I'm just curious how often anyone else uses stand-alone exploits from sources such as Exploit DB in professional tests. I think I've only done so once.

If so, do you expect to have internet (unfiltered) access while on site?

Do you maintain an archive that you bring with you?

Or do you primarily stick to Metasploit, Canvas, Core Impact, etc.?

Thanks for the response. I do the same thing

I have an OpenBSD VPS ($10/mo with ARP Networks - They ROCK), and I have SSH listening on 443, amongst others. It's pretty nasty as I only get stopped if they're doing application-level inspection or are a deny-all shop and are only allowing specific IPs/URLs.

I used to do port-redirection to TinyProxy until I found out about the ssh -D option. That's been working out great. It's nice for keeping away from eavesdroppers on Hilton's network too.

If all else fails, I can often just get back online once I return to the hotel and prepare for the next day. It'd be nice if work would spring for some sort of air card though.

I think the issue I run into is simply a lack of time. Like this week, I had to perform social engineering, a security assessment with physical inspection, and a pen test in three days. I'm not even going to be able to get all the low-hanging fruit on this one, let alone go after anything more obscure.

Shame on you!...

mkdir /usr/work/exploits/{linux,bsd,solaris,windows}
mkdir /usr/work/exploits/bsd/{open,net,free}
mkdir /usr/worl/exploits/windows/{xp,vista,nt,9x,2003,2008}

I have a large repository of stuff not found on typical sites (exploit-db, packetstorm, etc) stored in both compiled and uncompiled modes for both x86 and 64bits under as many operating systems as it's portable to get it running on. I try to find as much exploit code as I can and further divide it into remote/local folder inside the operating system folders. It's a pain but definitely handy in tight situations. Just make sure you hit

It pays to put together a sandbox of most operating systems to test against, I have most operating systems with the exception of things like z/OS, Tru64 and a few others. Each sandbox (VMWare by the way) has a snapshot so I can download w/e I want, unhook the sandbox from network to avoid it cooking my network/malware(reversed)exploits, run it, fix it if need be, then throw it into the tool kit if it accomplishes what I need.

PITA it is, but it will save you time in the long run. When you need them, plop them on a USB key... Re-writeable DVD/CD and instamagic access Who cares if you have no connectivity to download. The downside is sorting them out and trying to fix toasty sploits (ones that don't work for those unaccustomed to slang).


http://www.0xdeadbeef.info/ (Solaris stuff rocks)
http://inj3ct0r.com/ (wanna be milw0rm)
http://rawlab.mindcreations.com/#exploit
http://www.exploit-db.com/
http://triviasecurity.net/exploits

Best bet to find hardcore PoC's and exploits, follow the coder or mesh another coder's work into your own. Why reinvent wheels


Prematurely hit the save button...

Just make sure you hit "Take Snapshot" ALL the time I've learned this the hard way.

Kind of have to hit the main sites, and download to your heart's content, dynamik, archiving those sploits for rainy days.  I do the same, as time and resources permit.  Saves a whole lot of time and energy, in the end.  Make sure you understand what you're playing with, anytime you're using someone else's sploits from a site you're not used to, however, as I've seen a few people do serious damage because of malware, fronted as a sploit.  I've been called in after the fact, on quite a few occasions, to explain what someone (not working with me) had done to hork up someone's servers...  Nothing like knowing the competition isn't on the ball, though! 

It's just like having rainbow tables for windows password security, etc.  The more you have, even when you don't need them immediately, the better off you'll be, when you DO need them.

I just noticed that Exploit DB provides an Archive. That simplifies things a bit. I really should pay more attention to navigational menus...