Welcome to Cybrary. I'm Raymond Evans and I will be your subject matter expert for Cybrary's web app penetration testing course. In this video we will be discussing web app pen testing tools. So here are some of the tools we will be discussing that will be used throughout this course. There will be a couple more that will be used throughout the course that will pop up here and there. However, if you're running the Kali and Kali 2 environment, they come preinstalled, so you won't have to worry about getting them.
We will be using Vega, which is a web vulnerability scanner. It spiders, tests for cross-site scripting, SQL injection and XML injection and more, and tests for vulnerabilities automatically. And you can also set up a proxy to have the tests go through. Vega also has an interceptor proxy, which allows you to perform manipulation of packets, which comes in handy. Where to find it: it can be found at the link, or it comes preinstalled on Kali and Kali 2.

Next, we have Burp Suite. Burp Suite is a web application vulnerability scanner as well.
It performs spidering. It tests for SQL injection, cross-site scripting, XML injection and a whole lot more. It also has an interceptor proxy built in, which again allows you to capture the packets as they traverse and allows you to manipulate things that are being sent, and it also has a repeater tool which can allow you to re-attempt an attack and allow you to change the packet before you send the attack. Burp Suite has a really nice report builder built into it as well, which is very handy. It also has an active scanner and a passive scanner. However, we will not be using this tool due to the cost of it. It is a $300 tool, and I'm not going to have my students go out and get that. It can be found at the PortSwigger website. And it can be found there, while the free version can be found preinstalled on Kali and Kali 2. So if you want to mess around with the free version and see the built-in tools that it has, then by all means, go ahead and do that.
Next, we have sqlmap. Sqlmap is an automatic SQL injection and database enumeration tool. It tests for SQL vulnerabilities, dumps and cracks password hashes, executes commands on the database, and allows for user privilege escalation and POST request injection. This is an excellent tool that is free. When we get to our SQL injection exploitation lesson, we will be using this along with sqlsus.

Next, there is sqlninja.
Sqlninja is an automatic SQL injection and database enumeration tool. It tests for SQL vulnerabilities, dumps and cracks password hashes, and executes commands on the database. It also performs user privilege escalation and POST request injection. That can be found at the link below, but it can also be found preinstalled on Kali as well. I'm not going to really hit this tool, but I want you to know that this tool is available for you and could be a pretty powerful tool in your arsenal.

Next, we have Arachni, which is a web application attack and audit framework. It acts the same way as Vega and Burp Suite, except it's super customizable.
We will be using this tool. It audits for SQL injection, cross-site scripting, buffer overflows and a whole lot more. It also has a web crawler built in. It allows for vulnerability verification as well, which is really awesome. You can find that at the Arachni Scanner website. This is a tool that will be used, so have this downloaded and installed.
Next, we have Nikto. Nikto is an open source web server scanner. It scans installed web servers and their software and checks for outdated versions of servers, and also checks for any server configuration file problems. You can find that at the link below here, or you can find it preinstalled on Kali.
And then we have SearchSploit. SearchSploit is an excellent tool to use. It's an exploit database that's easy to search, and it's preloaded with tons of exploit scripts. So it compiles all available exploits from Exploit-DB in one handy location, and it also compiles a bunch of scripts as well. So, normally, the Exploit-DB database, people only think of that as, hey, this is where things from Metasploit sit, but in actuality, it has a lot of exploit scripts that you can search for, and it's pretty handy to have, especially when you're trying to perform a security audit and you make a quick check to see if an exploit exists for something.

Finally, we have Nmap.
What is Nmap? Well, Nmap is one of the most basic tools you're going to hear about in network security or cyber security. Nmap is a network discovery and security auditing tool. It's found on every single Linux distribution that's out there, and Nmap is a fantastic tool. It's used for host discovery, port scanning, OS detection, version detection, and it has an awesome script engine. What does that mean? Well, Nmap will identify everything that is alive on your network, all the machines that are communicating. It'll go through and it'll scan all the ports of that machine, and it will tell you what kind of services are running and the versions of those services. So if you're trying to scan for something that might be an older service version on a network, and trying to figure out whether or not you're running that specific piece of software, well, you can run that in Nmap and it'll detect if some kind of server software is running that might be an older, outdated version that needs to be updated.

It will also do OS detection. So it'll tell you what kind of operating system a server is, or a desktop or whatever. Nmap will tell you what that OS is. And finally, it has a really robust script engine. This script engine allows you to do some really awesome things. So a lot of people think Nmap is just a scanner tool only used for networks, when actually Nmap allows you to do things like detecting cross-site scripting, SQL injections, brute forcing databases, all kinds of really awesome stuff. Nmap is definitely a tool that you want to know how to use and that you want in your arsenal. Learn how to use it well and learn how to use that script engine well, because there are some really awesome tools in there that will help you be better at what you're doing.

So what was covered? We talked about Vega and Burp Suite, which are both
web app vulnerability scanners that are used for fuzzing and trying to find vulnerabilities on a web application. We talked about sqlmap and sqlninja, which are both used for getting information from databases. We also talked about w3af, which again is another web application fuzzer, as well as some other built-in tools within. And we talked about Nikto, which is used for scanning a server and identifying any kind of misconfigurations or blatant vulnerabilities right at the door or anything that might be interesting. Then we talked about SearchSploit, which is an exploit database that's built into Kali Linux and can be used to look up exploits or scripts that can be used against a target. Then we talked about Nmap, which is a super robust script engine and network scanner and all kinds of awesome stuff. Happy hacking, everyone.