September 15, 2006

Do you Pen-Test? (Updated: 20060926)

I have always thought that penetration testing is a very important part of the continous improvement of security and also an effective way to make clear that the risk of being hacked isn't theoretical.

We have been doing penetration testing for some time, now. Every time we get the right combination of fun and challenge, creativity and technical knowledge. However, not every company has its basic security needs covered and for such companies isn't worth to have to have their systems tested periodically or even ocasionally.

Fortunately security awareness is improving and companies like Microsoft, that did not have security as one of its strengths, has now its own internal penetration testing team, has formalized and systematized the process and is even conducting internal confences about hacking (named Bluehat sessions as a reminder of the blackhat sessions).

Other companies have their own penetration testing teams for their own use or to deliver that service for others. Many of those teams use different sets of programs that gather pieces of information or test specific vulnerabilities (both home developed and downloaded from the Internet). Some others are using free tools, like Metasploit, that only cover the exploitation of vulnerabilities, or comercial tools that integrate most of the required functionality, like the wonderful Core Impact. What I haven't found yet is a FREE tool (GPL) that integrates all the functionalities that are required for the different stages of a penetration test (maybe using existing tools as modules) and that can also be extended if needed.

Is it posible to find such utility? Do you know of any such wonder? Is the free software business model appliable in this case? Can the source be available and still have people/companies interested in paying for support/update? I would love to read your opinions and learn from your experience on this subject.

Begin UPDATE by Raul on 20060926

During our penetration testing activities over the last years we have always dreamt with the free tool that would integrate all the open-source pen-testing tools mentioned by Jorge. Even we started a prototype of the mentioned framework to complement our customized pen-testing Linux-based Live CD, but it never saw the light...

Prior to Jorge publishing this post, I didn't have the chance to talk about this with Jorge and David and let them know that, perhaps, in a near future, such a tool will be released...

The Security Tools Integration Framework (STIF), developed by Fyodor and Meder, promises to automate the pen-testing process (specially the most basic and boring tasks) by integrating commonly used tools and sharing data between them using STIF messages (XML-based).

The framework consists of two components:
  • Unified output format for security tools (unified language)
  • Inference engine based on the STIF format (real time data analysis, data proccessing and data exchange)
You can get the latest README file, tool version and source code from the official Web page (the project Web page has being recently updated). The tool was initially presented during the HackIntheBox 2004 conference and the video for the presentation is available from a big Bit Torrent pack of 1.9GB.

End UPDATE by Raul on 20060926

3 Comments:

Anonymous Anonymous said...

Thank for the blog. It's great to see really bright security professionals sharing information and ideas with the community.

I haven't yet come across such a magical tool, one that combines all the elements of a penetration test. However, I did find a very nice pentration test framework (outline) with links to all the tools used at various phases. This is a really nice starting road map.

Link:

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Regards,

Doug Hitchen
dhitchen |at| earlink (dot) net

3:17 PM  
Blogger Jorge Ortiz said...

Thanks a lot Doug.
For us is also very interesting to share the info and get valuable inputs. I really liked yours a lot.

Best regards,

Jorge

9:21 PM  
Anonymous Term Papers said...

Excellent Blog every one can get lots of information for any topics from this blog nice work keep it up.

12:41 PM  

Post a Comment

<< Home