- Re: Opinions of automated testers rajat swarup (May 15)
- Re: Opinions of automated testers Lee Lawson (May 08)