
Pen Testing

  • 26-12-2014 4:45pm
    #1
    Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭


    I was wondering, what are the best applications to run on a server and pen test against? I have no issue setting up web and SQL servers and PHP on my machine. I was also wondering what are the best tools to use to find vulnerabilities, crack them as a proof of concept, then patch any holes?

    At the moment I'm using simple browser extensions in Firefox such as XSS Me, SQL Injection Me and HackBar, to name but a few. I also use Wireshark, Nmap and Kismet for network testing and sniffing.


Comments

  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    Check out Kali Linux, tools galore


  • Moderators, Computer Games Moderators, Technology & Internet Moderators Posts: 19,242 Mod ✭✭✭✭L.Jenkins


    Grabbing a copy of the distro now.


  • Registered Users, Registered Users 2 Posts: 1,215 ✭✭✭harney


    Using Kali you could save yourself configuring servers and point yourself at the following VMs:

    Metasploitable
    http://www.offensive-security.com/metasploit-unleashed/Main_Page

    Web Goat
    https://code.google.com/p/webgoat/

    They are designed to be vulnerable, to test yourself.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    harney wrote: »
    Using Kali you could save yourself configuring servers and point yourself at the following VMs:

    Metasploitable
    http://www.offensive-security.com/metasploit-unleashed/Main_Page

    Web Goat
    https://code.google.com/p/webgoat/

    They are designed to be vulnerable, to test yourself.

    There's also VulnHub for a whole load more intentionally vulnerable VMs to play around with.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭Stuxnet


    +1 for Kali & Metasploitable, lots of YT vids on both.


  • Registered Users, Registered Users 2 Posts: 163 ✭✭BrianDug


    De-ICE VMs are also worth keeping in mind
    http://hackingdojo.com/pentest-media/


  • Registered Users, Registered Users 2 Posts: 6,889 ✭✭✭tolosenc


    You probably want an intercepting proxy for web/app testing. We use Burp Pro in work, but the free version and also ZAP are very good too.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    tolosenc wrote: »
    You probably want an intercepting proxy for web/app testing. We use Burp Pro in work, but the free version and also ZAP are very good too.

    I prefer ZAP myself (but have both). I'm not slagging Burp, just prefer ZAP and analysis that we did with both when running through our acceptance test suite indicated that they were about as good as each other.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    I prefer ZAP myself (but have both). I'm not slagging Burp, just prefer ZAP and analysis that we did with both when running through our acceptance test suite indicated that they were about as good as each other.

    I chain Burp and ZAP together and sometimes ZAP finds stuff Burp didn't.

    Been playing a lot with w3af recently and really like it. It may become my new go-to attack tool. It's written in Python so extending it becomes very easy, compared to the other 2 which are Java based.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    ZAP finds stuff Burp didn't

    Yeah, I found that too. It's good to have both.

