Date: Tue Sep 27 18:12:43 2005
From: c0ntexb at gmail.com (c0ntex)
Subject: CORE-Impact license bypass

I agree with most of your comments, but it may be prudent to recall
that not every attack is performed by a "script kid". Do remember that
skilled attackers exist and are active in penetrating networks,
usually those same ones that Nessus "monitors" ;))))

On 27/09/05, Martin Mkrtchian <dotsecure@...il.com> wrote:
> I think automated tools should be used for penetration testing when it is
> possible. Why should the penetration tester use manual means and waste time?
> After all, your average script kiddie will be using CORE-like applications
> such as Metasploit to exploit a system. I do understand that for the
> techies out there an automated tool is not a respectable way to do pen testing
> because it does not show your true skills, but the bottom line is business
> doesn't care if you use manual or automated tools; what business cares about
> is for you to take all the possible approaches to hack-proof a system. Just
> because you are running an automated tool doesn't mean you do not have the
> expertise. In fact the tool may do the job, but it is the security analyst's
> responsibility to analyze and develop a high-level and technical plan for how
> to remediate the issue. So therefore it is my personal opinion that
> automated tools save time from the analyst's perspective and money from the business
> perspective.
>
> Thanks
>
> -- Martin
>
> Visit my security blog:
>
> http://dotsecure.blogspot.com
>
>
>  On 9/27/05, Bernhard Mueller <research@...-consult.com> wrote:
>
> > Exibar wrote:
> > > I didn't mean to imply that the consultants create their own exploits,
> > > not many I know could even begin to do that, only a couple are talented
> > > enough to do just that. Even for those very few, it's just not feasible
> > > from a time perspective. Much quicker and more cost effective to use what's
> > > out there.
> > >
> >
> > So what use is a pentest if the consultant isn't even talented enough to
> > find / create exploits for unknown vulnerabilities?
> > Any average admin can install and run an automatic security scanner.
> > Furthermore, a common Nessus report contains 99% useless garbage. And
> > most of the time, you cannot apply generic exploits like these from
> > Metasploit to a specific customer situation.
> > In my experience, nearly all sites have some serious security flaws even
> > if tools like Nessus say the contrary. There may be self-coded
> > applications or software that is not widely known or tested, so they're
> > not found in any vulnerability database. Or, if that is not the case,
> > you may even find new flaws in well-established software.
> > IMHO you cannot deliver a reasonable security assessment until you have
> > checked everything by hand.
> >
> >
> > regards,
> > --
> > _____________________________________________________
> >
> > ~  DI (FH) Bernhard Mueller
> > ~  IT Security Consultant
> >
> > ~  SEC-Consult Unternehmensberatung GmbH
> > ~   www.sec-consult.com
> >
> > ~  A-1080 Wien  Blindengasse 3
> > ~  Tel:   +43/676/840301718
> > ~  Fax:   +43/(0)1/4090307-590
> > ______________________________________________________
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
--

regards
c0ntex