On Tue, Jul 12, 2011 at 2:00 PM, Mike Gatti <ekim.ittag@gmail.com> wrote:
Has anyone used Nessus PF (www.nessus.org) as a tool to run a self audit preparing for a PenTest Audit? I wanted to get your opinion on the tool and whether it was useful in preparing for a PenTest Audit.
Nessus is mostly used for information security systems audits (of the vulnerability assessment one-shot type e.g. OCTAVE Allegro; or possibly the on-going vulnerability management type e.g. NIST SP 800-30). It is not useful for external, unauthenticated scans or black-box "pen-tests". Nessus works best when given credentials so that it can authenticate to systems or network devices. Many of the plugins for Nessus are in a specific language (NASL) and have been imported for use in the open-source vulnerability assessment scanner, OpenVAS. If you are going to check out OpenVAS, I suggest you get the guest VM and load it with ESXi, VMware Workstation/Server, VirtualBox, or VirtualPC. It's also mainly used for credentialed scans.

If you are looking for external, "black-box" vulnerability assessments or on-going vulnerability management -- I suggest that you check out Qualys QualysGuard (QG) or Rapid7 NeXpose. An alternative to Nessus for credentialed scans would be nCircle IP360 (just to complete this market space, although certain US-Gov/DoD sites use Lumension/Harris Stat instead).

For web applications, you will need to add a specific sort of scanner, such as HP WebInspect, as well as some open-source tools to determine exploitability (e.g. Wapiti, Grabber, OWASP Zed Attack Proxy, XSSer, sqlmap, etc). This web application security scanner would be in addition to Qualys QG and OpenVAS/Nessus. While many "network" vulnerability scanners claim to find issues such as SQL injection -- in reality they do not actually do so to any degree of completeness (for more information, see the WIVET.googlecode.com and WAVSEP.googlecode.com scanner benchmarks, or run them for yourself).

If you are looking for penetration-testing, this cannot be done with a single tool, or even multiple tools. You need strong people with a good track record of experience in penetration-testing. I have seen a few shops run some free tools (e.g. Cain & Abel) along with some commercial tools (e.g. Paterva Maltego, Metasploit Pro, Core Impact, and Burp Suite Professional), with some added open-source tools (e.g. BackTrack 5 and the Social Engineering Toolkit). WiFi penetration-testing is often done with two USB Alfa Networks cards and a guest VM, such as Immunity Security's SILICA. However, depending on your industry vertical and/or specific requirements -- you'll want a custom pen-test that will involve strategy consulting and threat-modeling beforehand. I don't recommend trying to do this on your own.

If you do want to attempt pen-testing on your own, I recommend the BlackHat conference official training for Maltego and Burp Suite Professional, in addition to deep technical knowledge of all of the modules and features available in BackTrack and the Metasploit Framework (the new No Starch Press book on Metasploit -- and the less useful but handy Packt Publishing book on BackTrack Penetration Testing -- would be a good start).

Cheers,
Andre