[WEB SECURITY] RE: Metasploit

Hayes, Bill Bill.Hayes at owh.com
Thu Dec 28 12:16:25 EST 2006


Rather than rely just on the statement, "exploit tools exist", I try to
include URLs with embedded cross-site scripting exploits or URLs that
can produce server errors. This is often the proof that gets developers
out of "Bathing in de Nile". :-)

Bill...

-----Original Message-----
From: Schmidt, Albert E [mailto:AES at ola.state.md.us] 
Sent: Thursday, December 21, 2006 2:52 PM
To: Hauser, Donald; websecurity at webappsec.org
Subject: [WEB SECURITY] RE: Metasploit

Donald,
 
Please call me Al.  I am not offended and thank you for your input.  I
also can understand how dangerous these tools can be in inexperienced
hands.  I have been auditing IT security for 7 years.  My Office is
currently considering penetration testing for audits to demonstrate the
impact of audit findings.  Sometimes it can be difficult to have an
audit finding, if we cannot demonstrate how a weakness can be exploited.
Even if I do not use the tools, I can reference them in my work papers.
The audit finding can state that there are free tools on the internet
that can exploit existing vulnerabilities.
 
Al S.

________________________________

From: Hauser, Donald [mailto:DHauser at nas.edu]
Sent: Thu 12/21/2006 3:33 PM
To: Schmidt, Albert E
Subject: Metasploit



Albert,

 

Metasploit is a fine tool. You have indicated that you would ensure the
engagement was authorized and that you would become proficient with the
tool prior to using it. I work in Network Security and have for over 8
years now. I watch lots of web groups and have grown a little tired of
open source hacker tools being recommended with the caveat that anyone
can use them. Clearly most folks on this group or any other you might
subscribe to could care less if the tool is used correctly. Clearly most
folks subscribing to these groups don't care if a pen-test is performed
correctly including establishing clearly defined rules of engagement. I
do. If your department has the money I would recommend Core Impact-it is
pricey although unlike Metasploit it comes with support. Regardless with
any open source tool you clearly understand the need to test in a lab
until you are proficient. If I offended you I apologize.

 

Donald Hauser

Network Security Engineer

The National Academies

202/334-1303 


------------------------------------------------------------------------
----
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list