Penetration Testing
Tools Update - 3rd week of october Oct 25 2009 09:43AM
SD List (list security-database com) (1 replies)
Tools Update - last week of october Oct 31 2009 08:11PM
SD List (list security-database com)

Here is the site's newsletter "Security Database Tools Watch"
This letter summarizes the articles and news items published since 7 days.

New articles

** Enhanced Mitigation Evaluation Toolkit v1.0.2 released **
by Tools Tracker Team
- 30 October 2009

Security mitigation technologies are technologies designed to make it more
difficult for an attacker to exploit vulnerabilities in a given piece of
software. The Enhanced Mitigation Evaluation Toolkit (EMET) is a toolkit
that allows certain security mitigation technologies to be applied to user
specified applications.

This utility builds on our current offerings in several key ways:

Until now, many of the available mitigations have required for an
application to be manually opted in and (...)


** Focus on HP's Scrawlr SQL injection tool **
by Tools Tracker Team
- 30 October 2009

Scrawlr, developed by the HP Web Security Research Group in coordination
with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a
website while simultaneously analyzing the parameters of each individual
web page for SQL Injection vulnerabilities.

Scrawlr is lightning fast and uses our intelligent engine technology to
dynamically craft SQL Injection attacks on the fly. It can even provide
proof positive results by displaying the type of backend database in use
and a list (...)


** SAINT® 7.1.5 Released **
by Tools Tracker Team
- 30 October 2009

SAINT is the Security Administrator?s Integrated Network Tool. It is
used to non-intrusively detect security vulnerabilities on any remote
target, including servers, workstations, networking devices, and other
types of nodes. It will also gather information such as operating system
types and open ports. The SAINT graphical user interface provides access to
SAINT?s data management, scan configuration, scan scheduling, and data
analysis capabilities through a web browser. Different aspects of (...)


** Wireshark v1.2.3, v1.0.10, and v1.3.1 Released **
by ToolsTracker
- 28 October 2009

Wireshark is the world?s most popular network protocol analyzer. It has
a rich and powerful feature set and runs on most computing platforms
including Windows, OS X, Linux, and UNIX. Network professionals, security
experts, developers, and educators around the world use it regularly. It is
freely available as open source, and is released under the GNU General
Public License version 2

Wireshark 1.2.3 (stable), 1.0.10 (old stable), and 1.3.1 (development)
have been released. (...)


** OAT v2.0 - OCS Assessment Tool - released **
by ToolsTracker
- 28 October 2009

OAT (OCS Assessment Tool) is an Open Source Security tool designed to
check the password strength of Microsoft Office Communication Server users.
After a password is compromised, OAT demonstrates potential UC attacks that
can be performed by legitimate users if proper security controls are not in

OCS == Microsoft Office Communications Server

OAT Modes

Internal Network Attack Mode

Internal network is a deployment scenario where OCS users have unfiltered
network connectivity to the (...)


** YARA v1.3 - A malware identification and classification tool **
by ToolsTracker
- 27 October 2009

YARA is a tool aimed at helping malware researchers to identify and
classify malware samples. With YARA you can create descriptions of malware
families based on textual or binary patterns contained on samples of those

Each description consists of a set of strings and a Boolean expression
which determines its logic.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be
used through its command-line interface or from your own Python scripts
with the yara-python (...)


** Acunetix WVS v6.5 build 20091027 released **
by ToolsTracker
- 27 October 2009

Acunetix Web Vulnerability Scanner (WVS) is an automated web application
security testing tool that audits your web applications by checking for
exploitable hacking vulnerabilities. Automated scans may be supplemented
and cross-checked with the variety of manual tools to allow for
comprehensive web site and web application penetration testing.

Bug fixes:

Fixed: Redirect on LoginSequenceStep was not followed correctly

Fix in URL Rewrite module to remove GetVars before matching (...)


** NetReconn v1.72 - released **
by ToolsTracker
- 27 October 2009

A small set of tools based on previous reference programs and scripts.
Currently consists of: tiny network strobe, sniffer and payload decoder.

These tools are not meant to replace current tools out there; they are
designed to be small, fast and "do one thing well".

Version 1.72

fixed ipdump manpage

added payload decoder ndecode

better input validation (still not perfect though)

converted to standard exit codes everywhere

nstrobe: Fixed AI_ADDRCONFIG error on NetBSD

deleted mini (...)


** DirSnatch v2.0 - listing directory **
by ToolsTracker
- 26 October 2009

This tool allows for export of directory listings of your web root. The
essence of the tool is very basic. If you want a nice and neat directory
listing in a format ready to request in an automated fashion this is your

This tool was developed with Ruby 1.8.6.

License: GNU General Public License v3

More information: here


** OpenSCAP v0.5.4 - released **
by ToolsTracker
- 26 October 2009

The OpenSCAP Project was created to provide an open-source framework to
the community which enables integration with the Security Content
Automation Protocol (SCAP) suite of standards and capabilities.

It is the goal of OpenSCAP to provide a simple, easy to use set of
interfaces to serve as the framework for community use of SCAP.

Version 0.5.4

new CPE model

evaluation of set objects and system characteristic output

implementation of variable model

bindings clean up

probes tune up, (...)


** Cain & Abel v4.9.35 - released **
by ToolsTracker
- 26 October 2009

Cain & Abel is a password recovery tool for Microsoft Operating Systems.
It allows easy recovery of various kind of passwords by sniffing the
network, cracking encrypted passwords using Dictionary, Brute-Force and
Cryptanalysis attacks, recording VoIP conversations, decoding scrambled
passwords, recovering wireless network keys, revealing password boxes,
uncovering cached passwords and analyzing routing protocol.

Version v4.9.35

Added Windows Firewall status detection on startup.

Added (...)


** CeWL v2.2 (Custom Word List generator) - released **
by ToolsTracker
- 24 October 2009

CeWL (Custom Word List generator) is a ruby app which spiders a given url
to a specified depth, optionally following external links, and returns a
list of words which can then be used for password crackers such as John the
Ripper. CeWL is pronounced "cool".

Version 2.2

Added grabbing words from the meta keywords and description tags, from
HTML comments and from select HTML attribute tags, currently alt and title.
If you want to add more attributes just edit the attribute_names array to


** Vicnum v1.3 [OWASP Project] - Released! **
by ToolsTracker
- 24 October 2009

A lightweight flexible vulnerable web application written in PERL and PHP.
It demonstrates common web application vulnerabilities such as cross site
scripting and session management issues.

Vicnum is helpful to IT auditors who need to hone web security skills and
can also be used by those setting up 'capture the flag' exercises or by
those who just want to have some fun with web assessments.

Vicnum the basics

A vulnerable web app using LAMP



Packaged as a Ubuntu (...)



CEO & Founder


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus