Open and Closed Source tools for pen testing

Viewing 12 reply threads
  • Author
    Posts
    • #4646
      rattis
      Participant

      While reading Hacking for Dummies (both 2nd and 3rd editions), I’ve noticed that Kevin Beaver (the author) tends to have a commercial tool bias. Going so far as to implying on page 56 that most of the good tools require buying.

      I’m wondering what peoples experiences are here. Do they agree that the best tools are the commercial ones?

      The closest I found on this topic was a thread from 2006, called Linux Vs Windows.

    • #28872
      hayabusa
      Participant

      I go both ways on this, chrisj.

      I like scripts and open source tools, as I tend to have a bit more say in exactly what they do, and I LIKE to be able to do some custom scripting, etc.  However…

      The closed source (for pay) tools often have advantages in that they keep a closer track on the latest vulerabilities, etc, whereas the free tools often have a short (or long) delay in release of the latest ones.  Additionally, the right paid tools will save you a lot of time on some tests, where they have so many tools integrated into one utility and can run them all simultaneously, or in order of need, saving the pentester time and energy that he can then focus on other things.  (Such as finding what data, etc, is available to him / her after a successful exploit has been run.)  They also tend to have built in, pre-canned reporting of all of their findings, helping to ‘clean up’ and polish the end reports to customers.

      So there are obvious advantages and disadvantages of both types, and I personally use either / both for any given test scenario, just depending on time available, needs / wants, and depth of reporting / testing required versus time alotted.

      HTH, and makes sense.  (clear as mud?)   🙂

    • #28873
      rattis
      Participant

      hayabusa,

      Actually that does help some. Hope to get a larger sampling still, of other people’s views.

      While I’m an open source advocate in general, I also believe in using the best tool for the job.

      My testing has been limited (still learning) and usually I’m just looking for boxes on the network I maintain that are not supposed to be there, services that shouldn’t be on, and the like. The tools I use most are nmap, look@lan, and Backtrack, but BT is mostly for learning purposes.

    • #28874
      UNIX
      Participant

      I agree with hayabusa – both types have advantages and disadvantages. Personally it doesn’t matter for me if it is a freeware or commercial program, as long as it does what I want in a good way. If the money budget doesn’t matter, and there is a commercial tool which can do something better than a freeware tool, why not use it? Time is money.

    • #28875
      dtoliaferro
      Participant

      I’m no professional, but in my own network lab adventures I tend to use open source tools.

    • #28876
      unsupported
      Participant

      In my experience it depends on the type of tool and service.  If you are looking for a vulnerability scanner, you can get the most up to date vulnerability signatures from a commercial vendor.  Or wait a month and get the open source version.  Same thing with IDS, antivirus, etc.

      A lot of time I choose open source just because of my budget (free). 🙂

    • #28877
      hayabusa
      Participant

      @unsupported wrote:

      A lot of time I choose open source just because of my budget (free). 🙂

      amen…

      I think for a lot of us, that’s the case, unless we really have a big contracted job coming up, etc.  But I generally use free tools where I can, again, if time and opportunity allow.

    • #28878
      rattis
      Participant

      @unsupported wrote:

      A lot of time I choose open source just because of my budget (free). 🙂

      Yeah… One of my reasons for reading the books, is to gain new skills. I’m doing it on my own time, but I don’t have the money to go out and buy all the tools he’s talking about being the really great ones in the book.

    • #28879
      dtoliaferro
      Participant

      I have a question for the closed source/Windows guys.

      I’ve read that it’s not good to use XP as a hacking platform because Microsoft took out some of the networking features in Service Pack 2. Additionally I read on a forum some where that it’s best to use a server, like Server 2003, for hacking from Windows.

      Which version of Windows do you guys find works best in your ethical hacking practice?

    • #28880
      unsupported
      Participant

      @dtoliaferro wrote:

      I have a question for the closed source/Windows guys.

      (soapbox)Just to make a distinction, open source runs on Windows too.  I prefer to use a majority of open source tools under Windows in my personal use.  Even though I have plenty of extended licenses through school and work.  (Firefox for browsing, ClamWin for Anti-virus, OpenOffice for productivity, 7zip for compression, Notepad++ for basix text editing, PuTTy for connectivity)(/soapbox)

      I’ve read that it’s not good to use XP as a hacking platform because Microsoft took out some of the networking features in Service Pack 2. Additionally I read on a forum some where that it’s best to use a server, like Server 2003, for hacking from Windows.

      I’ve never heard of that relating to XP SP2 or Server.  I could not even think of something that Microsoft could have removed.  As long as you have admin rights on either version, they are usable platforms.

      Which version of Windows do you guys find works best in your ethical hacking practice?

      I’ve used a variety of platforms in my lab, server, XP, 98 (yes, really!).  Hacking to and fro.  I’ve also used Linux.  Just depends on what my needs are.  I’m sure someone has a completely different experience.

    • #28881
      dtoliaferro
      Participant

      ^ Sorry, by closed source/Windows I meant the OS only. I should have worded that better.

      Thanks for replying, your insight was helpful.

    • #28882
      Ketchup
      Participant

      I’ve read that it’s not good to use XP as a hacking platform because Microsoft took out some of the networking features in Service Pack 2. Additionally I read on a forum some where that it’s best to use a server, like Server 2003, for hacking from Windows.

      I think that he may be referring to some of the TCP/IP connection throttling that MS likes to do and Fyodor keeps fighting.  I think that most security software vendors have overcome these limitations. 

      Whatever shortcomings you may find in XP, I don’t think it’s worth the licensing costs to go server.  Then you also may run into driver issues on laptops and netbooks. 

      Those are just my two cents.

    • #28883
      dtoliaferro
      Participant

      How would Windows XP fair against Windows 7 for penetration testing?

Viewing 12 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?