Comments on: Automated Penetration Testing with CORE IMPACT http://www.spylogic.net/2008/02/automated-penetration-testing-with-core-impact/ Sun, 18 Sep 2011 21:48:21 +0000 hourly 1 By: agent0x0 http://www.spylogic.net/2008/02/automated-penetration-testing-with-core-impact/comment-page-1/#comment-13 agent0x0 Mon, 25 Feb 2008 23:26:24 +0000 #comment-13 Good call on SAINT. I always thought that SAINT was just a vulnerability scanner like Nessus but I do see that they have a penetration testing tool called "SAINTexploit" integrated in the product. I would be interested in hearing how this product differs from CORE or Canvas.<br /> <br /> You are right, CORE doesn't do well with patched and hardened hosts. However, I have found that the client side exploits are really the best part of the product. Just having the ability to email "fake" phishing emails or SPAM to users and exploit the local system pays for itself. Sure, you can do this on your own without CORE but having everything integrated into a single product speeds things up. I have successfully used CORE to test the "human element" and it does this very well. Good call on SAINT. I always thought that SAINT was just a vulnerability scanner like Nessus but I do see that they have a penetration testing tool called "SAINTexploit" integrated in the product. I would be interested in hearing how this product differs from CORE or Canvas.

You are right, CORE doesn’t do well with patched and hardened hosts. However, I have found that the client side exploits are really the best part of the product. Just having the ability to email "fake" phishing emails or SPAM to users and exploit the local system pays for itself. Sure, you can do this on your own without CORE but having everything integrated into a single product speeds things up. I have successfully used CORE to test the "human element" and it does this very well.

]]> By: CG http://www.spylogic.net/2008/02/automated-penetration-testing-with-core-impact/comment-page-1/#comment-12 CG Mon, 25 Feb 2008 22:56:52 +0000 #comment-12 you forgot about SAINT.<br /> <br /> I personally have had little luck on "real" networks using Core, Canvas or SAINT. By real i mean networks that aren't vuln to DCOM and are actually patching and hardening. not saying anything bad about any of the products, just something to keep in mind when its time to put those tools to test in a real environment. If you have had success i'd be interested to hear/read about it.<br /> <br /> -CG you forgot about SAINT.

I personally have had little luck on "real" networks using Core, Canvas or SAINT. By real i mean networks that aren’t vuln to DCOM and are actually patching and hardening. not saying anything bad about any of the products, just something to keep in mind when its time to put those tools to test in a real environment. If you have had success i’d be interested to hear/read about it.

-CG

]]>