EH-Net
Topic: Exploits  (Read 2630 times)
cleanwithit0607
Newbie
« on: November 20, 2008, 05:47:59 AM »

This may be a stupid question. I understand the concept of how exploits work.

But if you need an exploit for the computer (pen test) you're trying to get into, do you search Google for an exploit and alter the code to fit your needs? Or do you write it on your own from start to finish? Metasploit aside.

Sorry for the noob question, I just wanted to know.
« Last Edit: November 20, 2008, 05:56:38 AM by cleanwithit0607 »

A+, Network +, Security +, Linux +,

MCP/MCTS: Vista Config.

Work in progress: CEH

Currently Reading: Hacking-The Art Of Exploitation.

Recommended book: Counter Hack Reloaded.
Andrew Waite
Hero Member
aka RoleReversal
« Reply #1 on: November 20, 2008, 06:46:02 AM »

Personally speaking (mostly lab work with some real-world experience):

  • Metasploit first (why reinvent the wheel? if it works, go with that and move on to something more interesting)
  • Modification of existing code (milw0rm, Packet Storm, etc.)
  • Handwritten as last option (unless practice at exploit dev is the goal)

If all you're looking for is access to the box I'd stick with this order.

cleanwithit0607
Newbie
« Reply #2 on: November 20, 2008, 06:51:51 AM »

> Personally speaking (mostly lab work with some real-world experience):
>
>   • Metasploit first (why reinvent the wheel? if it works, go with that and move on to something more interesting)
>   • Modification of existing code (milw0rm, Packet Storm, etc.)
>   • Handwritten as last option (unless practice at exploit dev is the goal)
>
> If all you're looking for is access to the box I'd stick with this order.

Thanks RR, you're always there when I need you, lol. I just figured if you're doing a penetration test for a company, would you write the whole thing, I mean that would seem to take a lot of time. But then again look at my title, i.e., "Newbie".

I don't really know if exploit development is the goal, because I'm still young into this, but it does sound very interesting to me.
Andrew Waite
Hero Member
aka RoleReversal
« Reply #3 on: November 20, 2008, 08:35:57 AM »

From a business perspective writing the exploit from scratch doesn't make sense (assuming a less intensive (Metasploit, modifying PoCs, etc.) option works). All the business is interested in is if the vulnerability exists and the risk to the business.

Proving you're 3l1t3 and coding it yourself isn't going to gain you anything in the business world, and may actually reduce the impact the vulnerability has on the business people. However if you can demo freely downloading a point and click application that makes their essential web-server fall over revealing corporate secrets and client CC info in a few clicks, that can definitely get the point home :D

shednik
Jr. Member
« Reply #4 on: November 20, 2008, 09:12:07 AM »

I'd have to agree with RR that if you can exploit something through Metasploit then by all means try that first, and if it's on your own time for the sake of learning though go crazy with trying your own code.

CCNA, MCP, A+, N+

WIP: Masters of Infosec, CEH, & Mastering C
cleanwithit0607
Newbie
« Reply #5 on: November 20, 2008, 09:17:54 AM »

Thanks Guys!
© 2009 The Ethical Hacker Network