Information Gathering
Network Scanners and Discovery, Port scanners
Vulnerability Scanners, Integrated VA (Vulnerability Assessment) scanners
Windows Auditing
GOTO: https://eikonal.wordpress.com/2011/01/05/auditing-ms-windows/
Unix Auditing
GOTO: https://eikonal.wordpress.com/2011/07/08/auditing-unix/
Database auditing
GOTO: https://eikonal.wordpress.com/2011/02/24/database-security/
Web Applications and Web Services assessment
Lists of tools:
Application Assessment:
- Acunetix [COMMERCIAL] – http://www.acunetix.com/
- AppScan [COMMERCIAL] – http://www-306.ibm.com/software/awdtools/appscan/ | http://www-01.ibm.com/software/awdtools/appscan/
- Burp Proxy – http://portswigger.net/proxy/
- Burp Suite by PortSwigger: http://portswigger.net/suite/ (Commercial)
- CAT The manual Web Application Audit – http://cat.contextis.co.uk/
- Charles [COMMERCIAL] – http://www.charlesproxy.com/ – an HTTP proxy / HTTP monitor / reverse proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
- DFF scanner – http://netsec.rs/70/tools.html – find files and folders on server
- Exploit-me – http://labs.securitycompass.com/index.php/exploit-me/
- Fiddler2 – http://www.fiddler2.com/fiddler2/
- FunkLoad – http://funkload.nuxeo.org/: functional and load web tester
- Grendel-Scan by David Byrne and Eric Duprey: http://grendel-scan.com/ (Free / Open Source) | blog – http://grendel-scan.com/blog
- IBM AppSCAN
- Nikto – http://www.cirt.net/nikto2 – [GPL] {Perl} – web server scanner. Infrequent updates of plugins. | mail list: https://attrition.org/mailman/listinfo/nikto-discuss and its archive – http://attrition.org/pipermail/nikto-discuss/
- N-Stalker [COMMERCIAL] – http://www.nstalker.com/products/
- Netsparker
- NTOSpider [COMMERCIAL] – http://www.ntobjectives.com/products/ntospider.php
- OWA (Outlook Web Access) attack tool – http://netsec.rs/70/tools.html – testing OWA accounts
- Pantera (OWASP Pantera Web Assessment Studio Project) – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
- Paros proxy by Chinotec: http://parosproxy.org/ (Free / Open Source)
- ProxyMon (formerly ScarabMon) – http://code.google.com/p/proxmon/ | https://www.isecpartners.com/proxmon.html – monitors proxy logs and reports on security issues it discovers.
- Ratproxy – http://code.google.com/p/ratproxy/
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
- Samurai WTF – http://samurai.inguardians.com/
- Skipfish – http://code.google.com/p/skipfish/
- Tamper data – http://tamperdata.mozdev.org/
- Twill – http://twill.idyll.org/: browse the Web from a command-line interface. Supports automated Web testing
- W3AF by Andres Riancho: http://w3af.sourceforge.net/ [Free / Open Source]
- WebApp360 by nCircle: http://www.ncircle.com/index.php?s=products_webapp360 (Commercial)
- WebInspect by HP [COMMERCIAL] – https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__ [SAAS = Software-as-a-Service]
- WebKing by Parasoft: http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319 (Commercial)
- WebSaint
- WebScanService by Elanize KG: http://www.german-websecurity.com/en/products/webscanservice/ (SAAS = Software-as-a-Service)
- WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project by OWASP
- WebSecurify – http://www.websecurify.com/: Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community.
- Wikto – http://www.sensepost.com/labs/tools/pentest/wikto – Very similar to Nikto, but with a few more features
- Windmill – http://trac.getwindmill.com/: web testing tool designed to let you painlessly automate and debug your web application
- Wmap – http://www.metasploit.com/redmine/projects/framework/wiki/WMAP: WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It’s a different approach compared to other open source alternatives and commercial scanners, as WMAP is not built around any browser or spider for data capture and manipulation.
- WMAT – http://netsec.rs/70/tools.html – web mail attack tool | Readme file – http://replay.web.archive.org/20090630080119/http://security-net.biz/wmat/readme.txt
WMAT is a Web Mail Auth Tool that provides some essential functions for testing web mail logins, written in Python with support of pyCurl. It takes a file containing usernames, a file with passwords, the URL of the web mail app and a chosen pattern for the test. Patterns are XML files that define POST/GET fields, HTTP method, referer, success tag, etc. for each web mail application.
- WSMap – https://www.isecpartners.com/wsmap.html: find web service endpoints and discovery files
Web services testing:
Fuzzing:
Using browsers as the webapp testing tools:
Misc info:
- Book: “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/
- The Web Application Security Consortium (WASC): http://www.webappsec.org/ | http://projects.webappsec.org/
- OSSTMM – “Open Source Security Testing Methodology Manual” by Pete Herzog – http://www.isecom.org/osstmm/
- OWASP: http://www.owasp.org/index.php/Main_Page
- Top 10 Web Vulnerability Scanners – http://sectools.org/web-scanners.html:
- #1 – Nikto : A more comprehensive web scanner:
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
- #2 – Paros proxy : A web application vulnerability assessment proxy
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
- #3 – WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
- #4 – WebInspect : A Powerful Web Application Scanner
SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
- #5 – Whisker/libwhisker : Rain.Forest.Puppy’s CGI vulnerability scanner and library
Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto, which also uses libwhisker.
- #6 – Burpsuite : An integrated platform for attacking web applications
Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
- #7 – Wikto : Web Server Assessment Tool
Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
- #8 – Acunetix WVS : Commercial Web Vulnerability Scanner
Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
- #9 – Rational AppScan : Commercial Web Vulnerability Scanner
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. AppScan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. AppScan was merged into IBM’s Rational division after IBM purchased its original developer (Watchfire) in 2007.
- #10 – N-Stealth : Web server scanner
N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
- Jeremiah Grossman’s blog on web application security: http://jeremiahgrossman.blogspot.com | RSS – http://feeds.feedburner.com/JeremiahGrossman:
- “Web Application Testing” by Russ Klanke (at Aggressive Virus Defense blog) – http://aggressivevirusdefense.wordpress.com/2009/08/02/web-application-testing/ – has numerous good links and tips.
- Browser Security Handbook – http://code.google.com/p/browsersec/wiki/Main
Browser Security Handbook is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.
The document currently covers several hundred security-relevant characteristics of Microsoft Internet Explorer (versions 6, 7, and 8), Mozilla Firefox (versions 2 and 3), Apple Safari, Opera, Google Chrome, and Android embedded browser.
Open-source test cases provided alongside with this document permit any other browser implementations to be quickly evaluated in a similar manner.
- “Web Security Testing Cookbook” by Paco Hope – http://websecuritytesting.com/
(other) Specialized scanners
IPSec security
- IPSecScan (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipsecscan/ – IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.
Wireless Hacking and auditing
VoIP & Telephony auditing
Live CDs
Exploitation Frameworks
Tools:
Articles:
Penetration Testing and Exploitation
Network testers
See also: list of (other) security tools (in this blog) – https://eikonal.wordpress.com/2010/07/28/security-tools/.