Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added

Posted by William McBorrough | PenTest, Tools | Thursday 20 May 2010 1:24 pm

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals.

Update Summary

  • Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
  • Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found here.

Skipfish-Web Scanning Security Tool from Google

Posted by William McBorrough | PenTest, Tools | Tuesday 23 March 2010 2:59 pm

Google has released an open-source Web security scanner called Skipfish that is designed to allow people to scan Web applications for security holes.

The tool scans a Web application for flaws including “tricky scenarios” such as blind SQL or XML injection, Google developer Michal Zalewski said in the Skipfish wiki.

Skipfish prepares a site map annotated with interactive crawl results, highlighting flaws, after a recursive crawl and dictionary-based probing of the target site. The tool can also generate a final report that can be used as a basis for a security assessment.

Read more of “Google releases Skipfish Web-security scanner” at ZDNet UK.

SAHI – Web Automation & Application Security Testing Tool

Posted by William McBorrough | PenTest, Tools | Monday 8 March 2010 1:09 pm

Sahi is an automation tool to test web applications. Sahi injects javascript into web pages using a proxy and the javascript helps automate web applications.

Sahi is an open source testing tool for web applications, with the facility to record and playback scripts. Developed in Java, C and Javascript, this tool uses simple Javascript to execute events in the browser.

Features:

  • In-browser controls
  • Intelligent recorder
  • Text-based scripts
  • Ant support for playback of suites of tests
  • Multi-threaded playback from a command line
  • HTTP and HTTPS support
  • AJAX support

Sahi runs as a proxy server which intercepts traffic from the web browser and records the web browsing actions. Sahi can play back those recorded actions by injecting Javascript into the browser so it can access elements in the web page. This makes the tool independent of the website / web application.

Read more and download it here:

http://www.darknet.org.uk/2010/03/sahi-web-automation-application-security-testing-tool/

keimpx – New Open Source SMB Credential Scanner

Posted by William McBorrough | PenTest, Tools | Thursday 25 February 2010 9:04 pm

keimpx is an open source tool, released under a modified version of Apache License 1.1. It can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

  • Combination of user / plain-text password.
  • Combination of user / NTLM hash.
  • Combination of user / NTLM logon session token.

If any valid credentials have been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, and is then prompted with an interactive SMB shell where the user can:

  • Spawn an interactive command prompt.
  • Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
  • Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
  • List users details, domains and password policy.

You can download keimpx 0.2 here:

keimpx-0.2.zip

source: http://www.darknet.org.uk/2010/02/keimpx-open-source-smb-credential-scanner/

Live Hacking CD based on Ubuntu?? Get out!!

Posted by William McBorrough | Forensics, Networking, PenTest, Tools, Wireless | Friday 12 February 2010 6:14 pm

Dr. Ali Jahangiri, the well known security expert and author of Live Hacking: The Ultimate Guide to Hacking Techniques & Countermeasures for Ethical Hackers & IT Security Experts, is pleased to announce the launch of the Live Hacking CD, a new Linux distribution designed for ethical hacking. The Live Hacking CD contains the tools and utilities you need to test and hack your own network, using the tools and techniques that more malicious hackers would use.

Download it here: http://www.livehacking.com/cd-dvd/download.htm

Read the full press release here: http://www.free-press-release-center.info

Free episodes of Hakin9 Magazine posted

Posted by William McBorrough | Forensics, Networking, PenTest, Tools, Wireless | Tuesday 9 February 2010 3:19 pm

Hakin9 is a source of advanced, practical guidelines regarding the latest methods as well as the ways of securing systems, networks and applications. I have provided a few recommended copies to download as pdf. Get them here.

100+ Open Source Security Tools

Posted by William McBorrough | Forensics, Networking, PenTest, Tools, Wireless | Saturday 30 January 2010 2:57 pm

Security testing or assessment is a process to determine that an Information System adequately protects data and maintains intended functionality, judged against the following properties:

Confidentiality: A security measure which protects against the disclosure of information to parties other than the intended recipient(s). It is often ensured by encoding the information with a defined algorithm and some secret known only to the originator and the intended recipient(s) (a process known as cryptography), but that is by no means the only way of ensuring confidentiality.

Integrity: A measure intended to allow the receiver to determine that the information which it receives has not been altered in transit or by other than the originator of the information. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check rather than encoding all of the communication.

Authentication: A measure designed to establish the validity of a transmission, message, or originator. It allows a receiver to have confidence that the information it receives originated from a specific known source.

Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.

Availability: Assuring information and communications services will be ready for use when expected. Information must be kept available to authorized persons when they need it.

Non-repudiation: A measure intended to prevent the later denial that an action happened, or a communication took place, etc. In communication terms, this often involves the interchange of authentication information combined with some form of provable time stamp.
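The integrity and authentication definitions above describe adding extra information to a message so the receiver can run an algorithmic check on it. The following Python example is added here to show that mechanism concretely with an HMAC-SHA256 tag from the standard library; it is not part of the original post. The shared key, the messages and the demo() harness are constructed for the illustration, and confidentiality is deliberately left out since that needs a separate cipher.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key; a real deployment loads it from a key store and never hard-codes it.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag: the 'additional information' an integrity check relies on."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(blob: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Return the message if the tag was produced with `key` over exactly these bytes, else None.

    A valid tag gives both integrity (no alteration in transit) and authentication
    (only a holder of the key could have produced it).
    """
    if len(blob) < TAG_LEN:
        return None  # too short to even carry a tag
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time so the comparison itself leaks nothing.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo() -> Dict[str, bool]:
    """Constructed scenario: a valid message, a tampered copy, and a message under a wrong key."""
    original = b"transfer 100 to account 42"
    blob = protect(original)

    tampered = bytearray(blob)
    tampered[9] ^= 0x01  # flips '1' to '0' in the amount, leaving the tag untouched

    return {
        "valid_accepted": verify(blob) == original,
        "tampered_rejected": verify(bytes(tampered)) is None,
        "wrong_key_rejected": verify(blob, key=b"some-other-key") is None,
        "truncated_rejected": verify(blob[:10]) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The tag is computed over the whole message, so any change to the data, however small, changes the expected tag and the check fails; a peer without the key cannot recompute a matching tag, which is what makes the same mechanism serve authentication as well as integrity.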

I’ve listed 100+ free and open source tools used in security testing here.

Dilbert Phishing

Effectively Scoping Application Security Penetration Testing and Ethical Hacking

Posted by Guest Blogger | Forensics, PenTest | Monday 18 January 2010 9:30 pm

When scoping an application security penetration test, I would suggest that you remember the following:

The principal focus of the testing should be on the application under test. This means that the vulnerability of the surrounding environment is not under test, nor are, for example, Internet-facing firewalls, except in their relationship to the application. Therefore it would be appropriate for the vendor to confirm that the firewalls are configured correctly for this application and that no unnecessary ports are allowed through. Conversely, the vendor should be instructed not to test your firewalls beyond this.

The test should include a paper review of the architectural design before testing begins. The review should validate the physical placement of the various network components and servers, and identify potential issues or security weaknesses.

It should be left to the vendor to use their judgment as to which particular tests are relevant to a particular application. There are two exceptions to this.

  • If it can be seen that the vendor's proposed testing is not comprehensive enough, then the project should insist on extending the scope to include additional areas of testing.
  • If, in the opinion of the project, the tests proposed would have an undesirable effect on production infrastructure or applications. In this case steps must be taken to achieve the same testing in an alternative manner. For example, this may involve the use of application disaster recovery equipment.

While it is difficult to prescribe exactly which tests are appropriate for any generic set of applications, in principle you should consider the following where applicable:

  • Password cracking scan of password files on servers.
  • An on-box scan for security vulnerabilities.
  • An examination of the client-side application for details that reveal how the application functions and could be used for a more focused attack.
  • Examination of client-side code and locally stored information such as cookies and session information. This should include alterations to such information in an attempt to:
    - subvert authentication checking
    - establish the bounds of server reliance on client data fields
    - test for other unexpected results and potentially access confidential information.

  • Bounds checking and application validation for both accidental and mischievous input. The test should ensure that applications correctly respond to unexpected data formats or sizes.
  • Potential for buffer overflows.
  • Examination of application-to-application interaction between resources such as the web service and back-end data feeds. Attempts are made to access application resources by impersonating other system functions or sources.
  • An examination of application-level traffic passing between various host systems for passwords, CGI parameters, and other data that might be reused as part of an exploitation attempt.
  • Conduct authenticated user testing to see if they can abuse the system as a “customer”.
  • Attempted permission escalation by, for example, referencing application components with higher server-side permissions, or exploitation of race conditions to identify lax permission or authentication checking.
  • Susceptibility of the application to replay attack and man in the middle attacks.
  • Other session-oriented attacks, including an analysis of system responses to such data.
  • Susceptibility of the application to specially crafted packets delivered independently of the front end application checking.
  • Investigation of robustness and resilience of application Authentication mechanisms.
  • Software-specific manufacturer-recognised exploits
  • Content sharing vulnerabilities
  • Presence of deployment process vulnerabilities
  • Presence of activation process vulnerabilities
  • Request process vulnerabilities
  • File and user permission vulnerabilities
  • Cluster connectivity vulnerabilities
  • Excess build and configuration weaknesses
  • Application of applicable security patches, fixes and updates
  • Legacy application code development weaknesses
  • SQL injection weaknesses
  • Cross-site scripting vulnerabilities
  • Potential to defraud the application
  • Encryption and authentication vulnerabilities
  • Defacement weaknesses
  • Redirection vulnerabilities
  • Administration rights & controls
  • Sniffer attack vulnerabilities
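The client-side item in the list above asks the tester to establish "the bounds of server reliance on client data fields". The Python example below is added here to show what that boundary looks like in server code; it is not from the original article. It pairs two handlers that trust client-supplied fields (a role cookie and an order price) with hardened versions that derive the same values server-side. The session store, catalog, and the forged request in demo() are all constructed for the illustration.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-ins for a real session store and product database.
SESSIONS: Dict[str, Dict[str, str]] = {}
CATALOG_PRICES = {"SKU-1001": 4999, "SKU-2002": 999}  # prices in cents


def login(username: str, role: str) -> str:
    """Create a server-side session; only an opaque, unguessable id goes to the client."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "role": role}
    return session_id


def vulnerable_is_admin(request: dict) -> bool:
    """Weak pattern: authorization decided by a cookie the client can rewrite."""
    return request["cookies"].get("role") == "admin"


def hardened_is_admin(request: dict) -> bool:
    """Role comes from the server-side session; any client-supplied role is ignored."""
    session = SESSIONS.get(request["cookies"].get("session_id", ""))
    return session is not None and session["role"] == "admin"


def vulnerable_order_total(request: dict) -> int:
    """Weak pattern: the price is whatever the client put in the form."""
    body = request["body"]
    return int(body["price"]) * int(body["qty"])


def hardened_order_total(request: dict) -> Optional[int]:
    """Price is looked up by SKU server-side and the quantity is bounds-checked."""
    body = request["body"]
    price = CATALOG_PRICES.get(body.get("sku"))
    try:
        qty = int(body.get("qty", 0))
    except (TypeError, ValueError):
        return None  # non-numeric quantity: reject rather than guess
    if price is None or not 1 <= qty <= 100:
        return None  # unknown product or quantity outside the accepted range
    return price * qty


def demo() -> dict:
    """Constructed request: a genuine customer session plus a forged role and a tampered price."""
    sid = login("alice", "customer")
    forged = {
        "cookies": {"session_id": sid, "role": "admin"},
        "body": {"sku": "SKU-1001", "price": "1", "qty": "3"},
    }
    no_session = {"cookies": {"session_id": "not-a-real-session", "role": "admin"}, "body": {}}
    return {
        "vulnerable_admin": vulnerable_is_admin(forged),
        "hardened_admin": hardened_is_admin(forged),
        "unknown_session_admin": hardened_is_admin(no_session),
        "vulnerable_total": vulnerable_order_total(forged),
        "hardened_total": hardened_order_total(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run against the same forged request, the vulnerable handlers grant admin and charge three cents, while the hardened ones deny admin and charge the catalog price; a tester probing the "bounds of server reliance" is looking for exactly the first kind of handler, and the fix is always to re-derive the field on the server rather than to validate the client's copy of it.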

Some applications may have a number of identical components in the architecture, e.g. a web-enabled application may have 4 web servers in parallel for load reasons. In these cases, the project should ensure that the vendor is testing all instances of the components. Extending the web server example further, this would mean that each web server's operating system would need to be tested to ensure that any hardening processes undertaken had been completed on each of the servers.

This does not mean that each instance of the actual application code running on each web server is subjected to all tests. In other words, it should be sufficient to conduct data validation tests against only 1 of the servers.

It happens more often than one would think: there have been many cases of penetration tests launching attacks against networks that were not authorised for testing. Therefore the project must ensure the vendor knows the limits that they are working under. It is worth asking the vendor what methods they use to limit unintentional damage to your network.

Lastly, the vendor should be reminded by the project that any information collected is to be treated in confidence, and that they must take appropriate steps to ensure any data retained by them is secured and destroyed securely when no longer required.

Author: Penny Reyes
Article Source: EzineArticles.com

Backtrack 4 Final Released!!

Posted by William McBorrough | Forensics, Networking, PenTest, Tools, Wireless | Tuesday 12 January 2010 4:47 pm

BackTrack 4 is a Linux-based penetration testing suite of tools used by security professionals to perform assessments. BackTrack has been fully customized as a penetration testing tool.

BackTrack 4 (codenamed “pwnsauce”) includes a new kernel, a larger and expanded toolset repository, custom tools that you can only find on BackTrack, and more importantly, fixes to most major bugs that we knew of. You can install and use it as your primary operating system, run it as a live cd, from a usb drive, or as a virtual machine.

Some of the tools included in the suite are: Metasploit, Kismet, Autoscan, Nmap, Ettercap, Wireshark, etc. These tools can be used for network, system and wireless reconnaissance, enumeration and penetration.

I use the backtrack suite in teaching my ethical hacking class. It is a great tool for anyone interested in learning to perform security assessments.

Other suites with similar functionality can be found in a previous post.

How many security tools can you fit on your key chain?

Posted by William McBorrough | Forensics, PenTest, Tools, Wireless | Friday 11 December 2009 4:21 pm

When I first started running Ubuntu as my laptop OS of choice, it was partly because I got fed up with having to rebuild my Windows XP OS whenever it would pick up some particularly stubborn piece of varmint during my browsing of sites around the web. The second reason, however, was that most security tools I wanted to use were native to Linux and it was just easier to install them on my Ubuntu laptop and always have them available. You never know when you might get the urge to….um…nevermind. I tried running them as virtual machines in VMware for a while but I found the inability to use all the computing resources on the laptop a little limiting. There are several pretty good suites out there that do a good job of compiling tools (e.g. Backtrack, my fave) but it lacks some of the tools found in other suites.

I was quite pleased when I came across Katana, which is a multi-boot suite that combines multiple security distributions (and you can add more) on one bootable USB. By default, it comes with the following:

- Backtrack 4
- the Ultimate Boot CD
- Organizational Systems Wireless Auditor (OSWA) Assistant
- the Ultimate Boot CD for Windows
- Got Root? Slax
- Ophcrack Live
- Damn Small Linux
- Damn Vulnerable Linux

It also includes “over 100 portable Windows applications”. Katana v1.0 can be downloaded from the developer’s site here.
