The need for a diverse toolkit and manual pen testing

Filed under Penetration Testing

Some good discussions were posted on the penetration testing mailing list today. The following is an email from an apparently novice penetration tester regarding the use of CORE IMPACT in a penetration test:

“Hello, I am new to pen testing and am currently involved in doing an external pen test for one of our clients. We are doing it through Core Impact. Reconnaissance showed only port 80 as open and the web server running IIS 6.0. Core Impact did not find any vulnerabilities in the server and hence was unable to penetrate. The web application was also tested for SQL Injection and PHP remote file inclusion and did not find any vulnerabilities there either.

My question is what else can we do besides relying on Core Impact for this pen test. And what impression can a client get if we say to them that there are no vulnerabilities in your network or web app. It’s difficult to digest something like that for a security specialist that everything’s alright.”

I know, I know…where do you possibly begin with this one right? 🙂

Some points to consider from this (as others on the list have pointed out). Never rely on one tool to conduct a penetration test. Sure, CORE IMPACT is an awesome tool and does provide a ton of value in a penetration test; however, CORE won’t tell you all the vulnerabilities on a network, nor will it give you a comprehensive overview of the security posture of an organization. You have to use a diverse toolkit. Your toolkit should include a mix of commercial, open source, and proprietary tools. Most proprietary tools come in the flavor of custom-built scripts that make a penetration tester’s job easier. Don’t forget that the biggest asset in your toolkit is your brain! Sometimes you don’t need any tools at all…think like a hacker, think of even the obscure ways to compromise a host. That is why there are penetration testing methodologies…each phase of a penetration test (from reconnaissance to exploitation) can reveal information to help you compromise a host/network/application and reveal vulnerabilities. Put your brain to work…it can be better than any tool out there.

CORE works extremely well to find “the easiest way” to get root or administrator access on a host. I did a few talks on automated penetration testing with CORE IMPACT and the Metasploit Framework over the last few months, and I always mention that you can’t fully automate a penetration test…there is a time and place for automated penetration testing, but you still need manual, detailed testing.

Finally, you should provide your clients and/or organization with a comprehensive report of all the possible ways you found to compromise the network (within the scope, of course). Yes, there are differences between a “vulnerability assessment” and a “penetration test”; however, even in a penetration test you still need to provide your client/organization with a report of all vulnerabilities found, rated by risk. Don’t forget about the human element as well. Client-side phishing (which CORE does a great job of), calling users via telephone posing as a help desk employee, or coming up with other social engineering scenarios can all assist with determining the current security posture and also get you access to hosts on the network.


  1. CG says:

    you mean passing your CEH/CPTS doesn't automatically make you ready to do pentests?

    the other key thing is "experience", which this person most obviously lacks. if running core is the best his shop can do, they need to find a different line of work

  2. Tyler says:

    Awesome. I agree 100%. I’ve dealt with many a "tester" who relies on one tool (nessus, metasploit, core, etc) and thinks it will do it all for them.

    The best training I ever took was one where we were given 10 different scenarios and had to use what we had and knew to break in. Not one of them used an exploit and required us to think. The best advice from that course, "The more you know the more you can hack."
