
Wednesday, August 3, 2011

VAPT Tools




Vulnerability Assessment And Penetration Testing Tools

VAPT: Vulnerability Assessment And Penetration Testing
Vulnerability assessment is a process in which IT systems such as computers and networks, and software such as operating systems and application software, are scanned in order to identify the presence of known and unknown vulnerabilities.


As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists.


Hackers are concentrating their efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases.


VAPT can be performed in the following nine-step process:

Scope:
While performing assessments and tests, the scope of the assignment needs to be clearly defined. The scope is based on the assets to be tested. The following are the three possible scopes:


Black Box Testing: Testing from an external network with no prior knowledge of the internal networks and systems.
Gray Box Testing: Testing from an external or internal network, with knowledge of the internal networks and systems. This is usually a combination of black box testing and white box testing.
White Box Testing: Performing the test from within the network with the knowledge of the network architecture and the systems. This is also referred to as internal testing.

Information Gathering

The purpose of information gathering is to obtain as much information as possible about the IT environment, such as networks, IP addresses, operating system versions, etc. This is applicable to all three types of scope discussed earlier.


Vulnerability Detection

In this process, tools such as vulnerability scanners are used, and vulnerabilities are identified in the IT environment by way of scanning.

Information Analysis and Planning

This process is used to analyze the identified vulnerabilities, combined with the information gathered about the IT environment, to devise a plan for penetrating into the network and system.


Penetration Testing


In this process, the target systems are attacked and penetrated using the plan devised in the earlier process.


Privilege Escalation
After successful penetration into the system, this process is used to identify and escalate access to gain higher privileges, such as root access or administrative access to the system.


Result Analysis

This process is used to perform a root cause analysis of the successful compromise that led to penetration of the system, and to devise suitable recommendations in order to make the system secure by plugging the holes in the system.


Reporting

All the findings that are observed during the vulnerability assessment and penetration testing process need to be documented, along with the recommendations, in order to produce the testing report to the management for suitable actions.

Cleanup


Vulnerability assessment and penetration testing involves compromising the system, and during the process, some of the files may be altered. This process ensures that the system is brought back to its original state, as it was before the testing, by cleaning up (restoring) the data and files used in the target machines.


FIMAP
FIMAP is a local and remote file inclusion (LFI/RFI) auditing tool.
Fimap is a small Python tool which can find, prepare, audit, exploit and even search Google automatically for local and remote file inclusion bugs in web apps. Fimap is intended to be something like sqlmap, but for LFI/RFI bugs instead of SQL injection.





ZAProxy v1.3.0 – Integrated Penetration Testing Tool


ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Main Features:
Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, Beanshell integration.

Download 
ZAP v1.3.0
Windows Installer – ZAP_1.3.0_Windows.exe
Linux Installer – ZAP_1.3.0_Linux.tar.gz


Burp Suite Free Edition v1.4 – Web Application Security Testing Tool


Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Download Burp Suite Free Edition v1.4
burpsuite_v1.4.zip    


Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner includes many innovative features:

1. AcuSensor Technology
2. An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications.
3. Industry's most advanced and in-depth SQL injection and cross-site scripting testing.
4. Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer.
5. Visual macro recorder makes testing web forms and password-protected areas easy.
6. Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms.
7. Extensive reporting facilities including VISA PCI compliance reports.
8. Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease.
9. Intelligent crawler detects web server type and application language.
11. Acunetix crawls and analyzes websites including flash content, SOAP and AJAX.
12. Port scans a web server and runs security checks against network services running on the server.

