[Owasp-leaders] list of good pen testing tools

Tony UcedaVelez tonyuv at owasp.org
Fri Nov 18 12:28:51 EST 2011


Agree with Andre and add Watobo and Samurai-WTF. O2 and ZAP are
definitely in the mix and great tools. Would like to see JBroFuzz get
to their level if maturity.

Tony UV

Sent from my Windows Phone
From: Andre Gironda
Sent: 11/18/2011 10:33 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] list of good pen testing tools
On Fri, Nov 18, 2011 at 9:10 AM, Dennis Groves <dennis.groves at owasp.org> wrote:
> The only list you need:
>
> OWASP O2.
>
> O2 is an Extensible Automated Application Security Testing Toolkit.

O2 is great, but it's heavily steeped in .NET and I'm not sure if it's
Mono friendly or not.

Basic tools such as VMware Workstation 8, BackTrack 5, Metasploit
Community Edition, NeXpose Community Edition, and the Web Exploitation
Framework are seriously really nice to have when they are all wrapped
in a nice Linux package. There might be some other tools to add into
that Linux mix, such as Esearchy-NG, Oedipus, Arachni, etc. Check out
http://securityaegis.com or http://zerocold.co.uk for the latest and
greatest pen-testing tools and methodologies.

If you have more money than just the cost of VMware Workstation 8,
then you probably also want to get Burp Suite Professional, IDA Pro,
Paros Pro, Netsparker Pro, or cool gear from HakShop. If you have a
ton of money, then consider Hex-Rays, some commercial SAST/IAST, and
some intelligence-oriented applications such as MaltEgo or i2
Analyst's Notebook. Also consider some expensive gear such as SILICA
from Immunity Security or some Xilinx-enabled gear from Ettus
Research. I would say don't bother with expensive commercial
vulnerability assessment or penetration-testing tools, such as Qualys,
CORE Impact, Metasploit Express/Pro, etc. Everybody uses those
already. I think nmap with the vulscan NSE script will get you better
results, especially once you start using your brainpower to mix in
some heavy-lifting with the open-source Metasploit and Web
Exploitation (wXf) Frameworks.

I find myself spending a lot of time in Eclipse, IntelliJ IDEA, and
Xcode for pen-testing recently. I don't think O2 is quite yet capable
of doing some things that these tools afford me, but I look forward to
that day.

-dre
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the OWASP-Leaders mailing list