Open source tools for penetration testing


Dev

Jul 2, 2011, 7:53:11 AM
to null, er.dev....@gmail.com
Hi Team,

Hello to the team. I am in very urgent need to find an open source tool
that can do the best penetration testing of an application which has a
login and scan the complete website to generate a report for all the
vulnerabilities.

There is an IBM tool, AppScan, which scans the application and generates
a comprehensive report. My need is to find a similar tool which can do
the same and generate a report but should be open source.

Kindly help me, I'll be very thankful.

Regards,
Devender

AmarDeep Singh

Jul 2, 2011, 9:13:40 AM
to null-...@googlegroups.com
Devender,

OWASP has a good list available at: https://www.owasp.org/index.php/Appendix_A:_Testing_Tools#Fuzzer

Take a look at the WebScarab Project: https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project



Thanks,
Amardeep Singh


--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

This list is supported by Institute of Information Security http://iisecurity.in
Real-world hackers, real-world training – Certified Professional Hacker at IIS (http://iisecurity.in)

TAS

Jul 2, 2011, 9:18:37 AM
to null-...@googlegroups.com, er.dev....@gmail.com
Arachni, Skipfish and w3af. Be careful with skipfish.
-
TAS
http://twitter.com/p0wnsauc3

TAS

Jul 2, 2011, 12:30:32 PM
to Devender Sharma, null-...@googlegroups.com
Yes. They generate reports.

-
TAS
http://twitter.com/p0wnsauc3


From: Devender Sharma <er.dev....@gmail.com>
Date: Sat, 2 Jul 2011 20:17:54 +0530
Subject: Re: [null] Open source tools for penetration testing

Thanks. Will these tools automatically scan the complete website and generate reports?


Gaurav Shah

Jul 3, 2011, 1:43:14 AM
to null-...@googlegroups.com, Devender Sharma

But be careful of false negatives which will also be generated by these tools.

Don't completely rely on automated scanners for finding vulnerabilities.


Devender Sharma

Jul 4, 2011, 2:07:53 PM
to Bhalla, Nish, null-...@googlegroups.com

Can anyone please tell me the way to generate reports from WebScarab?

On 3 Jul 2011 12:18, "Bhalla, Nish" <nish....@securitybyte.org> wrote:

http://keystream.subgraph.com/2011/07/01/vega-beta-release/

An interesting new tool.

Nish



webDEViL

Jul 4, 2011, 2:41:10 PM
to null-...@googlegroups.com
Why do you have to take care with skipfish?
--
Regards,
webDEViL


TAS

Jul 4, 2011, 10:53:55 PM
to null-...@googlegroups.com
It generates more HTTP traffic compared to the other scanners that I listed. And it was only a word of caution.

Dhiraj Ranka

Jul 5, 2011, 2:58:09 AM
to null-...@googlegroups.com
I have used Arachni; it produces more false positives, but on the other hand it has an enormous list of checks for directory listing, XSS, etc., and the reports are also very good. So sometimes, if you are lucky, it gives some excellent findings.

Here are some commands for the same

to load all available modules and audit all forms, links and cookies.

same thing with verbose output. The results will be saved in the example.com.afr file.

$ arachni -fv http://example.com --report=afr:outfile=example.com.afr

to create a report using .afr:

$ arachni --repload=example.com.afr --report=html:outfile=example_report.html

or any other report type as shown by:

$ arachni --lsrep

It also maintains its forum at https://github.com/zapotek/arachni, where you can post your issues.

-- 
Be in my web world,
http://dhirajranka.com/
http://twitter.com/dhirajranka/