I'll give you a quick rundown of how I would set up an "attack box" using freeware apps...

I would start with a good mid-range laptop. I would recommend you use a version of Linux as an OS unless your company has a policy against it. I would start by loading a couple of nice freeware tools such as nmap (port scanner) http://www.nmap.org/ and Nessus (remote security scanner) http://www.nessus.org/ . Those would be the core tools I would use for any testing done.

Various other great tools I've used include:

Whisker - CGI vulnerability scanner - Good for checking for bad CGIs on any web server
http://www.wiretrip.net/rfp/

Saint - Another vulnerability checker - http://www.wwdsi.com/saint/

Sara - Another vulnerability checker - http://www-arc.com/sara/

These are just a few of the tons of tools out there. I would recommend you load some up and play with them in a lab to decide which you think are better for what you're doing.

Here is a link to a recent survey of the top 50 tools for pen-testing, complete with some great links to web sites etc.
http://www.nmap.org/tools.html

Hope this helps

-----Original Message-----
From: Eric R. Van Skike [mailto:vanskikeat_private]
Sent: Wednesday, July 25, 2001 12:08 AM
To: pen-testat_private
Subject: Tool kit assembly

I've been lurking for a while, and the vast amount of information that passes through this list has left me with a problem: too much information to process quickly :). It looks like I will need to do some penetration tests for the organization I work for in the not-too-distant future. The problem is, I do not really know where to begin as far as what programs would be appropriate. The organization I work for is currently just a Microsoft shop with very few non-MS services/programs made available to the masses.

And here begins my request... I was wondering if anyone on this list could give me recommendations of programs or websites that would be useful for someone (such as myself) who is creating a 'tool kit'. With the wide array of programs available, I'd like to avoid getting programs that are not up to par. Commercial or non-commercial is fine.

Thanks in advance for any help.

-Eric Van Skike
vanskikeat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:44:17 PDT