Penetration Testing mailing list archives
Tools Update - First week of March 2010
From: "SD List" <list () security-database com>
Date: Sun, 7 Mar 2010 12:05:49 +0100 (CET)
Hello Here is the site's newsletter "Security Database Tools Watch" (http://www.security-database.com/toolswatch). This letter summarizes the articles and news items published since 7 days. We also announce the update of the Free Security-Database IT vulnerability and Threats Dashboard (http://www.security-database.com/toolswatch/Security-Database-Vulnerability,1051.html). SecTechno (http://www.sectechno.com/) the excellent blog that publishes articles and whitepapers on a variety of IT security topics has also released a nice paper on our Dashboards - Block new emerging threats with Security-Database - (http://www.sectechno.com/2010/02/23/block-new-emerging-threats-with-security-database/) New articles -------------------------- ** Websecurify v0.5 Final ** by ToolsTracker - 6 March 2010 Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The framework is written in JavaScript and successfully executes in numerous platforms including modern browsers with support for HTML5, xulrunner, xpcshell, Java, V8 and others. More information: here -> http://www.security-database.com/toolswatch/Websecurify-v0-5-Final.html ** [PDF] hping cheatsheet ** by ToolsTracker - 3 March 2010 hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, [?]UDP], ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features. More information about hping Thanks to our friend, Alejandro "dab" Ramos, from Security By (...) -> http://www.security-database.com/toolswatch/PDF-hping-cheatsheet.html ** Acunetix WVS v6.5 build 20100303 released ** by ToolsTracker - 3 March 2010 Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing. New Feature: Added new option to export results to HTTP Fuzzer New Security Checks: Test for XML External Entity Injection Test for XML Injection (...) -> http://www.security-database.com/toolswatch/Acunetix-WVS-v6-5-build-20100303.html ** CANVAS v6.56 released ** by ToolsTracker - 2 March 2010 Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide. Version 6.56 - 09/03/2010 New Modules GetLocale - gets the locale of a Win32 MOSDEF Node. disable_windows_firewall - Turns the Firewall off on a Windows machine useful for bouncing. brightstor_cmdexec - CVE-2008-4397 (automatically runs a MOSDEF callback using the CANVAS TFTP (...) -> http://www.security-database.com/toolswatch/CANVAS-v6-56-released.html ** Viva Chile ! ** by Tools Tracker Team - 1 March 2010 Our America, with a capital A as used to say 'Che', is bereaved by the disaster that hits Chile these days. So, all our thoughts and condolences are with the families of the disappeared. We recommend Chile Ayuda Spanish Version Nuestra Mayúscula América, como decía "Che", está siendo afligida por el desastre ocurrido días atras en Chile. Queremos extender nuestro apoyo y condolencias para las familias de los desaparecidos. Recomendamos Chile (...) -> http://www.security-database.com/toolswatch/Viva-Chile.html ** WebRaider v0.2.3.8 - One Click Ownage ** by ToolsTracker - 1 March 2010 WebRaider is a plugin based automated web application exploitation tool which focuses to get a shell from multiple targets or injection point. One Click Ownage Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload. It's only one request therefore faster, Simple, you don't need a tool you can do it manually by using your browser or a simple MITM proxy, (...) -> http://www.security-database.com/toolswatch/WebRaider-v0-2-3-8-One-Click.html ** Security-Database Vulnerability Dashboard updates ** by Tools Tracker Team - 1 March 2010 Security-Database IT Vulnerability & Threats Dashboard allows readers and others security professionals to visualize in a granular manner the evolution of the attacks and the vulnerabilities list for each products. We use the worldwide references as well as CVE, CVSS, OVAL and CWE which guaranty a trusty and real information that comply to the standards. Changelog Fully migration from SDcon (H,M,L) to CVSS v2.0 (C,H,M,L) New color brown for Critical Vulnerabilities CVSS Calculator v2.0 (...) -> http://www.security-database.com/toolswatch/Security-Database-Vulnerability,1051.html ** Windows Autopwn (winAUTOPWN) v2.1 released ** by ToolsTracker - 28 February 2010 winAUTOPWN is an auto (hacking) shell gaining tool. It can also be used to test IDS, IPS and other monitoring sensors/softwares. Autohack your targets with least possible interaction. Features: Contains already custom-compiled executables of famous and effective exploits alongwith a few original exploits. No need to debug, script or compile the source codes. Scans all ports 1 -* 65535 after taking the IP address and tries all possible exploits according to the list of discovered (...) -> http://www.security-database.com/toolswatch/Windows-Autopwn-winAUTOPWN-v2-1.html ** Websecurify v0.5 RC 1 released ** by ToolsTracker - 28 February 2010 Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The framework is written in JavaScript and successfully executes in numerous platforms including modern browsers with support for HTML5, xulrunner, xpcshell, Java, V8 and others. Changelog Improved user interface. The workspace window now has an Issue view which provides detailed information on each finding. Detailed reports which can (...) -> http://www.security-database.com/toolswatch/Websecurify-v0-5-RC-1-released.html ** AutoScan v1.5 available ** by Tools Tracker Team - 27 February 2010 AutoScan-Network is a network discovering and managing application. No configuration is required to scan your network. The main goal is to print the list of connected equipments in your network Features: Multithreaded Scan Automatic network discovery Low surcharge on the network Simultaneous subnetworks scans without human intervention Realtime detection of any connected equipment Supervision of any equipment (router, server, firewall...) Supervision of any network service (smtp, (...) -> http://www.security-database.com/toolswatch/AutoScan-v1-5-available.html ** Pangolin SQL injection tool build 3.2.1.1020 released ** by Tools Tracker Team - 27 February 2010 Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or users specific (...) -> http://www.security-database.com/toolswatch/Pangolin-SQL-injection-tool-build.html ** Web Security Dojo v1.0 released ** by Tools Tracker Team - 27 February 2010 Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use non-conflicting ports and a Firefox proxy switcher is set up to match. Web Security Dojo is an open source project built on Ubuntu and hosted at SourceForge. It is (...) -> http://www.security-database.com/toolswatch/Web-Security-Dojo-v1-released.html ** Saint Vulnerability Scanner and Exploiter v7.2.7 released ** by Tools Tracker Team - 27 February 2010 SAINT is the Security Administrators Integrated Network Tool. It is used to non-intrusively detect security vulnerabilities on any remote target, including servers, workstations, networking devices, and other types of nodes. It will also gather information such as operating system types and open ports. The SAINT graphical user interface provides access to SAINTs data management, scan configuration, scan scheduling, and data analysis capabilities through a web browser. Different aspects of (...) -> http://www.security-database.com/toolswatch/Saint-Vulnerability-Scanner-and.html ** John the Ripper updated to v1.7.5 ** by Tools Tracker Team - 27 February 2010 John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches. Version 1.7.5 (...) -> http://www.security-database.com/toolswatch/John-the-Ripper-updated-to-v1-7-5.html ** Watcher Web Security Scanning tool v1.3.0 available ** by Tools Tracker Team - 27 February 2010 Watcher (The Open source Web Security Testing Tool and PCI compliancy auditing utility) is a runtime passive-analysis tool for HTTP-based Web applications. It detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP (...) -> http://www.security-database.com/toolswatch/Watcher-Web-Security-Scanning-tool.html Kind Regards Security-Database Team ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Tools Update - First week of March 2010 SD List (Mar 08)