
https://pentest-tools.com/ Reputable?

  • 18-04-2015 8:27am
    #1
    Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭


    I just wanted to run some vulnerability tests on a friend's website, and came across this site https://pentest-tools.com/

    Is it reputable?


Comments

  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    edanto wrote: »
    I just wanted to run some vulnerability tests on a friend's website, and came across this site https://pentest-tools.com/

    Is it reputable?

    A friend's website? Really??! :rolleyes:

    Where is your 'friend's' website hosted? Is it sitting on his own server in his bedroom or elsewhere?

    Also, if you are looking at sites like that, I advise don't bother, as you clearly don't know what you're doing and could cause a lot more damage (leaving the legalities aside) than good.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Pentest-Tools.com is a collection of ethical hacking tools for penetration testers and network auditors who need to check the security of networks, public servers, websites or people.

    Penetration testers and network auditors should have their own tools at their disposal. Tools they know how to work, and know the effect, if any, running the tools can have on target systems.

    Is it reputable? Well I don't know any reputable pen testers who would use it, if that answers your question.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    heh, their 'tools' work against 127.0.0.1 ...


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Blowfish wrote: »
    heh, their 'tools' work against 127.0.0.1 ...

    It also passes the hostname or IP address directly to the tool in question, e.g. nmap. I wonder how good their user input sanitisation is. I'd bet good money there is an OS injection vuln there somewhere.

    Sounds like they need a pen tester to pen test their pen testing website.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    That answers the question very helpfully, and thanks.

    I know I'm not a pen-tester, I don't know the first thing about it, but my friend had an idle question about general website vulnerability and I assumed that someone would have put that service together.

    They have of course, it exists on https://www.qualys.com/ which I know to be reputable as they were one of the main sites that Heartbleed articles linked to (other than filippo.io of course). I'm using it now to do the basic patching/vulnerability scan (after telling the hosting company) and I'll see what it turns up. The effort and cost suit the need in this case. It's low value.

    While this simple and free approach is 'pentesting for dummies', that's clearly the level my question was pitched at so I don't know why I got the sarcy rolleyes from timmywex. I tend to learn a lot from reading posts here, no need to be so unfriendly to an obvious n00b question.

    Syklops, helpful as ever, thanks for that. The pentest-tools.com came up first in a Google search and I didn't even visit the site for the simple reason that it sounded like the kind of site that might try infect me just for visiting and I didn't fancy risking that without checking with someone.

    As you were gents.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    One pretty important thing to note though is that Qualys is basically just a vulnerability scanner. It'll miss out on a lot of important stuff, primarily around looking at how well the site is actually coded.

    syklops wrote: »
    It also passes the hostname or IP address directly to the tool in question, e.g. nmap. I wonder how good their user input sanitisation is. I'd bet good money there is an OS injection vuln there somewhere.

    Sounds like they need a pen tester to pen test their pen testing website.

    Indeed, it actually passed through '-1' to nmap when I put it in. It's stupidly open to trolling too, just point it at FBI/NSA sites...
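
The posts above describe a web front end that hands a user-supplied hostname or IP straight to nmap, accepts 127.0.0.1, and passes '-1' through as if it were a target. The following is an added example, not part of the thread and not pentest-tools.com's code, showing how such a front end can validate the target before building the command; the function names and the fixed `-sT -Pn` options are assumptions chosen for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class TargetRejected(ValueError):
    """Raised when user input is not an acceptable scan target."""


def validate_target(raw):
    """Return a normalised public hostname or IP address, or raise TargetRejected."""
    target = raw.strip()
    if not target or len(target) > 253:
        raise TargetRejected("empty or over-long target")
    if target.startswith("-"):
        # "-1" must never reach the tool, where it would be parsed as an option.
        raise TargetRejected("looks like a command-line option")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            # Covers 127.0.0.1, RFC 1918 ranges, link-local, ::1 and similar.
            raise TargetRejected("non-public address")
        return str(addr)
    labels = target.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        # Spaces, ';', '|', '$', backticks and bare words all fail here.
        raise TargetRejected("not a fully qualified hostname")
    if labels[-1][0].isdigit():
        # Shorthand such as "127.1" or "0x7f.1" is a numeric address, not a name.
        raise TargetRejected("numeric address shorthand")
    return ".".join(labels).lower()


def build_scan_argv(raw):
    """Build an argv list for subprocess.run(argv); no shell ever parses the input."""
    # The options are fixed by the service; the user supplies only the target.
    return ["nmap", "-sT", "-Pn", validate_target(raw)]


def is_allowed(raw):
    try:
        validate_target(raw)
        return True
    except TargetRejected:
        return False
```

A hostname that passes this check can still resolve to a loopback or private address, so the same `is_global` test has to be applied to the resolved address at scan time.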


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    edanto wrote: »
    That answers the question very helpfully, and thanks.

    I know I'm not a pen-tester, I don't know the first thing about it, but my friend had an idle question about general website vulnerability and I assumed that someone would have put that service together.

    They have of course, it exists on https://www.qualys.com/ which I know to be reputable as they were one of the main sites that Heartbleed articles linked to (other than filippo.io of course). I'm using it now to do the basic patching/vulnerability scan (after telling the hosting company) and I'll see what it turns up. The effort and cost suit the need in this case. It's low value.

    While this simple and free approach is 'pentesting for dummies', that's clearly the level my question was pitched at so I don't know why I got the sarcy rolleyes from timmywex. I tend to learn a lot from reading posts here, no need to be so unfriendly to an obvious n00b question.

    Syklops, helpful as ever, thanks for that. The pentest-tools.com came up first in a Google search and I didn't even visit the site for the simple reason that it sounded like the kind of site that might try infect me just for visiting and I didn't fancy risking that without checking with someone.

    As you were gents.

    If you want to PM me the site I can have a quick look at it for you. I might find something an automated scanner won't.

    You'll have to excuse timmywex, but if you hang out in InfoSec forums long enough you will inevitably get an "I am hacking/pen testing my "friend's" website and need help with a particular aspect" / thinly-veiled "do the difficult part for me please". He had maybe assumed you were one of these.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    Ah - I see. So the allusion was that I was trying to work professionally as a pen tester, and was coming to the forum here trying to frantically learn the basics before the client sussed what was up. Fair enough, my OP could easily have been read in that light and I understand where timmywex was coming from with that context. No sweat.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    edanto wrote: »
    Ah - I see. So the allusion was that I was trying to work professionally as a pen tester, and was coming to the forum here trying to frantically learn the basics before the client sussed what was up. Fair enough, my OP could easily have been read in that light and I understand where timmywex was coming from with that context. No sweat.

    Hey Edanto - makes more sense when you clarified, so apologies from me I guess :-)

    The internet is awash with "my friend knows a guy", "my friend did this", "want to do for a friend" etc. etc. where the friend doesn't exist, so with a short post, a link to the first Google result and a topic about hacking a website, that's what it seemed like!

    Just be careful that if you only run that Qualys scan you may actually miss a lot of stuff. There are some free web application scanners out there too (results can be hit and miss), so it may be worth having a look at them. Look up OWASP, and particularly the OWASP Top Ten, for some of the things to have a look at.

