Sunday 8 September 2013

Pentest Tool 2013 ( Mostly Used For Pentesting )

Presenting the Best Pentest Tools (MUST have)

1. PWN STAR

A bash script that launches an access point (AP) and can be configured with a variety of attack options. It includes a number of index.html and PHP server scripts for phishing, and can act as a multi-client captive portal using PHP and iptables. Exploitation classics such as crime-PDF, de-auth with aireplay, etc. are also available.
General Features:
  1. Managing Interfaces and MAC Spoofing
  2. Set sniffing
  3. Phishing Web
  4. Karmetasploit
  5. WPA handshake
  6. De-auth client
  7. Manage iptables

2. ZED ATTACK PROXY (ZAP)

The Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It is designed for use by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to a tester's toolbox.
Key Features:
  1. Intercepting Proxy
  2. Active scanners
  3. Passive scanners
  4. Brute Force scanner
  5. Spider
  6. Fuzzer
  7. Port Scanner
  8. Dynamic SSL certificates
  9. API
  10. Beanshell integration

3. SET (SOCIAL ENGINEERING TOOLKIT)

A toolkit that focuses on attacking the human element: weakness and inattention. It is widely used today and is one of the most successful tools demonstrated at Defcon.
Key Features:
  • Spear-Phishing Attack Vector
  • Java Applet Attack Vector
  • Metasploit Browser Exploit Method
  • Credential Harvester Attack Method
  • Tabnabbing Attack Method
  • Man Left in the Middle Attack Method
  • Web Jacking Attack Method
  • Multi-Attack Web Vector
  • Infectious Media Generator
  • Teensy USB HID Attack Vector

4. BURP SUITE

Burp Suite is a very nice tool for web application security testing. It is great for pentesters and security researchers. It contains a variety of tools with many interfaces between them, designed to facilitate and speed up the process of attacking web applications.
General function:
  1. Interception proxy
  2. Radar and spiders crawling
  3. Webapps scanner
  4. Attack tool
  5. Repeater and sequencer tools

5. ETTERCAP

Ettercap is a multipurpose sniffer / interceptor / logger for local area networks. It supports active and passive dissection of many protocols (even in the form of code) and includes many features for network and host analysis.

General function:
  1. To perform traffic and data capture
  2. To perform network logging
  3. Etc.

6. SANS INVESTIGATIVE FORENSIC TOOLKIT (SIFT)

The SANS Investigative Forensic Toolkit (SIFT) Workstation is a VMware appliance that can be configured with everything needed to perform a detailed digital forensic examination. It is compatible with the Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that are used in modern forensic technology.
General function of SIFT:
  1. iPhone, Blackberry, and Android Forensic Capabilities
  2. Registry Viewer (Yaru)
  3. Compatibility with F-Response Tactical, Standard, and Enterprise
  4. PTK 2.0 (Special Release – Not Available for Download)
  5. Automated Timeline Generation via log2timeline
  6. Many Firefox Investigative Tools
  7. Windows Journal Parser and Shellbags Parser (jp and sbag)
  8. Many Windows Analysis Utilities (prefetch, usbstor, event logs, and more)
  9. Complete Overhaul of Regripper Plugins (added over 80 additional plugins)

7. WIRESHARK

Wireshark is the most widely used and most popular network protocol analyzer in the world, and is the de facto standard across many industries and educational institutions for analyzing networks across various protocols.
General function:
  1. Live capture and offline analysis
  2. Standard three-pane packet browser
  3. Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  4. Captured network data can be browsed via a GUI, or via the TTY-mode tshark utility
  5. The most powerful display filters in the industry
  6. Rich VoIP analysis
  7. Read / write many different capture file formats
  8. Etc.

8. WEBSPLOIT

WebSploit is an open source project for remotely scanning and analyzing systems for weaknesses in web applications.
Key Features:
[>] Social Engineering Works
[>] Scan, Web Crawler & Analysis
[>] Automatic Exploiter
[>] Support Network Attacks

[+] Autopwn – Used From Metasploit For Scan and Exploit Target Service
[+] WMAP – Scan, Target Used Crawler From Metasploit WMAP plugin
[+] format infector – inject the payload into reverse and bind file format
[+] phpmyadmin Scanner
[+] LFI Bypasser
[+] Apache Users Scanner
[+] Dir Bruter
[+] admin finder
[+] MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
[+] MITM – Man In The Middle Attack
[+] Java Applet Attack
[+] MFOD Attack Vector
[+] USB Infection Attack
[+] Dos ARP Attack
[+] Killer Web Attack
[+] Attack Fake Update
[+] Fake Access Point Attack

9. WINAUTOPWN

WinAutoPWN is a tool used to directly exploit the Windows framework, so that we automatically become an administrator on the Windows machine. It is widely used by Indonesian “defacers” to deface Windows servers :)

10. HASHCAT

Hashcat is a collection of tools for cracking encrypted (hashed) passwords, and is very powerful for password recovery.
General function:
  1. Multi-Threaded
  2. Free
  3. Multi-Hash (up to 24 million hashes)
  4. Multi-OS (Linux, Windows and OSX native binaries)
  5. Multi-Algo (MD4, MD5, SHA1, DCC, NTLM, MySQL, …)
  6. SSE2 accelerated
  7. All Attack-Modes except Brute-Force and Permutation can be extended by rules
  8. Very fast Rule-engine
  9. Rules compatible with JTR and PasswordsPro
  10. Possible to resume or limit session
  11. Automatically Recognizes recovered hashes from outfile at startup
  12. Can automatically generate random rules
  13. Load saltlist from external files and then use them in a Brute-Force Attack variant
  14. Able to work in a distributed environment
  15. Specify multiple wordlists or multiple directories of wordlists
  16. Number of threads can be configured
  17. Threads run on lowest priority
  18. 30+ algorithms implemented with performance in mind
  19. … and much more

11. UNISCAN

Uniscan is a web application scanner written in Perl for Linux. The current version of Uniscan is 6.2.
General function:
  1. Identification of system pages through a Web Crawler.
  2. Use of threads in the crawler.
  3. Control of the maximum number of requests made by the crawler.
  4. Control of variation of system pages identified by Web Crawler.
  5. Control of file extensions that are ignored.
  6. Test of pages found via the GET method.
  7. Test the forms found via the POST method.
  8. Support for SSL requests ( HTTPS ).
  9. Proxy support.
  10. Generate site list using Google.
  11. Generate site list using Bing.
  12. Plug-in support for Crawler.
  13. Plug-in support for dynamic tests.
  14. Plug-in support for static tests.
  15. Plug-in support for the stress tests.
  16. Multi-language support.
  17. Web client.

12. OLLYDBG

OllyDbg is a 32-bit assembler debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source code is not available.
General function:
  1. Intuitive user interface, no cryptical commands
  2. Code analysis – traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings
  3. Directly loads and debugs DLLs
  4. Object file scanning – locates routines from object files and libraries
  5. Allows for user-defined labels, comments and function descriptions
  6. Understands debugging information in Borland ® format
  7. Saves patches between sessions, writes them back to executable file and updates fixups
  8. Open architecture – many third-party plugins are available
  9. No installation – no trash in registry or system directories
  10. Debugs multithread applications
  11. Attaches to running programs
  12. Configurable disassembler, supports both MASM and IDEAL formats
  13. MMX, 3DNow! and SSE instructions and data types, including Athlon extensions
  14. Full UNICODE support
  15. Dynamically recognizes ASCII and UNICODE strings – also in Delphi format!
  16. Recognizes complex code constructs, like call to jump to procedure
  17. Decodes calls to more than 1900 standard API and 400 C functions
  18. Gives context-sensitive help on API functions from external help file
  19. Sets conditional, logging, memory and hardware breakpoints
  20. Traces program execution, logs arguments of known functions
  21. Shows fixups
  22. Dynamically traces stack frames
  23. Searches for imprecise commands and masked binary sequences
  24. Searches whole allocated memory
  25. Finds references to constant or address range
  26. Examines and modifies memory, sets breakpoints and pauses program on-the-fly
  27. Assembles commands into the shortest binary form
  28. Starts from the floppy disk

13. BBQSQL

BBQSQL is an open source SQL injection framework designed to be hyper fast, database agnostic, easy to set up, and easy to modify. It is another awesome release from the Arsenal at Black Hat USA 2012. When conducting security assessments of applications, we often find SQL vulnerabilities that are difficult to exploit; with this tool it becomes extremely easy.
BBQSQL is written in the Python programming language. It is very useful when dealing with complex SQL injection vulnerabilities. BBQSQL is also a semi-automated tool, which allows a little customization for those who are finding it difficult to trigger SQL injection. The tool was built to be database agnostic and very versatile. It also has an intuitive UI that makes setting up the attack much easier.
General function:
  1. SQL Injection Tools
  2. URL
  3. HTTP Method
  4. Headers
  5. Cookies
  6. Encoding methods
  7. Redirect behavior
  8. Files
  9. HTTP Auth
  10. Proxies

14. CRYPTOHAZE

Tools for cracking passwords / hashes. Cryptohaze supports CUDA, OpenCL, and CPU code (SSE, AVX, etc.), and can run on any OS that supports CUDA. All of this is intended to make it easier for pentesters to crack hashes.
General function:
  1. Crack various hashes
  2. Show the results of hash cracking
  3. Cracking on a variety of OS platforms

15. SAMURAI WEB TESTING FRAMEWORK (SWTF)

SWTF is used to perform tests / pentests against web applications, finding weaknesses and exploiting them. It is very comprehensive and widely used around the world, including by the binushacker staff :)
