>On Tue, Jul 08, 2003 at 11:38:58PM -0700, Kurt Seifried wrote:
>> typically are just banner harvesting tools (i.e. Nessus) and not actually
>> "exploit the service, and run shell code on the remote end".
>
>I won't reply to the list, but this is a gross mis-statement.
>
>-- Renaud

I have to agree and I apologize, it was late and I couldn't think of another example quickly. The basic issue however remains that the majority of pen testing tools do not actually break into the server, they typically harvest a banner ("Sendmail 8.foo, you got bugs!") which can cause them to spew if you're like me and have Bind report binary junk data to version requests (which causes a lot of pen testing tools to choke) or they execute part of the attack (i.e. cause an error message, whatever).

Nessus does have the denial of service tests, however last I checked none of the tests will actually give you a remote shell (although they could be modified to do so but then you're back to basically writing all your exploits from scratch). The ability for Core IMPACT to actually break into something is a critical distinction; once I break into a DMZ system or a firewall, for example, you can typically rampage through the network, or exploit trust relationships, not something most pen testing tools allow.

I think the problem is most of us tend to lump "security scanners" in with "pen testing tools" when they are in fact apples and oranges.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 15:16:23 PDT