General Discussion | Vulnerability Assessment Tools

Author	Message	Time
MrRaza	Since I just was hired on a Vulnerability Assessment and Auditing Specialist for a major bank, and having my own arsenal of tools, I was wonder what other useful tools or utilities the community might have, and if they wanted to list any. I'm interested to see what people come up with, especially to help me and expand what I already have. If the tools or program costs money, no problem, there's lots of money where I work to buy licenses, no pun intended. Websites are also welcome too. Don't mention SANS, got that one already ;)....	August 27, 2008, 7:00 PM
iago	Nessus is generally the baseline tool for VA. It's $1250/year for commercial use, so it's not terribly expensive. OpenVAS is an open alternative to Nessus, although it's not 'there' yet. I've heard that OSSIM has something similar, but I haven't looked into it. Nmap is getting ramped up for VA, although that's going to take some time. But Nmap + manual digging/verification can be ok if it's small scale. AppScan is a good Web server scanner, designed for custom applications, although Web stuff still requires a lot of manual work. I think it's something like $20k/year, but I can't remember. AppDetective is good for database scanning, whether for VA or for compliance auditing. Not sure about the price on that one. And, of course, CORE Impact is a great tool for pen-testing, but that's above and beyond most VAs (depending on what the goals/terms are). It runs about $30k/year. There are a lot of other cool tools for penetration testing, too, but there are too many to list. I've started keeping track of good free tools I like on my wiki. Those are the main ones I use, although depending on the situation you never know. :)	August 27, 2008, 7:33 PM
Kp	For your tests, what're you allowed to do? For example, can you run scans that may crash badly coded applications? Are you focused on knowing what's in the network or on checking that known programs are secure? Are you validating programs that are only available to employees/contractors, or is there a risk that J. Random Hacker on the Internet can try to hit the target? Are the scanned targets mostly running closed source third party stuff, or can you get the source to the targets (either because they're OSS or because they were written in house)? If the latter, source code analysis tools would be worth checking as well. You might be able to find vulnerabilities through code analysis without ever touching a production application.	August 28, 2008, 2:37 AM
MrRaza	[quote author=Kp link=topic=17618.msg179526#msg179526 date=1219891053] For your tests, what're you allowed to do? For example, can you run scans that may crash badly coded applications? Are you focused on knowing what's in the network or on checking that known programs are secure? Are you validating programs that are only available to employees/contractors, or is there a risk that J. Random Hacker on the Internet can try to hit the target? Are the scanned targets mostly running closed source third party stuff, or can you get the source to the targets (either because they're OSS or because they were written in house)? If the latter, source code analysis tools would be worth checking as well. You might be able to find vulnerabilities through code analysis without ever touching a production application. [/quote] Sorry about the late response... I start the job on the 4th, so I don't know the exact details yet, but in the interview they stated several times that strong networking, TCP/IP protocol and Windows OS skills would be necessary, which I have from my diploma and CCNA/CCNP. They also said that I'd be performing security assessments on servers with the help of serveral tools (commercial and freeware) to determine networking and operating system vulnerablilities. They also mentioned some programming would be involved, specifically ASP/PERL. And then from there, I'd track and and review those vulnerabilities and generate reports, and proceed to present my findings. I could go on, but I don't want to. It seems like an interesting opportunity, I'm assuming that they'd have their own in house applications,they also asked if I was decent at creating and reviewing ACL hits. Here's from the job description, "- Working with the the Forensics Team the employee would be required to perform the following activities: - Data Management /acquisition with Encase - Worm outbreak response - contacting *** and arranging drive acquisition, follow up - System administration and data management - Honeypot project - Maintain Viral outbreak root cause matrix - Support Internal Investigations by assisting IT Analyst - Privacy - submitting Customerlink Inquiry tracking jobs "	August 29, 2008, 4:07 PM
MrRaza	[quote author=iago link=topic=17618.msg179525#msg179525 date=1219865584] Nessus is generally the baseline tool for VA. It's $1250/year for commercial use, so it's not terribly expensive. OpenVAS is an open alternative to Nessus, although it's not 'there' yet. I've heard that OSSIM has something similar, but I haven't looked into it. Nmap is getting ramped up for VA, although that's going to take some time. But Nmap + manual digging/verification can be ok if it's small scale. AppScan is a good Web server scanner, designed for custom applications, although Web stuff still requires a lot of manual work. I think it's something like $20k/year, but I can't remember. AppDetective is good for database scanning, whether for VA or for compliance auditing. Not sure about the price on that one. And, of course, CORE Impact is a great tool for pen-testing, but that's above and beyond most VAs (depending on what the goals/terms are). It runs about $30k/year. There are a lot of other cool tools for penetration testing, too, but there are too many to list. I've started keeping track of good free tools I like on my wiki. Those are the main ones I use, although depending on the situation you never know. :) [/quote] Nessus is very good, espeically with the report generation. OSSIM is bomb, so amazing. I also like using black track2 or 3, for metasploit and kismet. Spectrum OneClick, uses java, and provide the status of switches and routers, and also the ability to click and view the most relevant device information. BASE is also a very well built tool. It also depends on how you are going about determining network security, different methodologies have different tools and steps that are used, for instance OSSTMM. Dynamips/Dynagen/GS3 is also good for testing how network will react with routers virtually before deployment. NMAP is good for monitoring specific client as well as a range of addresses. NBAR works well on a core router to determine what protocols are going through that particular switch. Cain and Abel is handy to test whether man in the middle attacks are possible, and various layer 2 vulnerabilities exist (DHCP Snooping and Dynamic ARP Inspection).	August 30, 2008, 9:09 AM

Author

Message

Time

MrRaza

Since I just was hired on a Vulnerability Assessment and Auditing Specialist for a major bank, and having my own arsenal of tools, I was wonder what other useful tools or utilities the community might have, and if they wanted to list any. I'm interested to see what people come up with, especially to help me and expand what I already have. If the tools or program costs money, no problem, there's lots of money where I work to buy licenses, no pun intended.

Websites are also welcome too.

Don't mention SANS, got that one already ;)....

August 27, 2008, 7:00 PM

iago

Nessus is generally the baseline tool for VA. It's $1250/year for commercial use, so it's not terribly expensive. OpenVAS is an open alternative to Nessus, although it's not 'there' yet. I've heard that OSSIM has something similar, but I haven't looked into it.

Nmap is getting ramped up for VA, although that's going to take some time. But Nmap + manual digging/verification can be ok if it's small scale.

AppScan is a good Web server scanner, designed for custom applications, although Web stuff still requires a lot of manual work. I think it's something like $20k/year, but I can't remember.

AppDetective is good for database scanning, whether for VA or for compliance auditing. Not sure about the price on that one.

And, of course, CORE Impact is a great tool for pen-testing, but that's above and beyond most VAs (depending on what the goals/terms are). It runs about $30k/year. There are a lot of other cool tools for penetration testing, too, but there are too many to list. I've started keeping track of good free tools I like on my wiki.

Those are the main ones I use, although depending on the situation you never know. :)

August 27, 2008, 7:33 PM

For your tests, what're you allowed to do? For example, can you run scans that may crash badly coded applications? Are you focused on knowing what's in the network or on checking that known programs are secure? Are you validating programs that are only available to employees/contractors, or is there a risk that J. Random Hacker on the Internet can try to hit the target? Are the scanned targets mostly running closed source third party stuff, or can you get the source to the targets (either because they're OSS or because they were written in house)? If the latter, source code analysis tools would be worth checking as well. You might be able to find vulnerabilities through code analysis without ever touching a production application.

August 28, 2008, 2:37 AM

MrRaza

[quote author=Kp link=topic=17618.msg179526#msg179526 date=1219891053]
For your tests, what're you allowed to do? For example, can you run scans that may crash badly coded applications? Are you focused on knowing what's in the network or on checking that known programs are secure? Are you validating programs that are only available to employees/contractors, or is there a risk that J. Random Hacker on the Internet can try to hit the target? Are the scanned targets mostly running closed source third party stuff, or can you get the source to the targets (either because they're OSS or because they were written in house)? If the latter, source code analysis tools would be worth checking as well. You might be able to find vulnerabilities through code analysis without ever touching a production application.
[/quote]

Sorry about the late response...

I start the job on the 4th, so I don't know the exact details yet, but in the interview they stated several times that strong networking, TCP/IP protocol and Windows OS skills would be necessary, which I have from my diploma and CCNA/CCNP. They also said that I'd be performing security assessments on servers with the help of serveral tools (commercial and freeware) to determine networking and operating system vulnerablilities. They also mentioned some programming would be involved, specifically ASP/PERL. And then from there, I'd track and and review those vulnerabilities and generate reports, and proceed to present my findings.

I could go on, but I don't want to. It seems like an interesting opportunity, I'm assuming that they'd have their own in house applications,they also asked if I was decent at creating and reviewing ACL hits.

Here's from the job description,

"- Working with the the Forensics Team the employee would be required to perform the following activities:
- Data Management /acquisition with Encase
- Worm outbreak response - contacting *** and arranging drive acquisition, follow up
- System administration and data management
- Honeypot project
- Maintain Viral outbreak root cause matrix
- Support Internal Investigations by assisting IT Analyst
- Privacy - submitting Customerlink Inquiry tracking jobs
"

August 29, 2008, 4:07 PM

MrRaza

[quote author=iago link=topic=17618.msg179525#msg179525 date=1219865584]
Nessus is generally the baseline tool for VA. It's $1250/year for commercial use, so it's not terribly expensive. OpenVAS is an open alternative to Nessus, although it's not 'there' yet. I've heard that OSSIM has something similar, but I haven't looked into it.

Nmap is getting ramped up for VA, although that's going to take some time. But Nmap + manual digging/verification can be ok if it's small scale.

AppScan is a good Web server scanner, designed for custom applications, although Web stuff still requires a lot of manual work. I think it's something like $20k/year, but I can't remember.

AppDetective is good for database scanning, whether for VA or for compliance auditing. Not sure about the price on that one.

And, of course, CORE Impact is a great tool for pen-testing, but that's above and beyond most VAs (depending on what the goals/terms are). It runs about $30k/year. There are a lot of other cool tools for penetration testing, too, but there are too many to list. I've started keeping track of good free tools I like on my wiki.

Those are the main ones I use, although depending on the situation you never know. :)

[/quote]

Nessus is very good, espeically with the report generation. OSSIM is bomb, so amazing. I also like using black track2 or 3, for metasploit and kismet. Spectrum OneClick, uses java, and provide the status of switches and routers, and also the ability to click and view the most relevant device information. BASE is also a very well built tool. It also depends on how you are going about determining network security, different methodologies have different tools and steps that are used, for instance OSSTMM. Dynamips/Dynagen/GS3 is also good for testing how network will react with routers virtually before deployment. NMAP is good for monitoring specific client as well as a range of addresses. NBAR works well on a core router to determine what protocols are going through that particular switch. Cain and Abel is handy to test whether man in the middle attacks are possible, and various layer 2 vulnerabilities exist (DHCP Snooping and Dynamic ARP Inspection).

August 30, 2008, 9:09 AM

Valhalla Legends Forums Archive | General Discussion | Vulnerability Assessment Tools