Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] Penetration testing tools?


Ben wrote:
No search hits for:
 * social engineering
 * impersonate

Am I missing something or does this document miss half of IT security,
from the word go?

It might just be that the language is unfamiliar - try authentication and access control.


On Mon, Oct 20, 2008 at 12:04 PM, Marghanita da Cruz
<marghanita@xxxxxxxxxxxx> wrote:
Amos,

You might like to check the Australian Government ICT Security Manual (ISM);
it tends to talk at a higher conceptual level than specific applications, but
provides useful contextual information... I would be interested in your
comments about its relevance/comprehensiveness.
<http://www.dsd.gov.au/library/infosec/ism.html>

Marghanita

Morgan Storey wrote:
Hi Amos,

That isn't a bad list, I tend to direct people to
http://sectools.org/vuln-scanners.html even though it is a little
dated, and doesn't mention OpenVAS (Nessus forked and OpenVAS is truly
OSS), I also use Webscarab, Xenu (just a link checker but gives you a
good list of the site), W3af, as it is open source and does some nice
fuzzing through its proxy, Nikto/Wikto and Nmap if it is more than
just web.
These are all just auto tests, they won't find everything and there
are some false finds too, so you also have to have a look at
techniques like SQL injection (you can get SQL injection tools like
Acunetix, but it is not cheap), and imho you are better off learning
the techniques yourself, because if you know how a tool works you are so
much better off.

Regards

On 10/16/08, Amos Shapira <amos.shapira@xxxxxxxxx> wrote:
Hello,

I need to find tools to run penetration testing on our external web
interfaces (a web application and an HTTP-based data interface).

The idea is to be able to run automatic tests on new releases before
deployment. Stress is on "automatic".

Has anyone here got good experience with such tools?  I'm digging through
the net and found lots of lists (e.g.
http://www.samurainet.org/blog/2008/05/12/web-application-penetration-testing-my-tools-of-the-trade/)
but if someone can give some input from their personal experience on what's
worth pursuing and what's a waste of time it'll, well..., might save us
some time.

Thanks,

--Amos
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html



--
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202


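Morgan's advice above is to learn how a technique like SQL injection actually works rather than rely only on scanner output, and Amos's requirement is that the checks run automatically on every release. The following is an added example (not code from any poster in this thread) of what that looks like as a pre-deployment regression test: a constructed in-memory SQLite user table, a login handler that builds its query by string formatting beside a parameterised one, and a small harness that checks each handler accepts valid credentials, rejects wrong ones, and rejects a tautology payload in the password field. The table schema, user record and handler names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration; not from the thread.
SAMPLE_USER = ("alice", "correct-horse")


def make_db():
    """Build a throwaway in-memory database with one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately defective handler: user input is spliced into the SQL text."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Hardened handler: bound parameters keep input out of the SQL grammar."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# The classic tautology probe: a scanner's simplest SQL injection test.
TAUTOLOGY = "' OR '1'='1"


def injection_regression(login):
    """Run the three checks a release gate would want against one handler.

    Returns a dict so a failing check is named in the test report rather than
    collapsed into a single boolean.
    """
    conn = make_db()
    name, password = SAMPLE_USER
    return {
        "valid_accepted": login(conn, name, password),
        "wrong_rejected": not login(conn, name, "not-the-password"),
        "tautology_rejected": not login(conn, name, TAUTOLOGY),
    }


def passes(login):
    """True only if every regression check holds for the given handler."""
    return all(injection_regression(login).values())


if __name__ == "__main__":
    for handler in (login_vulnerable, login_safe):
        print(handler.__name__, injection_regression(handler))
```

Run as-is, the vulnerable handler reports `tautology_rejected: False` because the spliced quote turns the `WHERE` clause into `password = '' OR '1'='1'`, which matches every row; the parameterised handler treats the same string as an ordinary password and rejects it. Wiring `passes(login_safe)` into the build as a failing test is the "automatic" part Amos asked for, and it keeps catching the defect if someone later reintroduces string formatting.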