RE: Exploit Repositories and Due Diligence

["Carl Tucker" <manuscity () hotmail com>]

Jeff, you raise an interesting point, I have been growing a list of exploit 
files and regularly found many of them not to deliver what they claimed. I 
have been using metasploits for a while and got on ok with it, many of those 
files are not correct either and having to do a hand audit can be a pain in 
the ass.

I started using a pretty cool app called traffic iq from www.karalon.com a 
while ago and that has got a big library in it and I havent found any 
problems.

CT

> From: "Jeff" <jb () jbware net>
> Reply-To: <jb () jbware net>
> To: <pen-test () securityfocus com>
> Subject: Exploit Repositories and Due Diligence
> Date: Thu, 9 Jun 2005 21:19:52 -0400
>
> I have a question regarding the use of exploit repositories (including
> projects like Metaploit, and compliations on bootable distros like 
> Whoppix).
> With all of the large exploit repositories used to make pen testing faster
> and easier, what methods do you use to ensure you've done your due 
> diligence
> in not unleashing something actually harmful on your clients?  I have my 
> own
> thoughts, such as googling and superficial|deep code reviews, but 
> ultimately
> my concern is over the malcious hiding of intentions.  Thanks for any
> insights and suggestions.
>
> - Jeff

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee® 
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963