Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Exploit Repositories and Due Diligence

from [Sahir Hidayatullah] Network Security [Permanent Link]
Subject: RE: Exploit Repositories and Due Diligence
Date: Fri, 10 Jun 2005 12:19:30 +0530 
 
Good question!

Personally, I feel exploit repositories only speed up the time it takes to
identify whether an exploit exists or not. You'll invariably find that the
exploit code itself gives insufficient information about the vulnerability
in the comments, so you'll hit Securityfocus' or similar for more
information. You *could* just get the exploit from there, but when you're in
the middle of a test and you discover something not so standard (for example
some random embedded device) you want to quickly look up whether an exploit
exists.

If you have testers that are just gcc'ing the exploit and firing it at a
target without understanding the source, you're asking for trouble
especially with respect to non-standard systems.

What I have noticed is people relying too much on exploit repositories, they
will identify a system, search the repository, and if they don't find a
match, move on. This totally skips the creative process of approaching the
system manually looking for 'common' problems -- broken authentication,
default passwords etc.

The way I like to work is ID the systems and their services, and make a
table of exploits that I could tentatively use against each service. Then
move to manual testing, if nothing comes out of that, pick an exploit,
understand it, and if it passes the test, give it a shot.

That said, updatable exploit repositories like SecurityForest (CVS based)
are a godsend for managing your collection, and a great start for building
one.

Regards,

Sahir Hidayatullah
Technical Consultant - Information Security
--------------------------------------
MIEL e-Security Pvt. Ltd.
C- 611 / 612, Floral Deck Plaza,
MIDC Central Road, Andheri (E),
Mumbai 400 093, India.
Tel No:+ 91 (022) 2821 5050
PGP KeyID: 0x4F5EC345
Fingerprint: F4C2 7274 792E 8E39 D90D  BA02 C070 B4BF 4F5E C345


-----Original Message-----
From: Jeff [mailto:jb@jbware.net] 
Sent: Friday, June 10, 2005 6:50 AM
To: pen-test@securityfocus.com
Subject: Exploit Repositories and Due Diligence

I have a question regarding the use of exploit repositories (including
projects like Metaploit, and compliations on bootable distros like Whoppix).
With all of the large exploit repositories used to make pen testing faster
and easier, what methods do you use to ensure you've done your due diligence
in not unleashing something actually harmful on your clients?  I have my own
thoughts, such as googling and superficial|deep code reviews, but ultimately
my concern is over the malcious hiding of intentions.  Thanks for any
insights and suggestions.

- Jeff
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  A suggestion from the Moderator, Erin Carroll
Next by Date:  AW: SQL injection, Julian Totzek
Previous by Thread:  RE: Exploit Repositories and Due Diligence, Leandro Reox
Next by Thread:  RE: Exploit Repositories and Due Diligence, Carl Tucker
Indexes:  [Date] [Thread] [Top] [All Lists]