Showing posts with label security-testing. Show all posts
Showing posts with label security-testing. Show all posts

Friday, June 8, 2012

Mobisec - Mobile Application Security Scanning Testing

MobiSec:

             makes mobile application penetration testing more streamlined for the tester, allowing more time to focus on the test objectives and progress, and less on the tools or the testing environment.



                               MobiSec - Live Environment Mobile Testing Framework project is a live environment for testing mobile environments, including devices, applications, and supporting infrastructure. The purpose is to provide attackers and defenders the ability to test their mobile environments to identify design weaknesses and vulnerabilities. The MobiSec Live Environment provides a single environment for testers to leverage the best of all available open source mobile testing tools, as well as the ability to install additional tools and platforms, that will aid the penetration tester through the testing process as the environment is structured and organized based on an industry­‐proven testing framework.
                                       Using a live environment provides penetration testers the  Ability to boot the MobiSec Live Environment on any Intel-­based system from a DVD or USB flash drive, or run the test environment within a virtual machine.


Features:


- Upgraded Ruby to 1.9.2p318 and installed for root account 
- Installed Ubuntu updates via Update Manager 
- Updated Metasploit to rev 15158 - Updated SET to rev 1262 
- Added SecurityCompass AndroidLabs apk to emulators 
- Added SecurityCompass LabServer 
- Updated Android SDK Manager to rev 17 
- Updated Eclipse and Android plugin 
- Updated android-emu.sh script to specify emulator to launch 
- Added Ettercap with GUI - Added SQLMap 
- Added pptpd, tcpick, tshark 
- Added SSLStrip
 - Added DroidBox with Android 2.1 emulator
 - Added iSniff SSL MitM tool for iPhone
 - Added dsniff 
- Added SQLiteSpy 
- Fixed Ruby install 
- Updated BeEF (from github) 
- Fixed install script on desktop 
- Added support for Lorcon2 msf module
 - Added Aircrack-ng and Airgraph-ng 
- Fixed Kismet install 
- Added Firefox plugins: - Cookies Manager+ - Greasemonkey - HackBar - HttpFox - JSView - MitM Me - Tamper Data - User Agent Quick Switch - XSS Me - Disabled login sound - Changed default user account lockout to 30 mins - Updated desktop background image.
 
Project Research Document : Click here
 
Installation Instruction : Doc click 
 
Download Link (iso) : MobiSec

 
Thanks for Visiting my Blog ...
 

Friday, July 22, 2011

Open Source web security Testing Tools

Watcher

Watcher Security Testing
Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems, it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.






Wapiti

Wapiti Security TestingFile Handling Errors (Local and remote include/require, fopen, readfile...)Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. Capable of handling following. Wapiti supports Database Injection, XSS Injection, LDAP Injection, Command Execution detection, CRLF Injection and many others.



WebSecurify

WebSecurifyWebsecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community. WebSecurify supports SQL Injection, Local and Remote File Include, Cross Site Scripting/Request Forgery, Information Disclousre Problems, Session Security Problems to name a few among many others.





Nikto2

NiktoNikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.



Skipfish

SkipFishSkipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

SQL, PHP, Command, XML/XPath Injection along with String/Integer vulnerabilities, Directory/File intrusions, Script/CSS vulnerabilities, Password/MIME types vulnerabilities, SSL/HTTP/HTML Forms realted vulnerabilities, Failed Website Resource vulnerabilities are very few of the vulnerabilities to mention that Skipfish can address among other host of features.


Ettercap

EttercapEttercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. It supports Linux, Mac, Windows, Solairs platforms with easy installation.






Flawfinder

FlawfinderFlawfinder searches through C/C++ source code looking for potential security flaws. Flawfinder is designed in Pyton and produces a list of ‘‘hits’’ (potential security flaws), sorted by risk; the riskiest hits are shownfirst. The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts, and in those contexts the hit will have a lower risk level







Honeyd

HoneydHoneyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.






Wireshark

WiresharkWireshark, formerly known as Ethereal, is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Wireshark supports Multi-platform and runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others. Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.






BFBTester

BFBT Tester
BFBTester is good for doing quick, proactive security checks of binary programs. BFBTester will perform checks of single and multiple argument command line overflows and environment variable overflows. It can also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names.




By


chandru