An overview of free tools for pentest web-resources and not only v2
Free Pentester Web Application Tools
In this article I will talk about the most popular tools for pentesting (penetration tests) of web applications according to the "black box" strategy.
To do this, we will consider utilities that will help in this type of testing. Consider the following product categories:
- Network scanners
- Web Scripting Scanners
- Exploiting
- Automation Injection
- Debuggers (sniffers, local proxies, etc.)
Some products have a universal “character”, so I will relate them to the category in which they have a better result (subjective opinion).
Network scanners.
The main task is to reveal the available network services, install their versions, determine the OS, etc.
Nmap

Nmap (“Network Mapper”) is a free, open source utility for network analysis and system security auditing. Fierce opponents of the console can use Zenmap, this is a GUI to Nmap.
This is not just a “smart” scanner, it is a serious extensible tool (from “unusual chips” - the presence of a script to check the node for the presence of the “ Stuxnet " worm (mentioned here ). Typical example of use:
nmap -A -T4 localhost-A to determine the version of the OS, scan using scripts and traces
-T4 time management settings (more - faster, from 0 to 5)
localhost - target host
Anything tougher?
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all localhostThis is a set of options from the “slow comprehensive scan” profile in Zenmap. It takes quite a while to complete, but it also gives more detailed information that can be found out about the target system. A reference guide in Russian , if you decide to delve deeper, and I also recommend translating the Beginner's Guide to Nmap article .
Nmap has earned the “Security Product of the Year” status by magazines and communities such as the Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest.
An interesting point, Nmap can be seen in the films “Matrix: Reloaded”, “Die Hard 4”, “Bourne Ultimatum”, “Hottabych” and others .
IP Tools

IP-Tools - a kind of set of different network utilities, comes with a GUI, "dedicated" to windows users.
Scanner of ports, shared resources (shared printers / folders), WhoIs / Finger / Lookup, telnet client and much more. Just a convenient, fast, functional tool.
It makes little sense to consider other products, since there are a lot of utilities in this area and they all have a similar operating principle and functionality. Yet the most commonly used is nmap.
Web Scripting Scanners
Trying to find popular vulnerabilities (SQL inj, XSS, LFI / RFI, etc.) or errors (not deleted temporary files, indexing directories, etc.)
Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner - the link shows that this is an xss scanner, but this is not
Nikto

Nikto is an Open Source (GPL) web scanner. Eliminates routine manual work. Searches for undeleted scripts on the target site (some test.php, index_.php, etc.), database administration tools (/ phpmyadmin /, / pma and the like), etc., that is, checks the resource for the most frequent errors that usually arise due to the human factor.
Plus, if it finds some popular script, it checks it for released exploits (which are in the database).
Reports on available "unwanted" methods, such as PUT and TRACE.
Well and so on. It is very convenient if you work as an auditor and conduct website analysis every day.
Of the minuses, I would like to note a high percentage of false positives. For example, if your site instead of 404 errors (when it should occur) gives the main thing all the time, then the scanner will say that all the scripts and all vulnerabilities from its database are on your site. In practice, this is not so common, but as a fact, a lot depends on the structure of your site.
Classic use:
./nikto.pl -host localhostIf you need to be authorized on the site, you can set a cookie in the nikto.conf file, the STATIC-COOKIE variable.
Wikto

Wikto - Nikto under Windows, but with some additions like “fuzzy” logic when checking code for errors, using GHDB, receiving links and folders of a resource, real-time monitoring of HTTP requests / responses. Wikto is written in C # and requires the .NET framework.
skipfish

skipfish is a web vulnerability scanner from Michal Zalewski (known as lcamtuf). It is written in C, cross-platform (for Win you need Cygwin). Recursively (and for a very long time, about 20 ~ 40 hours, although the last time I worked 96 hours) it goes around the whole site and finds all kinds of security holes. It also generates a lot of traffic (several GB inbound / outbound). But all means are good, especially if there is time and resources.
Typical use:
./skipfish -o /home/reports www.example.comIn the “reports” folder there will be a report in html, an example .
w3af

w3af - Web Application Attack and Audit Framework, an open-source web vulnerability scanner. It has a GUI, but you can work from under the console. More precisely, this is a framework with a bunch of plugins .
You can talk about its advantages for a long time, it is better to try it:]
Typical work with it comes down to choosing a profile, specifying a goal and, in fact, launching it.
Mantra security framework

Mantra is a dream that came true . A collection of free and open security tools embedded in a web browser.
Very useful when testing web applications at all stages.
Usage comes down to installing and launching the browser.
In fact, there are a lot of utilities in this category and it is quite difficult to select a specific list from them. Most often, each pentester itself determines the set of tools it needs.
Exploiting
For automated and more convenient exploitation of vulnerabilities in software and scripts, they write exploits that only need to pass parameters in order to exploit a security breach. And there are products that eliminate the manual search for exploits, and even use them on the fly. This category will now be discussed.
Metasploit framework

The Metasploit® Framework is a kind of monster in our business. He knows so much that the instruction will be published in several articles. We will consider automatic exploitation (nmap + metasploit). The bottom line is that Nmap will analyze the port we need, install the service, and metasploit will try to apply exploits to it based on the class of service (ftp, ssh, etc.). Instead of a text instruction, I will insert a video, quite popular on the topic of autopwn
Or you can simply automate the operation of the exploit we need. For example: In fact, the capabilities of this framework are very extensive, so if you decide to go deeper, click on the link
msf > use auxiliary/admin/cisco/vpn_3000_ftp_bypass
msf auxiliary(vpn_3000_ftp_bypass) > set RHOST [TARGET IP]
msf auxiliary(vpn_3000_ftp_bypass) > run
Armitage

Armitage -
Screencast:
Tenable Nessus®

Tenable Nessus® vulnerability scanner - there are a lot of things that can do it, but we need one of the features from it - determining which services have exploits. Free version of the product "home only"
Use:
- Download (for your system), install, register (the key comes to the mail).
- Started the server, added the user to Nessus Server Manager (Manage users button)
- We go to the address
https: // localhost: 8834 /
and get the flash client in the browser - Scans -> Add -> fill in the fields (by selecting the scan profile that suits us) and click Scan
To check the practical vulnerability of services to exploits, you can use the Metasploit Framework described above or try to find an exploit (for example, on Explot-db , packet storm , explot search , etc.) and use it manually against your own IMHO systems
: too bulky. He brought him as one of the leaders in this area of the software industry.
Injection Automation
Many of the web app sec scanners perform injection searches, but they are still just common scanners. And there are utilities that are specifically involved in the search and operation of injections. They will be discussed now.
sqlmap

sqlmap is an open-source utility for finding and operating SQL injections. It supports such database servers as: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase, SAP MaxDB.
Typical use comes down to the line:
python sqlmap.py -u "http://example.com/index.php?action=news&id=1" Enough manuals, including in Russian. Softina greatly facilitates the work of the pentester when working on this area.
I will add the official video demonstration:
bsqlbf-v2
bsqlbf-v2 - perl script, bruteforcer of "blind" Sql injections. It works both with integer values in url and with string (string).
Supports DB:
- MS-SQL
- MySQL
- PostgreSQL
- Oracle
./bsqlbf-v2-3.pl -url www.somehost.com/blah.php?u=5 -blind u -sql "select table_name from imformation_schema.tables limit 1 offset 0" -database 1 -type 1
Debuggers
These tools are mainly used by developers in case of problems with the results of their code execution. But this direction is also useful in pentesting, when you can replace the data we need on the fly, analyze what comes in response to our input parameters (for example, with fuzzing), etc.
Burp suite
Burp Suite - A set of utilities that help with penetration tests. The web is a good review in Russian from Raz0r (true for 2008).
The free version includes:
- Burp Proxy - local proxy, allows you to change already generated requests from the browser
- Burp Spider - a spider looking for existing files and directories
- Burp Repeater - manually send HTTP requests
- Burp Sequencer - analysis of random values in forms
- Burp Decoder - a standard codec (html, base64, hex, etc.), of which there are thousands that can be quickly written in any language
- Burp Comparer - string matching component
Fiddler

Fiddler - Fiddler is a debugging proxy that logs all HTTP (S) traffic. Allows you to explore this traffic, set breakpoints and "play" with incoming or outgoing data.
There are also Firesheep , the monster Wireshark and others, the choice is the user.
Conclusion
Naturally, each pentester has its own arsenal and its own set of utilities, since there are simply a lot of them. I tried to bring some of the most convenient and popular. But so that anyone can get acquainted with other utilities in this direction, I will provide links below.
Various tops / lists of scanners and utilities
- Security and hacking tools
- Top 100 Network Security Tools
- Top 10 Web Vulnerability Scanners .
- Top 10 Vulnerability Scanners
- OWASP Top 10 Tools and Tactics
- Web-based Application Security Scanners
- Web Application Security Scanner List by WebAppSec
- Утилиты по infosec на форуме RDot
- Сканеры уязвимостей (Википедия)
Дистрибутивы Linux, в состав которых уже входит куча разных утилит для пентестинга
upd : BurpSuite documentation in Russian from the Hack4Sec team (added by AntonKuzmin )
PS You can't keep silent about XSpider. He does not participate in the review, although it is shareware (he found out when he sent the article to SecLab because of this (not knowledge, and lack of the latest version 7.8) and did not include it in the article). And in theory his review was planned (I have prepared difficult tests for him), but I don’t know if the world will see him.
PPS Some material from the article will be used for its intended purpose in the upcoming report on CodeFest2012 in the QA section, in which there will be tools not mentioned here (free, essno), as well as an algorithm, in what order to use, what result to expect, what configurations to use and all sorts of hints and tricks when working (I think about the report almost every day , I’ll try to tell from myself all the best on the topic topic)
By the way, according to this article there was a lesson at Open InfoSec Days ( tag on Habré , site ), you can