Hi

Im not por @ security but on my way. still learning. ( These Forum helps alot )

So my question once more.
All over the world exploits gets released. I wanne test them an look how they work. But not at external victims ! I want maybe set up a box here @ home to test all these stuff.

Now have anybody expiriences in thtese way. I have open questions like. Where to get exploits ? Where to get the vuln software ( maybe dumb question sry).

Biggest problem is how to go on with unix based exploits? Im Unix (Linux) beginner installed soon.

Im wanna change job and go to it - security. School way is going on but ist more for IT generally not security specific and theorie isn't like when you do it in real.

THX

google

for testing ddos exploits, don't use your own box, use vmware or virtual pc. They are both commercial for windows, but AFAIK, vmware is free for linux users.
Same can be used for UNIX based exploits, also I mean vmware. If you don't want to use vmware for it, use live CDs like knoppix or auditor. They have everything you need to compile, and allow you to test. Auditor also includes some server apps to test exploits on it (Apache and some others).

Good advice all around!

I personally love using VMWare: can run linux in one window to exploit the windows env. running in the second window. perfection!

Additionally, these forums contain a lot of exploits that can be found through a little bit of simple searching. But, here are a few places to go that I always found very valuable:

h**p://www.securitytracker.com/ -- very basic site, catalogues all vuln, is very up-to-date, and pulls data from numerous sources.
h**p://www.metasploit.com/ -- tried, tested, and true exploit testing/developing environment. Extremely simple to use, and a great tool to learn the inner workings of exploits

Additionally, if you really want to learn how buffer overflows work, you might want to brush up on ASM and play around with live-debuggers.

Good luck!

a simple google for index of exploits or a varient of that will trigger many finds for you.

I would suggest the best way to set up a test environment is VMWare method,
But if you want a really ruggard testing and are looking forward to check the exploit offsets in memory and such you would go for a really good Internet In a Box Environment.

Ist Method:

1. The Best bet would be to set up an isolated network with all the required networking services like DNS,DHCP,WINS,SMB,NFS on a couple of server of *Nix and Win environment and their respective services.

2. Setup each of those systems with Integrity Checking tools like Tripwire to check for modified files and folders and service entries.

3. Setup a system with IDS and Sniffer to monitor all the traffic and capture it and send the logs to another firewall protected sytem.

4. Fire Live exploits on the system ( protect this system with a firewall, logs can also be stored in this system )

IInd Method

1. Setup an environment with exactly same settings.. and use tools like Metasploit etc.. to exploit.

*drool* It would be so hot to have a live test lab at home with real equipment, let alone dedicated access to a real test lab of any type!

The last company I worked for had a nice setup: it even an emulated "Internet" connecting multiple intranets. Problem was everyone would be trying to configure it "their way" all the time

easternerd, I am glad I happened upon this thread, I just got a hold of a couple older boxes and was going to trash them but after reading your response to r00t's question, I can see a very good use for these old computers. Would you mind if I contacted you about particulars of setting these up if I run into any snags?

Sure , I do this all the time,Ill sure help you set it up, add me to ICQ