Re: Exploit Archive

From: Jacob Uecker (jacob@juecker.net)
Date: Thu Aug 19 2004 - 12:09:50 EDT


I agree. If you want up to date, you'll have to do twice as much work
with Knoppix. Does anyone out there have a set of tools that they use
to build a Knoppix CD when they need to upgrade a single (or small set)
of utilities within the distro?

Jacob

Todd Towles wrote:

> Knoppix is good and very useful, but has drawbacks. You can't keep it
> very up-to-date and you have to run it all off the CD. The new version of
> Nmap (3.55) has really good OS detection and of course you wouldn't have
> that in Knoppix. I use Knoppix and Knoppix-STD for Kismet and Airsnort
> mostly. Or just messing around at Starbucks ;)
>
> But to really get the newest tools, you need to have a Linux box and
> learn to work with apps on it.
>
> Just 2c
>
> -----Original Message-----
> From: Jacob Uecker [mailto:jacob@juecker.net]
> Sent: Wednesday, August 18, 2004 11:32 AM
> To: DeMott Jared; pen-test@securityfocus.com
> Subject: Re: Exploit Archive
>
> I don't personally have an exploit library per se but you can check out
> www.packetstormsecurity.org. They post exploits as they are published.
> As far as methodology is concerned, take a look at
> http://www.isecom.org/projects/osstmm.shtml
>
> VMware is good for some applications, but it doesn't allow you the guest
> OS control over the hardware like you could have if you were running it
> right off the box. A lot of people use KNOPPIX on their Windows boxes.
>
> Regards,
> Jacob
>
> DeMott Jared wrote:
>
>
>>Gang:
>>
>>I was wondering if anyone has a nice archive of Windows, Unix, etc.
>>exploits (fully functional) they'd be willing to share. I'm about to
>>do the first pen-test of our network. I know that I can identify
>>"potential" flaws using Nessus, but my boss has asked that I prove to
>>him each and every "potential" weakness. I've been told that you can
>>find many exploits out on the web, but it's been such a hassle trying
>>to find all of what I'm looking for!
>>
>>Also, I've been reading the discussion about methodology some people
>>have been having:
>>
>>1.) Vulnerability Assessment
>> -Gather data
>> -Assess potential weakness
>> -Determine what current patch levels are
>>  (does someone have this data?)
>> -Recommend all necessary corrections
>>
>>2.) Penetration Test
>> -Pretend not to know data
>> -Try to Hack into the network
>> -Report successes or failures
>>
>>Does anyone have a more complete methodology paper? I've been hearing
>>some of the pros and cons of the above two. Do you normally do both,
>>or just whatever people want? I assume the first is more difficult
>>and time consuming; is that true?
>>
>>The approach is certainly important, but even more intimidating: I
>>feel like I need to know everything about varying brands of firewalls,
>>routers, switches/hubs, VLANs, VPNs, Web Applications, Windows, Unix,
>>Netware, etc., etc., etc.! I'm pretty experienced in Unix and
>>Firewalls, but does anyone have any advice on dealing with the sheer
>>magnitude of data necessary? Also, from the more practical tools
>>standpoint, do you guys just have everything loaded on one "attack"
>>laptop. Dual boot, or VMware?
>>
>>Thanks so much!
>>
>>Jared DeMott
>>Vulnerability Analyst
>>Booz | Allen | Hamilton
>>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:59 EDT