Comment Re: Normal women... (Score 2) 765

It's not a workplace...it's a GitHub repo. Also you implied it's not okay to have an unpopular opinion outside of the workplace...why wouldn't the "can't have an opinion brigade" jump on you?

What happens when you have a dissenting, unpopular opinion? In your ideal world you wouldn't be able to express it. Wouldn't that bother you?

Comment Re: Is he dangerous? (Score 1) 163

People shouldn't be punished for sleeping it off in their car. I was under the impression that it wasn't a DUI if the keys weren't in the ignition though.

The issue I was getting at in response to the person I responded to was pretty simple: alcohol destroys your judgement. So you may care about the license being lost when sober, but then your inhibitions are gone, and you don't.

Some of the folks responding got a little crazy with it o-o

Comment Re: NMAP (Score 1) 205

I've actually gotten to the point where I think WAFs are absolutely useless. As far as WAFs go though I would recommend against mod_security, as fingerprinting it via its helpful errors is a cakewalk.

The upside to WAFs is that they prevent automated attacks...buuut snort's dynamic preprocessors seem to do this FAR better.

Either way an IDS/IPS/WAF just isn't enough. In a non-automated attack bypassing them is trivial. Half the time I can simply use URL encoding for an attack string. Some poor WAFs don't even do recursive checking, so things like nested XSS code work.

On one pen-test a client had WAFwoof, and I was doing union injection, and iterating tables..like 20 requests a second. Not one. Single. Alert.

Rules-based filtering with regexes/etc just won't keep a determined attacker out. It's a good idea to have, but fixing the underlying applications is far more important. If I have PUT permissions on a directory it doesn't matter how good the ruleset is.

It just pisses me off that the PCI council, and similar rules for HIPAA, say "oh hey vulnerable apps? Don't worry about it you've got a WAF!"
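The "no recursive checking" point above is easy to demonstrate. Below is an added example (not code from the commenter or from any WAF product) that shows three single-pass filters of the kind the comment describes, each bypassed by a nested or double-encoded payload, next to a fixed-point normaliser and an application-side path check. The attack strings, the filter rules and the base directory `/srv/app/uploads` are constructed for illustration.

```python
"""Single-pass filtering vs. normalising to a fixed point (added example, constructed inputs)."""
import os
import re
from urllib.parse import unquote

# Constructed payloads: each one survives exactly one round of the filter it targets.
DOUBLE_ENCODED = "%253Cscript%253Ealert(1)%253C%252Fscript%253E"  # "<script>...", URL-encoded twice
NESTED_TAG = "<scr<script>ipt>alert(1)</scr</script>ipt>"         # one tag strip yields <script>
NESTED_DOTDOT = "....//....//etc/passwd"                           # one "../" strip yields ../../

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_waf_blocks(value: str) -> bool:
    """WAF rule that URL-decodes once and looks for '<script'."""
    return "<script" in unquote(value).lower()


def naive_strip_tags(value: str) -> str:
    """Sanitiser that removes <script> tags in a single pass."""
    return SCRIPT_TAG.sub("", value)


def naive_strip_dotdot(value: str) -> str:
    """Sanitiser that removes '../' in a single pass."""
    return value.replace("../", "")


def normalise(value: str, max_rounds: int = 8) -> str:
    """URL-decode until the value stops changing; bounded so an attacker cannot loop us forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def strip_to_fixed_point(value: str, strip_fn, max_rounds: int = 8) -> str:
    """Re-apply a stripping filter until it has nothing left to remove."""
    for _ in range(max_rounds):
        stripped = strip_fn(value)
        if stripped == value:
            return value
        value = stripped
    raise ValueError("filter did not converge")


def safe_path(base_dir: str, user_supplied: str) -> str:
    """The application-side fix for the filename case: resolve, then require containment in base_dir.
    base_dir is an assumed directory; nothing is opened, only the path is checked."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_supplied))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes upload directory: " + user_supplied)
    return target


def demo() -> dict:
    """Run every payload through its naive filter and through the fixed-point version."""
    return {
        "double_encoded_bypasses_naive": not naive_waf_blocks(DOUBLE_ENCODED),
        "double_encoded_caught_after_normalise": "<script" in normalise(DOUBLE_ENCODED).lower(),
        "nested_tag_after_one_strip": naive_strip_tags(NESTED_TAG),
        "nested_tag_after_fixed_point": strip_to_fixed_point(NESTED_TAG, naive_strip_tags),
        "dotdot_after_one_strip": naive_strip_dotdot(NESTED_DOTDOT),
        "dotdot_after_fixed_point": strip_to_fixed_point(NESTED_DOTDOT, naive_strip_dotdot),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The bounded loops matter: an unbounded "decode until stable" is itself a denial-of-service target. And note that even the fixed-point strip is still a filter; the `safe_path` check is the application fix the comment argues for, because it does not care how the traversal was spelled.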

Comment Re:Get certified (Score 1) 205

It may not enable you to command respect from everyone, but GSE is an insanely difficult certification to get.

You have to have 5 provable years in IT security just to take the exam, the exam is extremely difficult, and the 48 hour lab is ridiculously hard. If you can't read packet dumps, you won't pass, if you can't write exploits yourself..you won't pass.

You get nmap, nessus, wireshark, metasploit, the SNORT source, and some low-level command-line tools. The boxes are pretty hardened so nessus and metasploit are basically a waste of time. Some of the nmap scripts were very useful, but a lot of it involved very, very low level vulnerabilities.

No custom tools...that was a big problem for me.

Most pen testers wouldn't be able to identify OR exploit them. So having the certification means you are better than 90% (or more) of the pen testers you'd run into. On its own it may not garner respect, but it should certainly hint that the GSE knows what he/she is doing.

Comment Re:Depends (Score 1) 205

Most pen testers are there to fulfill pen test requirements in standards like PCI where something like Metasploit would be a sufficient "best effort", and actually pretty decent if you have someone who really knows how to use it.

Pentester: "Authentication bypass and remote code execution were found in your Joomla installation, and SQL injection in just..every..field."

Admin: "So...what you're trying to say is put a WAF up?"

Pentester: "No..god no. Fix the issues, just run a couple patches and convert to prepared statements"

Admin: "But we don't have to do that for PCI compliance right? The PCI council said a WAF and/or SNORT is enough"

Pentester: "Sigh..."

Comment Re: NMAP (Score 2) 205

We still run nmap scans with the sN and sV flags up, but it's more of a formality for the assessment report. The most useful portion of nmap these days is the NSE scripts.

We also generally run metasploit (particularly for web crawling), and nessus, but they will only find (very) low hanging fruit. We also use metasploit to generate shellcode for payloads, because that's a huge pain in the ass.

By necessity everything is indeed automated, but the tools you are using are the most important part. We have our own (mostly) custom toolkit. So we may be fuzzing a target, but we aren't just sending "A" a bunch of times. Further, we don't even bother fuzzing well-known applications. Proprietary applications typically are going to "blow up" when they are fuzzed properly. Note that this isn't always the case..I once fuzzed a Skype node (by accident) and figured out that A) it was the supernode and B) it was leaking usernames when given an arbitrary 4 bytes over TCP.

Most of our footholds are gained at layer 7. We have a ton of scanners we've written for wordpress, joomla, drupal, custom metasploit modules for advanced SQLi (order 2 SELECT injection, multi-byte character injection, etc.) Also custom implementations of existing scripts/modules we've modified for WAF/SNORT/Nagios evasion.

The most important thing is simply having a bunch of unique tools at each phase of the engagement. A bunch of fancy post-exploitation tools are useless if you can't get in...likewise discovery/enumeration tools help tremendously, but if you can't write an exploit for real-world-slightly-not-perfect-to-exploit vulnerabilities...your firm is sub-par.

That being said we do IT consulting...vulnerability assessments are just one of our services, and we only have 2 people that handle it. That being said..we will find something to gain a foothold. Every. Time. CIOs, admins, devs, and engineers aren't perfect. Like one poster here said being able to think maliciously is half the battle.

Comment Re: NMAP (Score 4, Insightful) 205

I think these days the big security risk is layer 7. SQLi is still very common...especially 2nd order injection and injection into GET parameters. Admins know they need to sanitize POST/UPDATE/INSERT but they miss GET/SELECT.

WordPress is generally run without htaccess rewrites on wp-plugins..an attacker enumerates your plugins and finds an exploit.

I've seen GET parameters with filenames..oh yes thanks for letting me change that to web.config or ../../etc

Client side filtering is another, equally hilarious issue. As Joe McCray says "you're putting the filtering in the hacker's browser which he controls...does that pass the common sense test?"

The list goes on and on...its easy to patch everything else. Web apps on the other hand...are often written by the people in charge of the site.

Nikto, BURP as you said, and ZED are far more useful than metasploit now. Novices just don't know what to do with the info.

And lets not forget sqlmap ;)
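The two injection shapes named in the comment above (a GET parameter feeding a SELECT, and a 2nd-order injection where the stored value is the payload) and the "convert to prepared statements" advice from the "Depends" exchange earlier on this page can be shown in one small program. This is an added example, not the commenter's tooling or any real application: an in-memory SQLite database, a constructed schema with two users and three posts, and constructed payloads. Each vulnerable query is paired with its parameterised fix.

```python
"""GET/SELECT injection and second-order injection, each beside the prepared-statement fix
(added example; schema, rows and payloads are constructed)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: alice has one public post and one private draft."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, author TEXT, body TEXT, public INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test', 1),
                                 (2, 'bob',   'bob@example.test',   0);
        INSERT INTO posts VALUES (1, 'alice', 'public post',   1),
                                 (2, 'alice', 'private draft', 0),
                                 (3, 'bob',   'bob public',    1);
    """)
    return conn


# 1) Injection through a GET parameter into a SELECT: the "we sanitised POST but forgot GET" case.
def search_posts_vulnerable(conn, q: str):
    """q arrives straight from ?q=... and is concatenated into the query."""
    sql = "SELECT id, body FROM posts WHERE public = 1 AND body LIKE '%" + q + "%'"
    return conn.execute(sql).fetchall()


def search_posts_fixed(conn, q: str):
    """Same query as a prepared statement; the wildcard is part of the bound value, not the SQL."""
    return conn.execute(
        "SELECT id, body FROM posts WHERE public = 1 AND body LIKE ?", ("%" + q + "%",)
    ).fetchall()


# 2) Second-order injection: registration is parameterised, so the payload is stored verbatim...
def register(conn, username: str, email: str) -> int:
    cur = conn.execute(
        "INSERT INTO users(username, email, is_admin) VALUES (?, ?, 0)", (username, email)
    )
    conn.commit()
    return cur.lastrowid


# ...and a later feature trusts the stored username and concatenates it.
def posts_for_user_vulnerable(conn, user_id: int):
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT id, body FROM posts WHERE author = '" + username + "' AND public = 1"
    return conn.execute(sql).fetchall()


def posts_for_user_fixed(conn, user_id: int):
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return conn.execute(
        "SELECT id, body FROM posts WHERE author = ? AND public = 1", (username,)
    ).fetchall()


def demo() -> dict:
    conn = build_db()
    out = {}
    # Constructed GET payload: closes the LIKE literal, ORs in a tautology, comments out the tail.
    get_payload = "x%' OR 1=1 --"
    out["get_vuln"] = search_posts_vulnerable(conn, get_payload)
    out["get_fixed"] = search_posts_fixed(conn, get_payload)
    # Constructed second-order payload: a username chosen at registration time.
    mallory = register(conn, "alice' OR public = 0 --", "mallory@example.test")
    out["second_order_vuln"] = posts_for_user_vulnerable(conn, mallory)
    out["second_order_fixed"] = posts_for_user_fixed(conn, mallory)
    return out


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, "->", rows)
```

The vulnerable search returns every post, private draft included, because the `public = 1` guard ends up on the left of an `OR 1=1`; the vulnerable per-user view returns alice's private draft to a user who merely registered with a crafted name. In both fixed versions the same payloads are just strings that match nothing. The second case is why "we validate on input" is not a defence: the input was never rejected, it was stored correctly and became SQL later.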

Comment Re: NMAP (Score 1) 205

For the most part nmap and metasploit will not suffice to pentest corporate networks.

Slightly less obvious things like WGETting wp-config.php, web.config, WebDAV methods enabled on the wrong dirs, using csrf+social engineering, fuzzing proprietary apps for stack overflows, etc.

That part is a little hard...exploit development is the REAL hard part though.

"Did this code get written into the EIP register?" is hard to answer remotely.

--- security SME at a consulting firm
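The EIP question in the comment above is usually answered on a local copy of the target before anything is tried remotely: send a cyclic pattern instead of a run of "A"s, read the value that lands in EIP when the process faults, and look that value up in the pattern to get the exact offset of the saved return address. Below is an added example (not the commenter's toolkit, and not Metasploit's own `pattern_create`/`pattern_offset` code, although it produces the same style of pattern) with a stand-in crash function that models a fixed frame layout; the offset 268 and the return address 0x08048000 are assumptions for the simulation.

```python
"""Cyclic-pattern offset finding for a saved-EIP overwrite (added example; the crash is simulated)."""
import itertools
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern 'Aa0Aa1...Zz9': every 4-byte window is unique within 20280 bytes,
    so a 32-bit register value can be mapped back to a single position."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    triplets = (a + b + c for a in string.ascii_uppercase
                for b in string.ascii_lowercase for c in string.digits)
    text = "".join(itertools.islice(triplets, (length + 2) // 3))
    return text[:length].encode()


def pattern_offset(pattern: bytes, register_value: int, little_endian: bool = True) -> int:
    """Offset in the pattern of the bytes now sitting in the register (x86 is little-endian), or -1."""
    needle = struct.pack("<I" if little_endian else ">I", register_value)
    return pattern.find(needle)


def simulate_crash(buffer: bytes, saved_eip_offset: int = 268) -> int:
    """Stand-in for running the real target under a debugger (assumption: a fixed frame where the
    saved return address lives saved_eip_offset bytes into the overflowed buffer)."""
    if len(buffer) < saved_eip_offset + 4:
        return 0x08048000  # assumed original return address: overflow did not reach EIP
    return struct.unpack("<I", buffer[saved_eip_offset:saved_eip_offset + 4])[0]


def find_offset(crash_fn, max_len: int = 2000) -> int:
    """Send a pattern, read back EIP, and translate it to an offset. -1 means EIP held something
    that is not from our buffer, which is exactly the case the comment calls hard to tell remotely."""
    pattern = cyclic_pattern(max_len)
    eip = crash_fn(pattern)
    return pattern_offset(pattern, eip)


if __name__ == "__main__":
    print("EIP offset:", find_offset(simulate_crash))
    # A pattern that is too short never reaches the saved return address.
    print("EIP offset with a short buffer:", find_offset(simulate_crash, max_len=100))
```

The `-1` result is the interesting one in practice: if the value in EIP is not found in the pattern, the crash was not a clean return-address overwrite (a pointer was corrupted instead, the stack was realigned, or the fault was somewhere else entirely), and that is what has to be established before an exploit can be written.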
