Re: Security Audit

From: Jonathan Rickman (jonathanat_private)
Date: Thu Sep 06 2001 - 16:40:07 PDT


    On Wed, 5 Sep 2001, Dave Wray wrote:
    
    This is not directed at you Dave...just used your message as a 
    "jumping off point".
    
    > Nessus is a great tool, I use it frequently and personally prefer it to many
    > commercial tools which I also use, but there are *MANY* reasons for doing
    > parts of a test manually.
    
    Yes. Nessus is an excellent tool...more on that later.
    
    > Only two weeks ago, one of our clients was tested according to our internal
    > procedure. Several automated tools came back all clear. Within 15 minutes of
    > manual testing we found the web server to be vulnerable to both the UTF-8
    > and double decode vulnerabilities. The reason for this was simply that the
    > tools (which I will not name) presumed that Windows NT is always installed
    > in a directory called winnt, when in this case it was installed in a
    > directory called winnt40. This was enough to throw the automated tools way
    > off of the scent.
    
    That's what is so nice about Nessus. You can modify the scripts to pick up on
    things like this.
    
    > I think a more suitable question is why would you pay a 'Consultant' good
    > money to hit a big green go button and print the results?
    
    Because the consultant might have spent lots of time modifying the code behind
    the "big green go button". I'm not knocking manual testing. There's no way to
    eliminate the need for it. But some consultants have HUGE libraries of Nessus
    plugins written based on previous discoveries at other customers' sites.
    They don't necessarily disclose these to every Tom, Dick and Harry.
    Of course, discovering those vulnerabilities required manual testing...but that
    doesn't mean you re-invent the wheel next time around. Map the network, run an
    automated scanner (or several), rule out false positives manually, then spend
    the rest of your time poking around manually. If your automatic scanner pass
    leads to total compromise of every system (hypothetically speaking), you can
    save all that time spent poking around with netcat and just give yourself a
    shell (or cmd prompt) and turn the pen-test into an internal audit.
    
    The bottom line is...
    
    There will always be those who deplore the use of automated tools.
    They will always claim that anyone who does is a charlatan. They will
    always believe that anyone who is doing things differently than they are
    has got it all wrong. At the end of the day, a security consultant's job
    is to give the customer the most bang for the buck. You have to cover as
    much ground as possible in the time you are allowed. If the customer asks
    you to spend an hour on the whole network, you should assess the situation.
    If, after taking a look at things, you feel you need more time...ask. If 
    the customer says no, so be it. The customer is always right...remember.
    Do the best job you possibly can, and point out what you could have done if
    allotted more time. What do you think would happen if the local security
    company showed up and refused to install a burglar alarm unless the customer
    paid them to put up a 10 foot razor wire fence???
    
    -- 
    Jonathan Rickman
    X Corps Security
    http://www.xcorps.net
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:57:36 PDT