Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Mpack

from [Erin Carroll] Network Security [Permanent Link]
Subject: RE: Mpack
Date: Tue, 26 Jun 2007 22:40:35 -0700 
All,

Any discussion or information on where to obtain the Mpack tookit for
purchase or malicious means will be rejected outright. The pen-test list
will not be used to facilitate illegal activities.

That said, I don't see danger in discussing the capabilities and potential
of this or similar toolkits. I'm interested in malicious code. I need to be
interested in malicious code to know how to help clients defend against it.
Some of the newest malware out there is amazingly complex and sophisticated.
To be blunt, the "bad guys" will always be slightly ahead of the "good guys"
in this arms race. I have pondered for quite some time the potential of
using "malware" toolkit platforms (Mpack, Agobot, etc) for legitimate
pen-testing purposes and this thread does provide a nice segue into that
realm. To paraphrase an oft-quoted phrase, "the tool isn't the problem, it's
how it is applied."

If the scope and legal contractual needs are such from a client to approve
utilizing social engineering or other "grey" methodologies which would
normally be construed as illegal (depending on local laws... yadda yadda
yadda) outside of that legal agreement, how is creating custom exploits
using Mpack different than creating exploit payloads for a Metasploit or
Core Impact toolkit? Are there practicing pen-test professionals out there
who have done this legally? I'm aware that the "bad guys" use "good guy"
tools for nefarious purposes... Is using the "bad guy" tools for "good guy"
purposes wrong? And if so, where do we draw the line?

I'm interested to hear your responses.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 



-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of Kish Pent
Sent: Tuesday, June 26, 2007 9:56 PM
To: Nikolaj; pen-test@securityfocus.com
Subject: Re: Mpack

Please go away :)

It's a polite request, and you've come to the other side, to 
ask what you want. This is a list for professionals, not 
people who are interested in malicious code.

Cheers :)
Kish

PS: Erin, delete this thread ASAP, in the best interest of 
the list's reputation. ;)

--- Nikolaj <lorddoskias@gmail.com> wrote:


Anyone has some first-hand info about this exploitation toolkit? Or 
any info where it can be bought?




Kishore
Penetration Tester
Smart Security
T.Nagar , Chennai
Phone: 91 98841 80767


 
______________________________________________________________
______________________
Finding fabulous fares is fun.  
Let Yahoo! FareChase search your favorite travel sites to 
find flight and hotel bargains.
http://farechase.yahoo.com/promo-generic-14795097

--------------------------------------------------------------
----------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic See HOW Now with 
our 20/20 program!

http://www.cenzic.com/c/2020
--------------------------------------------------------------
----------




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Mpack, Kish Pent
Next by Date:  rose fragmentation attack, Justin Ferguson
Previous by Thread:  Re: Mpack, Kish Pent
Next by Thread:  RE: Mpack, Matt Steer
Indexes:  [Date] [Thread] [Top] [All Lists]