Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Patch management tool

from [R. DuFresne] Network Security [Permanent Link]
Subject: RE: Patch management tool
Date: Thu, 9 Sep 2004 19:11:22 -0400 (EDT) 

which is a shame and a headache for admins doing more then a home desktop.
trying to determine pacht levels in redhat is a game unto itself, and is
perhaps one reason that it has not penetrated further into the corporate
world then it has.  Course, I have many other horor stories to tell about
redhat <smile>...

Thanks,

Ron DuFresne

On Tue, 7 Sep 2004, Harper, Patrick wrote:


Redhat has always had a habit of patching the vulnerability not the
version.  While it shows an older version it could be patched.

My FC2 system says

[root@xxx root]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-1.99-OpenSSH_3.6.1p2

But if you go to:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/

Or check here for any advisories
http://secunia.com/search/?search=fedora+ssh&w=0

There is no update for SSH.  You need to try the actual exploit against
the box to see if it is really vulnerable, for redhat/fedora systems an
old rev number does not mean an exploitable system


 
-----Original Message-----
From: Todd Towles [mailto:toddtowles@brookshires.com] 
Sent: Tuesday, September 07, 2004 11:31 AM
To: roman one
Cc: pen-test@securityfocus.com
Subject: RE: Patch management tool

Yum works really well, but it shouldn't be your only tool to check for
updates. Yum only works with special list of rpm updates. 

I use Yum on my FC2 box. I modified my yum.conf to use all the mirrors
and everything. After doing a Nessus scan on my own box, I saw that my
SSH verion was pre-3.7.1

Not good, yum didn't see it and I had to update my OpenSSH myself.

Yum is good, but keeping up with software versions, knowing what is
installed on your box and what is running, and watching vuln news is one
of the best ways. 

I know this isn't the place for his question, but it isn't totally OT.
Vuln scanning your computer with Nessus and other tools can help you
find programs that need patches.

Everyone on this list knows that you should test what will be used
against you. The essence of Pen-Testing.

-----Original Message-----
From: roman one [mailto:roman@pointyhats.com]
Sent: Saturday, September 04, 2004 7:24 PM
To: 'Milind Nanal'; pen-test@securityfocus.com
Subject: RE: Patch management tool

As mentioned by another on this list, this isn't really the appropriate
list for such an inquiry, however, not to leave you without an answer,
for any linux distro that uses rpm's, yum - Yellow dog Updater, Modified
would fit the need. It's used extensively and is relatively straight
forward in implementation. You can find it here:

http://linux.duke.edu/projects/yum/

In the future, the focus-linux@securityfocus.com would be a better place
for a linux related inquiry.

HTH

roman
emperor@ensecure.org

He who fights with monsters might take care lest he thereby become a
monster. And if you gaze for long into an abyss, the abyss gazes also
into you.
                     -Friedrich Nietzsche, Jenseits von Gut und Bose
(1886)



-----Original Message-----
From: Milind Nanal [mailto:milindyn@rolta.com]
Sent: Friday, September 03, 2004 5:46 AM
To: pen-test@securityfocus.com
Subject: Patch management tool


List,

Looking for best free tool /open source solution for Linux operating 
system patches management. There are commercial tools available like 
Novell zenworks, Shavlik Technologies.
But I am looking for non commercial option.

Some thing like patch distribution server which possibly push the 
recent OS patches to other linux systems. Linux distribution should 
covering RedHat, Suse other linux flavors.

Quick response is highly appreciated.

Regards,

Milind

--------------------------------------------------------------
----------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are 
guaranteed to be 12 students or less to facilitate one-on-one 
interaction with one of our expert instructors.
Check out our Advanced Hacking course, learn to write exploits and 
attack security infrastructure. Attend a course taught by an expert 
instructor with years of in-the-field pen testing experience in our 
state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security 
of your organization.


http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------


------------------------------------------------------------------------
------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Check out our Advanced
Hacking course, learn to write exploits and attack security
infrastructure. Attend a course taught by an expert instructor with
years of in-the-field pen testing experience in our state of the art
hacking lab. Master the skills of an Ethical Hacker to better assess the
security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------


------------------------------------------------------------------------
------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Check out our Advanced
Hacking course, learn to write exploits and attack security
infrastructure. Attend a course taught by an expert instructor with
years of in-the-field pen testing experience in our state of the art
hacking lab. Master the skills of an Ethical Hacker to better assess the
security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------







Disclaimer:
This electronic message, including any attachments, is confidential and 
intended solely for use of the intended recipient(s). This message may 
contain information that is privileged or otherwise protected from disclosure 
by applicable law. Any unauthorized disclosure, dissemination, use or 
reproduction is strictly prohibited. If you have received this message in 
error, please delete it and notify the sender immediately. 




------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Dailydave] RE: Network Exploitation Tools akaExploitationEngines & FUD, Chuck Fullerton
Next by Date:  RE: Achilles proxy for linux, Alexandre Skyrme
Previous by Thread:  RE: Patch management tool, Harper, Patrick
Next by Thread:  RE: Patch management tool, Todd Towles
Indexes:  [Date] [Thread] [Top] [All Lists]