lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 17 Sep 2010 21:08:13 +0200
From: Mario Vilas <mvilas@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: New tool for pentesting

To be fair, both Canvas and Impact had the same pivoting features years
before Metasploit (and yes, that includes the entire Windows API too). It's
no wonder really, since Metasploit is newer too (Impact was created some ten
odd years ago and Canvas came shortly later, if I'm not wrong). But IMHO if
a community, open source project like Metasploit can reach the quality of
it's big budget, closed source competitors, that alone is quite impressive!

What I think is really wrong here is someone made a poorly designed (at
least judging from the GUI), Windows-only commercial tool by ripping off a
few public exploits... What's the added value here? What are these people
trying to charge money for, exactly? This looks like snake oil to me.

On Fri, Sep 17, 2010 at 6:54 PM, <rdsears@....edu> wrote:

> Seriously. The only reason CANVAS and IMPACT are still used is because
> of the 0-days that come packaged with them. Metasploit if far superior
> not only in exploitation, but post exploitation, persistance,
> networking pivioting, and just generally being a badass!
>
> Can ANYTHING really compare to the meterpreter for pwning windows?
> They implemented remote kernel calls for gods sake! You have the
> ENTIRE windows API at your disposal with it, assuming you don't want
> to use one of the very awesome ruby scripts that come with it to
> manipulate your tokens or do remote route additions!
>
> If I'm going to use any 'enterprise level vulnerability
> scanner' ::shudders:: it'll be Metasploit express, or MAYBE Nessus.
> Mainly just my brain though, which costs me nothing! If you're going
> to try to sell stuff like this, I wouldn't go where ACTUAL security
> people dwell, I'd go back to the netstumbler forums. You'd have better
> luck there.
>
> On Sep 17, 2010, at 11:31 AM, Eyeballing Weev
> <eyeballing.weev@...il.com> wrote:
>
> > Looking at that webpage is making me rage. I'm sending him an invoice
> > for a new keyboard.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ