[WEB SECURITY] RE: Metasploit

Schmidt, Albert E AES at ola.state.md.us
Thu Dec 21 15:52:10 EST 2006


Donald,
 
Please call me Al.  I am not offended and thank you for your input.  I also can understand how dangerous these tools can be in inexperienced hands.  I have been auditing IT security for 7 years.  My Office is currently considering penetration testing for audits to demonstrate the impact of audit findings.  Sometimes it can be difficult to have an audit finding, if we cannot demonstrate how a weakness can be exploited.  Even if I do not use the tools, I can reference them in my work papers.  The audit finding can state that there are free tools on the internet that can exploit existing vulnerabilities.
 
Al S.

________________________________

From: Hauser, Donald [mailto:DHauser at nas.edu]
Sent: Thu 12/21/2006 3:33 PM
To: Schmidt, Albert E
Subject: Metasploit



Albert,

 

Metasploit is a fine tool. You have indicated that you would ensure the engagement was authorized and that you would become proficient with the tool prior to using it. I work in Network Security and have for over 8 years now. I watch lots of web groups and have grown a little tired of open source hacker tools being recommended with the caveat that anyone can use them. Clearly most folks on this group or any other you might subscribe to could care less if the tool is used correctly. Clearly most folks subscribing to these groups don't care if a pen-test is performed correctly, including establishing clearly defined rules of engagement. I do. If your department has the money I would recommend Core Impact - it is pricey, although unlike Metasploit it comes with support. Regardless, with any open source tool you clearly understand the need to test in a lab until you are proficient. If I offended you I apologize.

 

Donald Hauser

Network Security Engineer

The National Academies

202/334-1303 


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


