Re: [Owasp-delhi] Tools for Web Server V A
Hi,

There is one more open-source tool available which keeps on getting free feeds.

Regards,
Munish

From: owasp-delhi-boun...@lists.owasp.org [mailto:owasp-delhi-boun...@lists.owasp.org] On Behalf Of Neelu Tripathy
Sent: Friday, February 19, 2010 10:28 AM
To: suresh tiwary
Cc: owasp-delhi@lists.owasp.org
Subject: Re: [Owasp-delhi] Tools for Web Server V A

Hi,

Yes, NESSUS can be used for web server VA. It is recommended to use the professional feeds, though. Besides you can fine tune your tests for IIS in NESSUS.

Regards,
Neelu Tripathy
Security Analyst, TEG
Tata Consultancy Services
Mailto: neelu.tripa...@tcs.com
Website: http://www.tcs.com

From: suresh tiwary sureshtiw...@rediffmail.com
To: owasp-delhi@lists.owasp.org
Cc: neelu.tripa...@tcs.com, ra.shrivastav...@gmail.com, shekhar.ar...@me.com, vinodh.ki...@teaqtech.com
Date: 02/18/2010 05:50 PM
Subject: [Owasp-delhi] Tools for Web Server V A

Dear OWASP Delhi,

Thank you all for the good information, but I am still confused whether NESSUS is a web server vulnerability assessment tool or a network assessment tool. Please suggest.

The situation is: I have to perform the V.A of IIS using a tool. So how do I start: use NESSUS and proceed, or use any commercial tool? If a commercial tool, then which is the widely accepted commercial tool? An organization can't have multiple commercial tools, so suggest a few commercial tools that can perform web server V.A. Also, any checklist for IIS V.A?

Thanks and regards,
Suresh

Note: Forwarded message attached

-- Original Message --
From: Vinodh Kiran S vinodh.ki...@teaqtech.com
To: sureshtiw...@rediffmail.com
Cc: neelu.tripa...@tcs.com, ra.shrivastav...@gmail.com
Subject: FW: [Owasp-delhi] Tools for Web Server V A

Dear Suresh,

In continuation of the below recommendations from Rahul and Neelu, I just wanted to let you know that we represent Core Security (Providers of Core Impact), here in India. The attached datasheet will give you a quick overview. I would like to know your thoughts on this. Please do contact me for any further assistance.

Good Day!

Regards,
Vinodh Kiran S | Sr. Manager - ECM | Cell: +91 (0) 9900247424
Teaq Technologies Pvt. Ltd.
#320, 6c Cross, OMBR Layout | Bangalore 560 043, INDIA | Telefax: +91 (80) 4161 2610

From: owasp-delhi-boun...@lists.owasp.org [mailto:owasp-delhi-boun...@lists.owasp.org] On Behalf Of Neelu Tripathy
Sent: Wednesday, February 17, 2010 4:11 PM
To: suresh tiwary
Cc: owasp-delhi@lists.owasp.org; owasp-delhi-boun...@lists.owasp.org
Subject: Re: [Owasp-delhi] Tools for Web Server V A

Hi Suresh,

Apart from what Rahul suggested, you can also go for GFI Languard or Core Impact (both proprietary). For a better hands-on and/or manual assessment, try using Metasploit (open source), though that might be more on the PT side.

Regards,
Neelu Tripathy
Security Analyst, TEG
Tata Consultancy Services
Mailto: neelu.tripa...@tcs.com

From: suresh tiwary sureshtiw...@rediffmail.com
To: owasp-delhi@lists.owasp.org
Date: 02/17/2010 11:46 AM
Subject: [Owasp-delhi] Tools for Web Server V A
Sent by: owasp-delhi-boun...@lists.owasp.org

Issue: Tools for web server V A for IIS, Apache etc.?

Dear OWASP Delhi,

Can anyone provide complete and comprehensive information, sites of web server vulnerability assessment by manual method and by automated tools.

1. What are the free tools / open source tools actually and practically used for web server V A?
2. What are the commercial tools used for automated web server V A?
3. How is a manual web server V A conducted? Any checklist and the practical process?
4. People can share their web server V A experience.

Thanks and regards,
Suresh

___
Owasp-delhi mailing list
Owasp-delhi@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
Re: [Owasp-delhi] Tools for Web Server V A
Hi,

Yes, NESSUS can be used for web server VA. It is recommended to use the professional feeds, though. Besides you can fine tune your tests for IIS in NESSUS.

Regards,
Neelu Tripathy
Security Analyst, TEG
Tata Consultancy Services
Mailto: neelu.tripa...@tcs.com
Website: http://www.tcs.com
Re: [Owasp-delhi] Tools for Web Server V A
hi All,

A site which can assist: http://www.vulnerabilityscanning.com/Web-Servers-Security.htm

regards,
satyajit
Re: [Owasp-delhi] Tools for Web Server V A
Hi Suresh,

1. What are the free tools / open source tools actually and practically used for web server V A?

Qualys Guard and Nessus. They also give you something like test scans; using that, you can run a few scans as you like, and this doesn't require paying them till a certain limit.

2. What are the commercial tools used for automated web server V A?

Qualys Guard and Nessus again. You can configure them to run scans and throw reports at periodic intervals.

3. How is a manual web server V A conducted? Any checklist and the practical process?

Not much idea about this one. Sorry.

4. People can share their web server V A experience.

Well, what the report provides is a lot of information, and there may be false positives also. There generally are; then it will require some research and then talking to the asset owners of the assets where the vulnerability exists. In Qualys there are two kinds of vulnerability: 1. Potential 2. Confirmed.

Hope this all gives you a good idea and helps you moving ahead!

Regards,
Rahul Shrivastava
IT Security Consultant
Re: [Owasp-delhi] Tools for Web Server V A
Hi Suresh,

Apart from what Rahul suggested, you can also go for GFI Languard or Core Impact (both proprietary). For a better hands-on and/or manual assessment, try using Metasploit (open source), though that might be more on the PT side.

Regards,
Neelu Tripathy
Security Analyst, TEG
Tata Consultancy Services
Mailto: neelu.tripa...@tcs.com