How do you get your exploits?

[wenghon828 at yahoo.com (Wayne Ho)]

HD,

Is there any good reference/book for Ruby for security
you can recommend for me to get up to speed on the
MSF3?

Thanks,

Wayne
--- H D Moore <hdm at metasploit.com> wrote:

> On Friday 14 September 2007 08:51, Mr Gabriel wrote:
> > To me, the concept, and idea of pen testing, is to
> find holes *before*
> > some crack fueled script kiddie does - but how can
> I do this if I don't
> > have the latest exploits to hand?
>
> Most of the "vlad" style exploits you see are
> client-side or depend on 
> user interaction. Metasploit supports quite a few of
> these, but there 
> just aren't that many server-side code execution
> bugs in XP SP2. For the 
> most part, the script kids are using old and well
> published exploits to 
> wreak their mayhem. The M-PACK kit for example, is
> based on a handful of 
> known vulnerabilities (metasploit 3 supports most of
> them).
>
> > Which brings me to my second point, the exploits
> that are included with
> > MS3 - where they created just for MS3, or have
> they been adapted from
> > exploits found in the wild?
>
> Some of each. It depends who wrote the exploit
> first.  Even when exploits 
> are adapted from an existing program, they tend to
> be improved after they 
> are ported to the framework (more reliable, less
> bugs, support for any 
> shellcode, etc).
>
> -HD



      ____________________________________________________________________________________
Check out the hottest 2008 models today at Yahoo! Autos.
http://autos.yahoo.com/new_cars.html