2013 Top Security Tools as Voted by ToolsWatch.org Readers

Dear all,

I am honored to present the 2013 Top Security Tools as voted by users and readers. As you may have noticed, this vote was slightly particular. Indeed, I have intentionally omitted the usual pre-configured list to not limit the people choice and give them the opportunity to vote freely and in a good conscience. And amazingly it works.

I also had an awesome entry. It was like My brain with comment “A tool is worthless unless you have a brain behind it 🙂“. It was from Kevin Mitnick (confirmed). Anyway, this one was good and absolutely true. Tools actually just help out to achieve what your brains are scheming and plotting.

In fact, i have just realized that the survey was such a good idea as i discovered new gems. Therefore, it will be a great opportunity to cover them in separate posts.

Enough talking, here are the 2013 Top 10 Security Tools as voted by ToolsWatch.org Users and Readers

Top 10 – Best Security Tool of the year 2013

RANK 1

OWASP ZAP – Zed Attack Proxy Project

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Link >> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Testimonials

“Full of features, stable and actively maintained”

“Best intercepting proxy for doing web application pentesting. It’s free and has advanced functionalit”

“My goto attack proxy application”

“Simply the best open-source application vulnerability scanner”

“Fuzzing and injection are simple and intuitive”

RANK 2

BeEF – The Browser Exploitation Framework Project

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Link >> http://beefproject.com/

Testimonials

“BeEF really shines when it comes to demonstrating the possibilities of XSS to clients. It always blows them away!”

“Great tool for client-side and browser exploitation”

RANK 3

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Link >> http://portswigger.net/burp/

RANK 4

PEStudio

PeStudio is a free tool performing the static investigation of any Windows executable binary. A file being analyzed with PeStudio is never launched. Therefore you can evaluate unknown executable and even malware with no risk. PeStudio runs on any Windows Platform and is fully portable, no installation is required. PeStudio does not change the system or leaves anything behind.

Link >> http://www.winitor.com/

RANK 5

OWASP Xenotix

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation.

Link >> http://opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-5-relesed/

RANK 6

Lynis The Hardening Unix Tool

Lynis is a security tool to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks, looks for installed software and determines compliance to standards. Also will it detects security issues and errors in configuration. At the end of the scan it will provide the warnings and suggestions to help you improving the security defense of your systems.

Link >> http://cisofy.com/lynis/

RANK 7

Recon-NG The Web Reconnaissance Framework

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, us the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.

Link >> https://bitbucket.org/LaNMaSteR53/recon-ng

RANK 8

Suricata The Network IDS/IPS

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Link >> http://suricata-ids.org/

RANK 9

WPScan WordPress Security Tool

WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use it to be for security professionals or WordPress administrators to asses the security posture of their WordPress installations.

Link >> http://wpscan.org/

RANK 10

O-SAFT OWASP SSL Advanced Forensic Tool

This tool lists information about remote target’s SSL certificate and tests the remote target’s SSL connection according given list of ciphers and various SSL configurations.

• show SSL connection details
• show certificate details
• check for supported ciphers
• check for ciphers provided in your own libssl.so and libcrypt.so
• check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
• check for protections against attacks (BEAST, CRIME, RC4 Bias, …)
• may check for a single attribute
• may check multiple targets at once
• can be scripted (headless or as CGI)
• should work on any platform (just needs perl, openssl optional)
• scoring for all checks (still to be improved in many ways 😉
• output format can be customized
• various trace and debug options to hunt unusual connection problems

Link >> https://www.owasp.org/index.php/O-Saft

Other Security Tools that entered the contest and voted by few users (no particular order)

• AlienVault OSSIM – The Open Source SIEM  >> http://www.alienvault.com/open-threat-exchange/projects
• oclHashcat – The Advanced Password Recovery  >> http://hashcat.net/oclhashcat/
• Metasploit – The Exploit Framework >> http://www.metasploit.com/
• WATOBO – Web Application Toolbox >> http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
• Drozer The Comprehensive security and attack framework for Android >> https://labs.mwrinfosecurity.com/tools/drozer/
• SQLMap The Automatic SQL Injection and TakeOver Tool >> http://sqlmap.org/
• Nmap – The Network Scanner and Mapper >> http://nmap.org
• Vega – The open source scanner and web testing platform >> subgraph.com/products.html
• Nova –  The Honeypot Configuration Tool and IDS >> https://github.com/DataSoft/Nova
• Arachni – The Web Application Security Scanner Framework >> http://www.arachni-scanner.com/
• Tunna Framework Bypass Firewalls Restrictions Tools >> http://www.secforce.com/research/tunna.html
• Veil – Anti Virus Evasion >> https://www.veil-evasion.com/
• Moloch – Large Scale PCAP Capturing and Indexing Database >> https://github.com/aol/moloch
• Pipal – The Password Analyzer >> http://www.digininja.org/projects/pipal.php
• SimpleRisk The Entreprise Risk Management Simplified >> http://www.simplerisk.org/
• Security Research and Development Framework >> https://github.com/AmrThabet/winSRDF
• Hackbar Firefox extension for testing Application Security >> https://addons.mozilla.org/en-US/firefox/addon/hackbar/
• Python – The Programming Language >> http://www.python.org/
• Websecurify Web Application Security Toolkit >> http://www.websecurify.com
• Hackademic Challenges Project >> https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
• Cuckoo Sandbox >> http://www.cuckoosandbox.org/