Text 13052, 58 rader
Skriven 2006-09-25 18:58:30 av Rich Gauszka (1:379/45)
Ärende: free security tools that really work
============================================
From: "Rich Gauszka" <gauszka@hotmail.com>

http://www.infoworld.com/article/06/09/22/39OPsecadvise_1.html
  Many of Foundstone's tools became instant computer security classics, such
as Superscan (an excellent port scanner), Fport (a port enumerator), stress
testing tools, and all sorts of malware scanners. These are programs and tools
that Foundstone's own expert consultants and penetration testers use during
security audits: When Foundstone has a security need that begs automation, one
of its many excellent programmers codes a quick program. I'm still surprised by
how many of our internal tools end up being given away on the Web.

But it is the last round of tools that have really caught my eye. If you
haven't taken a look at Foundstone's free security tools in a few months, you
really owe yourself another visit. Here's a summary of my favorites:

-- Fscrack is a Windows GUI front end to John the Ripper. "John," as we pen
testers like to call it, is the fastest free password hash cracker available.
What it does, it does well. It has dozens of options and ways to customize, but
as a command-line tool, user-friendliness isn't one of its strong points. GUIs
slow down command-line tools, but Foundstone made a GUI front end that makes
configuration a snap, and the resulting syntax command then runs in the normal
command-line mode. It's similar to Nmapfe, if you are familiar with Nmap's GUI
front-end tool.

-- HackPack is a simple concept that allows security administrators to keep
many of their most popular security tools up to date. Think RSS feeds for your
security tools.

-- Hacme Platform (Hacme Casino, Hacme Bookstore, Hacme Shipping, and so on)
is a collection of local virtual Web-based environments made just for hacking.
You install and then learn how to exploit common vulnerabilities. Developed for
a wide range of technologies (.Net, Java, ASP, Cold Fusion MX, and so on), the
idea is to use these tools to teach your developers what not to do.

-- SiteDigger allows you to penetration-test a Web site by checking for
vulnerabilities using information found in Google's cache -- it requires use of
a Google API license, also free. Yes, you can pen-test a Web site without the
site ever being aware of your direct presence. SiteDigger checks for common
vulnerabilities as identified by Foundstone and uses the even larger database
collected at Johnny Long's Google Hacking Database site.

-- WSDigger is a black box pen-testing tool for Web services.

Of course, Insecure.org's Top 100 Network Security Tools Web site is the best
security tool list on the planet. You can take a look at top network security
tools as voted by nmap-hackers mailing list participants.

The listprovides a good summary description of each tool, displays the platform
they run on, and tells you whether the tool is free or commercial. Most are
free. Even if you've been doing computer security for years, if you haven't
visited this list, you will pick up a handful of utilities that you'll use the
rest of your career.

And as always, be sure to thank the vendors and developers who give us our
excellent tools.

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)