Re: Exploit Archive

[Jacob Uecker <jacob () juecker net>]

I agree.  If you want up to date, you'll have to do twice as much work 
with Knoppix.  Does anyone out there have a set of tools that they use 
to build a knoppix cd when they need to upgrade a single (or small set) 
of utilities within the distro?

Jacob

Todd Towles wrote:

> Knoppix is good and very useful, but has drawbacks. You can't keep it
> very up-to-date and you have to run it all the CD. The new version of
> Nmap (3.55) has really good OS detection and of course you wouldn't have
> that in Knoppix. I use Knoppix and Knoppix-STD for Kismet and Airsnort
> mostly. Or just messsing around at Startbucks ;)
>
> But to really get the newest tools, you need to have a linux box and
> learn to work with apps on it.
>
> Just 2c 
>
> -----Original Message-----
> From: Jacob Uecker [mailto:jacob () juecker net] 
> Sent: Wednesday, August 18, 2004 11:32 AM
> To: DeMott Jared; pen-test () securityfocus com
> Subject: Re: Exploit Archive
>
> I don't personally have an exploit library per se but you can check out
> www.packetstormsecurity.org  They post exploits as they are published. 
> As far as methodology is concerned, take a look at
> http://www.isecom.org/projects/osstmm.shtml
>
> VMware is good for some applications, but it doesn't allow you the guest
> OS control over the hardware like you could have if you were running it
> right off the box.  A lot of people use KNOPPIX on their Windows boxes.
>
> Regards,
>         Jacob
>
> DeMott Jared wrote:
>
>
> > Gang:
> >
> > I was wondering if anyone has a nice archive of Windows, Unix, etc.
> > exploits (fully functional) they'd be willing to share.  I'm about to 
> > do the first pen-test of our network.  I know that I can identify 
> > "potential" flaws using Nessus, but my boss has asked that I prove to 
> > him each and every "potential" weakness.  I've been told that you can 
> > find many exploits out on the web, but it's been such a hassle trying 
> > to find all of what I'm looking for!
> >
> > Also, I've been reading the discussion about methodology some people 
> > have been having:
> >
> > 1.) Vulnerability Assessment                  2.) Penetration Test
> >    -Gather data                                            -Pretend
>
> not
>
> > to know data
> >    -Assess potential weakness                      -Try to Hack into
> > the network
> >    -Determine what current patch levels are   -Report successes or
> > failures
> >     (does someone have this data?)
> >    -Recommend all necessary corrections
> >
> > Does anyone have a more complete methodology paper?  I've been hearing
>
>
> > some of the pros and cons of the above two.  Do you normally do both, 
> > or just whatever people what?  I assume the first is more difficult 
> > and time consuming; is that true?
> >
> > The approach is certainly important, but even more intimidating:  I 
> > feel like I need to know everything about varying brands of firewalls,
>
>
> > routers, switches/hubs, VLANs, VPNs, Web Applications, Windows, Unix, 
> > Netware, etc., etc., etc.!  I'm pretty experienced in Unix and 
> > Firewalls, but does anyone have any advise on dealing with the shear 
> > magnitude of data necessary?  Also, from the more practical tools 
> > stand point, do you guys just have everything loaded on one "attack"
>
> laptop.
>
> > Dual boot, or VmWare?
> >
> > Thanks so much!
> >
> > Jared DeMott
> > Vulnerability Analyst
> > Booz | Allen | Hamilton
>
>
>
> ------------------------------------------------------------------------
> ------
> Ethical Hacking at the InfoSec Institute. All of our class sizes are
> guaranteed to be 12 students or less to facilitate one-on-one
> interaction with one of our expert instructors. Check out our Advanced
> Hacking course, learn to write exploits and attack security
> infrastructure. Attend a course taught by an expert instructor with
> years of in-the-field pen testing experience in our state of the art
> hacking lab. Master the skills of an Ethical Hacker to better assess the
> security of your organization.
>
> http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
> ------------------------------------------------------------------------
> -------


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
-------------------------------------------------------------------------------