Monday, August 29, 2011

Tips for Secure SSH Login


Secure Shell (SSH):
has been constructed with regards to security. Previously, customers often accessed Telnet in order to gain connection to their servers; however, this was the time, when servers were located right across the hall, not widely spread across the infinite internet.

Secure Shell provides an additional layer of encryption to the communication, ensuring that the users can connect with the dedicated server or the virtual private server (VPS) without having to feel wary of any threat from malicious activity, such as the capturing of their password.

Default Port No: 22/Tcp


Restrict Root login's:
In an ordinary situation, you have no motive to permit straight root logins to your server. Although the system administrator can be one of the roots once it has logged in (using su or sudo), it is far too dangerous to make your root account open to the entire Internet.

Jail users in chroot directories:
Servers, belonging to Linux and UNIX, provide the ability of restricting ordinary users from doing something dangerous, such as removing all the documents;, however, nothing can be done about viewing the files.

Install Brute Force Detection software:
Malicious hackers can make use of forcible methods in an attempt to gain knowledge of your password and carry out malevolent activity on your server.

Maintain secure password and periodic rotations:
Being the sysadmin, you have the ability to manage the requirements regarding the strength of the password along with making it compulsory for users to modify their password after a period of time.

Set the Timeout Interval:
An extremely helpful feature, a part of SSH configuration file, is that it allows you to determine a timeout interval, disallowing users from staying logged in, irrespective of whether they have forgotten to logout .


Friday, July 29, 2011

open source security assessment framework



Dradis

is an open source framework to enable effective information sharing, specially during security assessments.

Dradis is a self-contained web application that provides a centralized repository of information to keep track

This application is suited to people in lengthy engagements, it’s very useful to have all the information in one place. It’s also good to have if your team changes (i.e. someone joins half the way through), it will be useful to bring them up to speed.

Download Link : Click Here

************************************************************************************

Wednesday, July 27, 2011

Open Source Live-CD for Computer Forensic



PlainSight :
is a versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

Download Link : Click Here

********************************************************************************

DEFT 6 :
is based on Lubuntu with Kernel 2.6.35 (Linux side) and DEFT Extra 3.0 (Windows side) with the best freeware Computer Forensic tools; it is a new concept of Computer Forensic live system, ewflib ready, that use WINE for run Windows Computer Forensics tools under Linux.


DEFT live-cd for incident-response & corporate/gov forensics and a DEFT-based persistent environment for acquisition-analysis within the inhouse forensic lab.

Download Link : Click here

**********************************************************************************

Open Source Live-CD for Penetration testing



BackBox :
is a Linux distribution based on Ubuntu Lucid 10.04 LTS developed to perform penetration
tests and security assessments. Designed to be fast, easy to use and to provide a minimal yet complete desktop environment thanks to its own software repositories always been updated to the last stable version of the most known and used ethical hacking tools.

Hacking tools new or updated: Firefox 4, Hydra 6.2, Kismet 2011.03.2, Metasploit Framework 3.6.0, NMap 5.51, SET 1.3.5, SqlMap 0.9, sslstrip 0.8, w3af 1.0-rc5, weevely 0.3, WhatWeb 1.4.7,
Wireshark 1.4.5, Zaproxy 1.2, etc

Download Link : Click Here

**************************************************************************************************************************************

Blackbuntu :
is distribution for penetration testing which was specially designed for security training students and practitioners of information security.
Blackbuntu is Ubuntu base distro for Penetration Testing with GNOME Desktop Environment. It's currently being built using the Ubuntu 10.10.

Download Link : Click here

***********************************************************************************

Tuesday, July 26, 2011

Open Source network firewall


NetDefender :
is a Free Firewall with source code, which can be downloaded along with firewall executables. Netdefender works on windows 2000 and windows XP.

Requirements :

1. Netdefender can only run on an OS higher than windows 2000 (i.e. Win 2000, Win Xp I hope Vista would not break anything)
2. User must has admin rights (i.e. must be member of administrator group ) on the system.

Download Link : Click here

***********************************************************************************
Shorewall :
is a gateway/firewall configuration tool for GNU/Linux.



Download Link : Click here

************************************************************************************

Zorp
is a new generation proxy firewall suite and as such its core architecture is built around today's security demands: it uses application level proxies, it is modular and component based, it uses a script language to describe policy decisions, it makes it possible to monitor encrypted traffic, it let's you override client actions, it let's you protect your servers with its built in IDS capabilities... The list is endless. It gives you all the power you need to implement your local security policy.


Download Link : Click here

***********************************************************************************
Ufw :

stands for Uncomplicated Firewall, and is program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

Download Link : Click here

Thanks

chandru


Monday, July 25, 2011

Best SQL Injection Security Scanners




SQLIer

– SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all.

Get SQLIer : Click Here


SQLbftools

SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack.



Get SQLbftools : Click here

SQL Injection Brute-forcer –
SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application.

Get SQLLibf : Click Here

SQLBrute –
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries.

Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap –
SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.


Get SQLMap : Click Here

Absinthe –
Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.

Get Absinthe: Click here

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.


SQID –

SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities.

Get SQID : Click here

Blind SQL Injection Perl Tool
bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection.

Get Blind SQL Injection Perl Tool : Click here

SQL Power Injection Injector
SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads.

Get SQL Power Injection : Click here

FJ-Injector Framework
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation.

Get FJ-Injector Framework: Click here

SQLNinja
SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database.

Get SQLNinja: Click here

Automagic SQL Injector
The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.

Get Automagic SQL Injector: Click here

NGSS SQL Injector –
NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.

Friday, July 22, 2011

Top Ten Automation Testing tool

QTP

qtp



HP-QuickTest Professional
software provides functional and regression test automation for software applications and environments. HP QuickTest Professional supports keyword and scripting interfaces and features a graphical user interface. Its features are: a cascaded optimization system, the industry's deepest and broadest insight into IT-controlled assets, and a secure, comprehensive, operational environment for a hybrid world, enhanced expert view, business process testing, screen recorder etc.







Watir


watir

Watir, pronounced water, is an open-source (BSD) family of ruby libraries for automating web browsers. It allows you to write tests that are easy to read and maintain. It is simple and flexible. It clicks links, fills in forms, and presses buttons. Watir also checks results, such as whether expected text appears on the page. Its features are: to connect to databases, read data files and spreadsheets, export XML, and structure your code as reusable libraries etc.










TOSCA Testsuite


tosca test suite

TOSCA Testsuite is a software tool for the automated execution of functional and regression software testing. In addition to test automation functions, it includes integrated test management, a graphical user interface (GUI), a command line interface (CLI) and an application programming interface (API), generation of dynamic, synthetic test data, highly automated business dynamic steering of test case generation and the unified handling and executing of manual and automated as well as GUI and non-GUI tests etc.








Selenium


selenium


Selenium is a portable software testing framework for web applications. Selenium provides a record/playback tool for authoring tests without learning a test scripting language. It includes features like record and playback, intelligent field selection, Xpath as needed, auto complete for all common selenium commands, walk through tests, debug and set breakpoints, ruby scripts, or other formats, support for selenium user-extensions file, option to automatically assert the title of every page etc.














VISUAL STUDIO TEST PROFESSIONALvisual studio test professional

Visual Studio Test Professional is an integrated testing toolset developed by Microsoft that delivers a complete plan-test-track workflow for in-context collaboration between testers and developers, in order to increase testers’ visibility to the overall project. Its features are file actionable bugs, manual testing, re-use manual test recordings, team foundation server, application lifecycle management etc. Whilst rich in features, it is an observation that testing professionals may get overwhelmed and intimidated due to abundance of menu items in the software that have no relevance to them.






WebUI TEST STUDIO

webui test studio



WebUI Test Studio is a tool for automated testing of web applications developed by telerik. WebUI Test Studio is used for testing all type of web applications without the need of writing code. The tool comes in two editions – a visual studio plug-in for software developers, and a standalone edition for QA professionals. Some features are: script less test recording, cross-browser test execution, web element abstraction and reuse, integration with visual studio, sentence-based UI validation, visual storyboard, test customization etc. It solves the problem of pop-ups by opening them in a different browser instance, so that they are not confined in the hosted browser.




RATIONAL FUNCTIONAL TESTER


ration functional tester

Rational Functional Tester is an automated functional testing and regression testing tool. Provides testers with automated testing capabilities for functional testing, regression testing, and GUI testing and data-driven testing. It’s features are: simplify test creation and visualization with storyboard testing, provides lifecycle traceability, validate dynamic data with dynamic data validation wizard, streamline automation with keyword testing, proxy SDK, test script version control for parallel development, etc.








TESTCOMPLETE

testcomplete


TestComplete is an automated testing tool that lets you create, manage and run tests for any windows, web or rich client software. It makes it easy for anyone to create automated tests. Some features are open APIs, easy extensibility, tons of documentation, scripted testing for total flexibility, windows and web testing, application support etc. It is an easy to use, all-in-one package that lets anyone start automating tests in minutes with no special skills. It has a low price, powerful features and impressive support resources.







TESTPARTNER
testpartner

Testpartner is an automated test tool that accelerates functional testing and facilitates the delivery of business-critical applications. Testpartner works via a tiered approach to testing that enables developers, quality experts and non-technical application users to collaborate and test more in the time available. Its features are: visual storyboard oriented approach, automated regression testing, automatic, object-oriented script generation, integrates with VBA etc. TestPartner encourages collaboration between developers, quality experts, and non-technical application users throughout the software development lifecycle, so more testing can be achieved in the available time.






SOA TEST

soatest

Parasoft SOAtest automates web application testing, message/protocol testing, cloud testing and security testing. Parasoft SOAtest and Parasoft load test (packaged together) ensure secure, reliable, compliant business processes and seamlessly integrate with Parasoft language products (e.g., Parasoft Jtest) to help teams prevent and detect application-layer defects from the start of the SDLC. Some features are client/server emulation, multi-layer verification, test case organization, regression testing, automatic test case generation, coding standard enforcement, soap -based enterprise system which operates as both the soap client and the soap server. This allows for early module testing of the applications.









TESTDRIVE

testcomplete
TestDrive is a full-featured automated testing solution designed to test GUI and browser applications "out-of-the-box". Significant reductions in timescales and advanced levels of quality can be achieved without the complexity of traditional testing tools. TestDrive integrates with all the other elements of our solution suite so that tests can be run from within Qualify, scripts can be built automatically from manual test results within TestDrive-Assist, and effects in the database can be simultaneously verified in TestBench.