Thursday, February 13, 2014


Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features: 

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets. 
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion. 
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors. 

The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. 

Download the latest version of Skipfish here

Detailed project documentation available here

Source: Skipfish 

Thursday, February 6, 2014

Netsparker - The False Positive Free Web Application Security Scanner

Netsparker is marketed as the only false-positive-free web application security scanner (a vendor claim, so its findings still deserve the same verification as any other scanner's). Its ease of use permits penetration testers to simply point it at their website(s) to automatically discover security flaws.


The tool can crawl, attack, and identify vulnerabilities in custom web applications regardless of the platform and technologies used to build them, much as an actual attacker would.

It can identify web application vulnerabilities such as SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more, and it has exploitation built in: for example, it can obtain a reverse shell from an identified SQL Injection, or extract data by running custom SQL queries through it.

The latest version of Netsparker - V 3.2 was released on 22nd January 2014.

The new version includes several new features and improvements that make web vulnerability scans more efficient, as well as a number of bug fixes. The main highlight of this version is the web services scanner: Netsparker can now scan web services and identify vulnerabilities and security issues in them automatically.

Download the 15-day trial edition of Netsparker Web Application Security Scanner here.

The FREE Community Edition, which is a SQL Injection scanner, is available for download here.

Source: Netsparker and Toolswatch.

Tuesday, February 4, 2014

Wapiti: The Web Application Vulnerability Scanner

Wapiti allows you to audit the security of your web applications.

It performs "black-box" scans, i.e. it does not study the source code of the application but scans the pages of the deployed web application, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.


Wapiti can detect the following vulnerabilities:
  • File disclosure (local and remote include/require, fopen, readfile...)
  • Database injection (PHP/JSP/ASP SQL injections and XPath injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Command execution detection (eval(), system(), passthru()...)
  • CRLF injection (HTTP Response Splitting, session fixation...)
  • XXE (XML eXternal Entity) injection
  • Use of known potentially dangerous files (thanks to the Nikto database)
  • Weak .htaccess configurations that can be bypassed
  • Presence of backup files giving sensitive information (source code disclosure)

Wapiti supports both the GET and POST HTTP methods for attacks. It also supports multipart forms and can inject payloads into filenames (file uploads), displays a warning when an anomaly is found (for example 500 errors and timeouts), and distinguishes between permanent and reflected XSS vulnerabilities.
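The two scanners above share one working principle: find every place the application accepts input, inject there, and classify what comes back. The toy scanner below is an added example written for this page, not code from Wapiti or Skipfish. It crawls a start page for links and forms, probes each parameter, and reports reflected XSS (the marker comes back in the direct response), permanent XSS (the marker reappears on a later, separate request, which is how Wapiti tells the two apart), server-side anomalies (a 500 after a stray quote), and a blind injection found the way Skipfish's differential checks work: a true condition leaves the page identical to the baseline while a false one changes it. The target is a constructed, deliberately vulnerable in-memory application standing in for HTTP; its paths, the `revisit` page, and the `send` callback interface are all assumptions made for the example.

```python
"""Toy black-box web scanner in the style of Wapiti/Skipfish: crawl a page for
links and forms, inject into every parameter, and classify what comes back as
reflected XSS, permanent XSS, a server error, or a blind injection found by
differential comparison. The target is an in-memory stand-in for HTTP."""
import itertools
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# ---- constructed target (hypothetical, deliberately vulnerable) --------------
_guestbook = []   # stored comments, rendered unescaped

def target(method, path, params):
    """Stand-in for an HTTP client call: returns (status, body)."""
    if path == "/":
        return 200, ('<a href="/search?q=test">search</a> <a href="/item?id=1">item</a>'
                     '<form method="post" action="/guestbook"><input name="comment"></form>')
    if path == "/search":                      # reflected, unescaped
        return 200, "Results for: " + params.get("q", "")
    if path == "/guestbook":                   # stored, unescaped
        if method == "POST":
            _guestbook.append(params.get("comment", ""))
        return 200, "<ul>" + "".join(f"<li>{c}</li>" for c in _guestbook) + "</ul>"
    if path == "/item":                        # emulates: SELECT ... WHERE id = <raw>
        raw = params.get("id", "")
        if "'" in raw:
            return 500, "SQL syntax error"
        found = raw.startswith("1") and not raw.endswith("1=2")
        return 200, "Item found" if found else "No such item"
    return 404, "not found"

# ---- scanner ----------------------------------------------------------------
class _Extractor(HTMLParser):
    """Collect links and forms (method, action, input names) from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"method": a.get("method", "get").upper(),
                          "action": a.get("action", "/"), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

def discover(send, start="/"):
    """Injection points found on the start page: (method, path, {param: sample})."""
    _, body = send("GET", start, {})
    ex = _Extractor()
    ex.feed(body)
    points = []
    for href in ex.links:
        u = urlsplit(href)
        points.append(("GET", u.path, {k: v[0] for k, v in parse_qs(u.query).items()}))
    for f in ex.forms:
        points.append((f["method"], f["action"], {n: "x" for n in f["inputs"]}))
    return points

_seq = itertools.count()

def scan(send, start="/", revisit="/guestbook"):
    """Fuzz every parameter of every injection point; returns (kind, path, param) tuples."""
    findings = []
    for method, path, params in discover(send, start):
        for name in params:
            marker = f"wz{next(_seq)}<script>alert(1)</script>"   # unique per probe
            # 1. XSS: marker echoed unescaped. Seen again on a later, separate
            #    request -> permanent; seen only in the direct response -> reflected.
            _, body = send(method, path, {**params, name: marker})
            if marker in send("GET", revisit, {})[1]:
                findings.append(("permanent_xss", path, name))
            elif marker in body:
                findings.append(("reflected_xss", path, name))
            # 2. anomaly: a stray quote breaks the back end (reported as a warning, not a proof)
            status, _ = send(method, path, {**params, name: params[name] + "'"})
            if status >= 500:
                findings.append(("anomaly_500", path, name))
            # 3. differential check: a true condition must leave the page identical
            #    to the baseline while a false one changes it (blind injection).
            baseline = send(method, path, params)[1]
            true_page = send(method, path, {**params, name: params[name] + " AND 1=1"})[1]
            false_page = send(method, path, {**params, name: params[name] + " AND 1=2"})[1]
            if true_page == baseline and false_page != baseline:
                findings.append(("blind_injection", path, name))
    return findings

if __name__ == "__main__":
    for kind, path, param in scan(target):
        print(f"{kind:16} {path} param={param}")
```

Two design points worth noting. The marker is unique per probe, otherwise a stored payload from one parameter would be mis-attributed to every later one. And the differential check compares whole response bodies, which is why real scanners first fingerprint how much a page changes between two identical requests (timestamps, CSRF tokens, view counters) before trusting "identical to baseline" as a signal.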

General features:
  • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...)
  • Can suspend and resume a scan or an attack
  • Can give you colors in the terminal to highlight vulnerabilities
  • Different levels of verbosity
  • Fast and easy way to activate/deactivate attack modules
  • Adding a payload can be as easy as adding a line to a text file

Browsing features:
  • Support HTTP and HTTPS proxies
  • Authentication via several methods: Basic, Digest, Kerberos or NTLM
  • Ability to restrict the scope of the scan (domain, folder, webpage)
  • Automatic removal of a parameter in URLs
  • Safeguards against scan endless-loops (max number of values for a parameter)
  • Possibility to set the first URLs to explore (even if not in scope)
  • Can exclude some URLs of the scan and attacks (eg: logout URL)
  • Import of cookies (get them with the wapiti-cookie and wapiti-getcookie tools)
  • Can activate / deactivate SSL certificates verification
  • Extract URLs from Flash SWF files
  • Tries to extract URLs from JavaScript (very basic JS interpreter)
  • HTML5 aware (understands recent HTML tags)
Wapiti is a command-line application.

Here is an example output against a vulnerable web application.

You may find some useful information in the README and the INSTALL files.

Download Wapiti here
Source: Sourceforge

Sunday, February 2, 2014


Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.


Wireshark is cross-platform, using the GTK+ widget toolkit in current releases, and Qt in the development version, to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including GNU/Linux, OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all of the traffic travelling through the switch will necessarily be sent to the port on which the capture is being done, so capturing in promiscuous mode will not necessarily be sufficient to see all traffic on the network. Port mirroring or various network taps extend capture to any point on the network. Simple passive taps are extremely resistant to tampering.

On Linux, BSD, and OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode.
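The promiscuous-mode paragraph above describes a filter that lives in the NIC, not in Wireshark, and it is easy to misjudge what a capture will and will not contain. The following added example (written for this page; it is not Wireshark or libpcap code) builds a handful of constructed Ethernet frames, writes them as a libpcap file image, reads the file back, and then models the NIC's destination filter in both modes. The frames, MAC addresses and the simplification that a non-promiscuous NIC accepts any multicast group (real hardware accepts only the groups the host has joined) are assumptions made for the example.

```python
"""Constructed pcap round trip plus a model of the NIC's destination filter, to
show what a capture sees with and without promiscuous mode."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic, written little-endian below
LINKTYPE_ETHERNET = 1
BROADCAST = b"\xff" * 6

def mac(text):
    """'00:0c:29:aa:bb:cc' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ethernet(dst, src, ethertype, payload=b"\x00" * 46):
    """Raw Ethernet II frame: dst, src, type, payload (padded to the 60-byte minimum)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def write_pcap(frames):
    """Serialise frames into a libpcap (not pcapng) file image."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a libpcap file image back into its raw frames."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames

def nic_accepts(frame, own_mac, promiscuous=False):
    """Model the NIC's destination-address filter.

    Without promiscuous mode an interface delivers only frames addressed to its
    own unicast address, the broadcast address, or a multicast group it has
    joined (simplified here to 'any multicast', i.e. the group bit is set).
    Promiscuous mode accepts everything the switch port actually delivers."""
    dst = frame[:6]
    if promiscuous or dst == mac(own_mac) or dst == BROADCAST:
        return True
    return bool(dst[0] & 0x01)

def summarise(frame):
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype, = struct.unpack_from("!H", frame, 12)
    return f"{src} -> {dst} type=0x{ethertype:04x}"

# ---- constructed sample capture ---------------------------------------------
OWN_MAC = "00:0c:29:aa:bb:cc"
SAMPLE_PCAP = write_pcap([
    ethernet(OWN_MAC, "00:50:56:00:00:01", 0x0800),              # IPv4 to us
    ethernet("00:0c:29:11:22:33", "00:50:56:00:00:01", 0x0800),  # IPv4 to another host
    ethernet("ff:ff:ff:ff:ff:ff", "00:0c:29:11:22:33", 0x0806),  # ARP broadcast
    ethernet("01:00:5e:00:00:fb", "00:0c:29:11:22:33", 0x0800),  # mDNS multicast
    ethernet("00:0c:29:11:22:33", "00:0c:29:de:ad:01", 0x0800),  # two other hosts talking
])

def capture(data, own_mac, promiscuous):
    """Frames a capture on this interface would contain, as one-line summaries."""
    return [summarise(f) for f in read_pcap(data) if nic_accepts(f, own_mac, promiscuous)]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}")
        for line in capture(SAMPLE_PCAP, OWN_MAC, mode):
            print("  ", line)
```

Writing `SAMPLE_PCAP` to disk gives a file that `tshark -r` opens. The model also makes the switch caveat concrete: the two frames between other hosts only exist in the sample because they were put there by hand; on a switched port they never reach the NIC at all, which is exactly why port mirroring or a tap is needed rather than promiscuous mode alone.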

Download Wireshark here

Source: Wikipedia

Tuesday, January 14, 2014

w3af: Web Application Attack and Audit Framework

The Web Application Attack and Audit Framework, also referred to as w3af, was started by Andres Riancho in March 2007 and is released as an open-source web application security scanner. In July 2010 it was announced that w3af was sponsored by and partnered with Rapid7.

At its core is a vulnerability scanner and exploitation tool aimed at auditing the security of web applications. This free tool is written in Python and is commonly used by penetration testers to provide information pertaining to security vulnerabilities of a particular web application.

This scanner can identify a wide range of web application vulnerabilities through its more than 130 plug-ins. Once identified, penetration testers may exploit vulnerabilities such as blind SQL injections, OS commanding, remote file inclusions (PHP), cross site scripting (XSS), as well as unsafe file uploads as a means of gaining access to the remote system.

The plugins available for w3af are categorised as follows:

  • Discovery
  • Audit
  • Grep
  • Attack
  • Output
  • Mangle
  • Evasion
  • Bruteforce

w3af is supported on a host of operating systems including Microsoft Windows, Linux, and Mac OS X, FreeBSD and OpenBSD and can be operated via graphical user interface (GUI) or command line interface (CLI). While older versions of the scanner had a fully working installer for Windows, the latest version has not been tested on this platform.

The project initially used Sourceforge as its base of operations, but has since migrated to Github.

Linux, Mac, and BSD users may download the source from w3af's Github repository as follows:

git clone
cd w3af

After cloning the repository and running the commands above, any unmet dependencies are listed along with the commands needed to install them. Once these have been installed, w3af can be started with the following command:


If you prefer to run w3af via console or command line, execute w3af_console and install the required dependencies.

More information on w3af can be found at the following site dedicated to the project:

Thursday, February 21, 2013


Yersinia is a network tool designed to take advantage of weaknesses in several layer-2 network protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems.

Currently, some network protocols are implemented and others are coming (tell the project which one you would like to see next). Attacks for the following network protocols are implemented (and you are of course free to implement new ones):
  • Spanning Tree Protocol (STP)
  • Cisco Discovery Protocol (CDP)
  • Dynamic Trunking Protocol (DTP)
  • Dynamic Host Configuration Protocol (DHCP)
  • Hot Standby Router Protocol (HSRP)
  • IEEE 802.1Q
  • IEEE 802.1X
  • Inter-Switch Link Protocol (ISL)
  • VLAN Trunking Protocol (VTP)
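Every protocol in that list shares the weakness Yersinia exploits: a switch trusts whatever control frames arrive on a port. STP is the clearest case, since bridges elect as root whichever bridge advertises the lowest bridge ID, and any host that can send BPDUs can advertise one. The example below is added for this page (it is not Yersinia code): it parses IEEE 802.1D configuration BPDUs out of raw frames and flags any frame whose advertised root ID beats the root the network is supposed to have, which is what such a takeover looks like on the wire. The frame builder exists only to construct samples; the MAC addresses, the expected root and the sample traffic are all assumptions.

```python
"""Parse IEEE 802.1D configuration BPDUs out of raw Ethernet frames and flag any
frame advertising a root bridge ID better (lower) than the expected root.
Frames here are constructed; the builder exists only to make samples."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00, bridge group address
LLC_STP = b"\x42\x42\x03"                        # DSAP/SSAP 0x42, UI control field
BPDU_LEN = 35                                     # configuration BPDU length

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def bridge_id(priority, mac_text):
    """8-byte bridge ID: 2-byte priority followed by the bridge MAC. Lower wins."""
    return struct.pack("!H", priority) + mac(mac_text)

def build_config_bpdu(src_mac, root_id, root_cost, bridge, port_id=0x8001,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """802.3 frame (length field, not EtherType) + LLC + configuration BPDU."""
    bpdu = struct.pack("!HBBB", 0x0000, 0, 0, 0)   # protocol ID, version, type=config, flags
    bpdu += root_id + struct.pack("!I", root_cost) + bridge + struct.pack("!H", port_id)
    bpdu += struct.pack("!HHHH", msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)  # 1/256 s units
    assert len(bpdu) == BPDU_LEN
    return STP_MULTICAST + mac(src_mac) + struct.pack("!H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu

def parse_bpdu(frame):
    """Return a dict for a configuration BPDU, or None for any other frame."""
    if (len(frame) < 14 + len(LLC_STP) + BPDU_LEN or frame[:6] != STP_MULTICAST
            or frame[14:17] != LLC_STP):
        return None
    proto, _version, bpdu_type, flags = struct.unpack_from("!HBBB", frame, 17)
    if proto != 0 or bpdu_type != 0:
        return None
    root_cost, = struct.unpack_from("!I", frame, 30)
    return {
        "src": frame[6:12].hex(":"),
        "root_id": frame[22:30],                                  # priority + MAC, as sent
        "root_priority": struct.unpack_from("!H", frame, 22)[0],
        "root_mac": frame[24:30].hex(":"),
        "root_cost": root_cost,
        "bridge_mac": frame[36:42].hex(":"),
        "flags": flags,
    }

def rogue_root_claims(frames, expected_root_id):
    """BPDUs advertising a root ID that compares lower (better) than the legitimate
    root's. Big-endian bytes compare the same way the integer STP uses, priority first."""
    hits = []
    for frame in frames:
        b = parse_bpdu(frame)
        if b is not None and b["root_id"] < expected_root_id:
            hits.append(b)
    return hits

# ---- constructed sample traffic --------------------------------------------
ROOT_ID = bridge_id(32768, "00:11:22:33:44:55")               # the switch that should be root
ATTACKER = "00:0c:29:de:ad:01"
SAMPLE_FRAMES = [
    build_config_bpdu("00:11:22:33:44:55", ROOT_ID, 0, ROOT_ID),                               # from the root
    build_config_bpdu("00:aa:bb:cc:dd:01", ROOT_ID, 4, bridge_id(32768, "00:aa:bb:cc:dd:01")),  # downstream switch
    b"\xff" * 6 + mac(ATTACKER) + b"\x08\x06" + b"\x00" * 46,                                   # ARP, not a BPDU
    build_config_bpdu(ATTACKER, bridge_id(0, ATTACKER), 0, bridge_id(0, ATTACKER)),             # host claiming root
]

if __name__ == "__main__":
    for hit in rogue_root_claims(SAMPLE_FRAMES, ROOT_ID):
        print(f"rogue root claim from {hit['src']}: priority {hit['root_priority']} mac {hit['root_mac']}")
```

The detector is deliberately dumb about topology: it only needs to know which bridge ID should be root. In practice the fix is not detection but configuration, which is why switches offer BPDU Guard and Root Guard for access ports, so that a BPDU from a host port shuts the port down instead of re-electing the root.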
Download Yersinia here

Monday, February 18, 2013

SANS Investigative Forensic Toolkit (SIFT) Workstation Version 2.14

An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern forensic tool suite, is also featured in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.

SIFT 2.0 was a massive success; SIFT 2.14 hopes to again exceed expectations. As voted by you, the readers, the 2010 Toolsmith Tool of the Year was SIFT 2.0. The SANS Investigative Forensic Toolkit (SIFT) Workstation Version 2.0, as discussed in May's ISSA Journal, is a Linux distribution that is preconfigured for forensic investigations. SIFT 2.0 includes all the tools a forensic analyst/incident responder would require to conduct a thorough system investigation. I particularly favor it for memory analysis - grab a memory image from your victim system, pull it back to your SIFT VM and get down to business in no time flat.

Read more about the SANS Investigative Forensic Toolkit (SIFT) Workstation here

Download SIFT Workstation VMware Appliance - 1.5 GB

Download SIFT Workstation Installation DVD (.iso) - 1.5 GB