On Tue, 27 Sep 2005, Bernhard Mueller wrote:

> Exibar wrote:
> > I didn't mean to imply that the consultants create their own exploits,
> > not many I know could even begin to do that, only a couple are talented
> > enough to do just that. Even for those very few, it's just not feasible
> > from a time perspective. Much quicker and more cost effective to use what's out
> > there.
> >
>
> so what use is a pentest if the consultant isn't even talented enough to
> find / create exploits for unknown vulnerabilities?
> any average admin can install and run an automatic security scanner.
> furthermore, a common nessus report contains 99% useless garbage. and
> most of the time, you can not apply generic exploits like these from
> metasploit to a specific customer situation.

It should also be noted that many security flaws in Customer networks are in design and therefore implementation. The real issue comes down to client-side security. Most pentests are trivial after an attack from Eve, even if the first person she emails in the organization sees through it ...

X-From: Eve
From: Bob

Hi Alice!

Can you get me a quote for the parts we need in the attached spreadsheet?

Thank you!

-Bob

<<Attachment:parts.xls.exe>>

--Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
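
A mail-gateway style check for the message sketched above, as an added example that is not part of the original post: it flags an executable attachment hiding behind a document extension and a displayed sender that differs from the real one. The addresses, the extension lists and the use of `X-From` as a stand-in for the true envelope sender are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed, non-exhaustive lists (assumptions, tune for your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".xls", ".doc", ".pdf", ".txt", ".jpg", ".zip"}

def build_sample(filename: str = "parts.xls.exe") -> bytes:
    """Constructed message mirroring the one in the post; addresses are made up."""
    msg = EmailMessage()
    msg["X-From"] = "Eve <eve@outside.example>"   # stand-in for the real sender
    msg["From"] = "Bob <bob@corp.example>"        # what Alice's mail client shows
    msg["To"] = "Alice <alice@corp.example>"
    msg["Subject"] = "Quote for parts"
    msg.set_content("Hi Alice! Can you get me a quote for the parts we need?")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def risky_attachments(raw: bytes) -> list:
    """Return (filename, reason) for attachments whose final extension is executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before checking.
        name = (part.get_filename() or "").lower().rstrip(". ")
        stem, last = os.path.splitext(name)
        inner = os.path.splitext(stem)[1]
        if last in EXECUTABLE_EXTS:
            reason = "double extension" if inner in DECOY_EXTS else "executable"
            findings.append((name, reason))
    return findings

def sender_mismatch(raw: bytes) -> bool:
    """True when the displayed From address differs from the X-From stand-in."""
    msg = message_from_bytes(raw, policy=policy.default)
    shown = parseaddr(str(msg["From"] or ""))[1].lower()
    actual = parseaddr(str(msg["X-From"] or ""))[1].lower()
    return bool(actual) and shown != actual

if __name__ == "__main__":
    sample = build_sample()
    print(risky_attachments(sample), sender_mismatch(sample))
```

On real mail the comparison would use the envelope sender or authentication results recorded by the receiving server rather than an `X-From` header.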
