Exploits

cleanwithit0607

Newbie

Posts: 49

Joined: Thu Mar 27, 2008 5:17 am

Post Thu Nov 20, 2008 6:47 am

Exploits

This may be a stupid question. I understand the concept of how exploits work.

But if you need an exploit for the computer (pen test) you're trying to get into, do you search Google for an exploit and alter the code to fit your needs? Or do you write it on your own from start to finish? Metasploit aside.

Sorry for the noob question, I just wanted to know.
Last edited by cleanwithit0607 on Thu Nov 20, 2008 6:56 am, edited 1 time in total.
A+, Network +, Security +, Linux +,

MCP/MCTS: Vista Config.

Work in progress: CEH

Currently Reading: Hacking-The Art Of Exploitation.

Recommended book: Counter Hack Reloaded.
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Nov 20, 2008 7:46 am

Re: Exploits

Personally speaking (mostly lab work with some real-world experience):

  • Metasploit first (why reinvent the wheel? if it works, go with that and move on to something more interesting)
  • Modification of existing code (milw0rm, Packet Storm, etc.)
  • Handwritten as last option (unless practice at exploit dev is the goal)

If all you're looking for is access to the box I'd stick with this order.
cleanwithit0607

Newbie

Posts: 49

Joined: Thu Mar 27, 2008 5:17 am

Post Thu Nov 20, 2008 7:51 am

Re: Exploits

RoleReversal wrote: Personally speaking (mostly lab work with some real-world experience):

  • Metasploit first (why reinvent the wheel? if it works, go with that and move on to something more interesting)
  • Modification of existing code (milw0rm, Packet Storm, etc.)
  • Handwritten as last option (unless practice at exploit dev is the goal)

If all you're looking for is access to the box I'd stick with this order.


Thanks RR, you're always there when I need you, lol. I just figured if you're doing a penetration test for a company, would you write the whole thing? I mean, that would seem to take a lot of time. But then again, look at my title, i.e., "Newbie".

I don't really know if exploit development is the goal, because I'm still young into this, but it does sound very interesting to me.
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Nov 20, 2008 9:35 am

Re: Exploits

From a business perspective, writing the exploit from scratch doesn't make sense (assuming a less intensive option (Metasploit, modifying PoCs, etc.) works). All the business is interested in is whether the vulnerability exists and the risk to the business.

Proving you're 3l1t3 and coding it yourself isn't going to gain you anything in the business world, and may actually reduce the impact the vulnerability has on the business people. However if you can demo freely downloading a point and click application that makes their essential web-server fall over revealing corporate secrets and client CC info in a few clicks, that can definitely get the point home :D
shednik

Jr. Member

Posts: 75

Joined: Thu Sep 11, 2008 7:30 am

Post Thu Nov 20, 2008 10:12 am

Re: Exploits

I'd have to agree with RR that if you can exploit something through Metasploit then by all means try that first, and if it's on your own time for the sake of learning, though, go crazy with trying your own code.
CCNA, MCP, A+, N+

WIP: Masters of Infosec, CEH, & Mastering C
cleanwithit0607

Newbie

Posts: 49

Joined: Thu Mar 27, 2008 5:17 am

Post Thu Nov 20, 2008 10:17 am

Re: Exploits

Thanks Guys!