[WEB SECURITY] Tools or software for hacking windows/iis.

Schmidt, Albert E AES at ola.state.md.us
Thu Dec 21 15:16:55 EST 2006


I will respond to your questions, but have no need to justify myself or the information shared by members within this group.  I though the purpose of this group is to share information and experience to promote web security.

Q1. Why is a senior information system auditor (CPA) running VA tools?
To demonstrate a weakness exist, and I am not yet running them just getting an ideal.

Q2. Why not hire a professional who has an expert level of technical
understanding?
We are developing this in house.

Q3. Shouldn't an "audit" focus on security controls, such as configuration
management (patching), access control, administrative rights, secure build, change
control, etc?
Yellow book indicates that we should test the controls if they are weak or none existant.

Q4. Do you think it is wise to announce to the world that the Maryland
Assembly has an unpatched system. We hope it is on the Intranet.
I am not an internal auditor for the Assembly - I audit all non-Legislative state agencies.
 
 
Q5. Why are helpful readers encouraging the user to employ Metasploit, or
any other powerful tool?
This is an open group used to exand knowledge between group members.  If am able to help other individuals in the group expand their knowledge I would.  However, I can see why a consulting group would not want knowledge to be disceminated.  If entities would evaluate and use tools then there would be no need for consultants.

Q6. Why would you think iishack(the executable) help you in any way?
See Q3.



________________________________

From: GeminiConsulting [mailto:geminiconsulting at comnet.ca]
Sent: Thu 12/21/2006 2:57 PM
To: Schmidt, Albert E; 'Web Security'
Subject: RE: [WEB SECURITY] Tools or software for hacking windows/iis.



I have heard that dynamite is effective and efficient when you go fishing.

Q1. Why is a senior information system auditor (CPA) running VA tools?
Q2. Why not hire a professional who has an expert level of technical
understanding?
Q3. Shouldn't an "audit" focus on security controls, such as configuration
management
(patching), access control, administrative rights, secure build, change
control, etc?
Q4. Do you think it is wise to announce to the world that the Maryland
Assembly has an
unpatched system. We hope it is on the Intranet.
Q5. Why are helpful readers encouraging the user to employ Metasploit, or
any other powerful tool?
Q6. Why would you think iishack(the executable) help you in any way?


-----Original Message-----
From: Schmidt, Albert E [mailto:AES at ola.state.md.us]
Sent: Thursday, December 21, 2006 12:30 PM
To: Web Security
Subject: [WEB SECURITY] Tools or software for hacking windows/iis.

Hello group, I am auditing a Windows 2000 web server that has not been
patched for 2 years.  I am looking for tools that could be used to exploit
know vulnerabilities - I do not want to damage the server, but would like to
demonstrate the security weakness for my work papers.  I have heard that
there are tools such as iishack.exe that may be able to help.  I would like
an easy tool, as I am not that technical.  I have a basic understanding of
web application security.

Thank you,

Albert E. Schmidt, CPA
Senior Information System Auditor
Office of Legislative Audits
Department of General Services
Maryland General Assembly

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]





----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list