Penetration Testing
mailing list archives
Re: nessus exceptions
From: Pete Herzog <pete () isecom org>
Date: Wed, 04 Aug 2004 16:37:37 +0200
Chris,
Is the problem nessus or are you wondering if they are just running an
automated scanner? I've actually seen this issue quite a bit where the
client wants confirmation of the thoroughness of the verification
process of test results. Running a scanner in and of itself is not a
bad thing but the results should be properly verified before they go
into the report.
If it's just about nessus, then look at the ports they list as open,
closed, and filtered as well as the services they assigned to them.
It's usually a dead giveaway if they list the default services for the
responding service ports without actually having investigated what is
really there. I have to laugh whenever I see "Blackjack" listed in the
service list and I wonder how they have the audacity to sell that
report. The other is the listing of ports as open, closed, and filtered
instead of giving you the real information of verified services,
responding ports, what the response was and from which IP, as well as
which did not respond at all, especially for UDP and ICMP types.
The safest thing you could do is run nessus yourself from the same
perspective and compare the reports. The next safest option you have is
to place a text file in the cgi-bin of your webserver with the name
of a "dangerous" cgi (no point in saying which one as your pen testers
may be reading this too), and the scanner will report it as a vulnerability without
having actually tried to verify it. Obviously there are some which are
better than others.
If you just want to know if the report you're receiving has value, I would
be happy to take a look at it for you. It's something we get asked to
do quite a bit these days. We can talk about that offline though.
Anyways, thanks for a great topic we can add to the OPSA certification
training and exam ;)
--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.
Chris Griffin wrote:
Hi list,
I'm trying to find some good holes, that aren't major security issues,
that I can create on a machine to see if our testing company really
uses anything other than nessus.
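Pete's check boils down to: does the report's service column reflect what actually answered on the port, or just the default name from /etc/services for that port number? The script below is an added example, not code from the thread or from ISECOM. It takes a constructed scanner report (port, protocol, scanner verdict, assigned service), probes each port, and flags entries where the assigned name is the default for that port but the banner says otherwise, entries reported open that give no response on verification, and UDP entries for which no response evidence exists. The `DEFAULT_NAMES` and `BANNER_HINTS` tables, the `fake_probe` banners and the `ReportEntry`/`Finding` names are all constructed for the example; only `tcp_banner_probe` touches the network, and it is not called during the offline run.

```python
"""Cross-check a scanner's port/service list against verified responses.

Added example (not part of the original mailing-list thread). Compares what
a scanner *assigned* to each port with what a probe actually observed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ReportEntry:
    port: int
    proto: str             # "tcp" or "udp"
    state: str             # scanner verdict: "open", "closed" or "filtered"
    assigned_service: str  # service name the scanner printed for the port


@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    issue: str


# Constructed subset of the default port->name table (/etc/services style).
# 1025/tcp really is registered as "blackjack", the name Pete refers to.
DEFAULT_NAMES = {
    (22, "tcp"): "ssh",
    (80, "tcp"): "http",
    (1025, "tcp"): "blackjack",
    (8080, "tcp"): "http-alt",
    (161, "udp"): "snmp",
}

# Constructed banner-prefix -> service hints used to identify what answered.
BANNER_HINTS = {"SSH-": "ssh", "HTTP/": "http", "220 ": "smtp", "RFB ": "vnc"}


def classify_banner(banner: str) -> Optional[str]:
    """Map an observed banner to a service name, or None if unrecognised."""
    for prefix, name in BANNER_HINTS.items():
        if prefix in banner:
            return name
    return None


def tcp_banner_probe(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Live probe against your own host: wait for a server banner, and if the
    service is client-speaks-first, send a bare HTTP HEAD to provoke a reply.
    Returns None when nothing could be connected to."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = s.recv(256)
            return data.decode("latin-1", "replace")
    except OSError:
        return None


def cross_check(report: List[ReportEntry],
                probe: Callable[[int, str], Optional[str]]) -> List[Finding]:
    """Return one Finding per report entry whose claim is not backed by what
    the probe observed. `probe(port, proto)` returns a banner or None."""
    findings: List[Finding] = []
    for e in report:
        observed = probe(e.port, e.proto)
        default = DEFAULT_NAMES.get((e.port, e.proto))
        if e.state != "open":
            if e.proto == "udp":
                # closed/filtered UDP needs an ICMP or payload response on record
                findings.append(Finding(e.port, e.proto,
                                        f"udp '{e.state}' with no response evidence recorded"))
            continue
        if observed is None:
            findings.append(Finding(e.port, e.proto,
                                    "reported open but no response on verification"))
            continue
        service = classify_banner(observed)
        if service is None:
            findings.append(Finding(e.port, e.proto,
                                    "open and responding, but service not verified from banner"))
        elif service != e.assigned_service:
            how = "default name copied" if e.assigned_service == default else "misidentified"
            findings.append(Finding(e.port, e.proto,
                                    f"assigned '{e.assigned_service}' ({how}), banner indicates '{service}'"))
    return findings


# Constructed sample report and constructed banners standing in for a live probe.
SAMPLE_REPORT = [
    ReportEntry(22, "tcp", "open", "ssh"),
    ReportEntry(80, "tcp", "open", "http"),
    ReportEntry(1025, "tcp", "open", "blackjack"),   # default name, never checked
    ReportEntry(8080, "tcp", "open", "http-alt"),    # claimed open, nothing answers
    ReportEntry(161, "udp", "filtered", "snmp"),     # verdict with no evidence
]
FAKE_BANNERS = {
    (22, "tcp"): "SSH-2.0-OpenSSH_3.8\r\n",
    (80, "tcp"): "HTTP/1.0 200 OK\r\n",
    (1025, "tcp"): "RFB 003.008\n",                  # a VNC server, not "blackjack"
}


def fake_probe(port: int, proto: str) -> Optional[str]:
    return FAKE_BANNERS.get((port, proto))


if __name__ == "__main__":
    for f in cross_check(SAMPLE_REPORT, fake_probe):
        print(f"{f.port}/{f.proto}: {f.issue}")
```

To run it against a real report of one of your own hosts, replace `fake_probe` with `lambda port, proto: tcp_banner_probe("your.host", port)` for TCP entries; UDP verification needs protocol-specific payloads and is left to the operator.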