
  • Status: Solved
  • Priority: Medium
  • Security: Public

Penetration test software


We plan to release a financial transactions web site in production. Before this, however, we need to perform a complete penetration test for this solution.

So I would like you to suggest any possible penetration test software to assist us in this area.

Thank you in advance
1 Solution
I would highly recommend the network tool Yersinia and w33f. However, be warned that Yersinia can cripple your network, so please remember to save your IOS configurations or other networking configuration files before attempting the attacks.


Please award helpful / correct if this post has helped

By: Another VMware newbie, VMthinker
You can use Nessus, a great tool for vulnerability testing. 
Metasploit  -

Nmap -

Nessus already listed above.

Brad Howe, DevOps Manager, commented:

Here are a couple more. While Metasploit and nmap are TOOLS, they are not automated pentesting suites. They are tools for a manual penetration project. As well, some of the suites below are used for internal vulnerability assessment and not necessarily a full attack on an application.

I am surprised nobody mentioned "BACKTRACK 4.0"

Advanced IP Port Scanner

HP Webinspect

Cerberus Internet Scanner

CyberCop Scanner




Note this is only a few, there are MANY!!!

When picking a tool suite, think of the following.


Hope it helps,
Brad Howe, DevOps Manager, commented:
With this said, if you are not familiar with pentesting, I would suggest you look into a 3rd party to conduct your tests.
For financial platforms the 3 forms of testing should be as follows.

Penetration Testing
What they do is act like a malicious attacker. They use manual techniques and penetration toolsets to assess our application defenses. They start with the gathering of public information just like a “malicious” attacker from our public domains. They test our public frontend devices such as firewalls, perimeter routers, and web servers for vulnerabilities and try to break into our systems. This is a preventative form of our defense. We provide Jefferson Wells a list of all our external sites and twice a year they provide footprintings on the application and potential gaps.

PCI Scanning
PCI Scanning is a standard that was created to help companies that process card payments prevent credit card fraud through increased controls around data. All merchants and service providers who process, store, or transmit cardholder data must demonstrate compliance with the PCI DSS or are liable to lawsuit or, worse, the loss of the ability to process credit card payments.
While some servers do not house credit card information, they are still publicly available and therefore can be used as a gateway to other targets.
These scans tend to focus primarily on cipher strengths, SSL versions and weak ports open such as RDP without SSL.
Some companies that do this are QUALYS, HACKER GUARDIAN, etc...
See this list for others, most come with trial scans too. -

Vulnerability Testing
Vulnerability Testing is used to test security of our internal systems so that IF we are compromised, we are possibly limited to the level of insider attacks. These scans check ports, default service accounts, services, shares open on servers, etc.
Typical reports provide vulnerabilities which are caused by Dangerous Default Settings, Software Feature, Vendor Flaw, Mis-configuration.
Hope it helps,
I agree with Hades666, having a professional service do the testing is the best advice.
Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, commented:
Yes, a professional service would be the best, but why not hack around
looking @
1.      Nessus (Linux if you can)
2.      Nikto (Linux)
3.      Paros proxy (Linux if you can)
4.      Ike-scan (Linux)
5.      SARA (Security Auditor's Research Assistant) (Linux)
6.      MBSA (debatable)
7.      Backtrack
8.      skipfish
9.      our own perl/shell scripts
10.    appscan
my recommendation goes for appscan from IBM ex. Watchfire

Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, commented:
Brad Howe, DevOps Manager, commented:
But then again, I always fall to Backtrack. No footprint with all the toolsets I need. As per the link, the list is good but then again, most of them are vulnerability assessment tools and again not necessarily penetration testing tools.
Regardless, IF you are doing this by yourself,
A) have valid backups
B) turn off IDS
C) GET CONSENT as it is a criminal offense.
I would highly suggest you just get an approved penetration vendor and have it contractually scheduled, approved and reported against.
Just my 2 cents.
johnf23, Author, commented:
OK I will test it
Question has a verified solution.