11 tools
Metasploit took the security world by storm when it was released in
2004. It is an advanced open-source platform for developing, testing,
and using exploit code. The extensible model through which payloads,
encoders, no-op generators, and exploits can be integrated has made it
possible to use the Metasploit Framework as an outlet for cutting-edge
exploitation research. It ships with hundreds of exploits, as you can
see in their list of modules.
This makes writing your own exploits easier, and it certainly beats
scouring the darkest corners of the Internet for illicit shellcode of
dubious quality. One free extra is Metasploitable,
an intentionally insecure Linux virtual machine you can use for testing
Metasploit and other exploitation tools without hitting live servers.
Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).
The Metasploit Framework now includes an official Java-based GUI and also Raphael Mudge's excellent Armitage. The Community, Express, and Pro editions have web-based GUIs. Read 10 reviews.
Latest release: version 4.9 on March 26, 2014 (5 months ago).
W3af is an extremely popular, powerful, and flexible framework for
finding and exploiting web application vulnerabilities. It is easy to
use and extend and features dozens of web assessment and exploitation
plugins. In some ways it is like a web-focused Metasploit.
Read 15 reviews.
Latest release: version 1.1 on Oct. 11, 2011 (2 years, 10 months ago).
Core Impact isn't cheap (be prepared to spend at least $30,000), but
it is widely considered to be the most powerful exploitation tool
available. It sports a large, regularly updated database of professional
exploits, and can do neat tricks like exploiting one machine and then
establishing an encrypted tunnel through that machine to reach and
exploit other boxes. Other good options include Metasploit and Canvas.
Read 5 reviews.
Latest release: version 12 on Aug. 8, 2011 (3 years ago).
sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking over
of back-end database servers. It comes with a broad range of features,
from database fingerprinting to fetching data from the DB and even
accessing the underlying file system and executing OS commands via
out-of-band connections. The authors recommend using the development
release from their Subversion repository.
Read 9 reviews.
Latest release: version 0.9 on April 11, 2011 (3 years, 4 months ago).
Canvas is a commercial vulnerability exploitation tool from Dave Aitel's ImmunitySec. It includes more than 370 exploits and is less expensive than Core Impact or the commercial versions of Metasploit. It comes with full source code, and occasionally even includes zero-day exploits.
Read 1 review.
Latest release: version 6.73 on Oct. 26, 2011 (2 years, 10 months ago).
Latest release: version 0.2.6-r1 on April 29, 2012 (2 years, 4 months ago).
Netsparker is a web application security scanner, with support for
both detection and exploitation of vulnerabilities. It aims to be false
positive–free by only reporting confirmed vulnerabilities after
successfully exploiting or otherwise testing them.
Read 4 reviews.
Latest release: version 1.8.3.3 on Feb. 10, 2011 (3 years, 6 months ago).
BeEF is a browser exploitation framework. This tool will demonstrate
the collecting of zombie browsers and browser vulnerabilities in
real-time. It provides a command and control interface which facilitates
the targeting of individual or groups of zombie browsers. It is
designed to make the creation of new exploit modules easy.
Read 3 reviews.
Latest release: version 0.4.5.0 on April 25, 2014 (4 months ago).
dradis is an open source framework to enable effective sharing of
information among participants in a penetration test. It is a
self-contained web application that provides a centralised repository of
information to keep track of what has been done so far, and what is
still ahead. It has plugins to read and collect the output of a variety
of network scanning tools, like Nmap, Burp Suite, and Nikto.
Review this tool.
Latest release: version 2.6.1 on Feb. 11, 2011 (3 years, 6 months ago).
Latest release: version 5.3 RC1 on Nov. 1, 2009 (4 years, 10 months ago).
11 tools
(6) ★★★★½ Metasploit
Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).
The Metasploit Framework now includes an official Java-based GUI and also Raphael Mudge's excellent Armitage. The Community, Express, and Pro editions have web-based GUIs. Read 10 reviews.
Latest release: version 4.9 on March 26, 2014 (5 months ago).
★★★½ w3af
Latest release: version 1.1 on Oct. 11, 2011 (2 years, 10 months ago).
(4) ★★★★½ Core Impact
Latest release: version 12 on Aug. 8, 2011 (3 years ago).
(7) ★★★★½ sqlmap
Latest release: version 0.9 on April 11, 2011 (3 years, 4 months ago).
(1) ★★★★★ Canvas
Latest release: version 6.73 on Oct. 26, 2011 (2 years, 10 months ago).
(58) ★★★★★ Social Engineer Toolkit
The Social Engineer Toolkit incorporates many useful social-engineering attacks all in one interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. It can automatically generate exploit-hiding web pages or email messages, and can use Metasploit payloads to, for example, connect back with a shell once the page is opened. Read 73 reviews.no rating sqlninja
sqlininja exploits web applications that use Microsoft SQL Server as a database backend. Its focus is on getting a running shell on the remote host. sqlninja doesn't find an SQL injection in the first place, but automates the exploitation process once one has been discovered. Review this tool.Latest release: version 0.2.6-r1 on April 29, 2012 (2 years, 4 months ago).
(4) ★★★★★ Netsparker
Latest release: version 1.8.3.3 on Feb. 10, 2011 (3 years, 6 months ago).
no rating BeEF (#77, new!)
Latest release: version 0.4.5.0 on April 25, 2014 (4 months ago).
no rating dradis
Latest release: version 2.6.1 on Feb. 11, 2011 (3 years, 6 months ago).
(1) ★★★★★ WebGoat
WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. Read 1 review.Latest release: version 5.3 RC1 on Nov. 1, 2009 (4 years, 10 months ago).
11 tools
0 comments:
Post a Comment