
Introduction to Automated Penetration Test Frameworks

by manga0713 2012. 8. 15.


[Image source: oneconsult]



○ Automated Penetration Test Tools


1. Arachni

2. CORE IMPACT® Pro

3. CORE INSIGHT Enterprise

4. Google® Skipfish

5. Immunity® CANVAS® Professional

6. Immunity SILICA®

7. Parasoft® SOAtest with Parasoft Load Test

8. Rapid7® Metasploit® Express

9. Rapid7 Metasploit Pro

10. Rapid7 NeXpose

11. Spirent® Avalanche Vulnerability Assessment

12. w3af

13. Wapiti 2.2.1

14. Websecurify




1. Arachni


Type: Automated Pen Testing Framework
Target(s): Web applications
Format: Software
OS: Linux, UNIX, POSIX-compliant; Windows/Cygwin
Hardware: -
License: Open source
SCAP Validated: -
Standards: -
Supplier: Tasos "Zapotek" Laskos, Matías Aereal Aeón
Information: http://arachni.segfault.gr/
 

* Latest release: v0.4.0.2 (20120815)




2. CORE IMPACT® Pro


Type: Automated Pen Testing Framework
Target(s): Web applications, databases, client/server host operating systems, email users
Format: Software
OS: Windows 7 (Ultimate/Pro/Enterprise 32/64-bit); Vista (Ultimate/Enterprise/Business) SP2; Server 2008/2003 R2/2003 SP2; XP Pro SP3; all running IE 7.0
Hardware: -
License: Commercial
SCAP Validated: http://nvd.nist.gov/validation_coresecurity.cfm
Standards: SCAP, CVE, CVSS
Supplier: CORE Security Technologies
Information: http://www.coresecurity.com/content/CORE-INSIGHT-Enterprise
 




3. CORE INSIGHT Enterprise


Type: Automated Pen Testing Framework
Target(s): Network devices (routers, hubs, switches, firewalls, IDS/IPS, etc.), Web applications, databases (Microsoft SQL Server, Oracle, IBM DB2, etc.), client/server host operating systems (Windows, Linux, Mac OSs, etc.), endpoint applications (e.g., antivirus/antiphishing/antimalware systems, host IDS/IPS, browsers, email clients, instant messengers, media players, business applications, productivity tools, etc.) and end users
Format: Software
OS: Windows 7 (Ultimate/Pro/Enterprise 32/64-bit); Vista (Ultimate/Enterprise/Business) SP2; Server 2008/2003 R2/2003 SP2; XP Pro SP3; all running IE 7.0
Hardware: 3GHz+ Pentium IV, 1GB RAM (2GB recommended), 4GB free disk space, Ethernet NIC, 1024x768 res. monitor (1280x1024 recommended)
License: Commercial
SCAP Validated: -
Standards: -
Supplier: CORE Security Technologies
Information: http://www.coresecurity.com/content/CORE-INSIGHT-Enterprise
 




4. Google® Skipfish


Type: Automated Pen Testing Framework
Target(s): Web applications
Format: Software
OS: Linux, FreeBSD, Mac OS X, and Windows/Cygwin
Hardware: -
License: Open source
SCAP Validated: -
Standards: -
Supplier: Google Skipfish
Information: http://code.google.com/p/skipfish/wiki/SkipfishDoc
 




5. Immunity® CANVAS® Professional


Type: Automated Pen Testing Framework
Target(s): All common platforms and applications
Format: Software
OS: Windows, Linux (validated on Ubuntu and Fedora), Mac OS X, UNIX, other OSs (e.g., mobile phone OSs) with Python 2.5/2.6, GTK2, pycairo, pygobject, and pygtk installed
Hardware: 1.2GHz CPU, 1GB RAM, 250MB disk, wired or wireless NIC
License: Commercial
SCAP Validated: -
Standards: -
Supplier: Immunity, Inc.
Information: http://www.immunitysec.com/products-canvas.shtml
 




6. Immunity SILICA®


Type: Automated Pen Testing Framework
Target(s): 802.11 a/b/g/n Wi-Fi-based hosts and devices
Format: Appliance or software
OS: Software: Ubuntu Linux (native or on VMware)
Hardware: Intel CPU, Personal Computer Memory Card International Association (PCMCIA) PC Card or ExpressCard
License: Commercial
SCAP Validated: -
Standards: -
Supplier: Immunity, Inc.
Information: http://www.immunitysec.com/productssilica.shtml
 




7. Parasoft® SOAtest with Parasoft Load Test


Type: Automated Pen Testing Framework
Target(s): Representative (not a complete list): IBM WebSphere, Oracle (including BEA WebLogic and AquaLogic), .NET (with Windows Communication Foundation), Software AG/webMethods, Progress® Sonic® (SonicMQ®, SOAP/XML, Java Message Service [JMS])
Format: Software
OS: Windows 2000/2003/XP/Vista/7; Linux; Solaris. If running the plug-in version of SOAtest with the Load Testing Solution plug-in, must also run Eclipse 3.2.1+
Hardware: -
License: Commercial
SCAP Validated: -
Standards: -
Supplier: Parasoft Corp.
Information: http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319#security_testing
 




8. Rapid7® Metasploit® Express


Type: Automated Pen Testing Framework
Target(s): Web applications, network devices, database servers, endpoint systems, and email users on the following platforms: Linux (Ubuntu, BackTrack, Red Hat), Mac OS X, Windows, UNIX, Apple iPhone®, Google Android®, Nokia® N900
Format: Software
OS: Windows (XP, 2003, Vista, 2008 Server, 7); Linux (Red Hat Enterprise 5.x, Ubuntu 8.04+ [32-bit/64-bit]; may run on other Linux distributions, but not validated on them by Rapid7)
Hardware: 2GHz+ processor, 2GB RAM (increase as needed if running virtual machine targets on the same device), 500MB disk, 10/100Mbps NIC
License: Commercial
SCAP Validated: -
Standards: CVE
Supplier: Rapid7
Information: http://www.metasploit.com/
 




9. Rapid7 Metasploit Pro


Type: Automated Pen Testing Framework
Target(s): Web applications, network devices, database servers, endpoint systems, and email users on the following platforms: Linux (Ubuntu, BackTrack, Red Hat), Mac OS X, Windows, UNIX-like platforms, Apple iPhone, Google Android, Nokia N900
Format: Software
OS: Windows (XP, 2003, Vista, 2008 Server, 7); Linux (Red Hat Enterprise 5.x, Ubuntu 8.04+ [32-bit/64-bit]; may run on other Linux distributions, but not validated on them by Rapid7)
Hardware: 2GHz+ processor, 2GB RAM (increase as needed if running virtual machine targets on the same device), 500MB disk, 10/100Mbps NIC
License: Commercial
SCAP Validated: -
Standards: CVE
Supplier: Rapid7
Information: http://www.metasploit.com/
 




10. Rapid7 NeXpose


Type: Automated Pen Testing Framework
Target(s): Networks, operating systems, databases, Web applications
Format: Software
OS: -
Hardware: 2GHz+ Intel CPU, 4GB RAM (32-bit) or 8GB RAM (64-bit), 90GB+ disk, 100Mbps NIC
License: Commercial (Community edition is freeware)
SCAP Validated: http://nvd.nist.gov/validation_rapid7.cfm
Standards: SCAP, OVAL, CVE, CVSS
Supplier: Rapid7
Information: http://www.rapid7.com/products/nexpose-enterprise-edition.jsp
http://www.rapid7.com/products/nexpose/features/overview.jsp




11. Spirent® Avalanche Vulnerability Assessment


Type: Automated Pen Testing Framework
Target(s): Networks
Format: Appliance
OS: -
Hardware: -
License: Tool: Open source; Appliance: Commercial
SCAP Validated: -
Standards: -
Supplier: Spirent Communications (UK)
Information: http://www.spirent.com/Solutions-Directory/Avalanche/Avalanche_Vulnerability_Assessment.aspx
 




12. w3af


Type: Automated Pen Testing Framework
Target(s): Web applications
Format: Software
OS: Windows XP/Vista (validated), OpenBSD (validated), any other platform that supports Python (not validated); all must have Python 2.5 and related files installed
Hardware: -
License: Open source
SCAP Validated: -
Standards: -
Supplier: Rapid7 (Andrés Riancho)
Information: http://w3af.sourceforge.net/
 




13. Wapiti 2.2.1


Type: Automated Pen Testing Framework
Target(s): Web applications
Format: Software
OS: Any OS in which a Python interpreter and runtime are installed (including Windows, Mac OS X, Linux)
Hardware: -
License: Open source
SCAP Validated: -
Standards: -
Supplier: Nicolas Surribas (Spain)
Information: http://wapiti.sourceforge.net/
 




14. Websecurify


Type: Automated Pen Testing Framework
Target(s): Web applications, including those that use newer Web technologies (e.g., HTML 5)
Format: Software
OS: Windows, Mac OS X, Linux
Hardware: -
License: Open source
SCAP Validated: -
Standards: -
Supplier: GNUCITIZEN Information Security Think Tank
Information: http://www.websecurify.com/