SQLninja denial

Eric "Sparks" Christensen sparks at fedoraproject.org
Mon Nov 15 16:39:29 UTC 2010


On Mon, Nov 15, 2010 at 10:45, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Mon, 15 Nov 2010, Eric "Sparks" Christensen wrote:
>
>> 2010/11/15 Máirín Duffy <duffy at fedoraproject.org>:
>> > On Sun, 2010-11-14 at 18:05 -0800, David Wagner wrote:
>> >> The minutes also suggest confusion about penetration
>> >> testing tools in general.
>> >
>> > What confusion did you see?
>> >
>> >> I saw in the minutes the objection that
>> >> SQLninja is advertised as 'get root on remote systems'.  Are the board
>> >> members aware that many penetration testing tools can be used to get
>> >> root on remote systems, and it is precisely for this reason that they
>> >> are useful for (legal, lawful, authorized) penetration testing?
>> >
>> > It may not have been clear from the minutes, but it's pretty safe to say
>> > the board members are & were aware of this.
>> >
>> >>   Are the
>> >> board members aware that legal penetration testing can, and sometimes
>> >> does, include getting root on remote systems?
>> >
>> > Do you use SQLninja for penetration testing? Had you heard of it before?
>> > What penetration testing tools do you use? Is the language they use to
>> > explain & advertise their tools similar to that used for SQLninja? How
>> > do you find out about penetration testing tools? How many of the ones
>> > you use are GPL?
>>
>> So the problem is that it can be used to hack into a system and isn't
>> passive like Nessus (is this really passive?), nmap, telnet (the
>> client), airsnort, and wireshark, just to name a few?
>>
>
> Actually nessus has a non-passive mode as well.  I think there's some key
> differences here that people are ignoring because it's convenient for them
> to do so.

Yes it does... :)

>
> I should be clear about this.  I do think banning sqlninja is an
> overreaction, but this isn't as clear cut as I think many of us want it to
> be.  Nessus does have destructive scans but sends up warnings as a part of
> using those scans.  Looking at the sqlninja demo, you have to be clear
> about one thing, sqlninja is not a scanner / detection tool.  It's a
> takeover tool.  Its designed as a takeover tool, the website targets
> people wanting to use takeover tools and the demo shows you how to get
> shell access to a remote machine and then ends the demo with:
>
> "happy hacking ... :) :) :)..." [1]
>
> Comparing sqlninja to telnet, nmap, wireshark is a pretty big leap in
> logic in my opinion.  Is this partially a marketing issue?  Yes, I think
> absolutely; if the website were written differently and the authors of the
> tool had not been so reckless in creating the tool, we wouldn't be
> having this conversation, but all of that stuff matters to a jury of
> non-technical people who have no reference point to know what telnet, nmap
> or wireshark even are.
>
> IMHO: Tools like this are easy to misuse and as such should be created
> respectfully.  This tool was not.

When I was in school learning information assurance/information
security, my professor let us know what "tools" were out there in the
wild so we would try them and learn how they work, so we could protect
ourselves from them.  That's what a lot of these hacker conferences
are about... sharing exploits so you can protect yourself from them.

I don't actively talk about what I use to test my systems with for
obvious reasons, but the software I listed is basically "passive" and
allows me to use other tools to exploit the findings.

Basically we are protecting ourselves from hackers that can't build
from source.  We are also preventing IT professionals who want to just
yum install a package instead of taking the time to build from source.

It would have been better, IMHO, if the Board had just said that there
were significant legal liabilities with including this software in the
Fedora repos and left it at that.

>
>        -Mike
>
> [1] http://sqlninja.sourceforge.net/sqlninjademo1.html

--Eric

