On Tuesday 18 February 2003 04:13 am, Michael Scheidell wrote:
> Yes, I could put our ip in the exclude/allow range, but that would not
> test out any real work capability would it?

That depends. If they want to know what vulnerabilities exist on their 
network, then just add your IP range and do your scan/analysis. Blocking 
your scan only helps the admin who is scared of losing his job, it 
doesn't give you a clear picture of what IS vulnerable on their network.

If they want to see whether you can bypass their IDS and break into their 
systems, you should probably put Nessus down and start manually 
compromising the target systems in a way that won't trigger the IDS. You 
could speed this up by first allowing your range and running a scan 
(fast-forward the long-term sneaky recon. work a real attacker will do), 
then remove your allowed range and try to exploit the vulnerabilities 
manually. 

IDS vendors absolutely infuriate me, many of them claim that the IDS is 
actually capable of *preventing* attacks through early warning, when in 
reality all they do is give the customer a warm fuzzy when they see a 
bunch of automated scripts triggering their alarms. The real attackers 
still get in, a vulnerability is a vulnerability, and the customer is out 
of pocket some large amount of money and time. 

There's nothing quite as satisfying as compromising a system during a 
pen-test, going into the IDS configuration, and either adding your own 
allow rule or just disabling the bugger ;)

</proactive_risk_assessment_rant>

-HD
