Security Basics mailing list archives

Re: Penetration Testing Software
From: AK <platsakos () gmail com>
Date: Fri, 23 Sep 2011 02:27:40 +0300

Hi all,

I am not convinced. What you describe can *at best* be described as
tools. See, without wanting to re-heat the age-old argument, penetration
testing is a complicated process, well defined in scope, requiring an
exact methodology, and exploitation (in which the tools you described can
play a part) is only a part of it. How about client-side attacks, social
engineering and data exfiltration? If you do anything less, you are
doing VA, with result verification, which, while it has its own merits,
is not pen-testing.

Regarding reporting, while VA reporting might be easier, I do not think
that pen-testing reporting can be fully automated; the pen-testing team's
judgement indeed does play a significant role in this one. It goes
without saying that if a "pen-testing" technical process consists of a
number of point and click, verify and then off to the PDF writer with
the customized company logo, this ain't a pen-test.

On 09/21/2011 08:40 PM, Eggleston, Mark wrote:
Yes, there is indeed such a thing as penetration testing software. If
this is specifically what you are looking for you'll quickly find there
is much less pen testing software out there vs. vulnerability
assessment software. In addition to what is already listed as pen test
tools (Core Impact, w3f, Nexpose/Metasploit) you may also be interested
in evaluating Saint.

Depending upon the target of your pen testing (network versus web apps)
you may find more tools to specifically pen test web apps. For example,
Nikto, or I'm becoming a big fan of Qualys web app testing as they have a
nice module within Qualys Guard that will run the SQL injection, XSS and
other exploits.

My hope is that leading vendors will continue to evolve their products
such that vulnerability assessment and pen testing modules are packaged
together which will in turn generate concise and valuable reports.

Hope this helps.

Mark Eggleston, CISSP, GSEC, CHPS
Manager, Security and Business Continuity 




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of AK
Sent: Wednesday, September 21, 2011 12:34 PM
To: Dimitrios Hilton
Cc: security-basics () securityfocus com
Subject: Re: Penetration Testing Software

Hi all,
is there such a thing as "penetration testing software"? I understand
tools and other software products that might be used by pen-testers, but
I believe that the term you are looking for is "vulnerability assessment
software".

On 09/21/2011 06:45 PM, Dimitrios Hilton wrote:
Does anyone have a recommendation for a low cost Penetration Testing
Software that can produce nice client reports?

Dimitrios Hilton
President & Senior Consultant
The IT Guy, Ltd.
413 Wacouta Street, Suite 350
St. Paul, MN 55101
(Cell) 651-226-6112
(Dispatch)  651-298-0037
(FAX) 651-917-9239
dhilton () theitguy us
www.theitguy.us
 
 
 




--
What is the air-speed velocity of an unladen swallow? 





-- 
What is the air-speed velocity of an unladen swallow? 

