Pentesting: Day 1

Occasionally I get the opportunity to do something interesting, and today was one of those days. As part of a customer engagement, we are scanning parts of their public interfaces for vulnerabilities. We are stopping short of actual pen-testing, but are going through the discovery and audit phases to identify vulnerabilities. Last week I had identified two tools I wanted to look at: W3AF and OpenVAS. A critical point – the services we are scanning are web apps / web services. Today was a big day because the customer provided me with an email indicating that I was authorized to scan a certain set of their addresses from a specific address of mine. Not quite a Get Out of Jail Free card, but close. This means I can go in with my scanner and be as noisy as I want to be without being too concerned about the FBI showing up at my door.
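Before pointing either scanner at the addresses named in that authorization email, it is worth putting a scope gate in front of the target list so nothing outside the written authorization gets scanned by accident. The following is an added example, not code from the original post or from the OpenVAS/W3AF projects; it assumes the authorization can be expressed as a list of CIDR ranges plus the one source address the customer expects the scan to come from, and every address in it is a constructed sample value (RFC 5737 documentation ranges), not a real customer's.

```python
"""Pre-scan scope gate for an authorized vulnerability assessment.

Added example (not from the original post or the OpenVAS/W3AF projects).
It models the written authorization described above: the customer address
ranges that may be scanned, and the single source address the scan must be
launched from. All addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Authorization:
    """Scope as stated in the customer's authorization email (assumed format)."""
    allowed_networks: tuple   # ip_network objects the customer approved
    source_ip: str            # the address the customer expects the scan to come from


def parse_authorization(network_strings, source_ip):
    """Build an Authorization from CIDR strings; a bad CIDR or source IP raises ValueError."""
    nets = tuple(ipaddress.ip_network(n, strict=False) for n in network_strings)
    ipaddress.ip_address(source_ip)  # validate the source address up front
    return Authorization(nets, source_ip)


def target_to_network(target):
    """Normalise a target (bare IP, CIDR, or URL with an IP-literal host) to a network.

    Hostnames are deliberately not resolved: an offline gate should not guess
    what a name points to, so such targets come back as None for manual review.
    """
    text = target.strip()
    if "://" in text:
        text = urlparse(text).hostname or ""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def classify_targets(auth, targets):
    """Split targets into in-scope, out-of-scope and unresolved groups.

    A target is in scope only if every address it covers lies inside one
    authorized network (subnet_of), so a /24 target cannot ride on a /25 grant.
    """
    result = {"in_scope": [], "out_of_scope": [], "unresolved": []}
    for target in targets:
        net = target_to_network(target)
        if net is None:
            result["unresolved"].append(target)
        elif any(net.version == allowed.version and net.subnet_of(allowed)
                 for allowed in auth.allowed_networks):
            result["in_scope"].append(target)
        else:
            result["out_of_scope"].append(target)
    return result


def scan_permitted(auth, targets, local_ip):
    """True only when the source address matches and no target is out of scope or unresolved."""
    groups = classify_targets(auth, targets)
    source_ok = ipaddress.ip_address(local_ip) == ipaddress.ip_address(auth.source_ip)
    return source_ok and not groups["out_of_scope"] and not groups["unresolved"]


if __name__ == "__main__":
    # Constructed sample authorization and target list.
    auth = parse_authorization(["203.0.113.0/24", "198.51.100.128/25"], "192.0.2.10")
    targets = ["203.0.113.5", "https://203.0.113.7:8443/api", "198.51.100.200/30",
               "198.51.100.5", "https://app.example.com/"]
    print(classify_targets(auth, targets))
    print("scan permitted:", scan_permitted(auth, targets, "192.0.2.10"))
```

The gate is intentionally strict: one out-of-scope or unresolved entry blocks the whole run rather than silently dropping it, which forces the operator to fix the target list (or get the authorization extended) before any packets leave the named source address.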

In any case, I installed and configured both of them today from their respective sources (i.e. http://w3af.org/ and http://www.openvas.org/). Initial impressions are that OpenVAS looks and acts like it could support a continuous monitoring program on a network in a fairly automated manner (post setup), and could scale well. It provides a broad range of network port scanning capabilities against a large number of configured targets – all individually configurable. The W3AF application, on the other hand, is focused on web-app vulnerabilities, and works best against a single URL / IP address or target.

Regarding the results, OpenVAS was very fast (i.e. less than 5 minutes) to scan the target but produced no significant vulnerabilities. This can be contrasted with W3AF, which took about an hour to run the OWASP Top 10 scan and produced 100+ low / moderate priority findings.

Bottom line – if you are considering internal continuous monitoring for your network, OpenVAS has a low pain threshold to implement. If, on the other hand, you are looking to protect your Internet-based web app, regular scans with W3AF are the better option.