.

Open and Closed Source tools for pen testing

<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Feb 09, 2010 1:40 pm

Open and Closed Source tools for pen testing

While reading Hacking for Dummies (both 2nd and 3rd editions), I've noticed that Kevin Beaver (the author) tends to have a commercial tool bias. Going so far as to implying on page 56 that most of the good tools require buying.

I'm wondering what peoples experiences are here. Do they agree that the best tools are the commercial ones?

The closest I found on this topic was a thread from 2006, called Linux Vs Windows.
OSWP, Sec+
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Feb 09, 2010 1:46 pm

Re: Open and Closed Source tools for pen testing

I go both ways on this, chrisj.

I like scripts and open source tools, as I tend to have a bit more say in exactly what they do, and I LIKE to be able to do some custom scripting, etc.  However...

The closed source (for pay) tools often have advantages in that they keep a closer track on the latest vulerabilities, etc, whereas the free tools often have a short (or long) delay in release of the latest ones.  Additionally, the right paid tools will save you a lot of time on some tests, where they have so many tools integrated into one utility and can run them all simultaneously, or in order of need, saving the pentester time and energy that he can then focus on other things.  (Such as finding what data, etc, is available to him / her after a successful exploit has been run.)  They also tend to have built in, pre-canned reporting of all of their findings, helping to 'clean up' and polish the end reports to customers.

So there are obvious advantages and disadvantages of both types, and I personally use either / both for any given test scenario, just depending on time available, needs / wants, and depth of reporting / testing required versus time alotted.

HTH, and makes sense.  (clear as mud?)   :)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Feb 09, 2010 2:07 pm

Re: Open and Closed Source tools for pen testing

hayabusa,

Actually that does help some. Hope to get a larger sampling still, of other people's views.

While I'm an open source advocate in general, I also believe in using the best tool for the job.

My testing has been limited (still learning) and usually I'm just looking for boxes on the network I maintain that are not supposed to be there, services that shouldn't be on, and the like. The tools I use most are nmap, look@lan, and Backtrack, but BT is mostly for learning purposes.
OSWP, Sec+
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Feb 10, 2010 5:27 am

Re: Open and Closed Source tools for pen testing

I agree with hayabusa - both types have advantages and disadvantages. Personally it doesn't matter for me if it is a freeware or commercial program, as long as it does what I want in a good way. If the money budget doesn't matter, and there is a commercial tool which can do something better than a freeware tool, why not use it? Time is money.
<<

dtoliaferro

Newbie
Newbie

Posts: 7

Joined: Fri Dec 18, 2009 7:30 pm

Post Wed Feb 17, 2010 9:34 pm

Re: Open and Closed Source tools for pen testing

I'm no professional, but in my own network lab adventures I tend to use open source tools.
<<

unsupported

User avatar

Sr. Member
Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Feb 18, 2010 6:50 am

Re: Open and Closed Source tools for pen testing

In my experience it depends on the type of tool and service.  If you are looking for a vulnerability scanner, you can get the most up to date vulnerability signatures from a commercial vendor.  Or wait a month and get the open source version.  Same thing with IDS, antivirus, etc.

A lot of time I choose open source just because of my budget (free). :)
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Feb 18, 2010 8:51 am

Re: Open and Closed Source tools for pen testing

unsupported wrote:A lot of time I choose open source just because of my budget (free). :)


amen...

I think for a lot of us, that's the case, unless we really have a big contracted job coming up, etc.  But I generally use free tools where I can, again, if time and opportunity allow.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Feb 19, 2010 1:48 pm

Re: Open and Closed Source tools for pen testing

unsupported wrote:A lot of time I choose open source just because of my budget (free). :)


Yeah... One of my reasons for reading the books, is to gain new skills. I'm doing it on my own time, but I don't have the money to go out and buy all the tools he's talking about being the really great ones in the book.
OSWP, Sec+
<<

dtoliaferro

Newbie
Newbie

Posts: 7

Joined: Fri Dec 18, 2009 7:30 pm

Post Mon Feb 22, 2010 8:51 pm

Re: Open and Closed Source tools for pen testing

I have a question for the closed source/Windows guys.

I've read that it's not good to use XP as a hacking platform because Microsoft took out some of the networking features in Service Pack 2. Additionally I read on a forum some where that it's best to use a server, like Server 2003, for hacking from Windows.

Which version of Windows do you guys find works best in your ethical hacking practice?
<<

unsupported

User avatar

Sr. Member
Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Mon Feb 22, 2010 9:54 pm

Re: Open and Closed Source tools for pen testing

dtoliaferro wrote:I have a question for the closed source/Windows guys.


(soapbox)Just to make a distinction, open source runs on Windows too.  I prefer to use a majority of open source tools under Windows in my personal use.  Even though I have plenty of extended licenses through school and work.  (Firefox for browsing, ClamWin for Anti-virus, OpenOffice for productivity, 7zip for compression, Notepad++ for basix text editing, PuTTy for connectivity)(/soapbox)

I've read that it's not good to use XP as a hacking platform because Microsoft took out some of the networking features in Service Pack 2. Additionally I read on a forum some where that it's best to use a server, like Server 2003, for hacking from Windows.


I've never heard of that relating to XP SP2 or Server.  I could not even think of something that Microsoft could have removed.  As long as you have admin rights on either version, they are usable platforms.

Which version of Windows do you guys find works best in your ethical hacking practice?


I've used a variety of platforms in my lab, server, XP, 98 (yes, really!).  Hacking to and fro.  I've also used Linux.  Just depends on what my needs are.  I'm sure someone has a completely different experience.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

dtoliaferro

Newbie
Newbie

Posts: 7

Joined: Fri Dec 18, 2009 7:30 pm

Post Mon Feb 22, 2010 10:24 pm

Re: Open and Closed Source tools for pen testing

^ Sorry, by closed source/Windows I meant the OS only. I should have worded that better.

Thanks for replying, your insight was helpful.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Feb 22, 2010 10:25 pm

Re: Open and Closed Source tools for pen testing

I've read that it's not good to use XP as a hacking platform because Microsoft took out some of the networking features in Service Pack 2. Additionally I read on a forum some where that it's best to use a server, like Server 2003, for hacking from Windows.


I think that he may be referring to some of the TCP/IP connection throttling that MS likes to do and Fyodor keeps fighting.  I think that most security software vendors have overcome these limitations. 

Whatever shortcomings you may find in XP, I don't think it's worth the licensing costs to go server.  Then you also may run into driver issues on laptops and netbooks. 

Those are just my two cents.
~~~~~~~~~~~~~~
Ketchup
<<

dtoliaferro

Newbie
Newbie

Posts: 7

Joined: Fri Dec 18, 2009 7:30 pm

Post Wed Feb 24, 2010 9:24 pm

Re: Open and Closed Source tools for pen testing

How would Windows XP fair against Windows 7 for penetration testing?

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software