Penetration Testing mailing list archives

Re: Different methods of obtaining exploits

From: FocusHacks <focushacks () gmail com>
Date: Sat, 28 Jan 2006 22:19:52 -0600

I'd say 100% of pen testers use exploits found on mailing lists and
security sites, and I would be willing to bet a good 25% of them are
getting exploits from friends and other limited-distribution channels
on top of using published exploits.

Honestly I'd bet the number of pen-testers actively finding holes to
exploit is probably in the single-digit percentages.  There may be 25%
who take an advisory and reverse engineer the app to code an exploit
for it, or re-vamp some POC code to be useable in the field, but I
doubt 25% are actually finding the bugs to begin with.

On 1/26/06, yawgmoth7 <yawgmoth7 () gmail com> wrote:

I've always wondered about this, I do not know why. But just the
different ways that pen-testers get their exploits/vullnerabilities. I
think it would go something like this:
50% From online security sites
25% Find their own
25% From their friends

Have I left any out? If so, go ahead and add it, this is just about
what I think it would be. This has always interesting me for some
reason.

See ya
--
gurusnetwork.org
Gurus'Network - Are you a guru?

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



--
http://www.FocusHacks.com - The Ford Focus Modification Site!

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Different methods of obtaining exploits yawgmoth7 (Jan 28)
- Re: Different methods of obtaining exploits Ali Akbar (Jan 30)
- RE: Different methods of obtaining exploits security (Jan 30)
- Re: Different methods of obtaining exploits FocusHacks (Jan 30)
- Re: Different methods of obtaining exploits Dharmendra (Jan 31)
- Re: Different methods of obtaining exploits Roman Medina-Heigl Hernandez (Jan 31)
- <Possible follow-ups>
- Re: Different methods of obtaining exploits barcajax (Jan 30)