Penetration Testing mailing list archives

Tools Update - Last week of January 2010


From: "SD List" <list () security-database com>
Date: Sun, 31 Jan 2010 10:49:02 +0100 (CET)


Hello

Here is the site's newsletter "Security Database Tools Watch"
(http://www.security-database.com/toolswatch).
This letter summarizes the articles and news items published in the last 7 days.


         New articles
         --------------------------


**  Netsparker - "Automate That" Release v1.1.5.0057 **
by  Tools Tracker Team
- 28 January 2010

Netsparker can crawl, attack and identify vulnerabilities in all custom
web applications regardless of the platform and the technology they are
built on, just like an actual attacker.

It can identify web application vulnerabilities like SQL Injection,
Cross-site Scripting (XSS), Remote Code Execution and many more. It has
exploitation built on it, for example you can get a reverse shell out of an
identified SQL Injection or extract data via running custom SQL queries.

Netsparker (...)

->
http://www.security-database.com/toolswatch/Netsparker-Automate-That-Release.html


** Two methodologies for physical penetration testing using social
engineering **
by  Tools Tracker Team
- 28 January 2010

During a penetration test on the physical security of an organization, if
social engineering is used, the penetration tester directly interacts with
the employees. These interactions are usually based on deception and if not
done properly can upset the employees, violate their privacy or damage
their trust towards the organization, leading to lawsuits and loss of
productivity of the organization.

This paper proposes two methodologies for performing a physical
penetration test where the (...)

->
http://www.security-database.com/toolswatch/Two-methodologies-for-physical.html


** WireShark v1.2.6 released **
by  Tools Tracker Team
- 28 January 2010

Wireshark is the world’s most popular network protocol analyzer. It has
a rich and powerful feature set and runs on most computing platforms
including Windows, OS X, Linux, and UNIX. Network professionals, security
experts, developers, and educators around the world use it regularly. It is
freely available as open source, and is released under the GNU General
Public License version 2.

Wireshark 1.2.6 (stable) has been released. Installers for Windows, Mac OS
X 10.5.5 and above (...)

->
http://www.security-database.com/toolswatch/WireShark-v1-2-6-released.html


** SecuBat Web Vulnerability Scanner v0.5 available **
by  Tools Tracker Team
- 28 January 2010

SecuBat is a generic and modular web vulnerability scanner that, similar
to a port scanner, automatically analyzes web sites with the aim of finding
exploitable SQL injection and XSS vulnerabilities.

The SecuBat vulnerability scanner consists of three main components:
First, the crawling component gathers a set of target web sites. Then, the
attack component launches the configured attacks against these targets.
Finally, the analysis component examines the results returned by the web
(...)

->
http://www.security-database.com/toolswatch/SecuBat-Web-Vulnerability-Scanner.html


** Bing Web Server Probe v1.0 released **
by  Tools Tracker Team
- 28 January 2010

This is a tool for security researchers. It allows you to search for
either an IP address or a DNS name and display all associated domain names
known to Bing.

If a specific IP address is searched, all domain records associated with
that address are displayed.

If a DNS name is searched, all domain records associated with all
addresses returned for that DNS name are displayed.

Two separate self-contained versions of the tool are available:
command-line-based and GUI-based. The GUI version (...)

->
http://www.security-database.com/toolswatch/Bing-Web-Server-Probe-v1-released.html


** Cloud Computing Risk Assessment methodology available **
by  Tools Tracker Team
- 27 January 2010

ENISA - the European Network and Information Security Agency, working for
the EU Institutions and Member States. ENISA is the EU’s response to
security issues of the European Union. As such, it is the 'pacemaker' for
Information Security in Europe. The objective is to make ENISA’s web site
the European ‘hub’ for exchange of information, best practices and
knowledge in the field of Information Security.

ENISA is carrying out a risk assessment of cloud computing with input from
30 experts from (...)

->
http://www.security-database.com/toolswatch/Cloud-Computing-Risk-Assessment.html


** Imperva's Top 20 weakest passwords **
by  Tools Tracker Team
- 27 January 2010

In December 2009, a major password breach occurred that led to the release
of 32 million passwords. Further, the hacker posted to the Internet the
full list of the 32 million passwords (with no other identifiable
information). Passwords were stored in clear-text in the database and were
extracted through a SQL Injection vulnerability. The data provides a
unique glimpse into the way that users select passwords and an opportunity
to evaluate the true strength of these as a security (...)

->
http://www.security-database.com/toolswatch/Imperva-s-Top-20-weakest-passwords.html


** DIRB Web Content Scanner v2.03 released **
by  Tools Tracker Team
- 27 January 2010

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web
Objects. It basically works by launching a dictionary based attack against
a web server and analyzing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage but
you can use your custom wordlists. Also DIRB sometimes can be used as a
classic CGI scanner, but remember it is a content scanner, not a vulnerability
scanner.

DIRB's main purpose is to help in professional web application auditing.
(...)

->
http://www.security-database.com/toolswatch/DIRB-Web-Content-Scanner-v2-03.html


** The Dude network monitor v3.5 released **
by  Tools Tracker Team
- 24 January 2010

The Dude network monitor is a new application by MikroTik which can
dramatically improve the way you manage your network environment. It will
automatically scan all devices within specified subnets, draw and layout a
map of your networks, monitor services of your devices and alert you in
case some service has problems.

Some of its features:

The Dude is free of charge!

Auto network discovery and layout

Discovers any type or brand of device

Device, Link monitoring, and notifications (...)

->
http://www.security-database.com/toolswatch/The-Dude-network-monitor-v3-5.html


** Focus on BotHunter v1.5 the Malware Infection Detection System **
by  Tools Tracker Team
- 24 January 2010

BotHunter is the first, and still the best, network-based malware
infection detection system out there. It tracks the two-way communication
flows between your computer(s) and the Internet, comparing your network
traffic against an abstract model of malware communication patterns. Its
goal is to catch bots and other coordination-centric malware infesting your
network, and it is exceptionally effective.

CHANGES TO THE BOTHUNTER CORRELATOR

Skype detection logic has been added to the (...)

->
http://www.security-database.com/toolswatch/Focus-on-BotHunter-v1-5-the.html


** Ncrack v0.01 Alpha released **
by  Tools Tracker Team
- 24 January 2010

Ncrack is a high-speed network authentication cracking tool. It was built
to help companies secure their networks by proactively testing all their
hosts and networking devices for poor passwords. Security professionals
also rely on Ncrack when auditing their clients. Ncrack was designed using
a modular approach, a command-line syntax similar to Nmap and a dynamic
engine that can adapt its behaviour based on network feedback. It allows
for rapid, yet reliable large-scale auditing of multiple (...)

->
http://www.security-database.com/toolswatch/Ncrack-v0-01-Alpha-released.html


** SAINT® 7.2.5 Released **
by  Tools Tracker Team
- 24 January 2010

SAINT is the Security Administrator’s Integrated Network Tool. It is
used to non-intrusively detect security vulnerabilities on any remote
target, including servers, workstations, networking devices, and other
types of nodes. It will also gather information such as operating system
types and open ports. The SAINT graphical user interface provides access to
SAINT’s data management, scan configuration, scan scheduling, and data
analysis capabilities through a web browser. Different aspects of (...)

-> http://www.security-database.com/toolswatch/SAINT-R-7-2-5-Released.html


** OWASP Code Crawler v2.5 released **
by  Tools Tracker Team
- 24 January 2010

A tool aimed at assisting code review practitioners. It is a static code
review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to
implement a total code review solution for "everyone".

Changelog :

Code Crawler Editor

Find (CTRL+F)

Mark Findings

Select All (CTRL+A)

Copy as RTF (sweet)

CodeFolding

SyntaxHighlight

BracketMatching

Unlimited Undo/Redo buffer

Bookmarks

Go to line (CTRL+G)

Replace (...)

->
http://www.security-database.com/toolswatch/OWASP-Code-Crawler-v2-5-released.html

Regards

Nabil OUCHN
CEO & Founder
Security-Database
France

Maximiliano Soler
ToolsWatch Leader
Security-Database
Argentina



