yatz wrote:Have you used this kind of stuff sil in actual pentests or is that not what you do?
Yatz, sorry for the delay in responses. I use all sorts of experiments on pentests. Remember, my point of view is, as a pentester, my role is to get in as responsibly as possible. I dictate the tools to use as its my role to be the attacker. In no shape form or fashion is someone ever going to be able to say: "Ok scriptkiddiots, we know you're out there, if you hit our networks, can you preferably ONLY use metasploit!" The reality is, many tools have different pros and cons.
In fiddling around with networking, studying, tampering in my labs, on my work network (I do in-house pentesting for my company, SIG audits for ourselves and clients) I'm always playing this strange game with myself called: "I can beat myself!" Where on the one hand I'm attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks... Trial and error.
Besides, as some have seen on the Metasploit versus Canvas, no one tool fits all and I've found when I fiddle with my own tools sometimes, I get more tuned results and I can tinker with parameters more granularly to give me either complete stealth (bounce/idle scans) or complete immunity (decoy + target's_networks_hosts_in_the_mix)
As for false positives, again, it depends. Because I know what I'd be targetting, I can focus specifics after it. This is something that many tools don't do. Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS. False positives are pretty easy to weed out since my attack space is so low when I'm actually attacking.
Think about the following for a moment. Say I run nmap against a machine which yields 20 services running... I add -sV for version information and in the end, I end up with say 10 potential exploits per service. I now have 200 possibilities. By doing my own tests to validate what nmap or whatever other scanner I'm using, I might be able to find say 2 exploits for only 5 ports. I have 10 exploits to tinker with/test and weed out those fp's as opposed to wondering what to do with 200.