Choosing the correct exploit
Hi Guys,
I'm getting started in the pen testing field of security and have been
playing with Backtrack (4 R2).
I'm working through 'Metasploit Unleashed' and have been watching
some videos here and there.
The one thing I'm trying to understand is how best to determine which
exploit to use based on the results from basic information gathering.
For example I can use Nmap to determine hosts and services and do some basic
OS and application fingerprinting, and from there I guess
it's possible to kind of line up what exploits to try.
So if it's a Windows box I can 'use' exploit/windows/......
For the testing I'm doing I'm not able to use any type of auto_pwn feature.
The other thing I guess I can do is use a tool like Nessus or Nexpose to try to get the 'MS' vulnerability
numbers and look for exploits?
Are there any other tips that anyone can provide a n00bie with?
Many thanks.
Re: Choosing the correct exploit
Well, as you said, you could do an nmap scan to determine the services and their versions, or use telnet or nc. After you get the service and the version you could check them on exploit-db to see if there are some exploits for them, or use the search function in Metasploit. There is also SHODAN, which can search for such things.
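The workflow in the reply above (service and version from nmap, then a search on exploit-db or in Metasploit), as an added example that is not part of the thread: a small POSIX shell script that reads grepable output from `nmap -sV -oG`, keeps only open ports that nmap attached a version string to, reduces each version string to a "product major.minor" term, and prints the matching `searchsploit` line and the `search` line to paste into msfconsole. The scan text inside the script is constructed, not a real target, and `searchsploit` is assumed to be the grep wrapper shipped in the exploitdb directory.

```sh
#!/bin/sh
# Added example (not from the thread): turn 'nmap -sV -oG scan.gnmap' output
# into candidate search terms for searchsploit and msfconsole's 'search'.

# Constructed sample of grepable nmap output. Fields are tab-separated and the
# port list is "port/state/proto/owner/service/rpcinfo/version/, ...".
SAMPLE_GNMAP=$(printf '# Nmap 5.51 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.10\nHost: 192.168.1.10 ()\tStatus: Up\nHost: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: WORKGROUP)/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)\n')

gnmap_open_services() {
  # stdin: grepable nmap output. stdout: host<TAB>port<TAB>service<TAB>version
  # for every open port that carries a version string (no version, no search).
  awk -F'\t' '
    /Ports:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      ports = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, /, /)
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")   # f[1]=port f[2]=state f[5]=service f[7]=version
        if (f[2] == "open" && f[7] != "")
          printf "%s\t%s\t%s\t%s\n", host, f[1], f[5], f[7]
      }
    }'
}

product_term() {
  # $1: nmap version string, e.g. "OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)".
  # Prints "<product> <major.minor>" (or just "<product>" if no number is found),
  # which is specific enough to search on without the distro suffixes.
  printf '%s\n' "$1" | awk '{
    prod = $1; ver = ""
    for (i = 2; i <= NF; i++)
      if (match($i, /^[0-9]+(\.[0-9]+)?/)) { ver = substr($i, RSTART, RLENGTH); break }
    term = (ver == "") ? prod : prod " " ver
    print term }'
}

suggest_searches() {
  # stdin: lines from gnmap_open_services. stdout: a comment naming the
  # service, a searchsploit command, and the 'search' line for msfconsole
  # (msfconsole's search takes a keyword, so only the product name is used).
  while IFS="$(printf '\t')" read -r host port svc ver; do
    term=$(product_term "$ver")
    printf '# %s:%s %s (%s)\n' "$host" "$port" "$svc" "$ver"
    printf 'searchsploit %s\n' "$term"
    printf 'search %s\n' "${term%% *}"
  done
}

# Stand-alone run: replace the sample with  cat scan.gnmap | gnmap_open_services
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_open_services | suggest_searches
```

Filtered ports and open ports without a version string are dropped on purpose: a search on the service name alone ("ftp") returns far too much to be useful, so those ports are better revisited by hand with telnet or nc as the reply suggests.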
Re: Choosing the correct exploit
bobg2010, you pretty much got the idea. The other option, once services are identified, is to start coding your own exploits. Using buffer overflows and underruns etc. to exploit an architecture may sound daunting at first, but there's plenty of good reads and tutorials. Learning Python will give you a massive advantage in mostly whatever you do; however, once paired with the knowledge of a low-level language like C++ (debatable), the world of exploitation really is open to your imagination.
Re: Choosing the correct exploit
sickness, excellent mention of SHODAN, I'll second that.
Re: Choosing the correct exploit
Thanks to both of you, your feedback is very much appreciated.
I'll definitely have a look at SHODAN and, down the track once I have the basics out of the way, at developing my own exploits (I have a C/ASM background).
I had a question in regards to this
"after you get the service and the version you could actually check them on exploit-db to see if there are some exploits for them or use the search function from metasploit"
When I do a 'search' in Metasploit it is only searching the exploits from within the framework3 directory, correct? i.e. on the Backtrack install there is an 'exploitdb' directory as well which has the source code to a lot of exploits PLUS some Metasploit ones (.rb files).
If I want to use some of the prebuilt .rb files from the exploit directory, what is the best way to call them from Metasploit? Do I have to copy them across to Metasploit's exploit directory first?
cheers.
Re: Choosing the correct exploit
My question was.
"If I want to use some of the prebuilt .rb files from the exploit directory, what is the best way to call them from Metasploit? Do I have to copy them across to Metasploit's exploit directory first?"
That section which I had already read through talks about porting over exploits.
I was just asking if you can call the existing .rb files, which are already ported, from Metasploit directly without having to copy them across.
Re: Choosing the correct exploit
Then I think you need them in the directory, not sure though; why don't you try it?
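The question the thread ends on (using a Metasploit .rb file from the exploitdb tree without copying it into the framework's own modules directory), as an added example that is not part of the thread: msfconsole has a `loadpath` command that loads modules from an extra directory, but that directory has to mirror the framework's modules/ layout (exploits/<platform>/<category>/name.rb, auxiliary/...), which the flat exploitdb tree does not. The POSIX shell script below stages a file into such a tree outside the framework directory, after checking that it really declares a Metasploit module class rather than being a standalone script, and prints the `loadpath` and `use` lines to type. The `EXPLOITDB` default, the `MSF_LOCAL` staging root and the `stage_msf_module` helper are assumptions made for this example; whether a given exploit-db module actually loads still depends on it matching the installed framework version, which `loadpath` reports when it runs.

```sh
#!/bin/sh
# Added example (not from the thread): stage an exploit-db .rb module into a
# directory tree that msfconsole's 'loadpath' accepts, without touching the
# framework's own modules directory.
# Assumptions: EXPLOITDB is where Backtrack keeps the exploitdb copy, MSF_LOCAL
# is a private staging root, and the relative target dir you pass starts with
# a module type (exploits/ or auxiliary/) followed by platform/category.

EXPLOITDB=${EXPLOITDB:-/pentest/exploits/exploitdb}
MSF_LOCAL=${MSF_LOCAL:-$HOME/msf-local}

is_msf_module() {
  # Return 0 when the file declares a Metasploit module class
  # ("class Metasploit3 < Msf::Exploit::Remote"), 1 otherwise. Many exploit-db
  # .rb files are plain Ruby scripts, and those will not load no matter where
  # you put them.
  grep -Eq '^[[:space:]]*class[[:space:]]+Metasploit[0-9]+[[:space:]]*<[[:space:]]*Msf::' "$1"
}

stage_msf_module() {
  # $1: source .rb (absolute, or relative to EXPLOITDB)
  # $2: relative target dir, e.g. exploits/windows/ftp
  # Copies the module under MSF_LOCAL and prints the msfconsole commands to run.
  src=$1; sub=${2%/}
  [ -f "$src" ] || src=$EXPLOITDB/$src
  name=$(basename "$src" .rb)
  is_msf_module "$src" || { printf 'not a Metasploit module: %s\n' "$src" >&2; return 1; }
  case $sub in
    exploits/*|auxiliary/*) ;;
    *) printf 'target dir must start with exploits/ or auxiliary/: %s\n' "$sub" >&2; return 1 ;;
  esac
  mkdir -p "$MSF_LOCAL/$sub" && cp "$src" "$MSF_LOCAL/$sub/$name.rb" || return 1
  # Module reference names use the singular type: exploits/... becomes exploit/...
  type=${sub%%/*}; rest=${sub#*/}
  printf 'loadpath %s\nuse %s/%s/%s\n' "$MSF_LOCAL" "${type%s}" "$rest" "$name"
}

# Stand-alone use:  sh stage.sh platforms/windows/remote/12345.rb exploits/windows/ftp
if [ $# -eq 2 ]; then
  stage_msf_module "$1" "$2"
fi
```

Keeping the staging root outside the framework directory means an `svn update` or reinstall of Metasploit does not wipe the modules you added, and `loadpath` can be re-run at the start of every session (or put in a resource script) rather than copying files around each time.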