From: Christine Kronberg (seeker@shalla.de)
Date: Sun Jul 29 2007 - 06:12:00 EDT
On Sun, 29 Jul 2007, Chroot wrote:
>
*snip*
>
> Let's take this scenario:
>
> 1. We run NMAP and find that target runs IIS6.0 (through banner
> grabbing and telnetting)
> 2. We run Nessus and find that it doesn't report any holes
> 3. We run WebInspect and manually test for SQL Injection, XSS and similar issues
>
> Let's assume a scenario where Nessus had an issue with some NASL
> script and it couldn't catch an issue in this IIS6.0 ...
>
> To counter such scenarios I can think of three cases:
> 1. Run Retina on the target and cross check results
> 2. Download all possible exploits for IIS6.0 and manually test them
> against target (of course I'll test them on my test network first)
Are you sure you understand what "all possible exploits" do?
The art of penetration testing is to select the proper exploit
for a target. Or to write an exploit if none is available.
I never rely on scanners. They only give me a hint where to hit
first, but from there anything else is done manually. Some
exploits need some afterwork to function - not so much because
of script kiddy protection but because the target system is
behaving differently to the one the exploit was originally
written for.
> 3. Install another version of Nessus may be 2.x or 3.x on a Windows
> system and cross check...
>
> My query with fellow testers is: is there a fourth option, and what is a
> preferred option from the 3 above and why?
Yes, of course there is a fourth option and it is to be preferred above
all others: Use your knowledge and your imagination to find a hole. Play
with the answer from the server. Never blindly use one exploit after the
other in the hope that one will work. Check the results and modify the
exploits depending on the answers of the server. Most exploits may be
useless, but not necessarily all.
With your options you are basically testing the scanners not the target
server. Your question boils down to "If scanner one does not give this
or that result will scanner two do?". I have to agree to Wood: this is
not penetration testing. It's vulnerability scanning.
Cheers,
Christine Kronberg.
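The thread's step 1 (banner grabbing) and Christine's advice to "play with the answer from the server" rather than trust a single tool can be shown in a few lines. The following is an added example for this archive page, not code from either poster: a manual HEAD-request banner grab plus a check that weighs the Server header against the other headers the server returns. The sample responses are constructed for offline use, not captured from any real host, and the secondary indicators it looks for (X-Powered-By: ASP.NET, X-AspNet-Version, Via / X-Cache as signs of a proxy) are assumptions about what typically accompanies an IIS 6.0 banner, chosen for illustration.

```python
import socket

# Constructed sample responses (not captured from any real host) for offline use.
SAMPLE_IIS6 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 1433\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Sun, 29 Jul 2007 10:12:00 GMT\r\n"
    b"\r\n"
)
SAMPLE_PROXIED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Via: 1.1 frontend-proxy\r\n"
    b"Date: Sun, 29 Jul 2007 10:12:00 GMT\r\n"
    b"\r\n"
)
SAMPLE_MASKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"\r\n"
)


def grab_banner(host, port=80, timeout=5.0):
    """Manual banner grab: send a HEAD request and return the raw header block.

    Only needed against a live target; the offline checks below take raw bytes.
    """
    request = ("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


def parse_response(raw):
    """Return (status_line, [(name, value), ...]) preserving header order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Weigh the Server banner against the other headers instead of trusting it."""
    status, headers = parse_response(raw)
    lower = {name.lower(): value for name, value in headers}
    server = lower.get("server", "")
    claims_iis6 = server.startswith("Microsoft-IIS/6.0")
    # Assumed secondary evidence that a Microsoft ASP.NET stack really answered.
    aspnet = ("asp.net" in lower.get("x-powered-by", "").lower()
              or "x-aspnet-version" in lower)
    # Assumed signs that something sits in front of the origin and may own the banner.
    proxied = "via" in lower or "x-cache" in lower
    notes = []
    if claims_iis6 and proxied:
        notes.append("banner says IIS 6.0 but a proxy/cache header is present; "
                     "the banner may belong to the proxy")
    if claims_iis6 and not aspnet:
        notes.append("banner says IIS 6.0 but no ASP.NET headers corroborate it")
    if not claims_iis6 and aspnet:
        notes.append("Server header does not say IIS 6.0 yet ASP.NET headers are "
                     "present; the banner may be rewritten")
    return {
        "status": status,
        "server": server,
        "claims_iis6": claims_iis6,
        "corroborated": claims_iis6 and aspnet and not proxied,
        "notes": notes,
    }


if __name__ == "__main__":
    for label, sample in (("iis6", SAMPLE_IIS6),
                          ("proxied", SAMPLE_PROXIED),
                          ("masked", SAMPLE_MASKED)):
        print(label, fingerprint(sample))
```

The point of the check is the one made in the reply: a scanner (or a banner) is a hint, and the notes list is where the manual work starts. A banner that is not corroborated, or that is contradicted by other headers, is a reason to probe the server further, not a reason to run a second scanner.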
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT