Recon & Mapping
Its various tools (proxy, spider, scanner, intruder, repeater, sequencer, etc.) work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
It’s a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
Fierce Domain Scanner
It’s a scanner that tests your DNS
for a zone transfer and then goes ahead and performs a brute force against your domain. Testing a list of sub domains against your domain to attempt to find other servers and IP addresses.
It’s a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.
Through Paros's proxy nature, all HTTP
and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
It’s a framework with lots of modules (proxy, spider, session ID analyser, fuzzer, etc.) for analysing applications that communicate using the HTTP
and HTTPS protocols. (OWASP)
It is a multi-threaded, multi-platform web server audit that gathers commonly useful functionalities for web server auditing like website crawling, URL
scanning or file fuzzing.
Zed Attack Proxy
It is a web application fuzzer for requests being made over HTTP
or HTTPS. (OWASP)
It is a penetration testing tool that automates the process of detecting and exploiting SQL
injection flaws and taking over of database servers.
It performs “black-box” scans and scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
It works like a local proxy. It supports passive and active checks. Passive checks are more like filter functions (used to collect useful information, e.g. email or IP addresses). Active produces a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.
Zed Attack Proxy
It is a collection of injectable files, designed to be used in a pentest when SQL
injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell, DNS
retrieval and others.
The Metasploit Framework is the actual development platform used to create security test tools and exploit modules and can also be used as a penetration testing system. It is an extremely powerful command-line tool that has released some of the most sophisticated exploits to public security vulnerabilities. It’s also known for its anti-forensic and evasion tools, which are built into the Metasploit Framework.
It is a tool for brute forcing data out of databases using blind SQL
It is a tool targeted to exploit SQL
Injection vulnerabilities on a web application that uses Microsoft SQL
Server as its back-end.
Zed Attack Proxy
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
outils_web.txt · Dernière modification: 2017/04/09 15:33 (modification externe)