August 5, 2010 at 10:49 pm #5434
I was wondering if anyone would happen to have any good suggestions on websites that have good updates of security tools. I used to check Security Database Tools Watch on a consistent basis and it was a great site for updated security tools. I also check out packetstorm on a consistent basis as well. I was just wondering if anyone may have any good suggestions on websites that update on new releases of security tools. Thanks for everyone’s help I appreciate it.
August 6, 2010 at 12:17 am #34331yatzParticipant
I usually watch the Hacker News network which is a weekly video cast, and they have a section called Tool Time which discusses new tools and the latest releases. There are probably better ones out there, that’s just the one I’m thinking of at the moment.
August 6, 2010 at 3:39 am #34332
Thanks I will for sure check it out, does anyone else have any sites?
August 6, 2010 at 3:51 am #34333dynamikParticipant
This is a good general list: http://sectools.org/ There was recently a new survey, so that will hopefully be updated soon.
New tools might be discussed in some general mailing lists: http://seclists.org/
If you’re looking to be notified about updates to specific tools, you should get on their respective mailing lists. Most are very light in traffic and only notify you when there’s an update.
Sites like Darker Reading or pod casts like PaulDotCom might touch upon notable releases as well.
August 6, 2010 at 5:49 am #34334
August 6, 2010 at 6:56 am #34335
August 6, 2010 at 12:11 pm #34336
In no specific order
Remember… You should at least *try* to understand how tools work and at one time, try making something similar for yourself. It allows you to understand the process of what the tool does a lot more yielding better (more granular) results.
August 6, 2010 at 2:54 pm #34337
@dynamik sectools.org is a good site but alot of there stuff is really outdated. I was hoping to look for something similar on how Security Database Tools Watch used to be where it would report out when a new update of a tool would be released.
@Equix3n- Thank you I do follow Tools Watch on twitter, once the website stopped being updated he stated that all of the information would be put through the twitter feed. I do look through the twitter feed, but it can be painful to read through.
@sil Thanks for the help. I knew comments like this were gonna pop up
“Remember… You should at least *try* to understand how tools work and at one time, try making something similar for yourself. It allows you to understand the process of what the tool does a lot more yielding better (more granular) results.”
Thats why I almost didn’t post. I do understand how the tools work I work with them everyday. I was just simply looking for any websites people would suggest. I am not trying to be rude to you, but it is comments like that that make people not want to post on this website at all.
I really do appreciate the help from everyone and thanks for the suggestions.
August 6, 2010 at 5:15 pm #34338
@steven my intent wasn’t to be rude, was to make one think about things for a second or two. E.g., I was just playing with Skipfish which is a kick … tool. It found many issues other similar scanners couldn’t find however, its noisy as heck and brutal on a webserver making an 8GB server running Apache almost come to a crawl. Because of the scanning methods Zalewski used – which differ from most – it was easy to parse similar things on the command line without using Skipfish, yet coming back to find vulnerabilities with curl (wget -qO – or links -dump), yet getting *almost* the same effect as using Skipfish.
Wasn’t to say “you know jack stop using tools… you don’t understand them…” was more to the tune of “don’t forget in testing most tests are (or should be) tailored, no tool fits one size” so apologies if it came across like that. EVERYONE has to use tools whether it was written by someone else or created on their own. There is no pentester I know that DOES NOT use a tool written by someone else. However, some of the most extreme pentesters I know and have met, use custom written tools for different reasons (stealth, protocol, timing, etc)
August 6, 2010 at 5:33 pm #34339hayabusaParticipant
@steven1664 – I’ll second sil’s advice / comments. (NOT ill intended…)
If you’re pentesting some environment, where you KNOW the folks have little / no security knowledge, then very often, you won’t care about being noisy, or what may or may not be seen by the site admins, or whomever. (Or, if the scope document for the test allows for you being seen, and they simply want to know what vulnerabilities they have, and could potentially be exploited.) But he’s absolutely right, with regards to using custom tools, and understanding how they work, from the standpoint of knowing that, while “Tool A” might give me the results I need in every case, “Tool B” will give me the same results, but in a more covert / quiet way, with less risk to the environment / servers being tested, etc. Becoming a truly exceptional pentester involves gathering tools (and / or now or eventually writing your own,) and understanding not just WHAT they do, but HOW they do it, so you can wisely pick and choose.
I firmly believe that sil was NOT trying to ‘belittle’ you, and I don’t think, in general, you’ll get much of that, here, from any of the regulars, and particularly sil. Sometimes wording on a web forum doesn’t adequately convey thoughts, nor does it give you a sense of real intention, sarcasm, humor, or otherwise, unless the person leaves comments that further clarify those things. I’d suggest, if you feel that way with regards to future replies, rather than openly blasting back, perhaps first PM the poster who replied, and ask for clarification, as, quite often (at least here), you’ll find no ill intent was there to begin with. 😉
August 6, 2010 at 10:21 pm #34340
I apologize if I upset anyone I wasn’t trying to do that. Its just I see alot of people putting small comments on things such as that and it just kind of makes me laugh sometimes because others have no idea of the knowledge or skills of other people, while I have seen some dumb people on posts here say things like how do I hack my girlfriends facebook or something dumb like that and those people are so stupid.
By starting the thread I was just trying to get an idea of some sites people use to track current security tools that they might use. Like I stated I used to check Security Database Tools Watch consistently, which made it easier for me than checking 20 websites for new security tool releases most of the new releases of things were in one place, Security Database Tools Watch was awesome.
I still follow his twitter feed at twitter.com/toolswatch and I check out http://packetstorm.linuxsecurity.com/ on a consistent basis as well and was just trying to start a good discussion on some possible sites people check out that I have not looked at before. Thanks everyone once again for the help and the posts.
August 6, 2010 at 11:59 pm #34341JhaddixParticipant
There are a few initiatives for this kind of documentation out there atm. One i like a lot is:
Which has syntax and videos for a lot of tools.
August 7, 2010 at 12:12 am #34342
August 7, 2010 at 12:37 am #34343
@steven what I’ve noticed is that I get a lot more tools that never hit those sites (and likely never will) by following certain people via say twitter, mailing lists, personal blogs. For example Chimichurri
“Microsoft is aware of these issues (and other local privilege elevation issue that can be exploited by any user but I won’t be talking about it before the fix) and they will be releasing fixes and advisories in August,” Cerrudo explained.
The researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server. These exploits could work on other services too with some minor modifications, he said.
Chimichurri and Churraskito have been out for a little bit and they still haven’t hit “tool sites”:
/Chimichurri/-->This exploit gives you a Local System shell
Usage: Chimichurri.exe ipaddress port
(EVERYBODY uses tools)… My initial point was just you explained in your response. I tend to see a lot of questions aimed towards: “Hi do I point and click ‘pwn’ something!” Where my responses tend to explain certain things to enable someone to think outside the box…
Anyhow, I’d pick the top 20 “scary people I wouldn’t want on my network” and follow them. For that, I name: Charlie Miller, Dave Aitel, Kostya, Dino Dai Zovi, HD Moore, Adam Shostack, Dan Guido, Pedro Amini, Alex Sotirov, Cesar Cerrudo, Halvar Flake, FX, Steven Ridley, Nico Waisman, Aaron Portnoy, Tavis Ormandy, wushi of team509, kingcope… Following those will lead you to LOTS of informative tools, methods, concepts, etc. I’d rather roll around in broken glass then fsck around even playing CTF with them.
Lastly If you can find him and or if he’d even wanna talk, (old schoolers would know him)… Eugene of the old group Ghettohackers (Where my dawg @). Probably the scariest guy I’ve ever corresponded with via way of security on the “hacking” level. Well him and a friend of mine named minga. (if you can find him) Your mileage may vary though, I talk to many of those listed from time to time and I admire their expertise and knowledge but am not intimidated by them so I tend to bug them like a mosquito in their ear from time to time. If I HAD to follow just 20 people, either to learn about tools, find out what *really* works, those would be them.
These guys all make tools (well most) and if they don’t they know and explain enough “hardcore” stuff that’ll make even the most experience security practitioner feel like a newborn. I try to follow most of their blogs, tweets, etc., and in the end, sometimes come up with my own “WTF” tools.
- You must be logged in to reply to this topic.