Vulnerability scanning / pentesting tools

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Tue Nov 09, 2010 3:12 pm

Vulnerability scanning / pentesting tools

Hello guys,

I need your help in choosing some security tools. We will improve our security program and I have to propose some vulnerability scanning / penetration testing tools that we will buy.
Our network has around 3000 active IPs, and we have almost 40 IPs in the DMZ.
I have thought about some tools, and I should provide my managers with some reasons why I chose a particular one (for example, in the category Network scanners I chose Nessus, and I can justify this based on Forrester research). Here are my categories and my picks:

Network scanning:
1. Nessus (cheaper ~ 3600$ for 3 licenses, very good product, and we already have it)
2. Nexpose (very good but will cost us 40.000$ /year)
3. Qualys

Database vulnerability scanners
1. DB Audit – good reviews; 4500$ for 10 servers
2. Appdetective – more expensive
3. Pangolin – amazing SQL injection tool. It costs 2000$ and maybe I will convince them to buy it together with DB Audit

Web application
1. Burpsuite pro – 225$ plus Acunetix – 5000$
2. Webinspect – 6000$
3. Appscan – 15.000$

Penetration testing
1. Core impact – 20.000$ plus Metasploit framework
2. Metasploit express – 3000$
3. Saint exploit – 20.000$ ?

Besides this we will use some open source tools, but we also need good commercial tools (management gets excited about support  8) )

If I missed some categories, please tell me.
So, I would like to hear your suggestions and opinions.
Thanks!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Nov 09, 2010 4:24 pm

Re: Vulnerability scanning / pentesting tools

If I had to do it my way in your situation on the pay for play + freeware model I would go for:

Network and vulnerability scanning:
1.  Nessus (cheaper ~ 3600$ for 3 licenses, very good product, and we already have it)
+ OpenVAS
+ Metasploit Express
+ Hailstorm

Database vulnerability scanners
SQL Ninja http://sqlninja.sourceforge.net/
Typhon III (http://www.ngssoftware.com/services/sof ... onIII.aspx)
NGS *anything* (http://www.ngssoftware.com/services/sof ... urity.aspx)


Web application
1.  Burpsuite pro – 225$ plus Acunetix – 5000$
2.  Webinspect – 6000$
Wikto
N-Stalker over Acunetix

Penetration testing
1.  Core impact
Canvas (period)

For the reasoning... Metasploit + OpenVAS alongside Nessus for network mapping AND vulnerability scanning. OpenVAS because it's free and sometimes their signatures are more accurate on the "low day" exploits... What the heck is low day? Low day is a term I'm throwing out there for exploits that are in the wild yet have no defined CVE, author, etc. For example, my mushroomcloud is not necessarily 0day because I semi-disclosed it. It is a known problem that affects Trend Micro, which in turn messes up VMware. So "low day" it is: a visible threat and sort of known... Hailstorm is an excellent (albeit pricey) tool which complements the other two... Now why Metasploit for scanning/vuln testing? It's capable of accurately finding the low-hanging fruit quickly.

DB Vuln Testing tools... I selected SQL Ninja because it's free and a kick .... tool.  Typhon and anything else from NGS. I say this because of Dave Litchfield. He is the de facto db pimp and knows his stuff.

Web app tools: Burpsuite is worth the money, and Webinspect is a little noisy, not to mention you HAVE TO (repeat HAVE TO) fiddle with your timing variables and depth of scanning, otherwise it WILL take out your servers. Wikto is a definitive must. Acunetix you can do without; if you'd like me to, I can make you a quickie video using a real-time comparison of a known-to-be-vulnerable server of mine using Acunetix versus N-Stalker. N-Stalker is capable of finding and drilling down into a lot more than Acunetix can. While Acunetix WVS is ok, it's not all that.
N-Stalker over Acunetix

Core Impact if you can afford it but a MUST is Canvas period. If you can fork out for the exploit packs even better (D2 Exploit pack, etc.)
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Wed Nov 10, 2010 9:21 am

Re: Vulnerability scanning / pentesting tools

THANK YOU VERY MUCH!

I am analyzing your list, and I will see what I will propose (maybe next week).

I think I wasn't specific enough with my list. For each category only the first element is chosen; the others are just to do an analysis of the available products.

Anyway, my company will not invest so much money in vulnerability management. Also, it will be very difficult to convince them to buy Canvas or Core Impact. I need an excellent business case for this.

Lucian
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Nov 10, 2010 9:32 am

Re: Vulnerability scanning / pentesting tools

Canvas is 1/10th the cost of Core ;)
ckirsch

Newbie

Posts: 10

Joined: Mon Sep 27, 2010 8:25 am

Post Thu Nov 11, 2010 9:46 am

Re: Vulnerability scanning / pentesting tools

Hi Lucian,

Have you also tried Metasploit Pro, which came out last month? If you are a professional penetration tester, it may be the right tool for you. List price is $15,000. If cost is an option, you can opt for Metasploit Express at $3,000 with fewer features. Both licenses include exploits so you don't need to spend money on additional exploit packs.

Here's a feature comparison between the two:
http://www.rapid7.com/products/metasploit/compare-and-buy.jsp

I'd recommend you give Metasploit Pro a test drive. Free trial is available at:
http://www.rapid7.com/downloads/metasploit-pro.jsp

Chris
ckirsch

Newbie

Posts: 10

Joined: Mon Sep 27, 2010 8:25 am

Post Thu Nov 11, 2010 5:36 pm

Re: Vulnerability scanning / pentesting tools

BTW - for full disclosure: I work for Rapid7, the company behind the Metasploit Project and the commercial editions of Metasploit.

Chris