|
Penetration Testing
mailing list archives
Re: Pen testing techniques
From: intel96 <intel96 () bellsouth net>
Date: Wed, 09 Apr 2008 19:41:47 -0400
Hi Atif,
While Core Impact is a great tool, it is only that a tool. For example,
Tool-vs-Human...not to long ago, I had to prove my professional salt to
a customer concerning a potential pentest project. My skills were
tested against a security tool vendor, which was using their tool as a
selling point. The security vendor lost, because their tool did not
find any vulnerabilities. The reason the tool lost was, because it
could not think like a human. Which is my main point!
Sometimes by stepping back and looking at the underlying site you may
find a vulnerability. For example, the tool vendor lost, because it
was not designed to identify or find vulnerabilities in SAP web-enabled
applications.
More non-tool examples:
Once, I found a major security issue by reviewing the source code on the
web site. Within the source code I found a username and password that
was left over by the development team.
Another time, I modified a web site's underlying source code to gain
access to multiple customer accounts.
Another time, I used Google to find customer usernames and passwords for
test site that linked into the production database.
I could continue this list, but why...my point is to take a step back
and look at the site(s) without any automated tools to see what may lay
underneath the covers.....
Sorry for the lecture, but I have had my share in the last few decades
too............
Good luck with the project!
Cheers,
Intel96
Atif Azim wrote:
Hello,
I am new to pen testing and am currently involved in doing an external
pen test for one of our clients.We are doing it through Core
Impact.Reconnaisance showed only port 80 as open and the web server
running IIS 6.0.Core Impact did not find any vulnerabilities in the
server and hence was unable to penetrate.The web application was also
tested for SQL Injection and PHP remote file inclusion and did not
find any vulnerabilities there either.
My question is what else can we do besides relying on Core Impact for
this pen test.And what impression can a client get if we say to them
that there are no vulnerabilites in your network or web app.Its
dificult to digest something like that for a security specialist that
everythings alright.
Looking forward to some great views.Thanks.
Regards,
Atif Azim
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Re: Pen testing techniques, (continued)
|
Intro
