I go both ways on this, chrisj.

I like scripts and open source tools, as I tend to have a bit more say in exactly what they do, and I LIKE to be able to do some custom scripting, etc.  However...

The closed source (for pay) tools often have advantages in that they keep a closer track on the latest vulerabilities, etc, whereas the free tools often have a short (or long) delay in release of the latest ones.  Additionally, the right paid tools will save you a lot of time on some tests, where they have so many tools integrated into one utility and can run them all simultaneously, or in order of need, saving the pentester time and energy that he can then focus on other things.  (Such as finding what data, etc, is available to him / her after a successful exploit has been run.)  They also tend to have built in, pre-canned reporting of all of their findings, helping to 'clean up' and polish the end reports to customers.

So there are obvious advantages and disadvantages of both types, and I personally use either / both for any given test scenario, just depending on time available, needs / wants, and depth of reporting / testing required versus time alotted.

HTH, and makes sense.  (clear as mud?)  

I agree with hayabusa - both types have advantages and disadvantages. Personally it doesn't matter for me if it is a freeware or commercial program, as long as it does what I want in a good way. If the money budget doesn't matter, and there is a commercial tool which can do something better than a freeware tool, why not use it? Time is money.

In my experience it depends on the type of tool and service.  If you are looking for a vulnerability scanner, you can get the most up to date vulnerability signatures from a commercial vendor.  Or wait a month and get the open source version.  Same thing with IDS, antivirus, etc.

A lot of time I choose open source just because of my budget (free).

Yeah... One of my reasons for reading the books, is to gain new skills. I'm doing it on my own time, but I don't have the money to go out and buy all the tools he's talking about being the really great ones in the book.

(soapbox)Just to make a distinction, open source runs on Windows too.  I prefer to use a majority of open source tools under Windows in my personal use.  Even though I have plenty of extended licenses through school and work.  (Firefox for browsing, ClamWin for Anti-virus, OpenOffice for productivity, 7zip for compression, Notepad++ for basix text editing, PuTTy for connectivity)(/soapbox)


I've never heard of that relating to XP SP2 or Server.  I could not even think of something that Microsoft could have removed.  As long as you have admin rights on either version, they are usable platforms.


I've used a variety of platforms in my lab, server, XP, 98 (yes, really!).  Hacking to and fro.  I've also used Linux.  Just depends on what my needs are.  I'm sure someone has a completely different experience.

I think that he may be referring to some of the TCP/IP connection throttling that MS likes to do and Fyodor keeps fighting.   I think that most security software vendors have overcome these limitations.   

Whatever shortcomings you may find in XP, I don't think it's worth the licensing costs to go server.  Then you also may run into driver issues on laptops and netbooks.   

Those are just my two cents.