lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu Jan 19 19:52:33 2006
From: greybrimstone at aim.com (greybrimstone@....com)
Subject: Vulnerability/Penetration Testing Tools

Sk,
  I couldn't agree more. Nothing beats real results from real people. 
Having said that, the time to deliver can be reduced by using automated 
tools for reconnaissance. If automated scanners identify 
vulnerabilities in systems then those same services do not "need" to be 
fully re-evaluated. That means less work, more savings passed to the 
client.



 -Adriel

 -----Original Message-----
 From: GroundZero Security <fd@....org>
 To: greybrimstone@....com
 Cc: full-disclosure@...ts.grok.org.uk
 Sent: Thu, 19 Jan 2006 20:00:30 +0100
 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools

  or learn how to do such tests by hand as that is more accurate as any 
automated
 tool out there!
  a penetration test shouldnt be automated it would miss too many bugs 
i.e. in
 custom php/cgi scripts.
 a professional security audit can only be done by hand. period.
 too many people rip their customers off with cheap automated tests.

 -sk
 http://www.groundzero-security.com

 ----- Original Message -----
 From: <greybrimstone@....com>
  To: <mmadison@...i.com>; <fdlist@...italoffense.net>; 
<full-disclosure@...ts.grok.org.uk>
 Sent: Thursday, January 19, 2006 7:27 PM
 Subject: Re: [Full-disclosure] Vulnerability/Penetration Testing Tools


 > Madison,
 > See, thats the challenge. I am not looking for a tool that does
  > strict vulnerability assessments. I am looking for a tool that will 
do
 > an automated vulnerability assessment and then automated attacks
 > against those vulnerabilities. Core Impact has such a tool and it is
 > well worth the money. In fact, I already have that in my to-purchase
 > list. I am now searching for free tools however and haven't found
 > anything.
 >
 > My goal is to identify tools that have a high ROI... free == the
  > higest. Never the less, automation can only be used a limited amount 
as
 > it reduces quality and accuracy.... I know this.
 >
 >
 > -Adriel
 >
 > -----Original Message-----
 > From: Madison, Marc <mmadison@...i.com>
 > To: H D Moore <fdlist@...italoffense.net>;
 > full-disclosure@...ts.grok.org.uk
 > Sent: Wed, 18 Jan 2006 08:02:59 -0600
  > Subject: RE: [Full-disclosure] Vulnerability/Penetration Testing 
Tools
 >
 > I've looked at BidiBLAH (enfaces on the BLAH). Their product does
 > nothing more than take the results from
 > Nessus, Metasploit and such, then cram them all together in a easy to
 > understand format for your boss.
  > BidiBLAH IMHO is not a vulnerability assessment tool, rather a 
reporting
 > tool. If anyone can correct me
 > please do, since at one point I was in contact with BidiBLAH sales
 > asking what I got for $10,000.00 outside
  > Of the reporting? Their answer, well let's just say I'm still 
waiting.
 >
 > My two cent, Nessus. It's cheap, effective, and probably the most
 > supported network vulnerability assessment
 > tool on the market.
 >
 >
 >
 >
 > >>H D Moore wrote:
 >
 > >>Er, woops, misread - you want to scan and automatically exploit
 > systems.
 > >This can be easily done with a little scripting and the available
 > open-source tools. SensePost
  > >>has a project called BiDiBLAH that integrates Google-discovery, a 
TCP
 > port scanner, Nessus,
 > >>and Metasploit: - http://www.sensepost.com/research/bidiblah/
 >
 > >>The next version of the Metasploit Framework (v3) has support for
 > 'recon'
  > >>modules that technically you could use to automate this, but it 
will
 > take some time before this is usable.
 >
 > >>-HD
 >
 >
 > >On Tuesday 17 January 2006 18:04, H D Moore wrote:
 > > You should check out the Metasploit Framework:
 > > - http://metasploit.com/projects/Framework/
 >
 > _______________________________________________
 > Full-Disclosure - We believe in it.
 > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 > Hosted and sponsored by Secunia - http://secunia.com/
 >
 >
 > _______________________________________________
 > Full-Disclosure - We believe in it.
 > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 > Hosted and sponsored by Secunia - http://secunia.com/
 >
 >
  > 
________________________________________________________________________
 > Check Out the new free AIM(R) Mail -- 2 GB of storage and
 > industry-leading spam and email virus protection.
 >
 > _______________________________________________
 > Full-Disclosure - We believe in it.
 > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 > Hosted and sponsored by Secunia - http://secunia.com/
 >


________________________________________________________________________
Check Out the new free AIM(R) Mail -- 2 GB of storage and 
industry-leading spam and email virus protection.

Powered by blists - more mailing lists