Friday, July 29, 2011

open source security assessment framework



Dradis

is an open source framework to enable effective information sharing, specially during security assessments.

Dradis is a self-contained web application that provides a centralized repository of information to keep track

This application is suited to people in lengthy engagements, it’s very useful to have all the information in one place. It’s also good to have if your team changes (i.e. someone joins half the way through), it will be useful to bring them up to speed.

Download Link : Click Here

************************************************************************************
Posted by at
Labels: , , , , , , , , ,

Wednesday, July 27, 2011

Open Source Live-CD for Computer Forensic



PlainSight :
is a versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

Download Link : Click Here

********************************************************************************

DEFT 6 :
 is based on Lubuntu with Kernel 2.6.35 (Linux side) and DEFT Extra 3.0 (Windows side) with the best freeware Computer Forensic tools; it is a new concept of Computer Forensic live system, ewflib ready, that use WINE for run Windows Computer Forensics tools under Linux.


DEFT live-cd for incident-response & corporate/gov forensics and a DEFT-based persistent environment for acquisition-analysis within the inhouse forensic lab.

Download Link : Click here

**********************************************************************************
Posted by at
Labels: , , , , , , ,

Open Source Live-CD for Penetration testing



BackBox :
 is a Linux distribution based on Ubuntu Lucid 10.04 LTS developed to perform penetration tests and security assessments. Designed to be fast, easy to use and to provide a minimal yet complete desktop environment thanks to its own software repositories always been updated to the last stable version of the most known and used ethical hacking tools.

Hacking tools new or updated: Firefox 4, Hydra 6.2, Kismet 2011.03.2, Metasploit Framework 3.6.0, NMap 5.51, SET 1.3.5, SqlMap 0.9, sslstrip 0.8, w3af 1.0-rc5, weevely 0.3, WhatWeb 1.4.7,
Wireshark 1.4.5, Zaproxy 1.2, etc

Download Link : Click Here

**************************************************************************************************************************************

Blackbuntu :
 is distribution for penetration testing which was specially designed for security training students and practitioners of information security.
Blackbuntu is Ubuntu base distro for Penetration Testing with GNOME Desktop Environment. It's currently being built using the Ubuntu 10.10.

Download Link : Click here

***********************************************************************************

Posted by at
Labels: , , , , , , , ,

Tuesday, July 26, 2011

Open Source network firewall


NetDefender :
is a Free Firewall with source code, which can be downloaded along with firewall executables. Netdefender works on windows 2000 and windows XP.

Requirements :

1. Netdefender can only run on an OS higher than windows 2000 (i.e. Win 2000, Win Xp I hope Vista would not break anything)
2. User must has admin rights (i.e. must be member of administrator group ) on the system.

Download Link : Click here

***********************************************************************************
Shorewall :
is a gateway/firewall configuration tool for GNU/Linux.


Download Link : Click here

************************************************************************************

Zorp
is a new generation proxy firewall suite and as such its core architecture is built around today's security demands: it uses application level proxies, it is modular and component based, it uses a script language to describe policy decisions, it makes it possible to monitor encrypted traffic, it let's you override client actions, it let's you protect your servers with its built in IDS capabilities... The list is endless. It gives you all the power you need to implement your local security policy.

Download Link : Click here

***********************************************************************************
Ufw :

 stands for Uncomplicated Firewall, and is program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

Download Link : Click here

Thanks

chandru
Posted by at
Labels: , , , , , , , , , , ,

Monday, July 25, 2011

Best SQL Injection Security Scanners




SQLIer

– SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all.

Get SQLIer : Click Here


SQLbftools

SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack.



Get SQLbftools : Click here

SQL Injection Brute-forcer –
SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application.

Get SQLLibf : Click Here

SQLBrute –
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries.

Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap –
 SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.


Get SQLMap : Click Here

Absinthe –
Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.

Get Absinthe: Click here

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.


SQID –

SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities.

Get SQID : Click here

Blind SQL Injection Perl Tool
bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection.

Get Blind SQL Injection Perl Tool : Click here

SQL Power Injection Injector
SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads.

Get SQL Power Injection : Click here

FJ-Injector Framework
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation.

Get FJ-Injector Framework: Click here

SQLNinja
SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database.

Get SQLNinja: Click here

Automagic SQL Injector
The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.

Get Automagic SQL Injector: Click here

NGSS SQL Injector –
NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.
Posted by at
Labels: , , , , , , , ,

Friday, July 22, 2011

Top Ten Automation Testing tool

QTP

qtp



HP-QuickTest Professional software provides functional and regression test automation for software applications and environments. HP QuickTest Professional supports keyword and scripting interfaces and features a graphical user interface. Its features are: a cascaded optimization system, the industry's deepest and broadest insight into IT-controlled assets, and a secure, comprehensive, operational environment for a hybrid world, enhanced expert view, business process testing, screen recorder etc.







Watir


watir

Watir, pronounced water, is an open-source (BSD) family of ruby libraries for automating web browsers. It allows you to write tests that are easy to read and maintain. It is simple and flexible. It clicks links, fills in forms, and presses buttons. Watir also checks results, such as whether expected text appears on the page. Its features are: to connect to databases, read data files and spreadsheets, export XML, and structure your code as reusable libraries etc.










TOSCA Testsuite


tosca test suite

TOSCA Testsuite is a software tool for the automated execution of functional and regression software testing. In addition to test automation functions, it includes integrated test management, a graphical user interface (GUI), a command line interface (CLI) and an application programming interface (API), generation of dynamic, synthetic test data, highly automated business dynamic steering of test case generation and the unified handling and executing of manual and automated as well as GUI and non-GUI tests etc.








Selenium


selenium

Selenium is a portable software testing framework for web applications. Selenium provides a record/playback tool for authoring tests without learning a test scripting language. It includes features like record and playback, intelligent field selection, Xpath as needed, auto complete for all common selenium commands, walk through tests, debug and set breakpoints, ruby scripts, or other formats, support for selenium user-extensions file, option to automatically assert the title of every page etc.














VISUAL STUDIO TEST PROFESSIONALvisual studio test professional

Visual Studio Test Professional is an integrated testing toolset developed by Microsoft that delivers a complete plan-test-track workflow for in-context collaboration between testers and developers, in order to increase testers’ visibility to the overall project. Its features are file actionable bugs, manual testing, re-use manual test recordings, team foundation server, application lifecycle management etc. Whilst rich in features, it is an observation that testing professionals may get overwhelmed and intimidated due to abundance of menu items in the software that have no relevance to them.






WebUI TEST STUDIO

webui test studio


WebUI Test Studio is a tool for automated testing of web applications developed by telerik. WebUI Test Studio is used for testing all type of web applications without the need of writing code. The tool comes in two editions – a visual studio plug-in for software developers, and a standalone edition for QA professionals. Some features are: script less test recording, cross-browser test execution, web element abstraction and reuse, integration with visual studio, sentence-based UI validation, visual storyboard, test customization etc. It solves the problem of pop-ups by opening them in a different browser instance, so that they are not confined in the hosted browser.




RATIONAL FUNCTIONAL TESTER

ration functional tester

Rational Functional Tester is an automated functional testing and regression testing tool. Provides testers with automated testing capabilities for functional testing, regression testing, and GUI testing and data-driven testing. It’s features are: simplify test creation and visualization with storyboard testing, provides lifecycle traceability, validate dynamic data with dynamic data validation wizard, streamline automation with keyword testing, proxy SDK, test script version control for parallel development, etc.








TESTCOMPLETE

testcomplete

TestComplete is an automated testing tool that lets you create, manage and run tests for any windows, web or rich client software. It makes it easy for anyone to create automated tests. Some features are open APIs, easy extensibility, tons of documentation, scripted testing for total flexibility, windows and web testing, application support etc. It is an easy to use, all-in-one package that lets anyone start automating tests in minutes with no special skills. It has a low price, powerful features and impressive support resources.







TESTPARTNER
testpartner

Testpartner is an automated test tool that accelerates functional testing and facilitates the delivery of business-critical applications. Testpartner works via a tiered approach to testing that enables developers, quality experts and non-technical application users to collaborate and test more in the time available. Its features are: visual storyboard oriented approach, automated regression testing, automatic, object-oriented script generation, integrates with VBA etc. TestPartner encourages collaboration between developers, quality experts, and non-technical application users throughout the software development lifecycle, so more testing can be achieved in the available time.






SOA TEST

soatest

Parasoft SOAtest automates web application testing, message/protocol testing, cloud testing and security testing. Parasoft SOAtest and Parasoft load test (packaged together) ensure secure, reliable, compliant business processes and seamlessly integrate with Parasoft language products (e.g., Parasoft Jtest) to help teams prevent and detect application-layer defects from the start of the SDLC. Some features are client/server emulation, multi-layer verification, test case organization, regression testing, automatic test case generation, coding standard enforcement, soap -based enterprise system which operates as both the soap client and the soap server. This allows for early module testing of the applications.









TESTDRIVE

testcomplete
TestDrive is a full-featured automated testing solution designed to test GUI and browser applications "out-of-the-box". Significant reductions in timescales and advanced levels of quality can be achieved without the complexity of traditional testing tools. TestDrive integrates with all the other elements of our solution suite so that tests can be run from within Qualify, scripts can be built automatically from manual test results within TestDrive-Assist, and effects in the database can be simultaneously verified in TestBench.
Posted by at
Labels: , , ,

Open Source web security Testing Tools

Watcher

Watcher Security Testing
Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems, it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.





Wapiti

Wapiti Security TestingFile Handling Errors (Local and remote include/require, fopen, readfile...)Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable. Capable of handling following. Wapiti supports Database Injection, XSS Injection, LDAP Injection, Command Execution detection, CRLF Injection and many others.


WebSecurify

WebSecurifyWebsecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The platform is designed to perform automated as well as manual vulnerability tests and it is constantly improved and fine-tuned by a team of world class web application security penetration testers and the feedback from an active open source community. WebSecurify supports SQL Injection, Local and Remote File Include, Cross Site Scripting/Request Forgery, Information Disclousre Problems, Session Security Problems to name a few among many others.




Nikto2

NiktoNikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.


Skipfish

SkipFishSkipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

SQL, PHP, Command, XML/XPath Injection along with String/Integer vulnerabilities, Directory/File intrusions, Script/CSS vulnerabilities, Password/MIME types vulnerabilities, SSL/HTTP/HTML Forms realted vulnerabilities, Failed Website Resource vulnerabilities are very few of the vulnerabilities to mention that Skipfish can address among other host of features.

Ettercap

EttercapEttercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. It supports Linux, Mac, Windows, Solairs platforms with easy installation.





Flawfinder

FlawfinderFlawfinder searches through C/C++ source code looking for potential security flaws. Flawfinder is designed in Pyton and produces a list of ‘‘hits’’ (potential security flaws), sorted by risk; the riskiest hits are shownfirst. The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts, and in those contexts the hit will have a lower risk level






Honeyd

HoneydHoneyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.





Wireshark

WiresharkWireshark, formerly known as Ethereal, is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Wireshark supports Multi-platform and runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others. Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.





BFBTester

BFBT TesterBFBTester is good for doing quick, proactive security checks of binary programs. BFBTester will perform checks of single and multiple argument command line overflows and environment variable overflows. It can also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names.



By


chandru

Posted by at
Labels: , , ,
Subscribe to: Posts (Atom)