Re: a "good" vulnerability for educational purposes

[eldraco <eldraco () gmail com>]

hi all, 

we are teaching pentesting too, and we use:

Solution a:
1- webgoat (you can use the one in www.damnvulnerablelinux.org)
2- metasploit

Solution b:
We also use w3af, that comes with a lot of .php files (all what it can test) 
for apache, so you can test your w3af installation. This includes buffer 
overflows, sql injection and the like.

Solution c:
1- Old iis in an old win2k
2- metasploit

cheers

eldraco

El Monday 18 August 2008 17:55:27 Kelly Keeton escribió:
> Also there are Live Cd's with things your looking for...
>
> http://de-ice.net/
> http://www.damnvulnerablelinux.org/
>
> no so but some...
>
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>
> On Mon, Aug 18, 2008 at 12:07 PM, Andre Amorim <decouk () gmail com> wrote:
> > Dear Trajce,
> > My suggestion is ...
> > Download some old softwares with bugs.
> > https://www.securinfos.info/old_softwares_vulnerable.php
> >
> > then use metasploit to exploit it.
> > Also there is a nice intro tutorial here showing how to write a
> > exploit with metasploit framework.
> > http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit
> >
> >
> > All the best,
> > Andre Amorim
> > GnuPG KEY: 2048R/3E10FF47
> > Download:
> > http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0x7C3B77763E10
> > FF47
> >
> > 2008/8/18  <dimkovtrajce () yahoo com>:
> > > Hi,
> > >
> > > Our goal is to teach master students in computer security in pen testing
> > > remote servers.
> > >
> > > As an exercise we want to introduce a vulnerability in IIS or Apache (or
> > > any other place you might suggest)which is recognizable with current
> > > vulnerability scanners(ex.nessus), but requires some coding/payload
> > > generation to exploit the vulnerability.
> > >
> > > I am considering bugtracq, but there are many vulnerabilities there
> > > which i can not filter with the requirements above.
> > >
> > > Can you point me to any "good" vulnerability for this purpose?
> > >
> > >
> > >
> > > Regards,
> > > Trajce
> > >
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Top 5 Common Mistakes in
> > > Securing Web Applications
> > > Get 45 Min Video and PPT Slides
> > >
> > > www.cenzic.com/landing/securityfocus/hackinar
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes in
> > Securing Web Applications
> > Get 45 Min Video and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------



-- 
Ing. Sebastián García
http://minsky.surfnet.nl:11371/pks/lookup?op=get&search=0x3E42ED27F864EDE6

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------