Date: Tue Sep 27 20:45:45 2005
From: asimmons at messagelabs.com (Andrew Simmons)
Subject: CORE-Impact license bypass

Bernhard Mueller wrote:
> Exibar wrote:
> 
>> I didn't mean to imply that the consultants create their own exploits;
>> not many I know could even begin to do that, only a couple are talented
>> enough to do just that. Even for those very few, it's just not feasible
>> from a time perspective. Much quicker and more cost effective to use what's out
>> there.
>>
> 
> 
> so what use is a pentest if the consultant isn't even talented enough to
> find / create exploits for unknown vulnerabilities?
> any average admin can install and run an automatic security scanner.
> furthermore, a common Nessus report contains 99% useless garbage.


A good pentester will not just hand over a Nessus (or ItsStillShit, 
CANVAS,..) report. The results of a Nessus scan (as with Nmap, firewalk, 
document grinding, google searches, *plus* the results of all the manual 
scouting about that's done) are data that need to be analysed and placed 
in context by the pentester.

A pentester who hands over nothing but an automated report isn't one.
A pentester who doesn't bother using Nessus is either extraordinarily 
good, has a very small target, or is perhaps doing something slightly 
different.

It's important to draw a distinction between an attempt to find *any* 
way into the target network / plant a flag file / get root on the target 
system, or whatever, versus an attempt to find as many ways onto the 
target as possible in the time.

Many pentest customers think they want the latter, but get the former.

Some people would call this a "vulnerability assessment" rather than a 
pentest. I guess it depends whether you're joesbaitshop.com or the USAAF 
Strategic Air Command (nuclear strike group), who were one of the first 
orgs to use pentest / tiger team methods.


\a

-- 
Andrew Simmons
Technical Security Consultant
MessageLabs

