.

Security Tools Website

<<

steven1664

Newbie
Newbie

Posts: 17

Joined: Thu Jul 09, 2009 9:13 am

Post Thu Aug 05, 2010 5:49 pm

Security Tools Website

I was wondering if anyone would happen to have any good suggestions on websites that have good updates of security tools.  I used to check Security Database Tools Watch on a consistent basis and it was a great site for updated security tools.  I also check out packetstorm on a consistent basis as well.  I was just wondering if anyone may have any good suggestions on websites that update on new releases of security tools.  Thanks for everyone's help I appreciate it.

 
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Aug 05, 2010 7:17 pm

Re: Security Tools Website

I usually watch the Hacker News network which is a weekly video cast, and they have a section called Tool Time which discusses new tools and the latest releases.  There are probably better ones out there, that's just the one I'm thinking of at the moment.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

steven1664

Newbie
Newbie

Posts: 17

Joined: Thu Jul 09, 2009 9:13 am

Post Thu Aug 05, 2010 10:39 pm

Re: Security Tools Website

Thanks I will for sure check it out, does anyone else have any sites?
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Aug 05, 2010 10:51 pm

Re: Security Tools Website

This is a good general list: http://sectools.org/ There was recently a new survey, so that will hopefully be updated soon.

New tools might be discussed in some general mailing lists: http://seclists.org/

If you're looking to be notified about updates to specific tools, you should get on their respective mailing lists. Most are very light in traffic and only notify you when there's an update.

Sites like Darker Reading or pod casts like PaulDotCom might touch upon notable releases as well.
The day you stop learning is the day you start becoming obsolete.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Fri Aug 06, 2010 12:49 am

Re: Security Tools Website

Are you on twitter? Follow @toolswatch http://twitter.com/ToolsWatch He provides regular updates on a lot of tools.
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Fri Aug 06, 2010 1:56 am

Re: Security Tools Website

dynamik wrote:This is a good general list: http://sectools.org/ There was recently a new survey, so that will hopefully be updated soon.


i totally forgot about that survey! i am curious about the results!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Aug 06, 2010 7:11 am

Re: Security Tools Website

In no specific order

http://www.dragoslungu.com/tag/tools/
http://twitter.com/ToolsWatch
http://twitter.com/hipaasecurity
http://twitter.com/Security_Tools
http://packetstormsecurity.org
http://www.securitytoollist.com/
http://www.security-database.com/

Remember... You should at least *try* to understand how tools work and at one time, try making something similar for yourself. It allows you to understand the process of what the tool does a lot more yielding better (more granular) results.
<<

steven1664

Newbie
Newbie

Posts: 17

Joined: Thu Jul 09, 2009 9:13 am

Post Fri Aug 06, 2010 9:54 am

Re: Security Tools Website

@dynamik sectools.org is a good site but alot of there stuff is really outdated.  I was hoping to look for something similar on how Security Database Tools Watch used to be where it would report out when a new update of a tool would be released.

@Equix3n- Thank you I do follow Tools Watch on twitter, once the website stopped being updated he stated that all of the information would be put through the twitter feed.  I do look through the twitter feed, but it can be painful to read through.

@sil Thanks for the help.  I knew comments like this were gonna pop up

"Remember... You should at least *try* to understand how tools work and at one time, try making something similar for yourself. It allows you to understand the process of what the tool does a lot more yielding better (more granular) results."

Thats why I almost didn't post.  I do understand how the tools work I work with them everyday.  I was just simply looking for any websites people would suggest.  I am not trying to be rude to you, but it is comments like that that make people not want to post on this website at all. 

I really do appreciate the help from everyone and thanks for the suggestions.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Aug 06, 2010 12:15 pm

Re: Security Tools Website

@steven my intent wasn't to be rude, was to make one think about things for a second or two. E.g., I was just playing with Skipfish which is a kick ... tool. It found many issues other similar scanners couldn't find however, its noisy as heck and brutal on a webserver making an 8GB server running Apache almost come to a crawl. Because of the scanning methods Zalewski used - which differ from most - it was easy to parse similar things on the command line without using Skipfish, yet coming back to find vulnerabilities with curl (wget -qO - or links -dump), yet getting *almost* the same effect as using Skipfish.

Wasn't to say "you know jack stop using tools... you don't understand them..." was more to the tune of "don't forget in testing most tests are (or should be) tailored, no tool fits one size" so apologies if it came across like that. EVERYONE has to use tools whether it was written by someone else or created on their own. There is no pentester I know that DOES NOT use a tool written by someone else. However, some of the most extreme pentesters I know and have met, use custom written tools for different reasons (stealth, protocol, timing, etc)
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Aug 06, 2010 12:33 pm

Re: Security Tools Website

@steven1664 - I'll second sil's advice / comments.  (NOT ill intended...)

If you're pentesting some environment, where you KNOW the folks have little / no security knowledge, then very often, you won't care about being noisy, or what may or may not be seen by the site admins, or whomever.  (Or, if the scope document for the test allows for you being seen, and they simply want to know what vulnerabilities they have, and could potentially be exploited.)  But he's absolutely right, with regards to using custom tools, and understanding how they work, from the standpoint of knowing that, while "Tool A" might give me the results I need in every case, "Tool B" will give me the same results, but in a more covert / quiet way, with less risk to the environment / servers being tested, etc.  Becoming a truly exceptional pentester involves gathering tools (and / or now or eventually writing your own,) and understanding not just WHAT they do, but HOW they do it, so you can wisely pick and choose.

I firmly believe that sil was NOT trying to 'belittle' you, and I don't think, in general, you'll get much of that, here, from any of the regulars, and particularly sil.  Sometimes wording on a web forum doesn't adequately convey thoughts, nor does it give you a sense of real intention, sarcasm, humor, or otherwise, unless the person leaves comments that further clarify those things.  I'd suggest, if you feel that way with regards to future replies, rather than openly blasting back, perhaps first PM the poster who replied, and ask for clarification, as, quite often (at least here), you'll find no ill intent was there to begin with.   ;)

Cheers!
Last edited by hayabusa on Fri Aug 06, 2010 12:37 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

steven1664

Newbie
Newbie

Posts: 17

Joined: Thu Jul 09, 2009 9:13 am

Post Fri Aug 06, 2010 5:21 pm

Re: Security Tools Website

I apologize if I upset anyone I wasn't trying to do that.  Its just I see alot of people putting small comments on things such as that and it just kind of makes me laugh sometimes because others have no idea of the knowledge or skills of other people, while I have seen some dumb people on posts here say things like how do I hack my girlfriends facebook or something dumb like that and those people are so stupid. 

By starting the thread I was just trying to get an idea of some sites people use to track current security tools that they might use.  Like I stated I used to check Security Database Tools Watch consistently, which made it easier for me than checking 20 websites for new security tool releases most of the new releases of things were in one place, Security Database Tools Watch was awesome.

I still follow his twitter feed at twitter.com/toolswatch and I check out http://packetstorm.linuxsecurity.com/ on a consistent basis as well and was just trying to start a good discussion on some possible sites people check out that I have not looked at before.  Thanks everyone once again for the help and the posts.
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Fri Aug 06, 2010 6:59 pm

Re: Security Tools Website

There are a few initiatives for this kind of documentation out there atm. One i like a lot is:

http://tools.securitytube.net/index.php?title=Main_Page

Which has syntax and videos for a lot of tools.

gl!
<<

pizza1337

Full Member
Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Fri Aug 06, 2010 7:12 pm

Re: Security Tools Website

Knowledge Resource is Power.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Aug 06, 2010 7:37 pm

Re: Security Tools Website

@steven what I've noticed is that I get a lot more tools that never hit those sites (and likely never will) by following certain people via say twitter, mailing lists, personal blogs. For example Chimichurri

“Microsoft is aware of these issues (and other local privilege elevation issue that can be exploited by any user but I won’t be talking about it before the fix) and they will be releasing fixes and advisories in August,” Cerrudo explained.

The researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server.  These exploits could work on other services too with some minor modifications, he said.


http://www.zdnet.com/blog/security/wind ... osoft/6849

Chimichurri and Churraskito have been out for a little bit and they still haven't hit "tool sites":

  Code:
C:\EthicalHackerdotNet>Chimichurri.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->
Usage: Chimichurri.exe ipaddress port <BR>
C:\EthicalHackerdotNet>


(EVERYBODY uses tools)... My initial point was just you explained in your response. I tend to see a lot of questions aimed towards: "Hi do I point and click 'pwn' something!" Where my responses tend to explain certain things to enable someone to think outside the box...

Anyhow, I'd pick the top 20 "scary people I wouldn't want on my network" and follow them. For that, I name: Charlie Miller, Dave Aitel, Kostya, Dino Dai Zovi, HD Moore, Adam Shostack, Dan Guido, Pedro Amini, Alex Sotirov, Cesar Cerrudo, Halvar Flake, FX, Steven Ridley, Nico Waisman, Aaron Portnoy, Tavis Ormandy, wushi of team509, kingcope... Following those will lead you to LOTS of informative tools, methods, concepts, etc. I'd rather roll around in broken glass then fsck around even playing CTF with them.

Lastly If you can find him and or if he'd even wanna talk, (old schoolers would know him)... Eugene of the old group Ghettohackers (Where my dawg @). Probably the scariest guy I've ever corresponded with via way of security on the "hacking" level. Well him and a friend of mine named minga. (if you can find him) Your mileage may vary though, I talk to many of those listed from time to time and I admire their expertise and knowledge but am not intimidated by them so I tend to bug them like a mosquito in their ear from time to time. If I HAD to follow just 20 people, either to learn about tools, find out what *really* works, those would be them.

These guys all make tools (well most) and if they don't they know and explain enough "hardcore" stuff that'll make even the most experience security practitioner feel like a newborn. I try to follow most of their blogs, tweets, etc., and in the end, sometimes come up with my own "WTF" tools.

Return to Tools

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software