Auditing MS Windows

Articles

• “Using PowerShell to Continuously Audit Security of Active Directory” by Derek Melber (WindowsSecurity.com; 2010.12.15+20) – http://www.windowsecurity.com/articles/Using-PowerShell-Continuously-Audit-Security-Active-Directory.html
  • Get-AD by Niklas Goude (2010.01.04) – http://gallery.technet.microsoft.com/scriptcenter/en-us/81865fd8-6bdf-44d6-844b-01f262dc853e
  • “Checklist: Top 5 Windows domain settings to audit” by Derek Melber (SearchWindowsServer.com; 2005.12.08) – http://searchwindowsserver.techtarget.com/feature/Checklist-Top-5-Windows-domain-settings-to-audit
    • 1) Domain Account Policy: Password Policy, Account Lockout Policy and Kerberos Policy. Password complexity, minimal length of the passwords, password expiration, password reuse.
    • 2) Local user rights on domain member servers.
    • 3) Anonymous Connections: Computer Configuration > Windows Settings > Security Settings > Local Policies >Security Options
    • 4) Authentication Protocols
    • 5) Administrator Account
  • “Windows 2000 Auditing” – http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
  • “Windows & Active Directory Auditing” by Derek Melber (WindowsSecurity.com; 2005.11.22) – http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
  • “Auditing user accounts ” by Derek Melber (WindowsSecurity.com; 2005.08.04)- http://www.windowsecurity.com/articles/auditing-user-accounts.html
  • “Auditing Users and Groups with the Windows Security Log” by Randall F. Smith (WindowsSecurity.com; 2004.09.02) – http://www.windowsecurity.com/articles/auditing-users-groups-windows-security-log.html
  • SANS Institute: Automated Auditing in a Windows 2000 Environment – http://www.sans.org/security-resources/auto_audit.php

---

Tools

• Windows Inventory – Windows PC Auditing Software – http://winventory.sourceforge.net/ – superseded by Open-AudIT [OR NOT since that project still does not have available Windows script]
• Open-AudIT – http://www.open-audit.org/ – the replacement for Windows Inventory
• Script Repository (Microsoft TechNet) – http://gallery.technet.microsoft.com/ScriptCenter/
• WMI tools:
  • Scriptomatic 2.0 (Microsoft) – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12028 – Utility that helps you write WMI scripts for system administration.
  • Windows PowerShell Scriptomatic – http://www.microsoft.com/download/en/details.aspx?id=24121
  • WMI Administrative Tools – http://www.microsoft.com/download/en/details.aspx?id=24045
  • The WMI Diagnosis Utility – http://www.microsoft.com/download/en/details.aspx?id=7684
  • WMI Code Creator v1.0 – http://www.microsoft.com/download/en/details.aspx?id=8572
• MBSA – http://technet.microsoft.com/en-us/security/cc184924.aspx [FREE}
• Shavlik’s NetCheck – http://www.shavlik.com/products.aspx [COMMERCIAL]
• Oval Interpreter – http://oval.mitre.org
• Nessus Local Plug-ins
• Use of Powershell in Nessus scripts:
  • “Compliance Auditing with PowerShell” by Paul Asadoorian (Tenable blog; 2012.04.26) – http://blog.tenablesecurity.com/2012/04/compliance-auditing-with-microsoft-powershell.html
  • “File Integrity Auditing with Nessus” by Paul Asadoorian (Tenable blog; 2012.05.18) – http://blog.tenablesecurity.com/2012/05/file-integrity-auditing-with-nessus.html
• Sysinternals suite – http://technet.microsoft.com/sysinternals [FREE}

What to audit

• 1) List of domain users. Their user groups (who belongs to what groups).
• 2) Logging parameters: number of unsuccessful retries before account lock-out, number of minutes the account is temporary disabled (due to sequence of failed logon attempts), …
• 3) Password parameters: minimal password length, used character sets, password complexity requirement (is it enforced or not), password expiration, …
• 4) Auditing parameters: are all account logon attempts being logged? Are changes in account privileges (e.g. adding users to different groups) being logged? Are additions, removals or renaming of accounts being logged? Are privilege violations being logged (e.g. user trying to access resources [files, applications, shares] that they do not have right to access)? Are changes to security policies being logged? Are changes to user passwords being logged? Are changes in account status (e.g. disabling and enabling accounts) logged? etc
• 5) Inspect the content of system logs.
  • Manual inspection
  • use dumpevt by SomarSoft (http://www.systemtools.com/somarsoft/?somarsoft.com)
• 6) List of services
• 7) Look at the open network connections.
  • netstat -a
  • netstat -a -b -o -v
  • FPort by FoundStone – http://www.mcafee.com/us/downloads/free-tools/index.aspx
  • APorts – http://download.cnet.com/1770-20_4-0.html?query=Active+Ports&searchtype=downloads
• \8) Registry checkup
  • DumpReg (dump registry) by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com

---

Tools

DumpSec

SomarSoft’s DumpSec/DumpAcl – http://www.systemtools.com/somarsoft/?somarsoft.com

DumpEvt

DumpEvt is a command line tool by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com

Syntax:

c:>dumpevt 2011.01.06 13:23:28 Somarsoft DumpEvt V1.7.6, Copyright ▒ 1995-2007 by Somarsoft, Inc. Copy 07353, registered to (this program is now free of charge) ==>Missing /logfile parameter Dump eventlog in format suitable for importing into database Messages written to stdout Dump output written to file specified by /outfile or /outdir Parameters: /logfile=type eventlog to dump; can be app, sec, sys, dns, dir, or rpl /logfile=type=path backed up eventlog file to dump /outfile=path create new file or append to end of existing file /outdir=path create new .tmp file in specified directory /all dump all recs (default is recs added since last dump /computer=name dump eventlog for specified computer (default is local) /reg=local_machine use HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER /clear clear event log after successful dump Specify formatting parameters in DUMPEVT.INI file See dumpevt.hlp for complete documentation Visit http://www.somarsoft.com for latest version

Example:

c>dumpevt /logfile=sec /outfile=20100106-system7-seclog.txt 2011.01.06 13:31:36 Somarsoft DumpEvt V1.7.6, Copyright ▒ 1995-2007 by Somarsoft, Inc. Copy 07353, registered to (this program is now free of charge) LogType=Security Computer=(local) SystemRoot=C:\WINDOWS Outfile=20100106-system7-seclog.txt Use HKEY_CURRENT_USER for saving record number Format=yes DateFormat=(locale dependent) TimeFormat=HH':'mm':'ss FieldSeparator=, ReplaceFieldSeparator= (blank) ReplaceCR=^ ReplaceLF=` StringSeparator=; MaxMessageLen=32000 MaxFragmentLen=32000 DumpData=none SplitDateTime=yes UseGmtTime=no DumpRecnum=no ==>LastProcessed (0) < Oldest (1), log records lost process event log records starting with 1 last event log record processed = 1018 Elapsed time= 0.594 seconds, NumRecs=1018

Fport

Example:

c>fport FPort v2.0 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. http://www.foundstone.com Pid Process Port Proto Path 508 -> 135 TCP 4 System -> 139 TCP 4 System -> 445 TCP 1644 dirmngr -> 1059 TCP C:\Program Files\GNU\GnuPG\dirmngr.exe 4084 -> 1080 TCP 3856 -> 1192 TCP 2428 ccApp -> 1202 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe 0 System -> 1212 TCP 3652 firefox -> 2036 TCP C:\Program Files\Mozilla Firefox\firefox.exe 3652 firefox -> 2037 TCP C:\Program Files\Mozilla Firefox\firefox.exe 3652 firefox -> 2044 TCP C:\Program Files\Mozilla Firefox\firefox.exe 3652 firefox -> 2045 TCP C:\Program Files\Mozilla Firefox\firefox.exe 4 System -> 6846 TCP 3652 firefox -> 6896 TCP C:\Program Files\Mozilla Firefox\firefox.exe 3856 -> 6938 TCP 3856 -> 6939 TCP 0 System -> 6945 TCP 4456526 -> 123 UDP 4 System -> 123 UDP 5177412 -> 137 UDP 4 System -> 137 UDP 6029362 -> 138 UDP 4 System -> 138 UDP 3652 firefox -> 138 UDP C:\Program Files\Mozilla Firefox\firefox.exe 508 -> 445 UDP 4 System -> 500 UDP 3652 firefox -> 1069 UDP C:\Program Files\Mozilla Firefox\firefox.exe 3652 firefox -> 1103 UDP C:\Program Files\Mozilla Firefox\firefox.exe 3652 firefox -> 1357 UDP C:\Program Files\Mozilla Firefox\firefox.exe 3652 firefox -> 1520 UDP C:\Program Files\Mozilla Firefox\firefox.exe 4 System -> 2576 UDP 3856 -> 62514 UDP

netstat

On Windows XP:

c>netstat -a Active Connections Proto Local Address Foreign Address State TCP server7:epmap interesting.website.org:0 LISTENING TCP server7:microsoft-ds interesting.website.org:0 LISTENING TCP server7:5556 interesting.website.org:0 LISTENING TCP server7:1059 interesting.website.org:0 LISTENING TCP server7:1080 interesting.website.org:0 LISTENING TCP server7:1202 interesting.website.org:0 LISTENING TCP server7:2036 localhost:2037 ESTABLISHED TCP server7:2037 localhost:2036 ESTABLISHED TCP server7:2044 localhost:2045 ESTABLISHED TCP server7:2045 localhost:2044 ESTABLISHED TCP server7:62514 interesting.website.org:0 LISTENING TCP server7:netbios-ssn interesting.website.org:0 LISTENING TCP server7:1192 strangemachine:netbios-ssn ESTABLISHED TCP server7:6846 alphaomega.com:microsoft-ds ESTABLISHED TCP server7:7061 server2:8585 ESTABLISHED TCP server7:7062 server2:8585 ESTABLISHED TCP server7:netbios-ssn interesting.website.org:0 LISTENING TCP server7:7067 strangemachine:netbios-ssn SYN_SENT TCP server7:netbios-ssn interesting.website.org:0 LISTENING TCP server7:7068 strangemachine:netbios-ssn SYN_SENT UDP server7:microsoft-ds *:* UDP server7:isakmp *:* UDP server7:4500 *:* UDP server7:52311 *:* UDP server7:ntp *:* UDP server7:1025 *:* UDP server7:1069 *:* UDP server7:1103 *:* UDP server7:1357 *:* UDP server7:1520 *:* UDP server7:1900 *:* UDP server7:2576 *:* UDP server7:62514 *:* UDP server7:ntp *:* UDP server7:netbios-ns *:* UDP server7:netbios-dgm *:* UDP server7:1900 *:* UDP server7:ntp *:* UDP server7:netbios-ns *:* UDP server7:netbios-dgm *:* UDP server7:1900 *:* UDP server7:ntp *:* UDP server7:netbios-ns *:* UDP server7:netbios-dgm *:* UDP server7:1900 *:*

Getting list of users and groups

Inside Cygwin, there are commands mkpasswd and mkgroup. These can build the Cygwin’s /etc/passwd and /etc/group from either local system or from the domain the system is on.

mkpasswd -l > local-users.txt mkpasswd -d -l > domain-users.txt mkgroup -l > local-groups.txt mkgroup -d -l > domain-groups.txt

Powershell

• PowerTab by PowerShell Guy – http://thepowershellguy.com/blogs/posh/pages/powertab.aspx
• PowerTab for PowerShell v2.0 – http://powertab.codeplex.com/
• “Using PowerTab for NestedPrompt” (ITBloggen) – http://itbloggen.se/cs/blogs/bjrn_stermans_blog/archive/2007/08/04/582.aspx
• The PowerShell Guy blog – http://thepowershellguy.com/blogs/posh/
• Pash – open source reimplementation of Powershell – http://pash.sourceforge.net/ | http://sourceforge.net/projects/pash/
• http://www.boot-land.net/forums/index.php?showtopic=5420
• “Multiple ways to open PowerShell in the current Explorer window” (Blogging on Technology blog; 2008.10.14) – http://techblogging.wordpress.com/2008/10/14/multiple-ways-to-open-powershell-in-the-current-explorer-window/
• “Context sensitive auto-completion using PowerShell, PowerTab and GIT” (Blogging on Technology blog; 2008.10.13) – http://techblogging.wordpress.com/2008/10/13/context-sensitive-auto-completion-using-powershell-powertab-and-git/
• Powershell postings at ITBloggen blog – http://itbloggen.se/cs/blogs/bjrn_stermans_blog/archive/tags/PowerShell/default.aspx
• Use of Powershell in Nessus scripts:
  • “Compliance Auditing with PowerShell” by Paul Asadoorian (Tenable blog; 2012.04.26) – http://blog.tenablesecurity.com/2012/04/compliance-auditing-with-microsoft-powershell.html
  • “File Integrity Auditing with Nessus” by Paul Asadoorian (Tenable blog; 2012.05.18) – http://blog.tenablesecurity.com/2012/05/file-integrity-auditing-with-nessus.html

Portable Powershell:

• Portable PowerShell – Surveyhttp://blogs.msdn.com/b/powershell/archive/2009/07/31/portable-powershell-survey.aspx
• ShellTool’s Portable PowerShell – Description, Survey and Private Beta – http://karlprosser.com/coder/2009/07/21/shelltools-portable-powershell-description-survey-and-private-beta/
• http://shelltools.wik.is/Portable_PowerShell

Vulnerability Assessment tools

Information Gathering

• Maltego – http://www.paterva.com/web4/index.php/maltego
• Binging – http://www.blueinfy.com/

Network Scanners and Discovery, Port scanners

• AutoScan – http://autoscan-network.com/
• Angry IP Scanner – http://www.angryip.org | http://sourceforge.net/projects/ipscan/
• IPEye (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipeye/ – IPEye is a TCP port scanner that can do SYN, FIN, Null and Xmas scans.
• Netifera – http://netifera.com/
• nmap (~”Network Mapper”): nmap.org, http://www.insecure.org/nmap/
  • “NMap – Notes” – http://wikihead.wordpress.com/2010/06/23/nmap-notes/
  • Discussion on nmap – http://www.secguru.com/forum/viewtopic.php?t=68
  • Cheatsheet – http://www.secguru.com/index.php/content/view/535/
  • Nmap tutorial at EDUCAUSE – http://www.educause.edu/Nmap/1295
  • SQL Comes to Nmap: Power and Convenience/ by Hasnain Atique (Fri, 2004-10-01 01:00. SysAdmin) – http://www.linuxjournal.com/article/7314
  • Nmap Technical Guide/ by Michael Cobb (2006.10.17; SeachSecurity) – http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1224310,00.html
  • short blurb on nmap by Eric Lubow (2006.08.21) – http://www.linuxsecurity.com/content/view/124599/177/
  • TAZ Tutorials:
    • NMAP Lesson 1 – The Basics – http://www.thetazzone.com/tutorial-nmap-lesson-1-the-basics/
    • NMAP Lesson 2 – More Basics – http://www.thetazzone.com/edit-post-report-this-post-warn-user-information-reply-with-quote-tutorial-nmap-348-lesson-2-more-basics/
    • NMAP Lesson 3 – Common Output – http://www.thetazzone.com/tutorial-nmap-348-lesson-3-common-output/
    • NMAP Lesson 4 – Stealth Scans – http://www.thetazzone.com/tutorial-nmap-348-lesson-4-stealth-scans/
    • NMAP Lesson 5 – Fingerprinting & scannin – http://www.thetazzone.com/tutorial-nmap-348-lesson-5-fingerprinting-scannin/
  • Scanning network for open ports with nmap command (nixcraft) – http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html
  • Nmap Online – http://nmap-online.com/
  • nmap Cookbook’s blog – http://nmapcookbook.blogspot.com/
    • nmap Cheatsheet – http://nmapcookbook.blogspot.com/2010/02/nmap-cheat-sheet.html
  • HERE (=at this blog): Nmap options, swtiches and uses – https://eikonal.wordpress.com/2010/09/20/nmap-options-swtiches-and-uses/
  • HERE (=at this blog): Memory of things disappearing > nmap stuff > getports.awk – https://eikonal.wordpress.com/2010/06/23/memory-of-things-disappearing-nmap-stuff-getports-awk/ – an awk script listing open ports coming from nmap.
• SuperScan
• scanline
• dsniff by Dug Song – http://monkey.org/~dugsong/dsniff/ – a collection of scanning and sniffing tools:
  • dsniff –
  • filesnarf –
  • mailsnarf –
  • msgsnarf –
  • urlsnarf –
  • webspy –
  • arpspoof –
  • dnsspoof –
  • macof –
  • sshmitm –
  • webmitm

  Articles:

  • “Passwords Found on a Wireless Network”, D. Song, USENIX Technical Conference WIP, June 2000. – http://monkey.org/%7Edugsong/talks/usenix00.ps [PS]
  • “Network Monitoring with Dsniff, LinuxSecurity.com, May 2001. – http://biblio.l0t3k.net/sniffers/en/dsniff_netmon.txt
  • “On the lookout for dsniff, part 2, IBM DeveloperWorks, February 2001. – http://www.ibm.com/developerworks/library/s-sniff2.html
  • “On the lookout for dsniff”, IBM DeveloperWorks, January 2001. – http://www.ibm.com/developerworks/library/s-sniff.html
  • “dsniff and SSH : Reports of My Demise are Greatly Exaggerated” by Richard E. Silverman (O’Reilly Sys Admin Networking; 2000.12.22) – http://www.oreillynet.com/pub/a/oreilly/networking/news/silverman_1200.html
  • “Attacks Against SSH 1 and SSL”, Slashdot, December 2000. – http://slashdot.org/it/00/12/18/0759236.shtml
  • “The End of SSL and SSH?” by Kurt Seifried (2000.12.17) – http://www.seifried.org/security/cryptography/20011108-end-of-ssl-ssh.html | “The End of SSL and SSH? Follow-up.” (2000.12.22) – http://www.seifried.org/security/cryptography/20011108-sslssh-followup.html
  • “Catch Hackers in the Act”, CNET Web Builder, December 2000. – [GONE]
  • “Why Your Switched Network Isn’t Secure”, SANS Institute, September 2000. – http://www.sans.org/security-resources/idfaq/switched_network.php
  • “Switched networks lose their security advantage due to packet-capturing tool”, InfoWorld magazine, May 2000. – http://www.packet-sniffer.net/packet-capturing.htm | at Google books
  • “Think you’re safe from sniffing?”, Windows 2000 magazine, June 2000. – http://www.windowsitpro.com/article/internet/think-you-re-safe-from-sniffing-.aspx
  • “Finding dsniff on Your Network” (SANS) – http://www.sans.org/reading_room/whitepapers/testing/finding-dsniff-network_262

  Compiling dsniff on Cygwin:

  • Download the latest tar.gz archive od dsniff. Unpack it. Enter the created directory.
  • Run ./configure
  • You will need WinPcap (http://www.winpcap.org/) installed on your Windows system, as well as elements of the Winpcap developer package (http://www.winpcap.org/devel.htm) distributed to various cygwin directories, according to the instruction given at http://mathieu.carbou.free.fr/wiki/index.php?title=Winpcap_/_Libpcap
  • Also needed in libnet (http://libnet.sourceforge.net/), with instructions how to copmpile it presented at http://mathieu.carbou.free.fr/wiki/index.php?title=How_to_compile_Libnet_under_Cygwin

Vulnerability Scanners, Integrated VA (Vulnerability Assessment) scanners

• Acunetix WVS by Acunetix: http://www.acunetix.com/ (Commercial)
• ClickToSecure by Cenzic: http://www.cenzic.com/products/saas/ctsARC/ (SAAS = Software-as-a-Service)
• Grabber by Romain Gaucher: http://rgaucher.info/beta/grabber/ (Free / Open Source)
• Hailstorm by Cenzic: http://www.cenzic.com/products/software/overview/ (Commercial)
• MileScan Web Security Auditor by MileSCAN Technologies: http://www.milescan.com/hk/ (Commercial)
• N-Stalker by N-Stalker: http://nstalker.com/products/ (Commercial)
• NTOSpider by NTObjectives: http://www.ntobjectives.com/products/ntospider.php (Commercial)
• NeXpose by Rapid7: http://www.rapid7.com/products/ (Commercial) – includes Metasploit
• Nessus by Tenable Network Security: http://www.nessus.org (Commercial, formerly free and open source)
  • Tutorial & Update:Nessus server setup and NASL modding – http://www.thetazzone.com/tutorial-updatenessus-server-setup-and-nasl-modding/#
  • Tutorial – Step-by-step setup of Nessus (TAZ = The Tazzonde Network; 2009.09.05) – http://www.thetazzone.com/tutorial-step-by-step-setup-of-nessus/
  • “Demonstrating Compliance with nessus Web Applicaiton Scans” by Ron Gula and Michel Arbol (Tenable; 2010.09.27) – http://www.tenablesecurity.com/whitepapers/customer_page/nesssus-web-based-auditing.pdf
  • “Web Application Scanning with Nessus (Detecting Web Applciaiton Vulnerabilities and Environmental Weaknesses)” (revision 3) by Brian martin and Carole Fennelly (Tenable; 2010.09.02) – http://www.nessus.org/whitepapers/Tenable_Web_App_Scanning.pdf
  • Nessus Web Application Scanning – New plugins & Configuration – http://blog.tenablesecurity.com/web-app-auditing/
  • Tenable/Nessus blog – http://blog.tenablesecurity.com/ | RSS – http://blog.tenablesecurity.com/rss.xml
  • Tenabke podcasts RSS – http://www.tenable.com/TenablePodcast.xml
  • Tenable YouTube channel – http://www.youtube.com/user/tenablesecurity
  • “Bob’s Great Adventure: Attacking & Defending Web Applications” by Paul Asadoorian – http://www.nessus.org/whitepapers/BobsGreatAdventure-AttackDefendWebApplications.pdf
  • “Using Nessus In Web Application Vulnerability Assessments” by paul Asadoorian – http://www.nessus.org/whitepapers/NessusWebAppTesting.pdf
  • Tenable white papers – http://www.nessus.org/whitepapers/
• NetSparker by Mavituna Security: http://www.mavitunasecurity.com/ (Commercial)
• OpenVAS (openvas.org): Free and open source splinter of the previous free and open source version Nessus. See also: freshmeat.net/projects/openvas | wald.intevation.org/projects/openvas
• Powerfuzzer by Marcin Kozlowski: http://www.powerfuzzer.com/ (Free / Open Source)
• ProFeed
• QualysGuard Web Application Scanning by Qualys: http://www.qualys.com/products/qg_suite/was/ (SAAS = Software-as-a-Service)
• Retina Web Security Scanner by eEye Digital Security: http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx (Commercial)
• SecurityQA Toolbar by iSEC Partners: https://www.isecpartners.com/SecurityQAToolbar.html (Free / Open Source)
• Sentinel by WhiteHat: http://whitehatsec.com/home/services/services.html (SAAS = Software-as-a-Service)
• Veracode Web Application Security by Veracode: http://www.veracode.com/solutions/web-application-security-dynamic-testing.html (SAAS = Software-as-a-Service)
• Wapiti by Nicolas Surribas: http://wapiti.sourceforge.net/ (Free / Open Source)

Windows Auditing

GOTO: https://eikonal.wordpress.com/2011/01/05/auditing-ms-windows/

Unix Auditing

GOTO: https://eikonal.wordpress.com/2011/07/08/auditing-unix/

Database auditing

GOTO: https://eikonal.wordpress.com/2011/02/24/database-security/

Web Applications and Web Services assessment

Lists of tools:

• Phoenix’ list of webapp security tools at OWASP – https://www.owasp.org/index.php/Phoenix/Tools

Application Assessment:

• Acunetix [COMERCIAL] – http://www.acunetix.com/
• AppScan [COMERCIAL] – http://www-306.ibm.com/software/awdtools/appscan/ | http://www-01.ibm.com/software/awdtools/appscan/
  • AppScan OnDemand by IBM: http://www-01.ibm.com/software/awdtools/appscan/ondemand/ [SAAS = Software-as-a-Service]
• Burp Proxy – http://portswigger.net/proxy/
• Burp Suite by PortSwigger: http://portswigger.net/suite/ (Commercial)
• CAT The manual Web Application Audit – http://cat.contextis.co.uk/
• Charles [COMMERICAL] – http://www.charlesproxy.com/ – an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
• DFF scanner – http://netsec.rs/70/tools.html – find files and folders on server
• Exploit-me – http://labs.securitycompass.com/index.php/exploit-me/
• Fiddler2 – http://www.fiddler2.com/fiddler2/
  • Watcher – http://websecuritytool.codeplex.com/ – passive Web-security scanner, an addon to the Fiddler
  • x5s – XSS security testing assistant – http://xss.codeplex.com/, an addon to the Fiddler
  • Other extensions – http://www.fiddler2.com/Fiddler2/extensions.asp
• FunkLoad – http://funkload.nuxeo.org/: functional and load web tester
• Grendel-Scan by David Byrne and Eric Duprey: http://grendel-scan.com/ (Free / Open Source) | blog – http://grendel-scan.com/blog
• IBM AppSCAN
• Nikto – http://www.cirt.net/nikto2 – [GPL] {Perl} – web server scanner. Infrequent updates of plugins. | mail list: https://attrition.org/mailman/listinfo/nikto-discuss and its archive – http://attrition.org/pipermail/nikto-discuss/
• N-Stalker [COMERCIAL] – http://www.nstalker.com/products/
• Netsparker
• NTOSpider [COMERCIAL] – http://www.ntobjectives.com/products/ntospider.php
• OWA (Outlook Web Access) attack tool – http://netsec.rs/70/tools.html – testing owa accounts
• Pantera (OWASP Pantera Web Assessment Studio Project) – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
• Paros proxy by Chinotec: http://parosproxy.org/ (Free / Open Source)
• ProxyMon (formerly ScarabMon) – http://code.google.com/p/proxmon/ | https://www.isecpartners.com/proxmon.html – monitors proxy logs and reports on security issues it discovers.
• Ratproxy – http://code.google.com/p/ratproxy/
  A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
  Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
  Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
• Samurai WTF – http://samurai.inguardians.com/
• Skipfish – http://code.google.com/p/skipfish/
• Tamper data – http://tamperdata.mozdev.org/
• Twill – http://twill.idyll.org/: browse the Web from a command-line interface. Supports automated Web testing
• W3AF by Andres Riancho: http://w3af.sourceforge.net/ [Free / Open Source]
• WebApp360 by nCircle: http://www.ncircle.com/index.php?s=products_webapp360 (Commercial)
• WebInspect by HP [COMERCIAL] – https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__ [SAAS = Software-as-a-Service]
• WebKing by Parasoft: http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319 (Commercial)
• WebSaint
• WebScanService by Elanize KG: http://www.german-websecurity.com/en/products/webscanservice/ (SAAS = Software-as-a-Service)
• WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project by OWASP
• WebSecurify – http://www.websecurify.com/: Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community.
• Wikto – http://www.sensepost.com/labs/tools/pentest/wikto – Very similar to Nikto, but with a few more features
• Windmill – http://trac.getwindmill.com/: web testing tool designed to let you painlessly automate and debug your web application
• Wmap – http://www.metasploit.com/redmine/projects/framework/wiki/WMAP: WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It’s a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation.
• WMAT – http://netsec.rs/70/tools.html – web mail attack tool | Readme file – http://replay.web.archive.org/20090630080119/http://security-net.biz/wmat/readme.txt
  WMAT is Web Mail Auth Tool that provide some essential functions for testing web mail logins, written in python with support of pyCurl. It takes a file containing usernames, file with passwords, URL of web mail app and chose pattern for attack. Patterns are XML files that define post/get fields, http method, referer, success tag, etc … for each web mail applications.
• WSMap – https://www.isecpartners.com/wsmap.html: find web service endpoints and discovery files

Web services testing:

• SOAPClient – a generic SOAP client – http://www.soapclient.com/soaptest.html
• Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0 (Microsoft’s MSDL) – http://msdn.microsoft.com/en-us/library/ff648183.aspx

Fuzzing:

• Sulley – http://code.google.com/p/sulley/: fuzzer development and fuzz testing framework consisting of multiple extensible components
• Peach Fuzzing Platform – http://peachfuzz.sourceforge.net/: extensible fuzzing framework for generation and mutation based fuzzing
• antiparser – http://antiparser.sourceforge.net/: fuzz testing and fault injection API
• ProxyFuzz – TAOF: including http://theartoffuzzing.com”>TAOF: including <a href="http://theartoffuzzing.com/joomla/index.php?option=com_content&task=view&id=21&Itemid=40: a man-in-the-middle non-deterministic network fuzzer
• untidy – http://untidy.sourceforge.net/: general purpose XML fuzzer
• Powerfuzzer – http://www.powerfuzzer.com/: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
• FileP – https://www.isecpartners.com/file_fuzzers.html: file fuzzer. Generates mutated files from a list of source files and feeds them to an external program in batches
• SMUDGE – http://www.fuzzing.org/wp-content/SMUDGE.zip
• Mistress – http://www.packetstormsecurity.org/fuzzer/mistress.rar: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
• Fuzzbox – https://www.isecpartners.com/fuzzbox.html: multi-codec media fuzzer
• Forensic Fuzzing Tools – https://www.isecpartners.com/forensic_fuzzing_tools.html: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
• Windows IPC Fuzzing Tools – https://www.isecpartners.com/windows_ipc_fuzzing_tools.html: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
• WSBang – https://www.isecpartners.com/wsbang.html: perform automated security testing of SOAP based web services
• Construct – http://construct.wikispaces.com/: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
• fuzzer.py (feliam) – http://sites.google.com/site/felipeandresmanzano/fuzzer.py?attredirects=0: simple fuzzer by Felipe Andres anzano

Using browsers as the webapp testing tools:

• Turning Firefox to an Ethical Hacking Platform (Security Database Tools Watch; 2007.02.12) – http://www.security-database.com/toolswatch/Turning-Firefox-to-an-Ethical.html
• Turning Firefox to an auditing platform (Security Database Tools Watch; 2007.01.07) – http://www.security-database.com/toolswatch/Turning-Firefox-to-an-auditing.html

Misc info:

• Book: “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/
• The Web Application Security Consortium (WASC): http://www.webappsec.org/ | http://projects.webappsec.org/
  • Web Application Security Scanner List: http://projects.webappsec.org/Web-Application-Security-Scanner-List
  • The Web Security Glossary: http://projects.webappsec.org/The-Web-Security-Glossary
  • Script Mapping – http://projects.webappsec.org/Script-Mapping
  • Threat Classification – http://projects.webappsec.org/Threat-Classification
  • Web Application Security Scanner Evaluation Criteria – http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
• OSSTMM – “Open Source Security Testing Methodology Manual” by Pete Herzog – http://www.isecom.org/osstmm/
• OWASP: http://www.owasp.org/index.php/Main_Page
  • OWASP Testing Guide:
• Top 10 Web Vulnerability Scanners – http://sectools.org/web-scanners.html:

  • #1 – Nikto : A more comprehensive web scanner:
    Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
  • #2 – Paros proxy : A web application vulnerability assessment proxy
    A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
  • #3 – WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
    In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
  • #4 – WebInspect : A Powerful Web Application Scanner
    SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
  • #5 – Whisker/libwhisker : Rain.Forest.Puppy’s CGI vulnerability scanner and library
    Libwhisker is a Perl module geared geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
  • #6 – Burpsuite : An integrated platform for attacking web applications
    Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
  • #7 – Wikto : Web Server Assessment Tool
    Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
  • #8 – Acunetix WVS : Commercial Web Vulnerability Scanner
    Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
  • #9 – Rational AppScan : Commercial Web Vulnerability Scanner
    AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. Appscan was merged into IBM’s Rational division after IBM purchased it’s original developer (Watchfire) in 2007.
  • #10 – N-Stealth : Web server scanner
    N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
• Jeremiah Grossman blog on web applicaiton’s security: http://jeremiahgrossman.blogspot.com | RSS – http://feeds.feedburner.com/JeremiahGrossman:
  • Web application scan-o-meter – http://jeremiahgrossman.blogspot.com/2007/05/web-application-scan-o-meter.html
  • Are web application scanners ***ing useless? – http://jeremiahgrossman.blogspot.com/2007/07/are-web-application-scanners-ing.html
  • Attribute-Based Cross-Site Scripting – http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html

• “Web Application Testing” by Russ Klanke (at Aggressive Virus Defense blog) – http://aggressivevirusdefense.wordpress.com/2009/08/02/web-application-testing/ – has numerous good links and tips.
• Browser Security Handbook – http://code.google.com/p/browsersec/wiki/Main
  Browser Security Handbook is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

  The document currently covers several hundred security-relevant characteristics of Microsoft Internet Explorer (versions 6, 7, and 8), Mozilla Firefox (versions 2 and 3), Apple Safari, Opera, Google Chrome, and Android embedded browser.

  Open-source test cases provided alongside with this document permit any other browser implementations to be quickly evaluated in a similar manner.

• “Web Security Testing Cookbook” by Paco Hope – http://websecuritytesting.com/
  • Scripts – http://websecuritytesting.com/recipe-scripts-and-source-code
  • Web links – http://websecuritytesting.com/web-links

(other) Specialized scanners

• netwox (=Network Toolbox) by Laurent Constantin – http://www.laurentconstantin.com/en/netw/netwox/ | Netwag ( a graphical front-end to netwox) – http://www.laurentconstantin.com/en/netw/netwag/
• Network Stuff – http://jacquelin.potier.free.fr/networkstuff/index.php

| Network Stuff – Handy network utility – http://brainfoldb4u.wordpress.com/2010/03/15/network-stuff-handy-network-utility/

IPSec security

• IPSecScan (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipsecscan/ – IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.

Wireless Hacking and auditing

• OSWA – http://securitystartshere.org/page-training-oswa.htm
• AirCrack-NG Suite – http://www.aircrack-ng.org/
• AiroScript-NG – http://airoscript.aircrack-ng.org/
• Kismet – http://www.kismetwireless.net/
• Inssider – http://www.metageek.net/products/inssider
• Kismac – http://kismac-ng.org/

VoIP & Telephony auditing

• VAST Viper – http://vipervast.sourceforge.net/
• WarVox – http://warvox.org/

Live CDs

• Backtrack 4 – http://www.remote-exploit.org
• PentBox – http://www.pentbox.net/
• Matriux – http://www.matriux.com/

Exploitation Frameworks

Tools:

• Metasploit – http://www.metasploit.org – has both free and commercial (as a part of NeXpose by Rapid7) versions.
  • More info here at this site: https://eikonal.wordpress.com/2010/06/24/metasploit/
  • Carna0wnage blog – http://carnal0wnage.attackresearch.com/ has a lot of metasploit tricks.
• Exploit DB – http://www.exploit-db.com/
• CANVAS by Immunity Sec – http://www.immunitysec.com/products-canvas.shtml
• Core Impact by Core Security Technologies – http://www.coresecurity.com/content/core-impact-overview [COMMERCIAL, very expensive]
• SaintExploit – http://www.saintcorporation.com/products/software/saintExploit.html [COMMERCIAL]
• Inguma – http://code.google.com/p/inguma/ – a Python based framework
• WXF – https://github.com/WebExploitationFramework/wXf – a Ruby based frameworkt that focuses on Web vulnerability exploitation
• Ronin – http://github.com/ronin-ruby – a Ruby based framework

Articles:

• “Frameworks and how I hack currently (and how I don’t)” by valsmith (Carna0wnage blog; 2011.05.10) – http://carnal0wnage.attackresearch.com/node/453

Penetration Testing and Exploitation

• Python tools for penetration testers (by Dirk Loss)- http://dirk-loss.de/python-tools.htm

Network testers

• Scapy – http://secdev.org/projects/scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library
• pylibpcap – pypcap: Pcapy and http://code.google.com/p/pypcap/”>pypcap: Pcapy and <a href="http://pylibpcap.sourceforge.net/: several different Python bindings for libpcap
• libdnet – http://code.google.com/p/libdnet/: low-level networking routines, including interface lookup and Ethernet frame transmission
• dpkt – http://code.google.com/p/dpkt/: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
• Impacket – http://oss.coresecurity.com/projects/impacket.html: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
• pynids – http://jon.oberheide.org/pynids/: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
• Dirtbags py-pcap – http://dirtbags.net/py-pcap/: read pcap files without libpcap
• flowgrep – http://monkey.org/%7Ejose/software/flowgrep/: grep through packet payloads using regular expressions
• httplib2 – http://code.google.com/p/httplib2/: comprehensive HTTP client library that supports many features left out of other HTTP libraries

---

See also: list of (other) security tools (in this blog) – https://eikonal.wordpress.com/2010/07/28/security-tools/.