  1. Senior Member
    Join Date
    Oct 2013
    Location
    Kigali-Rwanda
    Posts
    117

    Certifications
    CISA, CCNA, CCNA Security, CCNP, MCITP, MCSA 2012
    #1

    Default Penetration testing tools

    Hello all,

    I am an IT auditor and I would like to select the best tools to be used for penetration testing on web applications and networks. Many websites recommend Metasploit, Wireshark, and W3af, but I am afraid of using these open source tools in our production environment. I would like to ask you whether using this open source software in security testing is secure, or whether it doesn't carry any other security risk to the business environment. Anyone who has ever used them can advise me.

  3. Senior Member
    Join Date
    May 2013
    Posts
    1,209

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #2
    It doesn’t sound like YOU should be using them on a production network.

    Many of the tools if not used with caution, sometimes even with caution, can cause systems to crash or have issues. Make sure somebody that knows what they are doing is the only person using the tools...with written permission.

    As far as the tools, those are some...also Burp, ZAP...there are tons of tools out there depending on what is being tested.

  4. Senior Member
    Join Date
    Feb 2015
    Location
    The Interwebs
    Posts
    150

    Certifications
    PMP, CISSP, CISA
    #3
    100% agree and second what TechGuru said.

    I'm less concerned with the open source tools than I am with operating the penetration testing tools correctly...tread lightly

  5. Senior Member TeKniques
    Join Date
    Jul 2004
    Location
    Oregon, USA
    Posts
    1,248

    Certifications
    OSCP, CISA, CISSP, SSCP, MCSA 2008, MCSE 2003: Security, MCDST, MCP, Security+, Network+, A+, Project+, CCENT, CCNA
    #4
    I agree with the others. You should hire a qualified consultant to assist with the audit(s) to perform penetration testing that's within the scope. Selecting the tool to use is one thing; knowing how to use the tool is something completely different, especially in a production environment.

  6. Senior Member
    Join Date
    Oct 2013
    Location
    Kigali-Rwanda
    Posts
    117

    Certifications
    CISA, CCNA, CCNA Security, CCNP, MCITP, MCSA 2012
    #5
    Thank you all for the advice

  7. Senior Member
    Join Date
    Jun 2016
    Posts
    109
    #6
    Back in the day (about 15 years ago) audit used to be mandated to actually test out the security posture of whatever they were auditing through the use of pen test tools (e.g. password cracking, wireless sniffing etc). From what I see I don't see them doing this anymore - anyone please correct me if I am wrong?

    Though speaking, pen test tools would be helpful with conducting audits - I very much doubt based on what I have seen this will shift back - quite unfortunate as all the fun has been taken away.

  8. Senior Member
    Join Date
    May 2013
    Posts
    1,209

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #7
    Audit and pentesting are two different functions now. Auditing generally focuses on policies, processes, and procedures now...think CISSP/CISA...and pentests are very specific in scope to evaluate the security posture...think OSCP/CEH etc. Generally, you won’t see people doing both, they usually specialize in one.

  9. Senior Member
    Join Date
    Jun 2016
    Posts
    109
    #8
    Interesting, thanks for letting me know. One of the reasons why I moved away from auditing was because it took away that "technical" element and was more a policy-based exercise.
