pen-test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Cross testing exploit with vulnerability scan results

from [John M. Martinelli] [Permanent Link][Original]
To: Chroot <chrooted@gmail.com>
Subject: Re: Cross testing exploit with vulnerability scan results
From: "John M. Martinelli" <john@martinelli.com>
Date: Fri, 27 Jul 2007 20:29:54 -0400
Cc: pen-test@securityfocus.com
Delivered-to: sp-com-lists@consult.net
Delivered-to: pentest-list2@consult.net
Delivered-to: mailing list pen-test@securityfocus.com
Delivered-to: moderator for pen-test@securityfocus.com
In-reply-to: <20b0a0170707270525m548e299dtd0643c9e0e2ef49d@mail.gmail.com>
List-help: <mailto:pen-test-help@securityfocus.com>
List-id: <pen-test.list-id.securityfocus.com>
List-post: <mailto:pen-test@securityfocus.com>
List-subscribe: <mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list: contact pen-test-help@securityfocus.com; run by ezmlm
References: <20b0a0170707270525m548e299dtd0643c9e0e2ef49d@mail.gmail.com>
Resent-date: Sat, 28 Jul 2007 12:21:18 -0600 (MDT)
Resent-from: pen-test-return-1078484717@securityfocus.com
Resent-message-id: <20070728182118.AE1581438D9@outgoing2.securityfocus.com>
Resent-sender: listbounce@securityfocus.com
Sender: listbounce@securityfocus.com
Well, sadly, this is why you should not completely depend on vulnerability scanners to conduct a full penetration test - they don't catch everything you like, and sometimes they make false- negatives, as well as false-positives, and other times faulty code can impact your audit severely. 

Regards,
John Martinelli
RedLevel.org Security

On Jul 27, 2007, at 8:25 AM, Chroot wrote:


Hi Fellow testers,

I've been conducting pen tests since 4 yrs now... the methodology I
follow is that we exploit or attempt to exploit ONLY those
vulnerabilities that a vulnerability scanner identifies. What if the
appropriate check or signature in the vulnerability scanner was not up
to date or had some coding issue or was not comprehensiveness enough
(or anything else) to identify a real existing vulnerability on a
system. This can result in serious false negatives. Would downloading,
installing and cross testing all available exploits for an identified
service be a good idea to minimize such a case? How many people have
faced such an issue or a similar issue? For me I faced this issue with
some  bug in Nessus recently.

This is something like my NMAP says there is IIS6.0 running on port
443 of a target server. I do a Nessus scan on it and it doesn't report
anything. I then download all available exploits for IIS6.0 (or for
all version of IIS? would this make sense) from securityfocus.com or
securiteam.com or similar source and run it manually on the target
system.

Eagerly await opinions.

THNX
---------------------------------------------------------------------- -- 
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
---------------------------------------------------------------------- -- 




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SV: Brute-forcing cached Windows login password hashes, Per Thorsheim
Next by Date:  Re: SAS 70, Paul Melson
Previous by Thread:  Cross testing exploit with vulnerability scan results, Chroot
Next by Thread:  Re: Cross testing exploit with vulnerability scan results, Morning Wood
Indexes:  [Date] [Thread] [Top] [All Lists]