[AusNOG] Pen Testing Tools

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Dec 1 08:43:42 EST 2016


Shane,

On Wed, Nov 30, 2016 at 6:40 PM, Shane Chrisp <shane at 2000cn.com.au> wrote:
> I have a client who will be undergoing auditing and Pen Testing in a number
> of months' time, who would like to perform some basic tests themselves to
> find as much stuff as possible before engaging a professional services group
> to perform more thorough tests leading up to the main audit. Does anyone
> have any suggestions of tools, preferably free or very low cost to do these
> initial tests with?

Aside from having no initial cost of ownership, these are common to most
auditors and hence you can eliminate the low-hanging fruit before it
is used as filler in their deliverable:
- https://nmap.org/download.html
- https://cirt.net/Nikto2
- https://github.com/rapid7/metasploit-framework/releases
- https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- http://sqlmap.org/
- https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php

You can also reuse the output of Nmap, i.e. -oA, as the input to
Nikto, Metasploit, etc. and if you can provide a recent Nmap output
file then their time will be consumed in later exploitation phases,
requiring expertise, rather than during the recon phase.

If you have trouble building these then they're already available on the
ISO and VM published by https://www.kali.org/downloads/ and this also
has an extensive list of FOSS, but less well known, that is installed
too.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

