PaulDotCom mailing list archives
Re: Testing exploits
From: Zate Berg <zate75 () gmail com>
Date: Tue, 18 Jan 2011 11:34:21 -0500
If the CTO is requesting it then you are over a major hurdle already, getting management to understand what it means when you can pop a box easily and allowing you to test like this. I have had luck with taking Nessus scans and trying to exploit weaknesses with Metasploit to prove a point. I have also had success with just filtering Nessus output on "exploitable" vulnerabilities (can do that in filters in the web client). Nessus will show you in the results vulnerabilities that have confirmed exploits in metasploit/canvas/core. I think the key here is presenting your findings in a format that says more than "ha we got shell". Being able to frame up exactly what the impact to the business of that particular system getting compromised is. Does it hold important data? Is it a trusted system with access to other more important systems? The context of what you have compromised is really important. Good luck. Zate On Mon, Jan 17, 2011 at 11:16 PM, Steve <spassino () mac com> wrote:
I am curious to everyone's opinion on the following ....We have a small group of servers in our environment that run out of date operating systems, primarily windows 2000 and redhat 3. We are doing the dance with business teams, migration is happening but slow. Our CTO has asked the security team to begin testing exploit code against these servers - a successful exploit would move that server up the priority list of getting it migrated off onto a supported operating system. Our tests only hit non-production servers so production is not impacted. Does anyone else have a similar process or tried something similar and was it successful ? --Steve _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Testing exploits Steve (Jan 18)
- Re: Testing exploits Zate Berg (Jan 18)
- Re: Testing exploits Mike Patterson (Jan 18)
- Re: Testing exploits Zate Berg (Jan 18)