Penetration Testing/Pentest Tools

26/02/2017 - 07:05
  1. Web application Penetration Testing Tool – BurpSuite

Web applications or more specifically, the website is where we daily approach, from simple things like listening to music, watching movies ... or financial transactions such as purchases, transfer money...  All this work, we can do through the website. People and organizations using the website to introduce and promote their products to customers, financial organizations use the website to provide financial transaction services…

These website may contain security vulnerabilities due to design, configure and deploy. It is worse,, if your system website been hacked and exploit information. With the motto: think like a hacker to assess web applications, BurpSuite is a comprehensive solution for scanning, searching for web application vulnerabilities.

BurpSuite is a platform, that has incorporated many features to serve the process of implementing web applications penetration testing. These features combine seamlessly together to full support penetration testing process, from gathering information, analyzing the direction of attack, thereby finding and exploiting vulnerabilities. Besides the detection popular web vulnerabilities such as SQL injection, XSS, XXE, HTML injection... BurpSuite also detect a wide range of new attack techniques integrated in Web applications such as: SSTI, JSON hijacking, CORS Misconfiguration, SMTP  header injection...

In addition, Burpsuite supports add on services to allow security experts to write the supporting utilities, to perform the advanced functions based on BurpSuite’s API.


With BurpSuite, you can combine the automatic and handicraft evaluation process to make your work faster, more accurately and more efficiently.

BurpSuite includes:

  • Proxy - allowing change, check the request / answer between the browser and the target web application
  • Spider - detection, search the content of the target web application
  • Scanner - automatic detection of web vulnerabilities
  • Intruder – implementing the option attack to find and exploit vulnerabilities unusual
  • Repeater - adjust and resubmit the request
  • Sequencer - used for the evaluation of random session token.
  • Extension – allows you to write the utilities to perform advanced functions.
     

2. Network System Penetration Testing Tools - Tenable Network Security

Tenable Network Security is leading security company in the world, specializing in providing solutions for scanning, search, assess and manage vulnerabilities. Tenable provide a comprehensive solution from scanning, analysis, and reports of penetration testing system.

The products of Tenable Network Security
Nessus – is leading pentest tool in the world, with millions of users. With massive databases and continuously updated, Nessus help you analyze and assess the overall security devices in the network, along with the interpretation, exploiting, how to fix vulnerabilities. Nessus is the first choice for security professionals.


SecurityCenter – With the ability to create and manage the vulnerability assessment reports, this tool helps network security professionals to easily manage, with an overview of the vulnerabilities in the system and then finding out the main rational policy on patching vulnerabilities. Moreover, SecurityCenter also allows you to benchmark and report on the possible risk of the system.
SecurityCenter Continuous View (SecurityCenter CV) -  is a higher level of management vulnerabilities. Nessus and SecurityCenter be used as a platform, SecurityCenter CV constantly monitor all devices and network bandwidth. And the ability to network monitor and analyze events logged on the device in real-time, comprehensive monitoring of all network activities and events occurring on the device, so you can find out, edit and repair vulnerabilities faster.

Compares the products feature of Tenable Network Security

 

3. Source code Penetration Testing Tools -  HPE Security Fortify Static Code Analyzer (SCA)

HPE Security Fortify Static Code Analyzer (SCA) is a tool to assess and analyze vulnerabilities based on scanning the application's source code. SCA it identifies the cause of software vulnerabilities and provide exactly analysis results, thereby helping the developers propose proper solutions.


Features

  • Language support:
    ABAP/BSP
    ActionScript/MXML (Flex)
    ASP.NET, VB.NET, C# (.NET)
    C/C++
    Classic ASP (w/VBScript)
    COBOL
    ColdFusionCFML
    HTML
    Java (including Android)
    JavaScript/AJAX
    JSP
    .... 
  • Supported IDEs
    Eclipse
    IntelliJ Ultimate
    IntelliJ Community Android Studio
    IBM Rational Application Developer (RAD)
    IBM Rational Software Architect (RSA)
    Microsoft® Visual Studio
  • Supported Build Tools
    Ant
    Jenkins
    Maven
    MSBuild
    Xcodebuild
     

4. Assessment compliance of audit policies, operating systems, system administrator database... - CIS Configuration Assessment Tool (CIS-CAT)

CIS-CAT is a tool written in Java. CIS-CAT CAT help you evaluate audit policies (Users Rights, Windows Firewall...), assess database management system (mysql, oracle ...), assess server configuration...

 

CIS-CAT supports to appreciate a lot of operating system, system administrator database:

Amazon Linux 2014.09, v1.1.0 (OVAL XML also available)

Apache Tomcat 5.5-6.0 Benchmark v1.0.0

Apple OSX 10.5 Benchmark v1.1.0

Apple OSX 10.6 Benchmark v1.0.0

Apple OSX 10.8 Benchmark v1.3.0

Apple OSX 10.9 Benchmark v1.2.0

Apple OSX 10.10 Benchmark v1.1.0

Apple OSX 10.11 Benchmark v1.0.0

CentOS Linux 6 Benchmark v1.1.0 (OVAL XML also available)

CentOS Linux 7 Benchmark v1.1.0 (OVAL XML also available)

Cisco IOS 15 Benchmark v4.0.0 (OVAL XML also available)

Debian Linux Benchmark v1.0.0

Debian Linux 7 Benchmark v1.0.0 (OVAL XML also available)

Debian Linux 8 Benchmark v1.0.0 (OVAL XML also available)

Google Chrome 46 Benchmark v.1.0.0 (OVAL XML also available)

HP-UX 11i Benchmark v1.4.2

IBM AIX 4.3-5.1 Benchmark v1.0.1

IBM AIX 5.3-6.1 Benchmark v1.1.0

IBM AIX 7.1 Benchmark v1.1.0

MIT Kerberos 1.10 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Office 2013 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Office Access 2013 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Office Excel 2013 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Office Outlook 2013 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Office PowerPoint 2013 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Office Word 2013 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Internet Explorer 10 Benchmark v1.1.0 (OVAL XML also available)

Microsoft Internet Explorer 11 Benchmark v1.0.0 (OVAL XML also available)

Microsoft Internet Information Services (IIS) 7/7.5, v1.6.0 (OVAL XML also available)

Microsoft Internet Information Server (IIS) 8/8.5 Benchmark v1.3.0 (OVAL XML also available)

Microsoft SQL Server 2008 R2 Database Engine Benchmark v1.2.0 (OVAL XML also available)

Microsoft SQL Server 2012 Database Engine Benchmark v1.1.0 (OVAL XML also available)

Microsoft SQL Server 2014, v1.0.0 (OVAL XML also available)

Microsoft Windows 2003 Member Server Domain Controller Benchmark v3.1.0 (OVAL XML also available)

Microsoft Windows 2008 Server Benchmark v2.1.0 (Domain Joined) (OVAL XML also available)

Microsoft Windows 2008 R2 Server Benchmark v2.1.0 (Domain Joined) (OVAL XML also available)

Microsoft Windows 2012 Server Benchmark v1.0.0 (Domain Joined) (OVAL XML also available)

Microsoft Windows 2012 R2 Server Benchmark v2.1.0 (OVAL XML also available)

Microsoft Windows XP Benchmark v3.1.0 (OVAL XML also available)

Microsoft Windows 7 Benchmark v2.1.0 (Domain Joined) (OVAL XML also available)

Microsoft Windows 8 Benchmark v1.0.0 (Domain Joined) (OVAL XML also available)

Microsoft Windows 8.1 Benchmark v2.1.0 (OVAL XML also available)

Microsoft Windows 10 Benchmark v1.0.0 (OVAL XML also available)

Mozilla Firefox 3 Benchmark v1.0.0

Mozilla Firefox 38 ESR Benchmark v1.0.0 (OVAL XML also available)

Mozilla Firefox ESR 24, v1.0.0 (OVAL XML also available)

Oracle Database 9i-10g Benchmark v2.0.1

Oracle Database 11g Benchmark v1.0.1

Oracle Database 11g R2 Benchmark v2.1.0 (OVAL XML also available)

Oracle Database 12c Benchmark v1.1.0 (OVAL XML also available)

Oracle Linux 7 Benchmark, v1.1.0 (OVAL XML also available)

Oracle MySQL Community Server 5.6 Benchmark, v1.0.0 (OVAL XML also available)

Oracle MySQL Enterprise Edition 5.6 Benchmark, v1.0.0 (OVAL XML also available)

Oracle MySQL Community Server 5.7 v1.0.0 (OVAL XML also available)

Oracle Solaris 10 Benchmark v5.2.0

Oracle Solaris 11 Benchmark v1.1.0

Oracle Solaris 11.1 Benchmark v1.0.0

Oracle Solaris 11.2 Benchmark v1.0.0

Google Chrome 46 Benchmark v.1.0.0 (OVAL XML also available)

RedHat Enterprise Linux 4 Benchmark v1.0.5

RedHat Enterprise Linux 5 Benchmark v2.2.0 (OVAL XML also available)

RedHat Enterprise Linux 6 Benchmark v1.4.0 (OVAL XML also available)

RedHat Enterprise Linux 7 Benchmark v1.1.0 (OVAL XML also available)

Slackware Linux 10.2 Benchmark v1.1.0

Solaris 2.5.1-9 Benchmark v1.3.0

SUSE Linux Enterprise Server 9 Benchmark v1.0.0

SUSE Linux Enterprise Server 10 Benchmark v2.0.0

SUSE Linux Enterprise Server 11 Benchmark v1.1.0 (OVAL XML also available)

SUSE Linux Enterprise Server 12 Benchmark v1.0.0 (OVAL XML also available)

Ubuntu 12.04 LTS Server Benchmark v1.1.0

Ubuntu 14.04 LTS Server Benchmark, v1.0.0

VMware ESX 3.5 Benchmark v1.2.0

VMware ESX 4.1 Benchmark v1.0.0

VMware ESXi 5.5 Benchmark v1.2.0 (OVAL XML also available)

 

Penetration Testing/Pentest Tools_Datasheet