I just started seriously playing around with Metasploit, and a question kept coming into my mind.

In the case of Adobe Flash, for example, there are thousands of Flash vulnerabilities on CVEdetails.com, but only a couple of them are built-in exploits in Metasploit. Are these few exploits intended for real use or only for demonstration purposes?

Besides, they all seem to have been patched by newer browser versions, and almost all of them work only on IE (even if the Flash version is REALLY old in other navigators). Do real-life pentesters really work with such limitations?

Just to be clear, I'm not asking for ready-to-use exploits or scripts. After 10+ years of Windows/Linux coding, I'm really interested in learning the internals to create my own tools. So, I'm just asking for pointers on how real things are done, not the traditional pentesting books' PoCs, which seem to me like just some kind of "Hello world" exploits.

Ryan B.
  • The tools are lacking, outdated and the results are not robust. You observed that correctly. This is why finding anything in pentesting is a bad sign and finding nothing in pentesting does not say much. – eckes Jul 09 '17 at 23:21
  • Pentesters are not normally looking to exploit Flash in browsers. – schroeder Jul 10 '17 at 06:17
  • I'm not asking if the pentesters use tools **like** Metasploit, I'm rather asking if while **actually** using Metasploit, they use its built-in (very few) exploits or they write their own. Hence, my question is really Metasploit-specific and not about other tools used while real-life pentesting. – Ryan B. Jul 10 '17 at 13:33
  • Pentesters, like hackers, use whatever tool will do the job. – schroeder Jul 10 '17 at 15:07