
Thread: Pentesting

  1. #11
    Very good friend of the forum killadaninja
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Re: Pentesting

    No one ever seems to mention W3AF, which in my opinion is an excellent and somewhat configurable front-end web vuln scanner.
    To answer the OP's question, "In a real world pentest, how many of you prefer to use vulnerability scanners", I would have to say 99% of the people 99% of the time. Securityxxxpert, you mention pentest. Now, even if you read a banner, throw the corresponding exploit at it, and pwn a box inside of 60 seconds, there could still be another 10 underlying problems on the front end of the "website"/etc/etc. I am sure maybe back in the past you could do a "web" security audit manually, but these days, with new platforms, apps, programs, etc. being created, deployed and implemented like there's no tomorrow, pentesting (the front end of a website, for example) manually AND ACCURATELY WITHOUT MISSING A THING, if possible at all, would be a waste of time.
    Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.

  2. #12
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Re: AW: Pentesting

    Quote: Originally Posted by Thorn
    There are a stupendous number of skriddies who come in to these forums and seem to think that "pen test" equals "unauthorized attack", and that they must be quiet to avoid getting caught, and MartinBishop's post seems to reflect that all too common attitude. If I took the post out of context, I apologize. My point to him was that a legitimate tester doesn't usually need to be stealthy unless they're also testing the admins' ability.
    That's the way I took it too. In my mind there is a subtle difference between issues of "noise", which is connected with being detected, and issues of malformed traffic and traffic volume, which are more likely to be the cause of fragile servers going down.

    I'll admit though that the distinction is minor and that ahjohnston25 made a good point.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #13
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Re: AW: Pentesting

    Quote: Originally Posted by Thorn
    Noise is only a problem if you're running a "black ops" test against both the actual network as well as the security abilities of the admins.
    I think you hit on a very important note right there, that some may easily glance over. The ability of the admin(s) running things.
    If they don't understand what is in their logs then all the noise in the world is not going to matter. 1 exploitable service or a hundred is not going to make a whole lot of difference if they don't know what's coming at them, and how to mitigate it.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  4. #14
    Senior Member
    Join Date
    Feb 2010
    Posts
    146

    Re: AW: Pentesting

    Definitely use both for effectiveness and accuracy; doing a pentest/vuln ass. manually would inflate the LOE/SOW hourly to astronomical proportions. Also, Archangel makes a great point: assuming you have client xyz that has some sort of monitoring staff and/or SIM in place, it's better for them to see the traffic and escalate it so you know they are doing their job and understand the difference between "good" and "bad" traffic.
    open source = open minds, human knowledge belongs to the world
