Re: [Full-Disclosure] Penetration Testing or Vulnerability Scanning?

From: hellNbak (hellnbakat_private)
Date: Sun Mar 02 2003 - 21:21:24 PST

Next message: H D Moore: "Re: Finding real host in Nmap -D Scans"

Previous message: Ryan: "Finding real host in Nmap -D Scans"
In reply to: Rizwan Ali Khan: "[Full-Disclosure] Penetration Testing or Vulnerability Scanning?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Typical methodologies include the footprinting process which is basically
gathering information on the target hosts be that a Nmap scan or simple
information gathering from ARIN records.  Then a vuln scan is usually done
using Nessus or whatever.  From this step is where you seperate the real
"pen-testers" vs. the script kiddies in suits.  Some will take their
scanner reports slap their logo on it and call it a day while others will
have the abilities to use exploits be that borrowed from other sources or
created in house.  I guess it depends on what the customer wants and the
skill level of the team doing the work is............ but don't get me
started...........

On Sun, 2 Mar 2003, Rizwan Ali Khan wrote:

> Date: Sun, 2 Mar 2003 01:08:26 -0800 (PST)
> From: Rizwan Ali Khan <rizwanalikhan74at_private>
> To: pen-testat_private
> Cc: full-disclosureat_private
> Subject: [Full-Disclosure] Penetration Testing or Vulnerability Scanning?
>
>
> When usually we talk about penetration testing tools, people mosly refer to Vulnerability Scanners like iss, typhon, nessus, cybercop etc.
>
> However penetration testing tools are those who penetrate as well, the above scanners do not do that.
>
> One needs to have a working version of SSH exploit for the SSH vulnerability detected by the vulnerability scanner, so is it necessary for penetration tester to have access to the latest of underground exploit? or could all this be done in an ethical manner too?
>
> please guide I am so confused between two of these methodologies.
>
>
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Tax Center - forms, calculators, tips, and more

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbakat_private
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: H D Moore: "Re: Finding real host in Nmap -D Scans"
Previous message: Ryan: "Finding real host in Nmap -D Scans"
In reply to: Rizwan Ali Khan: "[Full-Disclosure] Penetration Testing or Vulnerability Scanning?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Mar 02 2003 - 21:29:46 PST