Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Network Exploitation Tools aka Exploitation Engines
From: "Clarke, Tyronne (Contractor)" <Tyronne.Clarke.ctr () dcma mil>
Date: Fri, 3 Sep 2004 14:57:16 -0400

Based upon experienced findings during live testing, which product provides you with most clarity of comprehensive 
information( CANVAS or CORE Impact? ). You mentioned CANVAS allows you to look under the hood and analyze the exploits 
but what about CORE Impact. 

-----Original Message-----
From: Erik Birkholz [mailto:erik () foundstone com]
Sent: Wednesday, August 18, 2004 7:40 AM
To: Andy Cuff; pen-test () securityfocus com;
dailydave () lists immunitysec com
Cc: erik () specialopssecurity com; focus-ms () securityfocus com
Subject: RE: Network Exploitation Tools aka Exploitation Engines


QUICK NOTE: Andy, I want to thank you for the continued hard work you
have put into your well-researched and valuable product, tool and
service classification portal. Thank you. Please keep it up and let me
know if there is anything I can do to help out in the future.

*OK, back to the (long) post:

I think Exploitation Engine (or Exploit Engine) is an appropriate
classification or category.

*Now for a reasonably short rant:

-disclaimer: I haven't used metasploit or CORE so i can make no
assumptions about dev quality, QA and support they offer.

After extensive usage and testing of CANVAS, I can't help but see the
value these Exploitation Engines provide to the average IT/Security
Administrator, Engineer, Penetration Tester or Auditor. Not to mention
my theory that they would be invaluable to a recent CS grad or
experienced programmer looking to get into the vulnerability research
and exploitation field. Some of these tools are written in Python
(CANVAS is for sure), allowing the user to look at the source and learn
from some of the very best out there in vulnerability research and
exploitation.

When pitching this purchase (ROI, TCO) to your Management, I would take
a path similar to this, "Immunity's CANVAS is an exploit engine that can
be used to verify the implementation and effectiveness of patches pre or
post solution purchase." You can also use your trusted exploits to
verify the findings of your VA scanner(s).

I have recommended this tool many times to my customers and speech
attendees. It solves the very real problem of vulnerability verification
for customers who have neither the time and/or desire to achieve the
Black Belt level of exploit creation. This need inevitably forces them
to head to underground hacker sites to get untested and untrusted
exploits written by coders without accountability for their exploits
"true intention". Metasploit (i assume) and CANVAS (i know) offer
accountability by standing behind each exploit. 

Why would I recommend to my low-medium skill set IT/Security customers
that they pull down "dirty" and "wild" sploits off the net? By running
this code (probably on their desktops), they are at great risk of
getting more than they bargained for. It is probable this increased risk
out weighs the initial goal of achieving vulnerability validation to
convince an antagonistic business unit owner to patch or upgrade that
vulnerable internet facing legacy server. 

Ok, if you are saying, "these morons should test these exploits in a lab
environment first," then you are missing the point. Not everyone has the
interest, time, extra computer resources or knowledge of what they are
even looking for to know how to validate these dirty exploits. The
answer is that I never would recommend this when low cost (CANVAS) and
free (MetaSploit) Exploitation Engines allow vulnerability verification
without fear of running "assembly code from hell" or an evil hidden
rootkit.  The good news is that Dave Aitel and HD Moore have attached
their names and corporations to the quality of these products. If/When
something goes wrong, they will be there to help. Why? Because that is
how good people run good businesses.

        -Erik Pace Birkholz, CISSP
                www.SpecialOpsSecurity.com (erik () specialopssecurity com)
                www.Foundstone.com (erik () foundstone com)
                323-252-5916 cell







-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com] 
Sent: Monday, August 16, 2004 12:44 PM
To: pen-test () securityfocus com
Subject: Network Exploitation Tools


Hi,
I have just introduced another category on the site covering the various
exploitation tools out there.  To my knowledge there are only 3.
CANVAS, CORE IMPACT and Metasploit.  Firstly, have I captured them all
or are there some other products of this nature lurking about?
http://www.securitywizardry.com/exploit.htm
Secondly, what do we call them, or is Network Exploitation Tools the
appropriate name?

cheers for any time you can give
-andy cuff
PS there are loads of other pages with out of date info, I am currently
working my way through them

Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com


-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com] 
Sent: Monday, August 16, 2004 12:44 PM
To: pen-test () securityfocus com
Subject: Network Exploitation Tools


Hi,
I have just introduced another category on the site covering the various
exploitation tools out there.  To my knowledge there are only 3.
CANVAS, CORE IMPACT and Metasploit.  Firstly, have I captured them all
or are there some other products of this nature lurking about?
http://www.securitywizardry.com/exploit.htm
Secondly, what do we call them, or is Network Exploitation Tools the
appropriate name?

cheers for any time you can give
-andy cuff
PS there are loads of other pages with out of date info, I am currently
working my way through them

Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault