Comments on: Automated Penetration Testing with the Metasploit Framework http://www.spylogic.net/2008/03/automated-penetration-testing-with-the-metasploit-framework/ Sun, 18 Sep 2011 21:48:21 +0000 hourly 1 By: Tom http://www.spylogic.net/2008/03/automated-penetration-testing-with-the-metasploit-framework/comment-page-1/#comment-22 Tom Fri, 21 Mar 2008 14:27:46 +0000 #comment-22 CG, thanks for the comments. Totally agree with you that running any automated tool like Core and autopwn can lead to irresponsibility by a pen tester. I have used autopwn only on a limited number of hosts and only to verify that these hosts could be exploited...mostly to supplement the manual testing that was also being done. Unfortunately we are sometimes limited with the time (and staff) we have to verify hosts that can be exploited. Tools like Core and autopwn can assist with this. I always mention in my talks that automated testing should never replace manual, detailed testing....use these tools sparingly to supplement your toolkit! :) CG, thanks for the comments. Totally agree with you that running any automated tool like Core and autopwn can lead to irresponsibility by a pen tester. I have used autopwn only on a limited number of hosts and only to verify that these hosts could be exploited…mostly to supplement the manual testing that was also being done. Unfortunately we are sometimes limited with the time (and staff) we have to verify hosts that can be exploited. Tools like Core and autopwn can assist with this. I always mention in my talks that automated testing should never replace manual, detailed testing….use these tools sparingly to supplement your toolkit! :)

]]> By: CG http://www.spylogic.net/2008/03/automated-penetration-testing-with-the-metasploit-framework/comment-page-1/#comment-21 CG Fri, 21 Mar 2008 14:03:24 +0000 #comment-21 I have the same comment about db_autopwn that i did about Core RPT. limited usefulness IMO, especially on a pentest. <br /> <br /> running that also lends a bit towards irresponsibility as well. if a tester doesnt have the skill to scan, enumerate, and pick exploits in a methodological manner, that "should" work based on version identification then i'm not sure i'd want them on a team with me.<br /> <br /> not to say that it isnt "neat" that tools can do that.<br /> <br /> pulled down the slides, looks like you are talking about good things in that local security group I have the same comment about db_autopwn that i did about Core RPT. limited usefulness IMO, especially on a pentest.

running that also lends a bit towards irresponsibility as well. if a tester doesnt have the skill to scan, enumerate, and pick exploits in a methodological manner, that "should" work based on version identification then i’m not sure i’d want them on a team with me.

not to say that it isnt "neat" that tools can do that.

pulled down the slides, looks like you are talking about good things in that local security group

]]> By: Tom http://www.spylogic.net/2008/03/automated-penetration-testing-with-the-metasploit-framework/comment-page-1/#comment-20 Tom Fri, 21 Mar 2008 09:25:55 +0000 #comment-20 Sorry about that. Please try downloading the file again. Sorry about that. Please try downloading the file again.

]]> By: Anthony Williams http://www.spylogic.net/2008/03/automated-penetration-testing-with-the-metasploit-framework/comment-page-1/#comment-19 Anthony Williams Fri, 21 Mar 2008 04:55:34 +0000 #comment-19 Tom,<br /> <br /> Nice post! I have attempted to download the .PDF of your presentation and keep getting "file damaged and can't be repaired errors". I seem to be able to open up other .PDF files just fine. Can you please verify your file?<br /> <br /> Thanks!<br /> <br /> -AW Tom,

Nice post! I have attempted to download the .PDF of your presentation and keep getting "file damaged and can’t be repaired errors". I seem to be able to open up other .PDF files just fine. Can you please verify your file?

Thanks!

-AW

]]>