Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found  here.

Related posts:

1. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
2. Backtrack 4 Final Released!! Backtrack is a linux-based penetration testing suite of tools  used...
3. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

Google has released an open-source Web security scanner called Skipfish that is designed to allow people to scan Web applications for security holes.

The tool scans a Web application for flaws including “tricky scenarios” such as blind SQL or XML injection, Google developer Michal Zalewski said in the Skipfish wiki.

Skipfish prepares a site map annotated with interactive crawl results, highlighting flaws, after a recursive crawl and dictionary-based probing of the target site. The tool can also generate a final report that can be used as a basis for a security assessment.

Read more of “Google releases Skipfish Web-security scanner” at ZDNet UK.

Related posts:

1. Pause your Google History Have you ever used your Google search history? If you...
2. Lynis – Security and System Auditing Tool Lynis is an auditing tool for Unix (specialists). It scans...
3. Virtual Networking and Security Training Tool As someone who works in an environment where I have...

Sahi is an open source testing tool for web applications, with the facility to record and playback scripts. Developed in Java, C and Javascript, this tool uses simple Javascript to execute events in the browser.

Features:

In-browser controls
Intelligent recorder
Text-based scripts
Ant support for playback of suites of tests
Multi-threaded playback from a command line
HTTP and HTTPS support
AJAX support

Sahi runs as a proxy server which intercepts traffic from the web browser and records the web browsing actions. Sahi can play back those recorded actions by injecting Javascript into the browser so it can access elements in the web page. This makes the tool independent of the website/ web application.

Read more and download it here:

http://www.darknet.org.uk/2010/03/sahi-web-automation-application-security-testing-tool/

Related posts:

1. Google Informs users of terminination of support for IE6 I received this email from the good offices of Google...
2. Skipfish-Web Scanning Security Tool from Google Google has released an open-source Web security scanner called Skipfish...
3. Web Application Security Testing White Paper The need to provide web security and defend web applications...

• Combination of user / plain-text password.
• Combination of user / NTLM hash.
• Combination of user / NTLM logon session token.

If any valid credentials has been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, then he will be prompted with an interactive SMB shell where the user can:

• Spawn an interactive command prompt.
• Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
• Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
• List users details, domains and password policy.

You can download keimpx 0.2 here:

keimpx-0.2.zip

source: http://www.darknet.org.uk/2010/02/keimpx-open-source-smb-credential-scanner/

Related posts:

1. 100+ Open Source Security Tools Security testing  or assessment is a process to determine that...
2. 5 Open Source Alternatives to Microsoft Office The Microsoft Office productivity suite has risen to become the...
3. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

Dr. Ali Jahangiri

Download it here: http://www.livehacking.com/cd-dvd/download.htm

Read the full press release here: http://www.free-press-release-center.info

Related posts:

1. Backtrack 4 Final Released!! Backtrack is a linux-based penetration testing suite of tools  used...
2. Cloud-based…hacking?? I assigned my class a research paper on the security...
3. Free episodes of Hakin9 Magazine posted Hakin9 is a source of advanced, practical guidelines regarding the...

Related posts:

1. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
2. More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...
3. Brevity is the soul of…..getting yourself infected with all kinds of nasties! Would you click on the link : http://www.click-here-to-give-me-access-to-all-your-computer-files.com? No? How...

Confidentiality: A security measure which protects against the disclosure of information to parties other than the intended recipient(s). Often ensured by means of encoding, using a defined algorithm and some secret information known only to the originator of the information and the intended recipient(s) (a process known as cryptography) but that is by no means the only way of ensuring confidentiality.

Integrity: A measure intended to allow the receiver to determine that the information which it receives has not been altered in transit or by other than the originator of the information. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check rather than encoding all of the communication.

Authentication: A measure designed to establish the validity of a transmission, message, or originator. It allows a receiver to have confidence that the information it receives originated from a specific known source.

Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.

Availability: Assuring information and communications services will be ready for use when expected. Information must be kept available to authorized persons when they need it.

Non-repudiation: A measure intended to prevent the later denial that an action happened, or a communication took place, etc. In communication terms, this often involves the interchange of authentication information combined with some form of provable time stamp.

I’ve listed 100+ free and open source tools used in security testing here.

Related posts:

1. keimpx – New Open Source SMB Credential Scanner keimpx is an open source tool, released under a modified...
2. How many security tools can you fit on your key chain? When I first started running Ubuntu as my laptop OS...
3. 5 Open Source Alternatives to Microsoft Office The Microsoft Office productivity suite has risen to become the...

The principal focus of the testing should on the application under test. This means that the vulnerability of the surrounding environment is not under test, nor are for example Internet facing firewalls, except in their relationship to the application. Therefore it would be appropriate for the Vendor to confirm that the firewalls are configured correctly for this application and that no unnecessary ports are allowed through. Conversely, the vendor should be instructed not to test your firewalls beyond this.

The test should include a paper review of the architectural design, before beginning testing. The review should validate the physical placement of the various network components servers, and identify potential issues or security weaknesses.

It should be left to the vendor to use their judgment as to which particular tests are relevant to a particular application. There are two exceptions to this.

• If it can be seen that the vendors proposed testing is not comprehensive enough, then the project should insist on extending the scope to include additional areas of testing.
• If in the opinion of the project, the tests proposed would have a undesirable effect on production infrastructure or applications. In this case steps must be taken to achieve the same testing via an alternative manner. For example, this may involve the use of application disaster recovery equipment.

While its difficult to specifically prescribe which tests are appropriate for any generic set of applications, in principal you should consider the following where applicable:

• Password cracking scan of password files on servers.
• An on-box scan for security vulnerabilities.
• An examination of client-side application for information that reveals information about how the application functions that could be used for a more focused attack.
• Examination of client-side code and locally stored information such as cookies and session information. This should include alterations to such information in an attempt to:

- subvert authentication checking – establish the bounds of server reliance on client data fields – test for other unexpected results and potentially access confidential information.

• Bounds checking and application validation for both accidental and mischievous input. The test should ensure that applications correctly respond to unexpected data formats or sizes.
• Potential for buffer overflows.
• Examination of application-to-application interaction between resources such as the web service and back-end data feeds. Attempts are made to access application resources by impersonating other system functions or sources.
• An examination of application-level traffic passing between various host systems for passwords, CGI parameters, and other data that might be reused as part of an exploitation attempt.
• Conduct authenticated user testing to see if they can abuse the system as a “customer”.
• Attempted permission escalation by, for example, referencing application components with higher server-side permissions, or exploitation of race conditions to identify lax permission or authentication checking.
• Susceptibility of the application to replay attack and man in the middle attacks.
• Other session orientated attacks, including an analysis of system responses to such data.
• Susceptibility of the application to specially crafted packets delivered independently of the front end application checking.
• Investigation of robustness and resilience of application Authentication mechanisms.
• Software-specific manufacturer-recognised exploits
• Content sharing vulnerabilities
• Presence of deployment process vulnerabilities
• Presence of activation process vulnerabilities
• Request process vulnerabilities
• File and user permission vulnerabilities
• Cluster connectivity vulnerabilities
• Excess build and configuration weaknesses
• Application of applicable security patches, fixes and updates
• Legacy application code development weaknesses
• SQL injection weaknesses
• Cross-scripting vulnerabilities
• Potential to fraud the application
• Encryption and authentication vulnerabilities
• Defacement weaknesses
• Redirections vulnerabilities
• Administration rights & controls
• Sniffer attack vulnerabilities

Some applications may have a number of identical components in the architecture, e.g. a web-enabled application may have 4 web servers in parallel for loading reasons. In these cases, the project should ensure that the vendor is testing all instances of the components. Extending the web server example further, this would mean that each web servers operating system would need to be tested to ensure that any hardening processes undertaken had been completed on each of the servers.

This does not mean that each instance of the actual application code running on each web server is subjected to all tests. In other words it should be sufficient to conduct data validation tests against only 1 of the servers

It happens more often that one would think, but there have been many cases of penetration tests launching attacks against networks that were not authorised for testing. Therefore the project must ensure the vendor knows the limits that they are working under. It is worth asking the vendor what methods they use to limit unintentional damage to your network.

Lastly, the vendor should be reminded by the project that any information collected is to be treated in confidence, and that they must take appropriate steps to ensure any data retained by them is secured and destroyed securely when no longer required.

Author: Penny Reyes
Article Source: EzineArticles.com
Provided by: Smart cooker

Related posts:

1. SAHI – Web Automation & Application Security Testing Tool Sahi is an automation tool to test web applications. Sahi...
2. Web Application Security Testing White Paper The need to provide web security and defend web applications...
3. Revealed – 5 Web Application Security Threats How secure are your Web applications and your Web application...

BackTrack 4 (codenamed “pwnsauce”) includes a new kernel, a larger and expanded toolset repository, custom tools that you can only find on BackTrack, and more importantly, fixes to most major bugs that we knew of. You can install and use it as your primary operating system, run it as a live cd, from a usb drive, or as a virtual machine.

Some of the tools included in the suite are: Metasploit, Kismet, Autoscan, Nmap, Ettercap, Wireshark, etc. These tools can be used for network, system and wireless reconnaissance, enumeration and penetration.

I use the backtrack suite in teaching my ethical hacking class. It is a great tool for anyone interested in learning to perform security assessments.

Other suites with similar functionality can be found in a previous post.

Related posts:

1. How many security tools can you fit on your key chain? When I first started running Ubuntu as my laptop OS...
2. Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added Metasploit provides useful information and tools for penetration testers, security...
3. Live Hacking CD based on Ubuntu?? Get out!! Dr. Ali Jahangiri, the well known security expert and author...

I was quite pleased when I came across Katana, which is a multi-boot suite that combines multiple security distributions ( and you can add more ) to one bootable USB. By default, it comes with the following:

- Backtrack 4
- the Ultimate Boot CD
- Organizational Systems Wireless Auditor (OSWA) Assistiant
- the Ultimate Boot CD for Windows
- Got Root? Slax
- Ophcrack Live
- Damn Small Linux
- Damn Vulnerable Linux

It also includes “over 100 portable Windows applications”. Katana v1.0 can be downloaded from the developer’s site here.

Related posts:

1. Aaaah The Infamous Blue Screen of Death On Tuesday, Microsoft issued a patch, MS10-015,  to fix a...
2. Recent Microsoft Update BSOD may be caused by Rootkit Last week, I posted here about the recent pandemic of...
3. 100+ Open Source Security Tools Security testing  or assessment is a process to determine that...

Related posts:

1. Backtrack 4 Final Released!! Backtrack is a linux-based penetration testing suite of tools  used...
2. Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added Metasploit provides useful information and tools for penetration testers, security...
3. SAHI – Web Automation & Application Security Testing Tool Sahi is an automation tool to test web applications. Sahi...