Top 50+ Security Testing Tools for Cyber Security Engineers in 2020
As we are surrounded in this world by automation, it is necessary to take security measures so as to protect the networks, data, information, systems, enterprise infrastructure from threats and vulnerabilities. Such security tools need to be tested on regular intervals to maintain a problem-free network and infrastructure. Let us have a look at some Security Testing Tools for Cyber Security Engineers.
Security Testing Tools According to their Functions:
- Information Gathering
- Port Scanning
- Packet Analyzer/Sniffers
- Vulnerability Scanners
- Password Cracker
List of Security Testing Tools for Cyber Security Engineers in every category:
- Google Hacking Database Tool (GHDB)
- What is my IP/IP Address Lookup
- HTTrack Website Copier
- Wayback Machine
- The Harvester
- Angry IP Scanner
- Advance Port Scanner
- AJAX Spidering
- Websocket Testing
- IBM AppScan
- HP WebInspect
- Fortify Static Code Analyzer
- Burp Professional Scanner
- Qualys Cloud Platform
- Angry IP Scanner
- Advance Port Scanner
- IE watch
- SQL Map
- SET (Social Engineer Toolkit)
- John the Ripper
- Cain and Abel
- THC Hydra
- Rainbow Crack
- Air crack
Now, let us have a look at all these tools individually.
Skipfish is known to be a useful application reconnaissance tool. Skipfish carries out repeated crawling and dictionary-based probes, thus preparing an interactive sitemap for the targeted site. The skipfish map has an output from various active security checks. Skipfish’s final report provides a base for professional web application security assessments. Its key features include high speed (2000 requests per second), easy to operate, and high-quality security logic.
Download Link – https://ccm.net/download/download-21845-skipfish
NsLookup helps in finding the IP address, which corresponds to a host or domain name which corresponds to an IP address. NsLookup is used in the command-line of the operating system. “Command Prompt” is used to start service for Windows users, and “Terminal Window” is used to start the service for UNIX users. NsLookup is an easy but practical command-line tool.
Download Link – http://nslookup.softwaresea.com/Windows-software-download/nslookup
Google Hacking Database Tool (GHDB)
The Google Hacking Database Tool (GHDB) functions to reveal sensitive data that is disclosed by web applications and vulnerable servers. It was originally launched in 2000 to serve penetration testers. In 2010 it became a part of exploit-db.com and was expanded to include search engines like Bing, GitHub apart from the Google Search Engine. The search engine queries in GHDB include product-specific advisories, sensitive online shopping data, files with sensitive data, passwords, and user names, etc.
Download Link – https://www.exploit-db.com/google-hacking-database
The Samspade tool was authored in 1997 by Steve Atkins. It is a Windows Software Tool. Samspade’s design helps in assisting and in tracking down sources of e-mail spam. It was initially the name of a free web service that provides access to similar online tools. Its functions include Zone Transfer, Scan Addresses, Browse Web, Fast and Slow Traceroute, Decode URL, SMTP Relay Check, Crawl Website, Check cancels, S-Lang Command, and Parse E-mail Headers.
Download Link – https://www.majorgeeks.com/files/details/sam_spade.html
What is my IP/IP Address Lookup
An IP Address Lookup helps in determining the geolocation of IP addresses. The IP Address will help you identify the state, city, postal/zip code, country, ISP, and time-zone. The above data helps locate the exact location of any Ipv4 and IPv6 addresses. This information uses the IP Lookup Tool. It is a myth that the IP Address Lookup provides the correct postal address of the user. At most, you can locate the city of the users.
Download Link – https://www.softpedia.com/get/Network-Tools/IP-Tools/IP-Lookup.shtml
HTTrack Website Copier
The HTTrack Website Copier will help you download a World Wide Web Site from the Internet to your local directory. It builds directories, images, HTML, and other files from the server to your computer. The HTTrack will arrange the original site’s relative link structure. All you would have to do is open up a mirrored website in your browser, and you will be able to browse the site from link to link (as you view it online). The HTTrack will also update an existing mirrored site and resume interrupted downloads. It can be configured fully and has an integrated help system.
Download Link – https://www.httrack.com/page/2/
The robots.txt file can be used to inform the Googlebot about the areas of a domain that could be crawled by the search engine’s crawler and the ones which might not. The robots.txt file can also include a reference to the XML sitemap. A text editor can be used to create this flight. Each file will consist of two blocks. The first one will specify the user agent to which the instructions should be applied, and the second one is the “Disallow command post which the URLs to be excluded from crawling are listed.”
Download Link – http://tools.seobook.com/robots-txt/generator/
The Wayback Machine tool initially provided a location to keep the digital artifacts safe for historians and researchers. But it can also be viewed as a mode of entertainment where you can see what pages looked like back in 2001. Another use is to access a page from a website that no longer exists. The Wayback machine will allow you to obtain a site that has been shut down, and you might still be able to download files that previously existed on that page.
Download Link – https://www.waybackmachinedownloader.com/en/
A harvester is a unique tool used to gather emails, hosts, open ports, sub-domains, banners, and employee names from various public sources such as PGP Key Servers, SHODHAN Computer Database, and Search Engines. This tool will help in the early stages of penetration to understand the customer footprint on the internet. It also functions to help the organization understand what an attacker can see about their organization. It has many new features like Virtual Host Verifier, All Sources Search, Time delays between request, save to XML and HTML, basic graph with stats, new sources, etc.
Download Link – https://github.com/laramies/theHarvester
The Metagoofil tool extracts metadata of public documents like pdf, doc, Xls, ppt, ODP, ods, which are available on the target website. This tool initially performs searches in Google to identify and download documents to a local disk. After downloading, libraries like PdfMiner, Hachoir, etc. extract metadata. It then generates a report with username, versions of software, and servers or machine names, which will help them penetrate in information gathering phase.
Download Link – https://www.darknet.org.uk/2008/05/metagoofil-download-metadata-information-gathering-tool/
The Maltego is an open-source intelligence (OSINT) and graphical link analysis tool which is known to provide a bunch of transforms for discovering data from open sources and visualize that information in a graphical format that will be suitable for data mining and link analysis. This tool’s focus is on analyzing real-world relationships between people, groups, domains, affiliations, internet infrastructure, etc. with online services like Facebook and Twitter.
Download Link – https://www.maltego.com/downloads/
Angry IP Scanner
The Angry IP Scanner is an IP Address and Port Scanner. It helps in scanning IP Addresses in any range as well as their ports. It can make cross-platform and lightweight. Every Angry IP Scanner will ping all IP addresses to check if it’s alive and then resolve its hostname, scans ports, determines MAC address. It also has features like NetBIOS information, web server detection, customizable openers, etc. It is also known to use a multithreaded approach (separate scanning thread for each scanned IP address)
Download Link – https://angryip.org/download/
A ping sweep is a method to establish a range of IP addresses that map to live hosts. Fping is the tool which uses for Pingsweep. The first version of Fping was established in 1992, and ever since, it is the standard tool used for network diagnosis and statistics. Fping is a program that sends ICMP echo probes to network hosts. Fping is similar to ping but performs much better while pinging multiple hosts.
Download Link – https://www.solarwinds.com/engineers-toolset/use-cases/ping-sweep
The SuperScan Tool is a port scanning software that helps to detect open TCP and UDP ports on a target computer. It helps to determine which services are running on ports and run queries like ICMP Traceroute, Ping, Whois, and Hostname Lookups. Superscan 4 is a rewritten version of Superscan 3. Crackers, System Administrators, and Script K use Superscan to evaluate a computer’s security. They also use it to test unauthorized open ports on their computer networks.
Download Link – https://www.filecroco.com/download-superscan/
Advance Port Scanner
The Advanced Port Scanner is a free tool available online, which helps you understand the number of ports on your computer and their location. The scanner can scan all the ports or the ones in ranges. The scan does not only take place on your main PC but also on your networked computers. The Advanced Port Scanner is a small file and doesn’t need much space on the desktop. It is a very popular tool in India, the United States of America, and the Islamic Republic of Iran. It has a user-friendly interface and rich functionality.
Download Link – https://www.advanced-port-scanner.com/
Network Mapper, commonly called as Nmap is a free tool, used for scanning and network discovery. Network administrators use the Network Mapper (Nmap) for identification of devices running on their systems, discover hosts available and services offered by them, finding open ports, and for detecting security risks.
Download Link – https://nmap.org/download.html
The Netcat tool helps in reading and writing data across network connections using the TCP/IP protocol. It is known to be one of the reliable tools at the back-end, which is driven by programs and scripts. It provides features like Outbound and Inbound Connections, TCP, or UDP to or from any ports. It has built-in port scanning capabilities with randomizer. It consists of Advanced Usage options like buffered send mode and the remote host.
Download Link – https://sourceforge.net/projects/nc110/
The traceroute helps in finding out how the data transmission travels from your computer to another. The traceroute comprises a list of computers on the network which are involved with specific internet activity. Each machine is an identification of a particular listing, and the amount of time taken to get the data from one computer to the next is calculated. If there is an interruption in the transfer of data, traceroute will show that along the chain of the problem. Among many other functions, one more feature is that if somebody faces difficulty while accessing a particular website, then traceroute helps to find out the location of the problem.
Download Link – https://www.solarwinds.com/free-tools/traceroute-ng
Wireshark is currently a leading tool for analyzing traffic for a system administrator or security professional. It also used for troubleshooting issues, if any. Wireshark troubleshoots dropped packets, malicious activity, and latency issues. Professionals wishing to operate Wireshark require knowledge about networking, which includes TCP/IP Stack, Routing, Port Forwarding, DHCP, etc. Basically, Wireshark will intercept traffic and convert the binary traffic into a human-readable format making it easier to understand which traffic crosses your network along with its frequency and latency between hops.
Download Link – https://www.wireshark.org/download.html
Ettercap is a free and open-source network security tool for attacks on LAN. It is used for security auditing and computer network protocol. It runs on Linux, Solaris, Mac OS X, BSD, and Microsoft Windows. It puts the network interface into a promiscuous mode and thus acting as ‘man in the middle’ and unleash various attacks. It has four ways of operations like IP based packets based on IP source and destination, MAC-based packets based on MAC address, ARP based which uses ARP poisoning to sniff on a switched LAN between two hosts, and Public ARP based which uses ARP poisoning to sniff on a switched LAN from a victim host to other hosts.
Download Link – https://www.ettercap-project.org/downloads.html
This Data Network Packet Analyzer Computer Program is known as Tcpdump, which runs under a command-line interface. The user can display TCP/IP and other packets that are transmitted. Tcpdump works on Linux, Free BSD, Solaris, NetBSD, OpenBSD, DragonBSD, macOS, and others. In those systems, Tcpdump uses the libpcap library to capture packets. The port of Tcpdump for Windows is called WinDump; it uses WinPcap, the Windows version of libcap.
Download Link – https://www.softpedia.com/get/Network-Tools/Network-Monitoring/tcpdump.shtml
Kismet is a wireless network and device detector, war-driving tool, sniffer, and WIDS framework. Kismet works with Bluetooth Interfaces, WiFi Interfaces, SDR hardware like RTLSDR, and other specialized equipment. Kismet works on Linux, OSX, and, to a degree, Windows 10 under the WSL framework. Kismet has features like using other programs to play audio alarms for network events, readout network summaries, or provide GPS coordinates. This is the main package containing the core, client, and server.
Download Link – https://www.kismetwireless.net/downloads/
NetworkMiner is an open-source network Forensics Analysis Tool which works mainly for Windows but also Linux, FreeBSD, and Mac OS X. It’s a passive network snipper/packet capturing tool to detect OS, hostnames, sessions, open ports, etc. without putting traffic on the network. NetworkMiner provides extracted artifacts in an intuitive UI. It is a popular tool among law enforcement and response teams.
Download Link – https://www.netresec.com/?page=NetworkMiner
Nessus is used during penetration testing engagements, malicious attacks, and vulnerability assessments. Nessus is free for the non-enterprise tool, but for enterprises, there are different options like:
- Tenable.io – Subscription-based service which allows teams to share scanners, schedules, scan policies, and scan results.
- Nessus Agents – Providing ways to scan hosts within your environment without having to provide credentials to hosts
- Nessus Professional – It helps professionals performing high-speed asset discovery, malware detection, configuration auditing, sensitive data discovery, etc
- Nessus Manager – Provides functions of Nessus Professional along with vulnerability management and collaboration features
Download Link – https://www.tenable.com/products/nessus
ZAP, the abbreviation for Zed Attack Proxy is an open-source tool. It’s maintained under the Open Web Application Security Project (OWASP). The OWASP is a community of developers that offers new modules or add-ons. ZAP is known to perform manual penetration tests as well as automated scans.
Download Link – https://www.zaproxy.org/download/
AJAX Spidering is performed during the penetration test. It helps to discover requests on the AJAX-rich web application. The AJAX Spidering has functions like maximum crawl states, maximum depths to crawl, maximum duration, and other options in crawling. Initially, the regular spidering tool identifies URLs of the applications. Post this; the AJAX Spider runs to get a map of all application resources. ZAP helps automatically open the application and explores it through an event-driven dynamic crawling engine. It is thus eliminating all manual work.
Download Link – https://www.zaproxy.org/docs/desktop/addons/ajax-spider/
The fuzzer is a security tool that injects various payloads to force the application to go to an undesired state, thus exposing vulnerability. A tester will help to choose from lists through sources like JbroFuzz, FuzzDBond, and Dirtbuster. The Fuzzer is customizable with controls like fuzzing location, delay in fuzzing, number of concurrent threats. The fuzzer can refresh Anti-CSRF tokens in the application. ZAP can automatically record the token and the associated URL. Thus ZAP will regenerate the token preventing missing or invalid token errors.
Download Link – https://sourceforge.net/directory/os:windows/?q=fuzzer
Websocket Testing is very important due to various implementations across applications. It is very easy to intercept, analyze, and tamper the traffic between the client and server using this tool. The Websocket Message Editor is used to work with Direction, Opcodes, etc. ZAP also provides details about the opcode of every message – Ping, Binary, Text, Close, or Pong. The WebSocket message can be sent to the fuzzer for subsequent payload injection.
Download Link – https://chrome.google.com/webstore/detail/websocket-test-client/fgponpodhbmadfljofbimhhlengambbn?hl=en
Acunetix is used for vulnerability management. It is a web application security testing tool that checks vulnerabilities like Injection, SQL, Cross-Site Scripting, thus auditing web applications. The AcuSensor (IAST) will help you to test hidden inputs not discovered during black-box scanning (DAST). But the AcuSensor technology is optional with all product licenses. Acusensor works with ASP.net, Java, and PHP. AcuSensor is easy of remediation, has higher precision, and full coverage.
Download Link – https://www.acunetix.com/download/fullver13/
The IBM AppScan is currently known as HCL AppScan. It comprises of web security testing tools. HCL technologies purchased this tool in July 2019. AppScan helps to test Web Applications for security vulnerabilities during the development process. It understands the behavior of every application (internal of off-the-shelf application) and helps to develop a program which tests its functions for vulnerabilities.
Download Link – https://raidforums.com/Thread-IBM-Security-AppScan-Standard-9-0-3-11-9-0-3-12-Latest-CRACKED?page=4
The HP WebInspect helps in identifying the exploitable security vulnerabilities in a Web application from development through production. HP WebInspect is known to deliver broad technology coverage, extensive vulnerability knowledge, fast scanning capabilities, and accurate web application scanning results. WebInspect is an integral part of the HP integrated security testing technology. It uncovers real and relevant security vulnerabilities.
Download Link – https://www.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/download
Fortify Static Code Analyzer
It is an automatic static code analyzer that helps developers eliminate vulnerabilities and building secure software. Developers locate and fix security defects with integration to IDEs. They gain comprehensive and accurate language coverage, along with enabling compliance. Automated scans launched for speed or coverage. For quick triage and complex security issue, they provide productive analysis results by drilling into the source code details. They also offer automatic scans, thus enabling developers on security. They help to secure custom and open-source codes along with highly optimized static scans, which are too fast.
Download Link – https://hp-fortify.software.informer.com/1.0/
Burp Professional Scanner
The Burp Scanner helps in performing automated scans of websites. It helps in discovering audit and content vulnerabilities. There are 2 phases in this process. One is the Crawling for Content, and then comes the auditing for vulnerabilities. In the initial stage, the scanner navigates around the application to catalog the content of the app and navigational paths within it. The later stage involves analyzing the application’s traffic and behavior, thus identifying vulnerabilities.
Download Link – https://portswigger.net/burp/communitydownload
Netsparker will help to combat the cybersecurity skills gap and automate the web security process. The tools perform automated vulnerability assessment, thus helping you prioritize your work on fixing the issues. You can also discover and protect your current assets to avoid resource-intensive manual procedures. Netsparker functions include automatic crawling, assigning vulnerabilities according to severity and urgency to be fixed, and scanning the internet to discover your assets.
Download Link – https://www.hackingtools.in/free-download-netsparker/
Qualys Cloud Platform
The Qualys Cloud Platform was previously known as QualysGuard. It is a portfolio of products, services, and solutions used for security and compliance. The main aim of these tools is to help organizations simplify security operations and lowering the cost of compliance. They are known to deliver critical security intelligence on demand. They help automate auditing, compliance, and protection.
Other functions include asset discovery and inventory, vulnerability management, remediation prioritization, compliance monitoring, container security, web application scanning and firewall, file integrity monitoring, an indication of compromise, and others.
Download Link – https://blog.qualys.com/news/2019/10/31/qualys-cloud-platform-8-21-6-new-features
Web Application Attack and Audit Framework (w3af) is a tool that helps in identifying and exploiting various web application vulnerabilities. The w3af console will help if you require a command-line application only. It helps in discovering the web application vulnerabilities using the black box scanning technique. The w3af core and its plugins are written in Python. W3af has more than 130 plugins.
Download Link – http://w3af.org/download
Brutus is a popular remote online password cracking tools. This tool, released in October 2000, is the fastest and most flexible password cracking tool. It supports HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3, FTP, SMB, Telnet, and other types such as IMAP, NNTP, NetBus, etc. Brutus also helps create your authentication types. It also supports multi-stage authentication engines, has the resume and load options. So you will be able to pause the attack process and resume according to your convenience.
Download Link – https://www.hackingtools.in/free-download-brutus/
Ophcrack is a password cracking tool for Windows. It is also compatible with Mac and Linux systems. It cracks LM and NTLM hashes. For cracking Windows XP, Vista, and Windows 7, free rainbow-tables are also available. A live CD of OphCrack can simplify the cracking. One can use the Live CD of OphCrack to crack Windows-based passwords. This tool is available for free.
Download Link – https://ophcrack.sourceforge.net/
John the Ripper
John the Ripper is a fast password cracker available for Unix, macOS, Windows, DOS, BeOS, and OpenVMS. Its primary function is to detect weak Unix passwords. It is one of the most frequently used password testings and breaking programs. John the Ripper combines several password crackers into one package, auto-detects password hash types, and includes a customizable cracker. It runs against various encrypted password formats, including several crypt password hash types.
Download Link – https://www.techspot.com/downloads/6970-john-the-ripper.html
Cain and Abel
Cain and Abel (often abbreviated to Cain) are a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using techniques such as dictionary attacks, brute force, and cryptanalysis attacks. Cryptanalysis attacks are made via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel are maintained by Massimiliano Montoro and Sean Babcock.
Download Link – https://www.filehorse.com/download-cain-and-abel/
The parallelized login cracker HYDRA helps in supporting various protocols to attack. It is known to be fast and flexible. This tool makes it easy for researchers and security consultants to gain unauthorized access to a system. It supports Cisco AAA, Cisco auth; Cisco enables, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC, and XMPP.
Download Link – https://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/
Rainbow Crack is a general-purpose implementation of Phillipe Oechslin’s Faster time memory technique. It makes use of the time-memory tradeoff to crack hashes. It differentiates hash crackers from brute force. A brute force hash cracker generates all plaintexts and computes the corresponding hashes on the fly. Once a match is found, the plaintext is found. While testing all possible plaintexts, no match is found, the plaintext is not found. With this type of hash cracking, all intermediate computation results are discarded. A time-memory tradeoff hash cracker needs a pre-computation stage. At the time, all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length computes, and the results are stored in files called a rainbow table.
Download Link – https://www.hackingtools.in/free-download-rainbowcrack/
TrueCrack is a password cracker for TrueCrypt volumes. It works on Linux and optimized with Nvidia Cuda. It supports the following:
- XTS block cipher mode for hard disk encryption based on encryption algorithms: AES, SERPENT, TWOFISH.
- File-hosted (container) and Partition/device-hosted.
- PBKDF2 (defined in PKCS5 v2.0) based on key derivation functions: Ripemd160, Sha512 and Whirlpool.
- Hidden volumes and Backup headers.
TrueCrack works as a Dictionary: Reading the passwords from a file of words and Alphabet: Generating passwords of a given length from the given alphabet. It works in GPU and CPU.
Download Link – https://password-cracker.en.softonic.com/download
Aircrack is a set of tools that will help in assessing WiFi Network Security. Here are the four domains it focuses on:
- Monitoring: Packet capturing and export of data
- Attacking: Replay attacks, de-authentication, fake access points, and others via packet injection
- Testing: Checking WiFi cards and driver capabilities
- Cracking: WEP and WPA PSK (WPA 1 and 2)
These tools are command line, which means they allow heavy scripting. GUIs are known to take advantage of this feature. It works on Linux, Windows, OSX, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2.
Download Link – https://www.aircrack-ng.org/downloads.html
The Metasploit Framework is a Modular Penetration Testing Platform. It enables us to write, test, and execute the exploit code. The Metasploit tools help in testing security vulnerabilities, execute attacks, enumerate networks, and evade detection. The Metasploit tools help to exploit development and penetration testing. The framework is modular and easily extensible and enjoys an active community. If it doesn’t do what you want it to do, you can almost certainly tweak it to suit.
Download Link – https://www.metasploit.com/download
The SQL Map is a penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It has a potent detection engine and features for penetration testing and a broad range of switches. Other features include penetration testing and a full range of switches. It provides support for six SQL Injection Techniques. It supports users, password hashes, privileges, roles, databases, tables, and columns.
Download Link – https://sqlmap.soft112.com/
Havij is an automatic SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements, and even accessing the underlying file system and executing commands on the operating system. The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij.
The user-friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone, even amateur users.
Download Link – https://www.darknet.org.uk/2010/09/havij-advanced-automated-sql-injection-tool/
SET (Social-Engineer Toolkit)
The Social-Engineer Toolkit (SET) performs advanced attacks against the human element. The attacks built into the toolkit targets and focus on attacks against a person or organization used during a penetration test. It includes access to the Fast-Track Penetration Testing platform. Social engineering attack options such as Spear-Phishing Attacks, Website Attacks, Infection Media Generator, Mass Mailing, Arduino-Based Attack, QRCode Attacks, Powershell Attack Vectors, and much more.
Download Link – https://securityonline.info/install-social-engineering-toolkit-set-windows/
BeEF (The Browser Exploitation Framework)
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. BeEF allows professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF looks past the hardened network perimeter and client system and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
Download Link – https://github.com/beefproject/beef/wiki/Installation
The Paros Proxy Lightweight Web Application tool a popular penetration testing tool for web applications. Web app developers and security experts use it to test their web applications for security vulnerabilities. Paros contains three sections; the top section, which divided into the left and right sections, and the lower part. The Left Section displays the website while testing and the discovered files and folders. The Right Section shows the requests and responses to each application made to the target website. The Bottom Section displays the answers from the crawling and scans performed on the target website.
Download Link – https://sourceforge.net/projects/paros/
WebScarab is a web security application testing tool. It serves as a proxy that intercepts and allows people to alter web browser web requests (both HTTP and HTTPS) and web server replies. WebScarab also may record traffic for further review. WebScarab can run across multiple operating systems.
Download Link – https://webscarab.apponic.com/
IEWatch is a plugin for Microsoft Internet Explorer that allows capturing HTTP traffic and analyzing HTML code. It is for web developers, site administrators, and quality assurance engineers. IEWatch is an essential web development tool to get the job done fast and efficiently. IEWatch can display HTTP duration information in a timeline chart. The HTML code window features color syntax highlighting and a breakdown of the HTML elements such as images, links, forms, flash objects, and scripts.
Download Link – https://www.httpwatch.com/
Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your computer. A web browser configures to access the Internet through Charles, and Charles is then able to record and display for you all of the data that is sent and received. Charles makes it easy to see what is happening, so you can quickly diagnose and fix problems. Charles makes debugging quick, reliable, and advanced, saving you time and frustration.
Download Link – https://www.charlesproxy.com/download/latest-release/
Any more Security Testing Tools that we have missed out on?
Do let us know in the comments section below.