This repository has been archived by the owner on Aug 7, 2020. It is now read-only.

Eliminate the list of dependencies or make it optional at least #6

Open
blshkv opened this issue Aug 11, 2017 · 7 comments
Comments

@blshkv

blshkv commented Aug 11, 2017

My first impression was: a great tool. But after I saw the list of dependencies I started to wonder.

Do you really expect it to be installed on a compromised machine??
First of all, there might be no internet in the intranet. Second, you will not be allowed to install all these on a client's machine (unless you developed a tool for hackers, which is totally illegal).

Is there any solution for this problem?

@mike-bailey

mike-bailey commented Aug 21, 2017

you will not be allowed to install all these on a client's machine

Why? Most/none of these tools actually disrupt system performance unless it's a shit system

@eightbit-io
Contributor

eightbit-io commented Aug 21, 2017

With respect to the dependencies we are working to minimise them as much as possible as well as a better way to manage them. Any contributions are welcome.

With respect to the authorisation - this tool is designed for penetration testing and security assessment. When you conduct a penetration test professionally you are given permission by the client to the extent allowed by the scope agreed with them. I don’t see this as an issue.

EDIT: Grammar.

@blshkv
Author

blshkv commented Aug 21, 2017

@mike-bailey you can presume that it is a shit system to get back to the topic ;-)

Basically, as a security consultant you need to make minimal distraction and make sure that your client's system is in the same shape as before you tested it.

You can probably argue that apt-get will be able to uninstall installed packages (but I'm not certain how clean that is, and would it uninstall dependencies?), but my clients (at least) will not allow even this.

However, your install.sh script does not do only that. It runs a bunch of

git clone
./synclibs.sh
./autogen.sh
python setup.py install

which basically will pollute the client's system with developer tools, hackers' tools and some other shit which is never supposed to be in the production system, and you will not be able to clean up that garbage after you have done your job.

So you will either get fired or lose a client.

@mike-bailey

mike-bailey commented Aug 21, 2017

which basically will pollute the client's system with developer tools, hackers' tools and some other shit which is never supposed to be in the production system, and you will not be able to clean up that garbage after you have done your job.

This definitely isn't the case, it should be uninstallable

So you will either get fired or lose a client.

Not if it's within scope...?

@mike-bailey

@eightbit-io what if you just carried the dependencies as git submodules and didn't actually install them?

@blshkv
Author

blshkv commented Aug 21, 2017

Yes, an alternative way would be to keep all required software in the same folder (as an option) without installing it so it would be possible to delete that folder after you are done.

@DanMcInerney

Submodules are the way to go!
