Some good discussions posted on the SecLists.org penetration testing mailing list today. The following is an email from a apparently novice penetration tester regarding the use of CORE IMPACT in a penetration test:
“Hello, I am new to pen testing and am currently involved in doing an external pen test for one of our clients.We are doing it through Core Impact.Reconnaisance showed only port 80 as open and the web server running IIS 6.0.Core Impact did not find any vulnerabilities in the server and hence was unable to penetrate.The web application was also tested for SQL Injection and PHP remote file inclusion and did not find any vulnerabilities there either.
My question is what else can we do besides relying on Core Impact for this pen test.And what impression can a client get if we say to them that there are no vulnerabilites in your network or web app.Its dificult to digest something like that for a security specialist that everythings alright. “
I know, I know…where do you possibly begin with this one right? 🙂
Some points to consider from this (as others on the list have pointed out). Never rely on one tool to conduct a penetration test. Sure, CORE IMPACT is an awesome tool and does provide a ton of value in a penetration test, however, CORE won’t tell you all the vulnerabilities on a network nor will it give you a comprehensive overview of the security posture of an organization. You have to use a diverse toolkit. Your toolkit should include a mix of commercial, open source, and proprietary tools. Most proprietary tools come in the flavor or custom built scripts to make a penetration testers job easier. Don’t forget that the biggest asset to your toolkit is your brain! Sometimes you don’t need any tools at all…think like a hacker, think of even the obscure ways to compromise a host. That is why there are penetration testing methodology’s…each phase of a penetration test (from reconnaissance to exploitation) can reveal information to help you compromise a host/network/application and reveal vulnerabilities. Put your brain to work…it can be better then any tool out there.
CORE works extremely well to find “the easiest way” to get root or administrator access on a host. I did a few talks on automated penetration testing with CORE IMPACT and the Metasploit Framework over the last few months and I always mention that you can’t fully automate a penetration test…there is a time and place for automated penetration testing but you still need manual, detailed testing.
Finally, you should provide your clients and/or organization with a comprehensive report of all the possible ways you found to compromise the network (within the scope of course). Yes, there are differences between a “vulnerability assessment” and a “penetration test”, however, you still need to provide your client/organization of a report of all vulnerabilities found rated by risk even in a penetration test. Don’t forget about the human element as well. Client side phishing (which CORE does a great job of), calling users via telephone posing as a help desk employee, or coming up with other social engineering scenarios all can assist with determining the current security posture and also to get you access hosts on the network.