ToolsWatch folks are honored to announce the 2016 Top Security Tools, this is the fourth edition of our online voting by our readers.
We noticed that the tools presented during the Black Hat Arsenal sessions have gained a large popularity amongst the infosec community. We, at ToolsWatch, are very proud and happy to promote great tools from great folks at the greatest event Black Hat Arsenal.
Thanks for your time and your votes.
Results by Year
[tabgroup][tab title=”Results 2016″]
01 – Objective-See tools (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – OWASP VBScan (NEW)
04 – WarBerry PI (NEW)
05 – Mobile Security Framework (MobSF) (NEW)
06 – OWASP ZSC (NEW)
07 – Burp Suite (-1↓)
08 – Halcyon IDE (NEW)
09 – DataSploit (NEW)
10 – Lynis (-8↓)
10 – Faraday (-6↓)
10 – Sparta (NEW)
[/tab][tab title=”Results 2015″]
01 – OWASP ZAP – Zed Attack Proxy Project (+1↑)
02 – Lynis (+1↑)
03 – Haka (NEW)
04 – Faraday (NEW)
05 – BeEF – The Browser Exploitation Framework (-1↓)
06 – Burp Suite (NEW)
07 – PeStudio (-1↓)
08 – Nmap (+2↑)
09 – IDA Pro (NEW)
10 – OWASP Offensive (Web) Testing Framework (-3↓)
2016 Top Security Tools as Voted by ToolsWatch.org Readers
01- Objective-See OS X Security Tools
Introduced during Black Hat Arsenal 2015 and returned in 2016, Objective-See Security Tools were widely and grealtly appreciated by the audience. Tools such KnockKnock, RansomWhere, BlockBlock and OverSight were massively voted during this campaign. Check the URL to learn how Patrick Wardle’s tools can help you incredibly improve security of your Macs !
02- OWASP ZAP – Zed Attack Proxy Project
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
03- OWASP VBScan
OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an opensource project in perl programming language to detect VBulletin CMS vulnerabilities and analyses them.
04- WarBerry PI
The WarBerry PI is a customized RaspBerryPi hacking dropbox which is used in Red Teaming engagements with the sole purpose of performing reconnaissance and mapping of an internal network and providing access to the remote hacking team while remaining covert and bypassing security mechanisms.
The outcome of these red teaming exercises is the demonstration that if a low cost microcomputer loaded with python code can bypass security access controls and enumerate and gather such a significant amount of information about the infrastructure network which is located at.
05- Mobile Security Framework (MobSF)
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code.
MobSF can also perform Web API Security testing with it’s API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.
06- OWASP ZSC
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python. According to other shellcode generators same as metasploit tools and etc, OWASP ZSC using new encodes and methods which antiviruses won’t detect.
OWASP ZSC encoderes are able to generate shell codes with random encodes and that allows you to generate thousands of new dynamic shellcodes with same job in just a second,that means, you will not get a same code if you use random encodes with same commands
Black Hat Arsenal survivor: Europe 2016
07- Burp Suite
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
08- Halcyon IDE
Halcyon is the first IDE specifically focused on Nmap Script (NSE) Development. This research idea was originated while writing custom Nmap Scripts for Enterprise Penetration Testing Scenarios. The existing challenge in developing Nmap Scripts (NSE) was the lack of a development environment that gives easiness in building custom scripts for real world scanning, at the same time fast enough to develop such custom scripts.
Halcyon is free to use, java based application that comes with code intelligence, code builder, auto-completion, debugging and error correction options and also a bunch of other features like other development IDE(s) has. This research was started to give better development interface/environment to researchers and thus enhance the number of NSE writers in the information security community.
DataSploit utilizes various Open Source Intelligence (OSINT) tools and effective techniques and brings them all into one place, correlates the raw data captured and gives the user, all the relevant information about the domain / email / phone number / person, etc. DataSploit allows you to collect relevant information about a target which can expand your attack/defence surface very quickly.
Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.
Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
ToolsWatch Best Tools : Rank 4 2015
SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results. Despite the automation capabilities, the commands and tools used are fully customisable as each tester has his own methods, habits and preferences.
Besides the Top 10, voters have mentioned the following tools (not sorted) and some made very decent scores
- OWASP Dependency
- OWASP JoomScan
- Android Tamer
- Shelter AV Invasion