Penetration Testing mailing list archives

Re: Opinions of automated testers
From: "Lee Lawson" <leejlawson () gmail com>
Date: Tue, 8 May 2007 15:58:37 +0100

Quite agree.  We use WebInspect here, not that the reporting matters
for any of them as I write my own.  I don't like the Americanization
of the spelling for our UK clients.

But as Erin also pointed out, these are purely web application
scanners.  If you are performing a test of the entire attack surface
(the amount of systems/services/ports that are accessible to external
attackers) then you will also need to use infrastructure testing

The obvious choice for a starter would be Nessus.  It is freely
available from Tenable Security and works on a number of operating
systems.  Other choices would be Retina and GFI LANguard, but you will
have to pay for them!

I would not jump straight in with Core Impact (although it's a
fantastic tool if you can afford the cost) or Metasploit as they will
guide you toward actually exploiting a system to gain full control.  I
would not recommend that you do that until you have more experience
and can control the probable effects.

I would also have a look for free web application scanners to start
off with.  With web apps though, you really need to pay for a scanner
such as WebInspect, Cenzic or Watchfire as the free tools are no way
near as good!

You should also consider a methodology.  This is the framework that
all pen testers follow to assess the security of any system/network
etc.  There is no real global methodology, although the pentest
mindmap (www.vulnerabilityassessment.co.uk) has gone some way to
achieving that.  I am biased though as I helped write it!

I would say that you should:
1) Port scan your target systems.
      Use Nmap for this   -   nmap -sT -P0 -v -p 1-65535
   You should see some open, closed or filtered ports.  Filtered
simply means that no response was received, probably because of a

2) Vulnerability scan your target systems.
      Use Nessus for this.  I cannot go through how to install, set
up and use it here, but it's pretty intuitive for the Windows

3) Compare the results of the two to ensure that open/closed &
filtered ports match up.

4) Compile that information into some kind of report for you
management, reporting each discovered vulnerability in order of

5) Get yourself on a pen testing course as soon as possible as blindly
running these tools could cause unforeseen results such as crashing
servers etc.  I would never recommend that someone jumps in with this
subject without the most basic of training.

Good luck,

On 5/8/07, Dotzero <dotzero () gmail com> wrote:
On 8 May 2007 03:58:22 -0000, zackpeters75 () yahoo com
<zackpeters75 () yahoo com> wrote:
> Hi,
> My manager gave me our pen testing project and I'm still coming up to speed so forgive me if this question is not
> 100% list appropriate.
> From what I can tell the top 3 automated pen testing programs are from SPI Dynamics, Cenzic and Watchfire. I haven't
> evaled any of them quite yet but they each seem to have their advantages and disadvantages. Cenzic is claiming to be the most
> accurate at least according to their 20/20 marketing program http://www.cenzic.com/forms/ec.php?pubid=10076 but I'm wondering
> what people have actually seen.

Erin gave an excellent response to you.... read carefully. Not too
long ago I did an in-depth evaluation of all 3 products. I had looked
at them in the past and we were finally in a position to make a
purchase decision. Each of the products has strengths and weaknesses.
They all do a pretty good job and from day to day one will be ahead of
the others and then a different one.

Most of the differences show up in the bells and whistles, report
presentation, etc. For me it almost comes down to flavors of ice
cream. I prefer vanilla but you may prefer chocolate. We ultimately
chose WebInspect (SpiDynamics) but it was a close decision all the way

One important caveat is that these are tools and if the person using
the tool doesn't understand how to use the tool properly then their
mileage may vary.

This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."
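Step 3 of Lee's procedure, cross-checking the Nmap port scan against the Nessus results, as an added example that is not code from any post in this thread. It assumes Nmap's grepable (-oG) output and a Nessus CSV export with Host, Protocol and Port columns; both inputs are constructed samples embedded inline.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed nmap -oG output (tab-separated fields); not a real scan.
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///\tIgnored State: closed (65532)\n"
    "Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 3306/open/tcp//mysql///"
    "\tIgnored State: closed (65533)\n"
)
# Constructed Nessus CSV export; assumes Host, Protocol and Port columns.
NESSUS_CSV = (
    "Host,Protocol,Port,Name\n"
    "192.0.2.10,tcp,22,SSH service detected\n"
    "192.0.2.10,tcp,80,HTTP service detected\n"
    "192.0.2.10,tcp,443,HTTPS service detected\n"
    "192.0.2.11,tcp,25,SMTP service detected\n"
    "192.0.2.11,tcp,0,Host information\n"
)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port/state/protocol/

def parse_nmap_grepable(text):
    """Return {host: {(proto, port): state}} from nmap -oG output."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if m:
            for port, state, proto in PORT_RE.findall(m.group(2)):
                results[m.group(1)][(proto, int(port))] = state
    return dict(results)

def parse_nessus_csv(text):
    """Return {host: {(proto, port)}}; port 0 rows are host-level, so skipped."""
    results = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["Port"]):
            results[row["Host"]].add((row["Protocol"].lower(), int(row["Port"])))
    return dict(results)

def compare(nmap_results, nessus_results):
    """Per host: ports Nessus saw that Nmap did not report open (e.g. filtered),
    and open ports Nmap found that Nessus has no finding for."""
    report = {}
    for host in sorted(set(nmap_results) | set(nessus_results)):
        nmap_open = {p for p, s in nmap_results.get(host, {}).items() if s == "open"}
        nessus = nessus_results.get(host, set())
        diff = {"nessus_only": sorted(nessus - nmap_open),
                "nmap_only": sorted(nmap_open - nessus)}
        if diff["nessus_only"] or diff["nmap_only"]:
            report[host] = diff
    return report
```

Every host that appears in the returned report needs a manual look: a port Nmap saw as filtered but Nessus scanned is the "no response received" case Lee describes, and an open port with no Nessus finding means the vulnerability scan did not cover it.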
