Re: Exploit Archive

From: Jacob Uecker (jacob_at_juecker.net)
Date: 08/19/04

    Date: Thu, 19 Aug 2004 09:09:50 -0700
    To: pen-test@securityfocus.com
    
    

    I agree. If you want up to date, you'll have to do twice as much work
    with Knoppix. Does anyone out there have a set of tools that they use
    to build a Knoppix CD when they need to upgrade a single (or small set)
    of utilities within the distro?

    Jacob

    Todd Towles wrote:

    > Knoppix is good and very useful, but has drawbacks. You can't keep it
    > very up-to-date and you have to run it all the CD. The new version of
    > Nmap (3.55) has really good OS detection and of course you wouldn't have
    > that in Knoppix. I use Knoppix and Knoppix-STD for Kismet and Airsnort
    > mostly. Or just messing around at Starbucks ;)
    >
    > But to really get the newest tools, you need to have a linux box and
    > learn to work with apps on it.
    >
    > Just 2c
    >
    > -----Original Message-----
    > From: Jacob Uecker [mailto:jacob@juecker.net]
    > Sent: Wednesday, August 18, 2004 11:32 AM
    > To: DeMott Jared; pen-test@securityfocus.com
    > Subject: Re: Exploit Archive
    >
    > I don't personally have an exploit library per se but you can check out
    > www.packetstormsecurity.org. They post exploits as they are published.
    > As far as methodology is concerned, take a look at
    > http://www.isecom.org/projects/osstmm.shtml
    >
    > VMware is good for some applications, but it doesn't allow you the guest
    > OS control over the hardware like you could have if you were running it
    > right off the box. A lot of people use KNOPPIX on their Windows boxes.
    >
    > Regards,
    > Jacob
    >
    > DeMott Jared wrote:
    >
    >
    >>Gang:
    >>
    >>I was wondering if anyone has a nice archive of Windows, Unix, etc.
    >>exploits (fully functional) they'd be willing to share. I'm about to
    >>do the first pen-test of our network. I know that I can identify
    >>"potential" flaws using Nessus, but my boss has asked that I prove to
    >>him each and every "potential" weakness. I've been told that you can
    >>find many exploits out on the web, but it's been such a hassle trying
    >>to find all of what I'm looking for!
    >>
    >>Also, I've been reading the discussion about methodology some people
    >>have been having:
    >>
    >>1.) Vulnerability Assessment
    >> -Gather data
    >> -Assess potential weakness
    >> -Determine what current patch levels are
    >>  (does someone have this data?)
    >> -Recommend all necessary corrections
    >>
    >>2.) Penetration Test
    >> -Pretend not to know data
    >> -Try to Hack into the network
    >> -Report successes or failures
    >>
    >>Does anyone have a more complete methodology paper? I've been hearing
    >>some of the pros and cons of the above two. Do you normally do both,
    >>or just whatever people want? I assume the first is more difficult
    >>and time consuming; is that true?
    >>
    >>The approach is certainly important, but even more intimidating: I
    >>feel like I need to know everything about varying brands of firewalls,
    >>routers, switches/hubs, VLANs, VPNs, Web Applications, Windows, Unix,
    >>Netware, etc., etc., etc.! I'm pretty experienced in Unix and
    >>Firewalls, but does anyone have any advice on dealing with the sheer
    >>magnitude of data necessary? Also, from the more practical tools
    >>stand point, do you guys just have everything loaded on one "attack"
    >>laptop. Dual boot, or VMware?
    >>
    >>Thanks so much!
    >>
    >>Jared DeMott
    >>Vulnerability Analyst
    >>Booz | Allen | Hamilton
    >>
