Nmap options, switches and uses

There are probably many places containing lists of useful nmap commands. I have found these two large lists quite useful:

• [1] Linux / UNIX: Scanning network for open ports with nmap command (NixCraft) – http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html
• [2] Nmap Cheat Sheet – http://nmapcookbook.blogspot.com/2010/02/nmap-cheat-sheet.html

Please use these sites directly, and this blog post only as a backup/blended copy.

Basic techniques

• Scan a Single Target:

  nmap [target]

• Scan Multiple Targets

  # nmap [target1, target2, etc]
  

• Scan a List of Targets

  # nmap -iL [list.txt]
  

• Scan a Range of Hosts

  # nmap [range of ip addresses]
  

• Scan an Entire Subnet

  # nmap [ip address/cdir]
  

• Scan Random Hosts

  # nmap -iR [number]
  

• Excluding Targets from a Scan

  # nmap [targets] --exclude [targets]
  

• Excluding Targets Using a List

  # nmap [targets] --excludefile [list.txt]
  

• Perform an Aggressive Scan

  # nmap -A [target]
  

• Scan an IPv6 Target

  # nmap -6 [target]
  

Discovery Options

• Perform a Ping Only Scan

  # nmap -sP [target]
  

• Don�t Ping

  # nmap -PN [target]
  

• TCP SYN Ping

  # nmap -PS [target]
  

• TCP ACK Ping

  # nmap -PA [target]
  

• UDP Ping

  # nmap -PU [target]
  

• SCTP INIT Ping

  # nmap -PY [target]
  

• ICMP Echo Ping

  # nmap -PE [target]
  

• ICMP Timestamp Ping

  # nmap -PP [target]
  

• ICMP Address Mask Ping

  # nmap -PM [target]
  

• IP Protocol Ping

  # nmap -PO [target]
  

• ARP Ping

  # nmap -PR [target]
  

• Traceroute

  # nmap --traceroute [target]
  

• Force Reverse DNS Resolution

  # nmap -R [target]
  

• Disable Reverse DNS Resolution

  # nmap -n [target]
  

• Alternative DNS Lookup

  # nmap --system-dns [target]
  

• Manually Specify DNS Server(s)

  # nmap --dns-servers [servers] [target]
  

• Create a Host List

  # nmap -sL [targets
  

Advanced Scanning Functions

• TCP SYN Scan

  # nmap -sS [target]
  

• TCP Connect Scan

  # nmap -sT [target]
  

• UDP Scan

  # nmap -sU [target]
  

• TCP NULL Scan

  # nmap -sN [target]
  

• TCP FIN Scan

  # nmap -sF [target]
  

• Xmas Scan

  # nmap -sX [target]
  

• TCP ACK Scan

  # nmap -sA [target]
  

• Custom TCP Scan

  # nmap --scanflags [flags] [target]
  

• IP Protocol Scan

  # nmap -sO [target]
  

• Send Raw Ethernet Packets

  # nmap --send-eth [target]
  

• Send IP Packets

  # nmap --send-ip [target]
  

• TCP Connect scanning for localhost and network 192.168.0.0/24:

  # nmap -v -sT localhost
  # nmap -v -sT 192.168.0.0/24
  

• >nmap TCP SYN (half-open) scanning:

  # nmap -v -sS localhost
  # nmap -v -sS 192.168.0.0/24
  

• nmap TCP FIN scanning:

  # nmap -v -sF localhost
  # nmap -v -sF 192.168.0.0/24
  

• nmap TCP Xmas tree scanning:

  # nmap -v -sX localhost
  # nmap -v -sX 192.168.0.0/24
  

  Useful to see if firewall protecting against this kind of attack or not.

• nmap TCP Null scanning:

  # nmap -v -sN localhost
  # nmap -v -sN 192.168.0.0/24
  

  Useful to see if firewall protecting against this kind attack or not.

• nmap TCP Windows scanning:

  # nmap -v -sW localhost
  # nmap -v -sW 192.168.0.0/24
  

• nmap TCP RPC scanning:

  # nmap -v -sR localhost
  # nmap -v -sR 192.168.0.0/24
  

  Useful to find out RPC (such as portmap) services.

• nmap UDP scanning:

  # nmap -v -O localhost
  # nmap -v -O 192.168.0.0/24
  

  Useful to find out UDP ports.

• nmap remote software version scanning:

  # nmap -v -sV localhost
  # nmap -v -sV 192.168.0.0/24
  

  You can also find out what software version opening the port.

Port Scanning Options

• Perform a Fast Scan

  # nmap -F [target]
  

• Scan Specific Ports

  # nmap -p [port(s)] [target]
  

• Scan Ports by Name

  # nmap -p [port name(s)] [target]
  

• Scan Ports by Protocol

  # nmap -sU -sT -p U:[ports],T:[ports] [target]
  

• Scan All Ports

  # nmap -p "*" [target]
  

• Scan Top Ports

  # nmap --top-ports [number] [target]
  

• Perform a Sequential Port Scan

  # nmap -r [target]
  

Version Detection

• Operating System Detection

  # nmap -O [target]
  

• Submit TCP/IP Fingerprints

  # www.nmap.org/submit/
  

• Attempt to Guess an Unknown OS

  # nmap -O --osscan-guess [target]
  

• Service Version Detection

  # nmap -sV  [target]
  

• Troubleshooting Version Scans

  # nmap -sV --version-trace [target]
  

• Perform a RPC Scan

  # nmap -sR [target]
  

Timing Options

• Timing Templates

  # nmap -T[0-5] [target]
  

• Set the Packet TTL

  # nmap --ttl [time] [target]
  

• Minimum # of Parallel Operations

  # nmap --min-parallelism [number] [target]
  

• Maximum # of Parallel Operations

  # nmap --max-parallelism [number] [target]
  

• Minimum Host Group Size

  # nmap --min-hostgroup [number] [targets
  

• Maximum Host Group Size

  # nmap --max-hostgroup [number] [targets
  

• Maximum RTT Timeout

  # nmap --initial-rtt-timeout [time] [target]
  

• Initial RTT Timeout

  # nmap --max-rtt-timeout [TTL] [target]
  

• Maximum Retries

  # nmap --max-retries [number] [target]
  

• Host Timeout

  # nmap --host-timeout [time] [target]
  

• Minimum Scan Delay

  # nmap --scan-delay [time] [target]
  

• Maximum Scan Delay

  # nmap --max-scan-delay [time] [target]
  

• Minimum Packet Rate

  # nmap --min-rate [number] [target]
  

• Maximum Packet Rate

  # nmap --max-rate [number] [target]
  

• Defeat Reset Rate Limits

  # nmap --defeat-rst-ratelimit [target]
  

Firewall Evasion Techniques

• Fragment Packets

  # nmap -f [target]
  

• Specify a Specific MTU

  # nmap --mtu [MTU] [target]
  

• Use a Decoy

  # nmap -D RND:[number] [target]
  

• Idle Zombie Scan

  # nmap -sI [zombie] [target]
  

• Manually Specify a Source Port

  # nmap --source-port [port] [target]
  

• Append Random Data

  # nmap --data-length [size] [target]
  

• Randomize Target Scan Order

  # nmap --randomize-hosts [target]
  

• Spoof MAC Address

  # nmap --spoof-mac [MAC|0|vendor] [target]
  

• Send Bad Checksums

  # nmap --badsum [target]
  

Output Options

• Save Output to a Text File

  # nmap -oN [scan.txt] [target]
  

• Save Output to a XML File

  # nmap -oX [scan.xml] [target]
  

• Grepable Output

  # nmap -oG [scan.txt] [targets
  

• Output All Supported File Types

  # nmap -oA [path/filename] [target]
  

• Periodically Display Statistics

  # nmap --stats-every [time] [target]
  

• 133t Output

  # nmap -oS [scan.txt] [target]
  

Troubleshooting and Debugging

• Getting Help

  # nmap -h
  

• Display Nmap Version

  # nmap -V
  

• Verbose Output

  # nmap -v [target]
  

• Debugging

  # nmap -d [target]
  

• Display Port State Reason

  # nmap --reason [target]
  

• Only Display Open Ports

  # nmap --open [target]
  

• Trace Packets

  # nmap --packet-trace [target]
  

• Display Host Networking

  # nmap --iflist
  

• Specify a Network Interface

  # nmap -e [interface] [target]
  

Nmap Scripting Engine

• Execute Individual Scripts

  # nmap --script [script.nse] [target]
  

• Execute Multiple Scripts

  # nmap --script [expression] [target]
  

• Script Categories

  # all, auth, default, discovery, external, intrusive, malware, safe, vuln
  

• Execute Scripts by Category

  # nmap --script [category] [target]
  

• Execute Multiple Script Categories

  # nmap --script [category1,category2,etc
  

• Troubleshoot Scripts

  # nmap --script [script] --script-trace [target]
  

• Update the Script Database

  # nmap --script-updatedb
  

Ndiff

• Comparison Using Ndiff

  # ndiff [scan1.xml] [scan2.xml
  

• Ndiff Verbose Mode

  # ndiff -v [scan1.xml] [scan2.xml
  

• XML Output Mode

  # ndiff --xml [scan1.xml] [scan2.xml
  

---

See also: https://eikonal.wordpress.com/2010/01/29/vulnerability-assessment-tools/ at this blog.

MetaSploit

• Home: http://www.metasploit.com/.
• Blog: http://blog.metasploit.com/
• Wiki: http://www.metasploit.com/redmine/projects/framework/wiki/
• Metasploit SAP Management Console AUX Modules – http://blog.c22.cc/2011/01/09/metasploit-sap-management-console-aux-modules/ | http://blog.c22.cc/toolsscripts/metasploit-modules/ | http://code.google.com/p/chrisjohnriley-metasploit-modules/downloads/list
• “Pass the Hash Attack with Metasploit” by dgodam (DGODAM blog; 2011.02.19) – http://www.dgodam.com/2011/02/pass-hash-attack-with-metasploit.html
• Carna0wnage blog – http://carnal0wnage.attackresearch.com/ – metasploit tricks

Vulnerability Assessment tools

Information Gathering

• Maltego – http://www.paterva.com/web4/index.php/maltego
• Binging – http://www.blueinfy.com/

Network Scanners and Discovery, Port scanners

• AutoScan – http://autoscan-network.com/
• Angry IP Scanner – http://www.angryip.org | http://sourceforge.net/projects/ipscan/
• IPEye (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipeye/ – IPEye is a TCP port scanner that can do SYN, FIN, Null and Xmas scans.
• Netifera – http://netifera.com/
• nmap (~”Network Mapper”): nmap.org, http://www.insecure.org/nmap/
  • “NMap – Notes” – http://wikihead.wordpress.com/2010/06/23/nmap-notes/
  • Discussion on nmap – http://www.secguru.com/forum/viewtopic.php?t=68
  • Cheatsheet – http://www.secguru.com/index.php/content/view/535/
  • Nmap tutorial at EDUCAUSE – http://www.educause.edu/Nmap/1295
  • SQL Comes to Nmap: Power and Convenience/ by Hasnain Atique (Fri, 2004-10-01 01:00. SysAdmin) – http://www.linuxjournal.com/article/7314
  • Nmap Technical Guide/ by Michael Cobb (2006.10.17; SeachSecurity) – http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1224310,00.html
  • short blurb on nmap by Eric Lubow (2006.08.21) – http://www.linuxsecurity.com/content/view/124599/177/
  • TAZ Tutorials:
    • NMAP Lesson 1 – The Basics – http://www.thetazzone.com/tutorial-nmap-lesson-1-the-basics/
    • NMAP Lesson 2 – More Basics – http://www.thetazzone.com/edit-post-report-this-post-warn-user-information-reply-with-quote-tutorial-nmap-348-lesson-2-more-basics/
    • NMAP Lesson 3 – Common Output – http://www.thetazzone.com/tutorial-nmap-348-lesson-3-common-output/
    • NMAP Lesson 4 – Stealth Scans – http://www.thetazzone.com/tutorial-nmap-348-lesson-4-stealth-scans/
    • NMAP Lesson 5 – Fingerprinting & scannin – http://www.thetazzone.com/tutorial-nmap-348-lesson-5-fingerprinting-scannin/
  • Scanning network for open ports with nmap command (nixcraft) – http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html
  • Nmap Online – http://nmap-online.com/
  • nmap Cookbook’s blog – http://nmapcookbook.blogspot.com/
    • nmap Cheatsheet – http://nmapcookbook.blogspot.com/2010/02/nmap-cheat-sheet.html
  • HERE (=at this blog): Nmap options, swtiches and uses – https://eikonal.wordpress.com/2010/09/20/nmap-options-swtiches-and-uses/
  • HERE (=at this blog): Memory of things disappearing > nmap stuff > getports.awk – https://eikonal.wordpress.com/2010/06/23/memory-of-things-disappearing-nmap-stuff-getports-awk/ – an awk script listing open ports coming from nmap.
• SuperScan
• scanline
• dsniff by Dug Song – http://monkey.org/~dugsong/dsniff/ – a collection of scanning and sniffing tools:
  • dsniff –
  • filesnarf –
  • mailsnarf –
  • msgsnarf –
  • urlsnarf –
  • webspy –
  • arpspoof –
  • dnsspoof –
  • macof –
  • sshmitm –
  • webmitm

  Articles:

  • “Passwords Found on a Wireless Network”, D. Song, USENIX Technical Conference WIP, June 2000. – http://monkey.org/%7Edugsong/talks/usenix00.ps [PS]
  • “Network Monitoring with Dsniff, LinuxSecurity.com, May 2001. – http://biblio.l0t3k.net/sniffers/en/dsniff_netmon.txt
  • “On the lookout for dsniff, part 2, IBM DeveloperWorks, February 2001. – http://www.ibm.com/developerworks/library/s-sniff2.html
  • “On the lookout for dsniff”, IBM DeveloperWorks, January 2001. – http://www.ibm.com/developerworks/library/s-sniff.html
  • “dsniff and SSH : Reports of My Demise are Greatly Exaggerated” by Richard E. Silverman (O’Reilly Sys Admin Networking; 2000.12.22) – http://www.oreillynet.com/pub/a/oreilly/networking/news/silverman_1200.html
  • “Attacks Against SSH 1 and SSL”, Slashdot, December 2000. – http://slashdot.org/it/00/12/18/0759236.shtml
  • “The End of SSL and SSH?” by Kurt Seifried (2000.12.17) – http://www.seifried.org/security/cryptography/20011108-end-of-ssl-ssh.html | “The End of SSL and SSH? Follow-up.” (2000.12.22) – http://www.seifried.org/security/cryptography/20011108-sslssh-followup.html
  • “Catch Hackers in the Act”, CNET Web Builder, December 2000. – [GONE]
  • “Why Your Switched Network Isn’t Secure”, SANS Institute, September 2000. – http://www.sans.org/security-resources/idfaq/switched_network.php
  • “Switched networks lose their security advantage due to packet-capturing tool”, InfoWorld magazine, May 2000. – http://www.packet-sniffer.net/packet-capturing.htm | at Google books
  • “Think you’re safe from sniffing?”, Windows 2000 magazine, June 2000. – http://www.windowsitpro.com/article/internet/think-you-re-safe-from-sniffing-.aspx
  • “Finding dsniff on Your Network” (SANS) – http://www.sans.org/reading_room/whitepapers/testing/finding-dsniff-network_262

  Compiling dsniff on Cygwin:

  • Download the latest tar.gz archive od dsniff. Unpack it. Enter the created directory.
  • Run ./configure
  • You will need WinPcap (http://www.winpcap.org/) installed on your Windows system, as well as elements of the Winpcap developer package (http://www.winpcap.org/devel.htm) distributed to various cygwin directories, according to the instruction given at http://mathieu.carbou.free.fr/wiki/index.php?title=Winpcap_/_Libpcap
  • Also needed in libnet (http://libnet.sourceforge.net/), with instructions how to copmpile it presented at http://mathieu.carbou.free.fr/wiki/index.php?title=How_to_compile_Libnet_under_Cygwin

Vulnerability Scanners, Integrated VA (Vulnerability Assessment) scanners

• Acunetix WVS by Acunetix: http://www.acunetix.com/ (Commercial)
• ClickToSecure by Cenzic: http://www.cenzic.com/products/saas/ctsARC/ (SAAS = Software-as-a-Service)
• Grabber by Romain Gaucher: http://rgaucher.info/beta/grabber/ (Free / Open Source)
• Hailstorm by Cenzic: http://www.cenzic.com/products/software/overview/ (Commercial)
• MileScan Web Security Auditor by MileSCAN Technologies: http://www.milescan.com/hk/ (Commercial)
• N-Stalker by N-Stalker: http://nstalker.com/products/ (Commercial)
• NTOSpider by NTObjectives: http://www.ntobjectives.com/products/ntospider.php (Commercial)
• NeXpose by Rapid7: http://www.rapid7.com/products/ (Commercial) – includes Metasploit
• Nessus by Tenable Network Security: http://www.nessus.org (Commercial, formerly free and open source)
  • Tutorial & Update:Nessus server setup and NASL modding – http://www.thetazzone.com/tutorial-updatenessus-server-setup-and-nasl-modding/#
  • Tutorial – Step-by-step setup of Nessus (TAZ = The Tazzonde Network; 2009.09.05) – http://www.thetazzone.com/tutorial-step-by-step-setup-of-nessus/
  • “Demonstrating Compliance with nessus Web Applicaiton Scans” by Ron Gula and Michel Arbol (Tenable; 2010.09.27) – http://www.tenablesecurity.com/whitepapers/customer_page/nesssus-web-based-auditing.pdf
  • “Web Application Scanning with Nessus (Detecting Web Applciaiton Vulnerabilities and Environmental Weaknesses)” (revision 3) by Brian martin and Carole Fennelly (Tenable; 2010.09.02) – http://www.nessus.org/whitepapers/Tenable_Web_App_Scanning.pdf
  • Nessus Web Application Scanning – New plugins & Configuration – http://blog.tenablesecurity.com/web-app-auditing/
  • Tenable/Nessus blog – http://blog.tenablesecurity.com/ | RSS – http://blog.tenablesecurity.com/rss.xml
  • Tenabke podcasts RSS – http://www.tenable.com/TenablePodcast.xml
  • Tenable YouTube channel – http://www.youtube.com/user/tenablesecurity
  • “Bob’s Great Adventure: Attacking & Defending Web Applications” by Paul Asadoorian – http://www.nessus.org/whitepapers/BobsGreatAdventure-AttackDefendWebApplications.pdf
  • “Using Nessus In Web Application Vulnerability Assessments” by paul Asadoorian – http://www.nessus.org/whitepapers/NessusWebAppTesting.pdf
  • Tenable white papers – http://www.nessus.org/whitepapers/
• NetSparker by Mavituna Security: http://www.mavitunasecurity.com/ (Commercial)
• OpenVAS (openvas.org): Free and open source splinter of the previous free and open source version Nessus. See also: freshmeat.net/projects/openvas | wald.intevation.org/projects/openvas
• Powerfuzzer by Marcin Kozlowski: http://www.powerfuzzer.com/ (Free / Open Source)
• ProFeed
• QualysGuard Web Application Scanning by Qualys: http://www.qualys.com/products/qg_suite/was/ (SAAS = Software-as-a-Service)
• Retina Web Security Scanner by eEye Digital Security: http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx (Commercial)
• SecurityQA Toolbar by iSEC Partners: https://www.isecpartners.com/SecurityQAToolbar.html (Free / Open Source)
• Sentinel by WhiteHat: http://whitehatsec.com/home/services/services.html (SAAS = Software-as-a-Service)
• Veracode Web Application Security by Veracode: http://www.veracode.com/solutions/web-application-security-dynamic-testing.html (SAAS = Software-as-a-Service)
• Wapiti by Nicolas Surribas: http://wapiti.sourceforge.net/ (Free / Open Source)

Windows Auditing

GOTO: https://eikonal.wordpress.com/2011/01/05/auditing-ms-windows/

Unix Auditing

GOTO: https://eikonal.wordpress.com/2011/07/08/auditing-unix/

Database auditing

GOTO: https://eikonal.wordpress.com/2011/02/24/database-security/

Web Applications and Web Services assessment

Lists of tools:

• Phoenix’ list of webapp security tools at OWASP – https://www.owasp.org/index.php/Phoenix/Tools

Application Assessment:

• Acunetix [COMERCIAL] – http://www.acunetix.com/
• AppScan [COMERCIAL] – http://www-306.ibm.com/software/awdtools/appscan/ | http://www-01.ibm.com/software/awdtools/appscan/
  • AppScan OnDemand by IBM: http://www-01.ibm.com/software/awdtools/appscan/ondemand/ [SAAS = Software-as-a-Service]
• Burp Proxy – http://portswigger.net/proxy/
• Burp Suite by PortSwigger: http://portswigger.net/suite/ (Commercial)
• CAT The manual Web Application Audit – http://cat.contextis.co.uk/
• Charles [COMMERICAL] – http://www.charlesproxy.com/ – an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
• DFF scanner – http://netsec.rs/70/tools.html – find files and folders on server
• Exploit-me – http://labs.securitycompass.com/index.php/exploit-me/
• Fiddler2 – http://www.fiddler2.com/fiddler2/
  • Watcher – http://websecuritytool.codeplex.com/ – passive Web-security scanner, an addon to the Fiddler
  • x5s – XSS security testing assistant – http://xss.codeplex.com/, an addon to the Fiddler
  • Other extensions – http://www.fiddler2.com/Fiddler2/extensions.asp
• FunkLoad – http://funkload.nuxeo.org/: functional and load web tester
• Grendel-Scan by David Byrne and Eric Duprey: http://grendel-scan.com/ (Free / Open Source) | blog – http://grendel-scan.com/blog
• IBM AppSCAN
• Nikto – http://www.cirt.net/nikto2 – [GPL] {Perl} – web server scanner. Infrequent updates of plugins. | mail list: https://attrition.org/mailman/listinfo/nikto-discuss and its archive – http://attrition.org/pipermail/nikto-discuss/
• N-Stalker [COMERCIAL] – http://www.nstalker.com/products/
• Netsparker
• NTOSpider [COMERCIAL] – http://www.ntobjectives.com/products/ntospider.php
• OWA (Outlook Web Access) attack tool – http://netsec.rs/70/tools.html – testing owa accounts
• Pantera (OWASP Pantera Web Assessment Studio Project) – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
• Paros proxy by Chinotec: http://parosproxy.org/ (Free / Open Source)
• ProxyMon (formerly ScarabMon) – http://code.google.com/p/proxmon/ | https://www.isecpartners.com/proxmon.html – monitors proxy logs and reports on security issues it discovers.
• Ratproxy – http://code.google.com/p/ratproxy/
  A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
  Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
  Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
• Samurai WTF – http://samurai.inguardians.com/
• Skipfish – http://code.google.com/p/skipfish/
• Tamper data – http://tamperdata.mozdev.org/
• Twill – http://twill.idyll.org/: browse the Web from a command-line interface. Supports automated Web testing
• W3AF by Andres Riancho: http://w3af.sourceforge.net/ [Free / Open Source]
• WebApp360 by nCircle: http://www.ncircle.com/index.php?s=products_webapp360 (Commercial)
• WebInspect by HP [COMERCIAL] – https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__ [SAAS = Software-as-a-Service]
• WebKing by Parasoft: http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319 (Commercial)
• WebSaint
• WebScanService by Elanize KG: http://www.german-websecurity.com/en/products/webscanservice/ (SAAS = Software-as-a-Service)
• WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project by OWASP
• WebSecurify – http://www.websecurify.com/: Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community.
• Wikto – http://www.sensepost.com/labs/tools/pentest/wikto – Very similar to Nikto, but with a few more features
• Windmill – http://trac.getwindmill.com/: web testing tool designed to let you painlessly automate and debug your web application
• Wmap – http://www.metasploit.com/redmine/projects/framework/wiki/WMAP: WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It’s a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation.
• WMAT – http://netsec.rs/70/tools.html – web mail attack tool | Readme file – http://replay.web.archive.org/20090630080119/http://security-net.biz/wmat/readme.txt
  WMAT is Web Mail Auth Tool that provide some essential functions for testing web mail logins, written in python with support of pyCurl. It takes a file containing usernames, file with passwords, URL of web mail app and chose pattern for attack. Patterns are XML files that define post/get fields, http method, referer, success tag, etc … for each web mail applications.
• WSMap – https://www.isecpartners.com/wsmap.html: find web service endpoints and discovery files

Web services testing:

• SOAPClient – a generic SOAP client – http://www.soapclient.com/soaptest.html
• Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0 (Microsoft’s MSDL) – http://msdn.microsoft.com/en-us/library/ff648183.aspx

Fuzzing:

• Sulley – http://code.google.com/p/sulley/: fuzzer development and fuzz testing framework consisting of multiple extensible components
• Peach Fuzzing Platform – http://peachfuzz.sourceforge.net/: extensible fuzzing framework for generation and mutation based fuzzing
• antiparser – http://antiparser.sourceforge.net/: fuzz testing and fault injection API
• ProxyFuzz – TAOF: including http://theartoffuzzing.com”>TAOF: including <a href="http://theartoffuzzing.com/joomla/index.php?option=com_content&task=view&id=21&Itemid=40: a man-in-the-middle non-deterministic network fuzzer
• untidy – http://untidy.sourceforge.net/: general purpose XML fuzzer
• Powerfuzzer – http://www.powerfuzzer.com/: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
• FileP – https://www.isecpartners.com/file_fuzzers.html: file fuzzer. Generates mutated files from a list of source files and feeds them to an external program in batches
• SMUDGE – http://www.fuzzing.org/wp-content/SMUDGE.zip
• Mistress – http://www.packetstormsecurity.org/fuzzer/mistress.rar: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
• Fuzzbox – https://www.isecpartners.com/fuzzbox.html: multi-codec media fuzzer
• Forensic Fuzzing Tools – https://www.isecpartners.com/forensic_fuzzing_tools.html: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
• Windows IPC Fuzzing Tools – https://www.isecpartners.com/windows_ipc_fuzzing_tools.html: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
• WSBang – https://www.isecpartners.com/wsbang.html: perform automated security testing of SOAP based web services
• Construct – http://construct.wikispaces.com/: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
• fuzzer.py (feliam) – http://sites.google.com/site/felipeandresmanzano/fuzzer.py?attredirects=0: simple fuzzer by Felipe Andres anzano

Using browsers as the webapp testing tools:

• Turning Firefox to an Ethical Hacking Platform (Security Database Tools Watch; 2007.02.12) – http://www.security-database.com/toolswatch/Turning-Firefox-to-an-Ethical.html
• Turning Firefox to an auditing platform (Security Database Tools Watch; 2007.01.07) – http://www.security-database.com/toolswatch/Turning-Firefox-to-an-auditing.html

Misc info:

• Book: “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/
• The Web Application Security Consortium (WASC): http://www.webappsec.org/ | http://projects.webappsec.org/
  • Web Application Security Scanner List: http://projects.webappsec.org/Web-Application-Security-Scanner-List
  • The Web Security Glossary: http://projects.webappsec.org/The-Web-Security-Glossary
  • Script Mapping – http://projects.webappsec.org/Script-Mapping
  • Threat Classification – http://projects.webappsec.org/Threat-Classification
  • Web Application Security Scanner Evaluation Criteria – http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
• OSSTMM – “Open Source Security Testing Methodology Manual” by Pete Herzog – http://www.isecom.org/osstmm/
• OWASP: http://www.owasp.org/index.php/Main_Page
  • OWASP Testing Guide:
• Top 10 Web Vulnerability Scanners – http://sectools.org/web-scanners.html:

  • #1 – Nikto : A more comprehensive web scanner:
    Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
  • #2 – Paros proxy : A web application vulnerability assessment proxy
    A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
  • #3 – WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
    In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
  • #4 – WebInspect : A Powerful Web Application Scanner
    SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
  • #5 – Whisker/libwhisker : Rain.Forest.Puppy’s CGI vulnerability scanner and library
    Libwhisker is a Perl module geared geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
  • #6 – Burpsuite : An integrated platform for attacking web applications
    Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
  • #7 – Wikto : Web Server Assessment Tool
    Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
  • #8 – Acunetix WVS : Commercial Web Vulnerability Scanner
    Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
  • #9 – Rational AppScan : Commercial Web Vulnerability Scanner
    AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. Appscan was merged into IBM’s Rational division after IBM purchased it’s original developer (Watchfire) in 2007.
  • #10 – N-Stealth : Web server scanner
    N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
• Jeremiah Grossman blog on web applicaiton’s security: http://jeremiahgrossman.blogspot.com | RSS – http://feeds.feedburner.com/JeremiahGrossman:
  • Web application scan-o-meter – http://jeremiahgrossman.blogspot.com/2007/05/web-application-scan-o-meter.html
  • Are web application scanners ***ing useless? – http://jeremiahgrossman.blogspot.com/2007/07/are-web-application-scanners-ing.html
  • Attribute-Based Cross-Site Scripting – http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html

• “Web Application Testing” by Russ Klanke (at Aggressive Virus Defense blog) – http://aggressivevirusdefense.wordpress.com/2009/08/02/web-application-testing/ – has numerous good links and tips.
• Browser Security Handbook – http://code.google.com/p/browsersec/wiki/Main
  Browser Security Handbook is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

  The document currently covers several hundred security-relevant characteristics of Microsoft Internet Explorer (versions 6, 7, and 8), Mozilla Firefox (versions 2 and 3), Apple Safari, Opera, Google Chrome, and Android embedded browser.

  Open-source test cases provided alongside with this document permit any other browser implementations to be quickly evaluated in a similar manner.

• “Web Security Testing Cookbook” by Paco Hope – http://websecuritytesting.com/
  • Scripts – http://websecuritytesting.com/recipe-scripts-and-source-code
  • Web links – http://websecuritytesting.com/web-links

(other) Specialized scanners

• netwox (=Network Toolbox) by Laurent Constantin – http://www.laurentconstantin.com/en/netw/netwox/ | Netwag ( a graphical front-end to netwox) – http://www.laurentconstantin.com/en/netw/netwag/
• Network Stuff – http://jacquelin.potier.free.fr/networkstuff/index.php

| Network Stuff – Handy network utility – http://brainfoldb4u.wordpress.com/2010/03/15/network-stuff-handy-network-utility/

IPSec security

• IPSecScan (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipsecscan/ – IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.

Wireless Hacking and auditing

• OSWA – http://securitystartshere.org/page-training-oswa.htm
• AirCrack-NG Suite – http://www.aircrack-ng.org/
• AiroScript-NG – http://airoscript.aircrack-ng.org/
• Kismet – http://www.kismetwireless.net/
• Inssider – http://www.metageek.net/products/inssider
• Kismac – http://kismac-ng.org/

VoIP & Telephony auditing

• VAST Viper – http://vipervast.sourceforge.net/
• WarVox – http://warvox.org/

Live CDs

• Backtrack 4 – http://www.remote-exploit.org
• PentBox – http://www.pentbox.net/
• Matriux – http://www.matriux.com/

Exploitation Frameworks

Tools:

• Metasploit – http://www.metasploit.org – has both free and commercial (as a part of NeXpose by Rapid7) versions.
  • More info here at this site: https://eikonal.wordpress.com/2010/06/24/metasploit/
  • Carna0wnage blog – http://carnal0wnage.attackresearch.com/ has a lot of metasploit tricks.
• Exploit DB – http://www.exploit-db.com/
• CANVAS by Immunity Sec – http://www.immunitysec.com/products-canvas.shtml
• Core Impact by Core Security Technologies – http://www.coresecurity.com/content/core-impact-overview [COMMERCIAL, very expensive]
• SaintExploit – http://www.saintcorporation.com/products/software/saintExploit.html [COMMERCIAL]
• Inguma – http://code.google.com/p/inguma/ – a Python based framework
• WXF – https://github.com/WebExploitationFramework/wXf – a Ruby based frameworkt that focuses on Web vulnerability exploitation
• Ronin – http://github.com/ronin-ruby – a Ruby based framework

Articles:

• “Frameworks and how I hack currently (and how I don’t)” by valsmith (Carna0wnage blog; 2011.05.10) – http://carnal0wnage.attackresearch.com/node/453

Penetration Testing and Exploitation

• Python tools for penetration testers (by Dirk Loss)- http://dirk-loss.de/python-tools.htm

Network testers

• Scapy – http://secdev.org/projects/scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library
• pylibpcap – pypcap: Pcapy and http://code.google.com/p/pypcap/”>pypcap: Pcapy and <a href="http://pylibpcap.sourceforge.net/: several different Python bindings for libpcap
• libdnet – http://code.google.com/p/libdnet/: low-level networking routines, including interface lookup and Ethernet frame transmission
• dpkt – http://code.google.com/p/dpkt/: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
• Impacket – http://oss.coresecurity.com/projects/impacket.html: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
• pynids – http://jon.oberheide.org/pynids/: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
• Dirtbags py-pcap – http://dirtbags.net/py-pcap/: read pcap files without libpcap
• flowgrep – http://monkey.org/%7Ejose/software/flowgrep/: grep through packet payloads using regular expressions
• httplib2 – http://code.google.com/p/httplib2/: comprehensive HTTP client library that supports many features left out of other HTTP libraries

---

See also: list of (other) security tools (in this blog) – https://eikonal.wordpress.com/2010/07/28/security-tools/.