[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <df8ba96d05092710111d529451@mail.gmail.com>
Date: Tue Sep 27 18:12:43 2005
From: c0ntexb at gmail.com (c0ntex)
Subject: CORE-Impact license bypass
I agree with most of your comments, but it may be prudent to recall
that not every attack is performed by a "script kid". Do remember that
skilled attackers exsist and are active in penetrating networks,
usually those same ones that Nessus "monitor" ;))))
On 27/09/05, Martin Mkrtchian <dotsecure@...il.com> wrote:
> I think automated tools should be used for penentration testing when it is
> possible. Why should the penetration tester use manual means and waste time?
> After all your average script kiddie will be using CORE like applications
> such as Metasploit to exploit a system. I do understand that for the
> techies out there automated tool is not a respectable way to do pen testing
> because it does not show your true skills, but bottom line is business
> doesnt care if you use manual or automated tools, what business cares about
> is for you to take all the possible appraoch to hack proof a system. Just
> because you are running automated tool doesnt mean you do not have the
> expertise. In fact tool may do the job, but it is security analyst's
> responsibility to analyze and develop high level and technical plan in how
> to remediate the issue. So therefore it is my personal opinion that
> automated tools save time from analysts perspective and money from business
> perspective.
>
> Thanks
>
> -- Martin
>
> Visit my security blog:
>
> http://dotsecure.blogspot.com
>
>
> On 9/27/05, Bernhard Mueller <research@...-consult.com> wrote:
>
> > Exibar wrote:
> > > I didn't mean to imply that the consultants create their own
> exploits,
> > > not many I know could even begin to do that, only a couple are talented
> > > enough to do just that. Even for those very few, it's just not feasable
> > > from a time perspective. Much quick and cost effective to use what's
> out
> > > there.
> > >
> >
> > so what use is a pentest if the consultant isn't even talented enough to
> > find / create exploits for unknown vulnerabilities?
> > any average admin can install and run an automatic security scanner.
> > furthermore, a common nessus report contains 99% useless garbage. and
> > most of the time, you can not apply generic exploits like these from
> > metasploit to a specific customer situation.
> > in my experience, nearly all sites have some serious security flaws even
> > if tools like nessus say the contrary. there may be self-coded
> > applications or software that is not widely known or tested so they're
> > not found in any vulnerability database. or, if that is not the case,
> > you may even find new flaws in well-established software.
> > IMHO you can not deliver a reasonable security assessment until you have
> > checked everything by hand.
> >
> >
> > regards,
> > --
> > _____________________________________________________
> >
> > ~ DI (FH) Bernhard Mueller
> > ~ IT Security Consultant
> >
> > ~ SEC-Consult Unternehmensberatung GmbH
> > ~ www.sec-consult.com
> >
> > ~ A-1080 Wien Blindengasse 3
> > ~ Tel: +43/676/840301718
> > ~ Fax: +43/(0)1/4090307-590
> > ______________________________________________________
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
--
regards
c0ntex
Powered by blists - more mailing lists