Ceci est une ancienne révision du document !
Application
Recon & Mapping
Burp Suite
Its various tools (proxy, spider, scanner, intruder, repeater, sequencer, etc.) work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
CeWL
DirBuster
It’s a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
Fierce Domain Scanner
It’s a scanner that tests your
DNS for a zone transfer and then goes ahead and performs a brute force against your domain. Testing a list of sub domains against your domain to attempt to find other servers and IP addresses.
GPScan
Maltego CE
Nikto
It’s a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.
Paros
Through Paros's proxy nature, all
HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.
w3af
WebScarab
It’s a framework with lots of modules (proxy, spider, session ID analyser, fuzzer, etc.) for analysing applications that communicate using the
HTTP and HTTPS protocols. (OWASP)
Websecurify
WebShag
It is a multi-threaded, multi-platform web server audit that gathers commonly useful functionalities for web server auditing like website crawling,
URL scanning or file fuzzing.
Zed Attack Proxy
ZenMap
Discovery
Burp Suite
Flare
Grendel-Scan
JBroFuzz
It is a web application fuzzer for requests being made over
HTTP or HTTPS. (OWASP)
ProxyStrike
Rat Proxy
SQLmap
It is a penetration testing tool that automates the process of detecting and exploiting
SQL injection flaws and taking over of database servers.
w3af
Wapiti
It performs “black-box” scans and scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
Watabo
It works like a local proxy. It supports passive and active checks. Passive checks are more like filter functions (used to collect useful information, e.g. email or IP addresses). Active produces a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.
WebScarab
WebShag
Zed Attack Proxy
Exploitation
Durzosploit
Laudanum
It is a collection of injectable files, designed to be used in a pentest when
SQL injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell,
DNS query,
LDAP retrieval and others.
The Metasploit Framework is the actual development platform used to create security test tools and exploit modules and can also be used as a penetration testing system. It is an extremely powerful command-line tool that has released some of the most sophisticated exploits to public security vulnerabilities. It’s also known for its anti-forensic and evasion tools, which are built into the Metasploit Framework.
MonkeyFist
SQLBrute
It is a tool for brute forcing data out of databases using blind
SQL injection vulnerabilities.
SQLmap
SQLNinja
It is a tool targeted to exploit
SQL Injection vulnerabilities on a web application that uses Microsoft
SQL Server as its back-end.
w3af
Yokoso
Zed Attack Proxy
Methodologies
OWASP
Operating Systems
Samurai WTF
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
outils_web.1345756004.txt.gz · Dernière modification: 2017/04/09 15:33 (modification externe)