Penetration Testing mailing list archives
Tools Update - 3rd week of october
From: "SD List" <list () security-database com>
Date: Sun, 25 Oct 2009 10:43:27 +0100 (CET)
Dear list,

Here is the site's newsletter "Security Database Tools Watch" (http://www.security-database.com/toolswatch). This letter summarizes the articles and news items published in the last 7 days.

New articles
--------------------------

** CeWL v2.2 (Custom Word List generator) - released **
by ToolsTracker - 24 October 2009

CeWL (Custom Word List generator) is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. CeWL is pronounced "cool".

Version 2.2
Added grabbing words from the meta keywords and description tags, from HTML comments and from select HTML attribute tags, currently alt and title. If you want to add more attributes just edit the attribute_names array to (...)

-> http://www.security-database.com/toolswatch/CeWL-v2-2-Custom-Word-List.html

** Vicnum v1.3 [OWASP Project] - Released! **
by ToolsTracker - 24 October 2009

A lightweight flexible vulnerable web application written in PERL and PHP. It demonstrates common web application vulnerabilities such as cross site scripting and session management issues. Vicnum is helpful to IT auditors who need to hone web security skills and can also be used by those setting up 'capture the flag' exercises or by those who just want to have some fun with web assessments.

Vicnum the basics
A vulnerable web app using LAMP Perl PHP Packaged as an Ubuntu (...)

-> http://www.security-database.com/toolswatch/Vicnum-v1-3-OWASP-Project-Released.html

** OpenSSH v5.3 - released **
by ToolsTracker - 22 October 2009

OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks.
Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol (...)

-> http://www.security-database.com/toolswatch/OpenSSH-v5-3-released.html

** Acunetix WVS v6.5 build 20091012 released **
by ToolsTracker - 22 October 2009

Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

Bug Fixes
- Memory leak when invoking state change handler
- Item index for an item which has just been inserted fails in the Browserframe
- Error in (...)

-> http://www.security-database.com/toolswatch/Acunetix-WVS-v6-5-build-20091012.html

** GreenSQL-FW v1.1.0 - released **
by ToolsTracker - 22 October 2009

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc).

Main Firewall changes in GreenSQL version 1.1:
- Added support for the MySQL v.5.0 protocol
- Optimized code
- Added new patterns
- Fixed memory leak when adding new (...)

-> http://www.security-database.com/toolswatch/GreenSQL-FW-v1-1-released.html

** AutoNessus v1.3.2 released **
by ToolsTracker - 22 October 2009

AutoNessus automates regular Nessus scans and provides delta reporting. The goal is to reduce the analysis time for subsequent scans of the same infrastructure by only reporting delta findings.
Version 1.3.2 - Fixing some bugs
- Ticket [ 2849220 ] - do-scan errors
- Ticket [ 2849229 ] - Nessus 4 compatibility
- Ticket [ 2740544 ] - XSS protection in diff kills formatting
- Ticket [ 2793178 ] - Odd rendering of CVE references
- Ticket [ 2783580 ] - Missing EMAIL= not handled gracefully
- Ticket (...)

-> http://www.security-database.com/toolswatch/AutoNessus-v1-3-2-released.html

** Rudix release 2009 Unix ports and packages for Mac OS X **
by Tools Tracker Team - 20 October 2009

Rudix features a world class collection of pre-compiled and ready to use Unix compatible software which are not available from a fresh installation of Mac OS X but are popular among other Unix environments. Here you can find utilities, programming languages, libraries and tools delivered as standard Mac OS X packages.

Rudix provides for system administrators and developers a powerful and easy to customize port system where you can retrieve, compile and build native Mac OS X software for (...)

-> http://www.security-database.com/toolswatch/Rudix-release-2009-Unix-ports-and.html

** VHoster v1.0 - using the API of Live **
by ToolsTracker - 19 October 2009

This tool is to enumerate the online domains that correspond to the same IP. It is very simple and useful. Using the service of Live / BING, that maintains an interrelated database can be released. This tool automates the search: IP:[THE IP]

-> http://www.security-database.com/toolswatch/VHoster-v1-using-the-API-of-Live.html

** Nikto v2.1.0 - released **
by ToolsTracker - 19 October 2009

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

Changes (...)

-> http://www.security-database.com/toolswatch/Nikto-v2-1-released.html

** Binging beta released - Footprinting and Discovery Tool with Bing - **
by Tools Tracker Team - 18 October 2009

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of that, the tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying (...)

-> http://www.security-database.com/toolswatch/Binging-beta-released-Footprinting.html

** KrbGuess v0.21 released - Kerberos usernames enumeration **
by Tools Tracker Team - 18 October 2009

KrbGuess is a small and simple tool which can be used during security testing to guess valid usernames against a Kerberos environment. It allows you to do this by studying the response from a TGT request to the KDC server. The tool works against both Microsoft Active Directory, MIT and Heimdal Kerberos implementations. In addition it will detect if an account lacks pre-authentication. The tool is supplied with a file containing a list of usernames and requests a TGT for each user and then (...)

-> http://www.security-database.com/toolswatch/KrbGuess-v0-21-released-Kerberos.html

** Cain and Abel updated to v4.9.34 **
by Tools Tracker Team - 18 October 2009

Cain & Abel is a password recovery tool for Microsoft Operating Systems.
It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter. (...)

-> http://www.security-database.com/toolswatch/Cain-and-Abel-updated-to-v4-9-34.html

N.OUCHN
CEO & Founder @ Security-Database

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------