Repost: 2016 Top Security Tools as Voted by ToolsWatch.org Readers

Top 10 security tools of 2016 (as voted by ToolsWatch.org readers)

Original article: http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/

Results by Year:

01 – Objective-See tools (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – OWASP VBScan (NEW)
04 – WarBerry PI (NEW)
05 – Mobile Security Framework (MobSF) (NEW)
06 – OWASP ZSC  (NEW)
07 – Burp Suite (-1↓)
08 – Halcyon IDE (NEW)
09 – DataSploit (NEW)
10 – Lynis (-8↓)
10 – Faraday (-6↓)
10 – Sparta (NEW)



01- Objective-See OS X Security Tools


    Introduced during Black Hat Arsenal 2015 and returning in 2016, the Objective-See security tools were widely and greatly appreciated by the audience. Tools such as KnockKnock, RansomWhere, BlockBlock and OverSight received a large number of votes during this campaign. Check the URL to learn how Patrick Wardle's tools can help you substantially improve the security of your Macs!


URL: https://objective-see.com/products.html



02- OWASP ZAP – Zed Attack Proxy Project


    The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

    ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.


URL: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project



03- OWASP VBScan


    OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an open source project written in Perl that detects and analyses vulnerabilities in the vBulletin CMS.


URL: https://www.owasp.org/index.php/OWASP_VBScan_Project



04- WarBerry PI


    The WarBerry PI is a customized Raspberry Pi hacking dropbox used in red teaming engagements with the sole purpose of performing reconnaissance and mapping of an internal network and providing access to the remote red team while remaining covert and bypassing security mechanisms.

    The outcome of these red teaming exercises is a demonstration of how much a low-cost microcomputer loaded with Python code can achieve once it bypasses security access controls: it can enumerate and gather a significant amount of information about the network infrastructure it is placed in.


URL: https://github.com/secgroundzero/warberry



05- Mobile Security Framework (MobSF)


    Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code.

    MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to sessions and API rate limiting.


URL: https://github.com/ajinabraham/Mobile-Security-Framework-MobSF



06- OWASP ZSC


    OWASP ZSC is open source software written in Python which lets you generate customized shellcodes and convert scripts into obfuscated scripts. It runs on Windows/Linux/OSX under Python. Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encoders and methods which, according to the project, antiviruses won't detect.

    The OWASP ZSC encoders can generate shellcodes with random encodings, which allows you to generate thousands of new dynamic shellcodes that do the same job in just a second; that is, you will not get the same code twice if you use random encodings with the same commands.


URL: https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project



07- Burp Suite


    Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

    Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.


URL: https://portswigger.net/burp/



08- Halcyon IDE


    Halcyon is the first IDE specifically focused on Nmap Script (NSE) development. The idea originated while writing custom Nmap scripts for enterprise penetration testing scenarios. The existing challenge in developing Nmap scripts (NSE) was the lack of a development environment that makes it easy to build custom scripts for real-world scanning while at the same time being fast enough to develop such scripts.

    Halcyon is a free-to-use, Java-based application that comes with code intelligence, a code builder, auto-completion, debugging and error correction options, and a bunch of other features that other development IDEs have. This research was started to give researchers a better development interface/environment and thus increase the number of NSE writers in the information security community.


URL: http://halcyon-ide.org/



09- DataSploit


    DataSploit utilizes various Open Source Intelligence (OSINT) tools and effective techniques and brings them all into one place, correlates the raw data captured, and gives the user all the relevant information about a domain, email address, phone number, person, etc. DataSploit allows you to collect relevant information about a target, which can expand your attack/defence surface very quickly.


URL:  https://github.com/upgoingstar/datasploit



10- Lynis


    Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than network vulnerability scanners.


URL: https://cisofy.com/lynis/



10- Faraday


    Faraday introduces a new concept, the Integrated Penetration-Test Environment (IPE): a multiuser penetration test IDE designed for the distribution, indexing and analysis of the data generated during a security audit. The main purpose of Faraday is to re-use the tools already available in the community and take advantage of them in a multiuser way.


URL: https://www.faradaysec.com



10- Sparta


    SPARTA is a Python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results. Despite the automation capabilities, the commands and tools used are fully customisable, as each tester has his own methods, habits and preferences.


URL: http://sparta.secforce.com/



Besides the Top 10, voters mentioned the following tools (not sorted), some of which also scored very well:

OWASP Dependency
OWASP JoomScan
ModSecurity
Android Tamer
BeEF
PEStudio
BloodHound
WPScan
WSSAT
Shellter AV Evasion
Responder
Needle



Reposted from blog.csdn.net/ggf123456789/article/details/60746469