Tuesday, March 3, 2009

Top 20 Security Assessment Tools

Nessus
Home Page: http://www.nessus.org/
Description: The premier open-source vulnerability assessment tool. Nessus is a remote security scanner for Linux, BSD, Solaris, and other Unix platforms. It is plug-in based, has a GTK interface, and performs over 1200 remote security checks.

Ethereal
Home Page: http://www.ethereal.com/
Description: Sniffing the glue that holds the Internet together. Ethereal is a free network protocol analyzer for Unix and Windows. You can interactively browse the captured data, viewing summary and detail information for each packet.

Netcat
Home Page: http://netcat.sourceforge.net/
Description: The network swiss army knife. A simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.

Libwhisker
Home Page: http://sourceforge.net/projects/whisker/
Description: Rain.Forest.Puppy's CGI vulnerability scanner and library. Whisker is a scanner which allows you to test HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Libwhisker is a Perl library (used by Whisker) which allows for the creation of custom HTTP scanners.

John the Ripper
Home Page: http://www.openwall.com/john/
Description: An extraordinarily powerful, flexible, and fast multi-platform password hash cracker. John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords.

Sam Spade
Home Page: http://www.samspade.org/ssw/
Description: Freeware Windows network query tool. SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more.

Nikto
Home Page: http://www.cirt.net/code/nikto.shtml
Description: Nikto is a web server scanner which looks for over 2000 potentially dangerous files/CGIs and problems on over 200 servers.

Kismet
Home Page: http://www.kismetwireless.net/
Description: A powerful wireless sniffer. Kismet is an 802.11b network sniffer and network dissector. It is capable of sniffing using most wireless cards, automatic network IP block detection via UDP, ARP, and DHCP packets, Cisco equipment lists via Cisco Discovery Protocol, weak cryptographic packet logging, and Ethereal and tcpdump compatible packet dump files.

SuperScan
Home Page: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm
Description: Foundstone's Windows TCP port scanner. A connect-based TCP port scanner, pinger and hostname resolver. No source code is provided. It can handle ping scans and port scans using specified IP ranges.

L0phtCrack 4 (now called "LC4")
Download Location: http://www.net-security.org/software.php?id=17
Description: Windows password auditing and recovery application. L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows NT/2000 workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc.).

Retina
Home Page: http://www.eeye.com/html/Products/Retina/index.html
Description: Commercial vulnerability assessment scanner by eEye. Like Nessus and ISS Internet Scanner mentioned previously, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found.

Nmap
Home Page: http://www.insecure.org/
Description: Open source scanning tool for Windows and Linux.

Network Stumbler
Download Location: http://www.stumbler.net/
Description: Free Windows 802.11 Sniffer. Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such called Ministumbler. The tool is currently free but Windows-only and no source code is provided.

SARA
Home Page: http://www-arc.com/sara/
Description: Security Auditor's Research Assistant. SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner.

N-Stealth
Home Page: http://www.nstalker.com/eng/products/nstealth/
Description: Web server scanner. N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as whisker and nikto, but do take their web site with a grain of salt. The claims of "30,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable.

Cain & Abel
Download Location: http://www.oxid.it/cain.html
Description: The poor man's L0phtCrack. Cain & Abel is a free password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary and brute-force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

XProbe2
Home Page: http://www.sys-security.com/index.php?page=xprobe
Description: Active OS fingerprinting tool. XProbe is a tool for determining the operating system of a remote host. It does this using some of the same techniques as Nmap as well as many ideas of its own.

SolarWinds Toolsets
Download Location: http://www.solarwinds.net/
Description: A plethora of network discovery/monitoring/attack tools. SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners and an SNMP brute-force cracker.

Brutus
Download Location: http://www.hoobie.net/brutus/
Description: A network brute-force authentication cracker. This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available.

Paketto Keiretsu
Home Page: http://www.doxpara.com/read.php/code/paketto.html
Description: Extreme TCP/IP. The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for.

Sunday, March 1, 2009

onError: Handling "Image Not Found" in JavaScript

HTTP requests are expensive, so making an HTTP request and getting a useless response (i.e. 404 Not Found) is wasted work: it slows down the user experience without any benefit. Even worse is when the link to an external JavaScript file is wrong and the result is a 404. First, this download blocks parallel downloads. Next, the browser may try to parse the 404 response body as if it were JavaScript code, trying to find something usable in it.

Although we can't avoid the HTTP request when an image is not found, the error can be handled so that some other appropriate image is shown to the user instead.
We can use a try...catch statement to catch errors in a web page. Alternatively, we can use the onerror event for the same purpose.
The window-level onerror event fires whenever an uncaught script error occurs in the page; on an individual element such as an img, onerror fires when that resource fails to load.

Example use:
To use the onerror event, you must create a function to handle the errors and then assign it as the onerror event handler. The handler is called with three arguments: msg (the error message), url (the URL of the page that caused the error) and line (the line number where the error occurred).

window.onerror = handleErr;

function handleErr(msg, url, line) {
    // Handle the error here, e.g. record it for later analysis
    console.log("Script error: " + msg + " (" + url + ":" + line + ")");
    // Return true to suppress the browser's default error reporting,
    // or false to let the browser report the error as usual
    return true;
}

Another way to handle it: a different image can be shown if the requested image is not found, e.g.
<img src="http://www.yahoo.com/badimage.gif" alt="Bad Image" onError="this.src='http://l.yimg.com/a/i/ww/beta/y3.gif';" />
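As an added example (not code from the original post), here is the same image fallback written as a reusable JavaScript function, generalised with one guard the inline version lacks: if the fallback image itself fails to load, an inline onError that only reassigns src fires again on every failure, so the function detaches the handler before swapping the source. It also includes a window-level onerror handler of the (msg, url, line) shape described above that keeps a record of errors rather than only returning true. The function names, the placeholder path, the data-fallback attribute and the plain-object stand-in for an img element are my own assumptions, chosen so the code also runs outside a browser.

```javascript
// Added example, not from the original post. Names (installImageFallback,
// makeErrorLogger, simulateLoadFailure) and the fallback path are assumptions.

const FALLBACK_SRC = "/static/placeholder.gif"; // assumed placeholder path

// Attach a one-shot fallback to an <img> (or any object with src/onerror).
// Equivalent to the inline onError attribute, but guarded: if the fallback
// itself 404s, onerror would fire again and an inline handler that only
// reassigns src would keep doing so. Detaching first breaks that loop.
function installImageFallback(img, fallbackSrc = FALLBACK_SRC) {
  img.onerror = function () {
    img.onerror = null;   // detach before swapping: a failing fallback is silent
    img.src = fallbackSrc;
  };
  return img;
}

// Window-level handler of the shape described in the post: (msg, url, line).
// Returning true tells the browser the error was handled, so its default
// reporting is suppressed. Entries are kept so a page can forward them to
// its own logging endpoint instead of losing them with the console.
function makeErrorLogger() {
  const entries = [];
  function handleErr(msg, url, line) {
    entries.push({ msg: String(msg), url: String(url), line: Number(line) });
    return true;
  }
  return { handleErr, entries };
}

// Stand-in for the browser: a real <img> calls onerror when its fetch fails;
// outside a browser we call it by hand and report the src the element ends
// up with, which is what a test can assert on.
function simulateLoadFailure(img) {
  if (typeof img.onerror === "function") {
    img.onerror(new Error("load failed"));
  }
  return img.src;
}

// Usage in a page (guarded so the block also runs under Node): every image
// carrying a data-fallback attribute (assumed convention) gets the handler.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const logger = makeErrorLogger();
  window.onerror = logger.handleErr;
  for (const img of document.querySelectorAll("img[data-fallback]")) {
    installImageFallback(img, img.getAttribute("data-fallback"));
  }
}
```

The detach-then-swap order is the whole point: with the inline version, a broken fallback URL produces a second onerror, a second assignment of the same src, and so on, while this version fails at most once.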
