Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] ISS not detecting unicode bug??
From: batz <batsy () VAPOUR NET>
Date: Fri, 17 Nov 2000 07:12:10 -0500

On Thu, 16 Nov 2000, Alfred Huger wrote:

:The SNI/Ballista position was that checks should be more than a banner
:grab and should actually (to a degree) exploit the problem to bring back
:'proof positive'.

Indeed. From the perspective of using anautomated scanner, the banner
grab (if it is available from the service) is vulnerable to false
positives. However, if an exploit fails, which is quite common on the
first try, especially with overflows and race conditions you run the
risk of a false negative.

False positives can be verified manually, false negatives are a serious

I would say that the best thing a scanner can do is advise the operator
of the possibility of a vulnerability, and suggest actions further action.
Whisker does this nicely, as does Nessus.

IMHO, the most valuble product on the scanning market will be the one that
is kept relatively current,
has an interactive process where manual intervention and verification
can be intergrated into an open, machine parsable reporting format,
built in XML or something,
and that doesn't require a custom/proprietary viewer.

In the hands of a good intrusion team, something that doesn't have
up to the minute exploits doesn't matter. It's whether the data
and analysis from the intrusion team can be integrated into the
report, and the data can be organized _any_ way the team needs it.

The team can use their own clue to deal with 0-day problems and methods,
it's just that they have to be able to document it.

This does not mean 35 choices in how to order or generate the report.
It means extracting data from the report and being able to parse it
into SQL, XML, hell even awk would be nice, and repackage it as a

Nessus is alot like this. Unfortunately, even though nessus is probably
the best tool out there for many tasks, many companies believe they only get
what they pay for.

I'm going to stop here before I start ranting about Godel, espistemology,
and determinism, lest I sound completely insane. ;)

Reluctant Ninja
Defective Technologies

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]