Penetration Testing mailing list archives

Tools Update - First week of March 2010


From: "SD List" <list () security-database com>
Date: Sun, 7 Mar 2010 12:05:49 +0100 (CET)


Hello

Here is the site's newsletter "Security Database Tools Watch"
(http://www.security-database.com/toolswatch).
This letter summarizes the articles and news items published in the last 7 days.

We also announce the update of the Free Security-Database IT vulnerability
and Threats Dashboard
(http://www.security-database.com/toolswatch/Security-Database-Vulnerability,1051.html).

SecTechno (http://www.sectechno.com/) the excellent blog that publishes
articles and whitepapers on a variety of IT security topics has also
released a nice paper on our Dashboards - Block new emerging threats with
Security-Database -
(http://www.sectechno.com/2010/02/23/block-new-emerging-threats-with-security-database/)


         New articles
         --------------------------


** Websecurify v0.5 Final **
by  ToolsTracker
- 6 March 2010

Websecurify Security Testing Framework identifies web security
vulnerabilities by using advanced browser automation, discovery and fuzzing
technologies. The framework is written in JavaScript and successfully
executes in numerous platforms including modern browsers with support for
HTML5, xulrunner, xpcshell, Java, V8 and others.

-> http://www.security-database.com/toolswatch/Websecurify-v0-5-Final.html


** [PDF] hping cheatsheet **
by  ToolsTracker
- 3 March 2010

hping is a command-line oriented TCP/IP packet assembler/analyzer. The
interface is inspired by the ping(8) unix command, but hping isn't only
able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP
protocols, has a traceroute mode, the ability to send files between a
covered channel, and many other features.

Thanks to our friend, Alejandro "dab" Ramos, from Security By (...)

-> http://www.security-database.com/toolswatch/PDF-hping-cheatsheet.html


** Acunetix WVS v6.5 build 20100303 released **
by  ToolsTracker
- 3 March 2010

Acunetix Web Vulnerability Scanner (WVS) is an automated web application
security testing tool that audits your web applications by checking for
exploitable hacking vulnerabilities. Automated scans may be supplemented
and cross-checked with the variety of manual tools to allow for
comprehensive web site and web application penetration testing.

New Feature:

Added new option to export results to HTTP Fuzzer

New Security Checks:

Test for XML External Entity Injection

Test for XML Injection (...)

-> http://www.security-database.com/toolswatch/Acunetix-WVS-v6-5-build-20100303.html


** CANVAS v6.56 released **
by  ToolsTracker
- 2 March 2010

Immunity's CANVAS makes available hundreds of exploits, an automated
exploitation system, and a comprehensive, reliable exploit development
framework to penetration testers and security professionals worldwide.

Version 6.56 - 09/03/2010

New Modules

GetLocale - gets the locale of a Win32 MOSDEF Node.

disable_windows_firewall - Turns the Firewall off on a Windows machine
useful for bouncing.

brightstor_cmdexec - CVE-2008-4397 (automatically runs a MOSDEF callback
using the CANVAS TFTP (...)

-> http://www.security-database.com/toolswatch/CANVAS-v6-56-released.html


** Viva Chile ! **
by  Tools Tracker Team
- 1 March 2010

Our America, with a capital A as used to say 'Che', is bereaved by the
disaster that hits Chile these days. So, all our thoughts and condolences
are with the families of the disappeared. We recommend Chile Ayuda

Spanish Version

Nuestra Mayúscula América, como decía "Che", está siendo afligida por
el desastre ocurrido días atras en Chile. Queremos extender nuestro apoyo
y condolencias para las familias de los desaparecidos.

Recomendamos Chile (...)

-> http://www.security-database.com/toolswatch/Viva-Chile.html


** WebRaider v0.2.3.8 - One Click Ownage **
by  ToolsTracker
- 1 March 2010

WebRaider is a plugin-based automated web application exploitation tool
which focuses on getting a shell from multiple targets or injection points.

One Click Ownage

The idea of this attack is very simple. Getting a reverse shell from an SQL
Injection with one request without using an extra channel such as TFTP, FTP
to upload the initial payload.

It's only one request therefore faster,

Simple, you don't need a tool you can do it manually by using your browser
or a simple MITM proxy, (...)

-> http://www.security-database.com/toolswatch/WebRaider-v0-2-3-8-One-Click.html


** Security-Database Vulnerability Dashboard updates **
by  Tools Tracker Team
- 1 March 2010

Security-Database IT Vulnerability & Threats Dashboard allows readers and
other security professionals to visualize in a granular manner the
evolution of the attacks and the vulnerabilities list for each product. We
use the worldwide references as well as CVE, CVSS, OVAL and CWE, which
guarantee trustworthy and real information that complies with the standards.

Changelog

Full migration from SDcon (H,M,L) to CVSS v2.0 (C,H,M,L)

New color brown for Critical Vulnerabilities

CVSS Calculator v2.0 (...)

-> http://www.security-database.com/toolswatch/Security-Database-Vulnerability,1051.html


** Windows Autopwn (winAUTOPWN) v2.1 released **
by  ToolsTracker
- 28 February 2010

winAUTOPWN is an auto (hacking) shell gaining tool. It can also be used to
test IDS, IPS and other monitoring sensors/software.

Autohack your targets with least possible interaction.

Features:

Contains already custom-compiled executables of famous and effective
exploits along with a few original exploits.

No need to debug, script or compile the source codes.

Scans all ports 1 - 65535 after taking the IP address and tries all
possible exploits according to the list of discovered (...)

-> http://www.security-database.com/toolswatch/Windows-Autopwn-winAUTOPWN-v2-1.html


** Websecurify v0.5 RC 1 released **
by  ToolsTracker
- 28 February 2010

Websecurify Security Testing Framework identifies web security
vulnerabilities by using advanced browser automation, discovery and fuzzing
technologies. The framework is written in JavaScript and successfully
executes in numerous platforms including modern browsers with support for
HTML5, xulrunner, xpcshell, Java, V8 and others.

Changelog

Improved user interface.

The workspace window now has an Issue view which provides detailed
information on each finding.

Detailed reports which can (...)

-> http://www.security-database.com/toolswatch/Websecurify-v0-5-RC-1-released.html


** AutoScan v1.5 available **
by  Tools Tracker Team
- 27 February 2010

AutoScan-Network is a network discovering and managing application. No
configuration is required to scan your network. The main goal is to print
the list of connected equipment in your network.

Features:

Multithreaded Scan

Automatic network discovery

Low surcharge on the network

Simultaneous subnetworks scans without human intervention

Realtime detection of any connected equipment

Supervision of any equipment (router, server, firewall...)

Supervision of any network service (smtp, (...)

-> http://www.security-database.com/toolswatch/AutoScan-v1-5-available.html


** Pangolin SQL injection tool build 3.2.1.1020 released **
by  Tools Tracker Team
- 27 February 2010

Pangolin is an automatic SQL injection penetration testing tool developed
by NOSEC. Its goal is to detect and take advantage of SQL injection
vulnerabilities on web applications.

Once it detects one or more SQL injections on the target host, the user
can choose among a variety of options to perform an extensive back-end
database management system fingerprint, retrieve DBMS session user and
database, enumerate users, password hashes, privileges, databases, dump
entire or user’s specific (...)

-> http://www.security-database.com/toolswatch/Pangolin-SQL-injection-tool-build.html


** Web Security Dojo v1.0 released **
by  Tools Tracker Team
- 27 February 2010

Web Security Dojo is a turnkey web application security lab with tools,
targets, and training materials built into a Virtual Machine (VM). It is
ideal for both self-instruction and training classes since everything is
pre-configured and no external network connection is needed. All tools and
targets are configured to use non-conflicting ports and a Firefox proxy
switcher is set up to match.

Web Security Dojo is an open source project built on Ubuntu and hosted at
SourceForge. It is (...)

-> http://www.security-database.com/toolswatch/Web-Security-Dojo-v1-released.html


** Saint Vulnerability Scanner and Exploiter v7.2.7 released **
by  Tools Tracker Team
- 27 February 2010

SAINT is the Security Administrator’s Integrated Network Tool. It is
used to non-intrusively detect security vulnerabilities on any remote
target, including servers, workstations, networking devices, and other
types of nodes. It will also gather information such as operating system
types and open ports. The SAINT graphical user interface provides access to
SAINT’s data management, scan configuration, scan scheduling, and data
analysis capabilities through a web browser. Different aspects of (...)

-> http://www.security-database.com/toolswatch/Saint-Vulnerability-Scanner-and.html


** John the Ripper updated to v1.7.5 **
by  Tools Tracker Team
- 27 February 2010

John the Ripper is a fast password cracker, currently available for many
flavors of Unix (11 are officially supported, not counting different
architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to
detect weak Unix passwords. Besides several crypt(3) password hash types
most commonly found on various Unix flavors, supported out of the box are
Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with
contributed patches.

Version 1.7.5 (...)

-> http://www.security-database.com/toolswatch/John-the-Ripper-updated-to-v1-7-5.html


** Watcher Web Security Scanning tool v1.3.0 available **
by  Tools Tracker Team
- 27 February 2010

Watcher (The Open source Web Security Testing Tool and PCI compliancy
auditing utility) is a runtime passive-analysis tool for HTTP-based Web
applications. It detects Web-application security issues as well as
operational configuration issues.

Watcher provides pen-testers hot-spot detection for vulnerabilities,
developers quick sanity checks, and auditors PCI compliance auditing. It
looks for issues related to mashups, user-controlled payloads (potential
XSS), cookies, comments, HTTP (...)

-> http://www.security-database.com/toolswatch/Watcher-Web-Security-Scanning-tool.html

Kind Regards

Security-Database Team


