Tag Archives: Penetration Testing

Penetration Testing Resources

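Open Source Black Box Testing Tools
General Testing
• OWASP WebScarab
• OWASP CAL9000: CAL9000 is a collection of browser-based tools that make manual testing faster and more efficient. It includes an XSS attack library, character encoder/decoder, HTTP request generator and response evaluator, testing checklist, automated attack editor and much more.
• OWASP Pantera Web Assessment Studio Project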
• SPIKE – http://www.immunitysec.com
• Paros – http://www.parosproxy.org
• Burp Proxy – http://www.portswigger.net
• Achilles Proxy – http://www.mavensecurity.com/achilles
• Odysseus Proxy – http://www.wastelands.gen.nz/odysseus/
• Webstretch Proxy – http://sourceforge.net/projects/webstretch
• Firefox LiveHTTPHeaders, Tamper Data and Developer Tools – http://www.mozdev.org
• Sensepost Wikto (Google cached fault-finding) – http://www.sensepost.com/research/wikto/index2.html
• Grendel-Scan – http://www.grendel-scan.com

Testing for Specific Vulnerabilities

Testing Flash

  • OWASP SWFIntruder – http://www.owasp.org/index.php/Category:SWFIntruder, http://www.mindedsecurity.com/swfintruder.html

Testing AJAX

  • OWASP Sprajax Project

Testing for SQL Injection

  • OWASP SQLiX
  • Multiple DBMS SQL Injection tool – SQL Power Injector
  • MySQL Blind Injection Bruteforcing, Reversing.org – [sqlbftools]
  • Antonio Parata: Dump Files by SQL inference on Mysql – [SqlDumper]
  • Sqlninja: a SQL Server Injection & Takeover Tool – http://sqlninja.sourceforge.net
  • Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool – http://sqlmap.sourceforge.net
  • Absinthe 1.1 (formerly SQLSqueal) – http://www.0x90.org/releases/absinthe/
  • SQLInjector – http://www.databasesecurity.com/sql-injector.htm
  • bsqlbf-1.2-th – http://www.514.es

Testing Oracle

  • TNS Listener tool (Perl) – http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
  • Toad for Oracle – http://www.quest.com/toad

Testing SSL

  • Foundstone SSL Digger – http://www.foundstone.com/resources/proddesc/ssldigger.htm

Testing for Brute Force Password

  • THC Hydra – http://www.thc.org/thc-hydra/
  • John the Ripper – http://www.openwall.com/john/
  • Brutus – http://www.hoobie.net/brutus/
  • Medusa – http://www.foofus.net/~jmk/medusa/medusa.html

Testing for HTTP Methods

  • NetCat – http://www.vulnwatch.org/netcat

Testing Buffer Overflow

  • OllyDbg – http://www.ollydbg.de

o “A Windows-based debugger used for analyzing buffer overflow vulnerabilities”

  • Spike – http://www.immunitysec.com/downloads/SPIKE2.9.tgz

o A vulnerability-checking framework that can be used to explore vulnerabilities and perform length testing

  • Brute Force Binary Tester (BFB) – http://bfbtester.sourceforge.net

o A proactive binary checker

  • Metasploit – http://www.metasploit.com/projects/Framework/

o A rapid attack generation and testing framework

Fuzzing Tools

  • WSFuzzer

Googling

  • Foundstone Sitedigger (Google cached fault-finding) – http://www.foundstone.com/resources/proddesc/sitedigger.htm

Commercial Black Box Testing Tools

  • Typhon – http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
  • NGSSQuirreL – http://www.ngssoftware.com/products/database-security/
  • Watchfire AppScan – http://www.watchfire.com
  • Cenzic Hailstorm – http://www.cenzic.com/products_services/cenzic_hailstorm.php
  • SPI Dynamics WebInspect – http://www.spidynamics.com
  • Burp Intruder – http://portswigger.net/intruder
  • Acunetix Web Vulnerability Scanner – http://www.acunetix.com
  • ScanDo – http://www.kavado.com
  • WebSleuth – http://www.sandsprite.com
  • NT Objectives NTOSpider – http://www.ntobjectives.com/products/ntospider.php
  • Fortify Pen Testing Team Tool – http://www.fortifysoftware.com/products/tester
  • Sandsprite Web Sleuth – http://sandsprite.com/Sleuth/
  • MaxPatrol Security Scanner – http://www.maxpatrol.com
  • Ecyware GreenBlue Inspector – http://www.ecyware.com
  • Parasoft WebKing (more QA-type tool)

OWASP Testing Guide v3.0

  • MatriXay – http://www.dbappsecurity.com
  • N-Stalker Web Application Security Scanner – http://www.nstalker.com

Source Code Analysis Tools: Open Source / Freeware

  • OWASP LAPSE
  • PMD – http://pmd.sourceforge.net/
  • FlawFinder – http://www.dwheeler.com/flawfinder
  • Microsoft’s FxCop
  • Splint – http://splint.org
  • Boon – http://www.cs.berkeley.edu/~daw/boon
  • Pscan – http://www.striker.ottawa.on.ca/~aland/pscan
  • FindBugs – http://findbugs.sourceforge.net

Source Code Analysis Tools: Commercial

  • Fortify – http://www.fortifysoftware.com
  • Ounce labs Prexis – http://www.ouncelabs.com
  • Veracode – http://www.veracode.com
  • GrammaTech – http://www.grammatech.com
  • ParaSoft – http://www.parasoft.com
  • ITS4 – http://www.cigital.com/its4
  • CodeWizard – http://www.parasoft.com/products/wizard
  • Armorize CodeSecure – http://www.armorize.com/product/
  • Checkmarx CxSuite – http://www.checkmarx.com

Acceptance Testing Tools: Open Source