Penetration Testing mailing list archives
Tools Update - Last week of January 2010
From: "SD List" <list () security-database com>
Date: Sun, 31 Jan 2010 10:49:02 +0100 (CET)
Hello Here is the site's newsletter "Security Database Tools Watch" (http://www.security-database.com/toolswatch). This letter summarizes the articles and news items published since 7 days. New articles -------------------------- ** Netsparker - "Automate That" Release v1.1.5.0057 ** by Tools Tracker Team - 28 January 2010 Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries. Netsparker (...) -> http://www.security-database.com/toolswatch/Netsparker-Automate-That-Release.html ** Two methodologies for physical penetration testing using social engineering ** by Tools Tracker Team - 28 January 2010 During a penetration test on the physical security of an organization, if social engineering is used, the penetration tester directly interacts with the employees. These interactions are usually based on deception and if not done properly can upset the employees, violate their privacy or damage their trust towards the organization, leading to law suits and loss of productivity of the organization. This paper proposes two methodologies for performing a physical penetration test where the (...) -> http://www.security-database.com/toolswatch/Two-methodologies-for-physical.html ** WireShark v1.2.6 released ** by Tools Tracker Team - 28 January 2010 Wireshark is the worlds most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2 Wireshark 1.2.6 (stable) has been released. Installers for Windows, Mac OS X 10.5.5 and above (...) -> http://www.security-database.com/toolswatch/WireShark-v1-2-6-released.html ** SecuBat Web Vulnerability Scanner v0.5 available ** by Tools Tracker Team - 28 January 2010 SecuBat is a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. The SecuBat vulnerability scanner consists of three main components: First, the crawling component gathers a set of target web sites. Then, the attack component launches the configured attacks against these targets. Finally, the analysis component examines the results returned by the web (...) -> http://www.security-database.com/toolswatch/SecuBat-Web-Vulnerability-Scanner.html ** Bing Web Server Probe v1.0 released ** by Tools Tracker Team - 28 January 2010 This is a tool for security researchers. It allows you to search for either an IP address or a DNS name and display all associated domain names known to Bing. If a specific IP address is searched, all domain records associated with that address are displayed If a DNS name is searched, all domain records associated with all addresses returned for that DNS name are displayed. Two separate self-contained versions of the tool are available: command-line-based and GUI-based. The GUI version (...) -> http://www.security-database.com/toolswatch/Bing-Web-Server-Probe-v1-released.html ** Cloud Computing Risk Assessment methodology available ** by Tools Tracker Team - 27 January 2010 ENISA -the European Network and Information Security Agency, working for the EU Institutions and Member States. ENISA is the EUs response to security issues of the European Union. As such, it is the 'pacemaker' for Information Security in Europe. The objective is to make ENISAs web site the European hub for exchange of information, best practices and knowledge in the field of Information Security. ENISA is carrying out a risk assessment of cloud computing with input from 30 experts from (...) -> http://www.security-database.com/toolswatch/Cloud-Computing-Risk-Assessment.html ** Imperva's Top 20 weakest passwords ** by Tools Tracker Team - 27 January 2010 In December 2009, a major password breach occurred that led to the release of 32 million passwords1. Further, the hacker posted to the Internet2 the full list of the 32 million passwords (with no other identifiable information). Passwords were stored in clear- text in the database and were extracted through a SQL Injection vulnerability3. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security (...) -> http://www.security-database.com/toolswatch/Imperva-s-Top-20-weakest-passwords.html ** DIRB Web Content Scanner v2.03 released ** by Tools Tracker Team - 27 January 2010 DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analizing the response. DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner. DIRB main purpose is to help in professional web application auditing. (...) -> http://www.security-database.com/toolswatch/DIRB-Web-Content-Scanner-v2-03.html ** The Dude network monitor v3.5 released ** by Tools Tracker Team - 24 January 2010 The Dude network monitor is a new application by MikroTik which can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and layout a map of your networks, monitor services of your devices and alert you in case some service has problems. Some of its features: The Dude is free of charge! Auto network discovery and layout Discovers any type or brand of device Device, Link monitoring, and notifications (...) -> http://www.security-database.com/toolswatch/The-Dude-network-monitor-v3-5.html ** Focus on BotHunter v1.5 the Malware Infection Detection System ** by Tools Tracker Team - 24 January 2010 BotHunter is the first, and still the best, network-based malware infection detection system out there. It tracks the two-way communication flows between your computer(s) and the Internet, comparing your network traffic against an abstract model of malware communication patterns.(1) Its goal is to catch bots and other coordination-centric malware infesting your network, and it is exceptionally effective. CHANGES TO THE BOTHUNTER CORRELATOR Skype detection logic has been added to the (...) -> http://www.security-database.com/toolswatch/Focus-on-BotHunter-v1-5-the.html ** Ncrack v0.01 Alpha released ** by Tools Tracker Team - 24 January 2010 Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple (...) -> http://www.security-database.com/toolswatch/Ncrack-v0-01-Alpha-released.html ** SAINT® 7.2.5 Released ** by Tools Tracker Team - 24 January 2010 SAINT is the Security Administrators Integrated Network Tool. It is used to non-intrusively detect security vulnerabilities on any remote target, including servers, workstations, networking devices, and other types of nodes. It will also gather information such as operating system types and open ports. The SAINT graphical user interface provides access to SAINTs data management, scan configuration, scan scheduling, and data analysis capabilities through a web browser. Different aspects of (...) -> http://www.security-database.com/toolswatch/SAINT-R-7-2-5-Released.html ** OWASP Code Crawler v2.5 released ** by Tools Tracker Team - 24 January 2010 A tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone". Changelog : Code Crawler Editor Find (CTRL+F) Mark Findings Select All (CTRL+A) Copy as RTF (sweet) CodeFolding SyntaxHighlight BracketMatching Unlimited Undo/Redo buffer Bookmarks Go to line (CTRL+G) Replace (...) -> http://www.security-database.com/toolswatch/OWASP-Code-Crawler-v2-5-released.html Regards Nabil OUCHN CEO & Founder Security-Database France Maximiliano Soler ToolsWatch Leader Security-Database Argentina ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Tools Update - Last week of January 2010 SD List (Feb 02)