Search the Community
Showing results for tags 'pentest'.
Found 4 results
I am looking to do some pen testing qualifications in the near future. I am really interested in buying some of the tool kits offered on the HAK5 Shop but just wanted to know if there are any laws for Japan that would not allow tools like this?
I have a JWT token and I want to modify the key ID field. The kid field can be used for local files. I have verified that /etc/passwd can be used, but I don't know the content. So I want to know some files whose content I can predict. The target website has 127.0.0.1/__sinatra__/404.png, and I can download that PNG file. But I don't know the absolute path for that file. Does anyone know the solution to my problem? Please help me.
I'm looking for some ideas on how to work on and practice using Kali Linux for the purpose of pen-testing and using all the various functions Kali comes with. Things to bear in mind: I am fairly new to this, I have more than one computer, I'm looking to aggressively expand my knowledge in this area, and of course I wanna be able to do this w/o breaking or damaging anything. Thoughts and suggestions, please and thank you!
Hey everyone, just wanted to show you a recently created service for automated web application and network security scans. If some of you are hosting your own web applications, perhaps you could test it. If you actually do, please check if there is some vulnerability Metascan could not find.

Features:
1. Scans all 65535 ports on target hosts. The scan might take a while, but it makes sure that all running services are found.
2. All the services running on the host are checked for available vulnerabilities using CVEdetails DB.
3. All input forms and HTTP parameters are tested for the most common web application vulnerabilities (XSS, SQLi, XXE and other OWASP TOP 10 attacks).
4. 40 protocols can be brute forced with Metascan's unique password dictionary. The dictionary has quite a long history, as it was made up of real user passwords from recent data leaks. Most pentesters I know are building their own dictionaries; the METASCAN one is huge.
5. WordPress is tested separately with multiple tools and dir listing dictionaries for WordPress version, plugins, and themes enumeration. After the versions of plugins and the CMS itself are revealed, METASCAN automatically searches for public exploits. The key word in METASCAN is "automatically"; I'd say it's like an automatic pentester.
6. METASCAN is capable of subdomain enumeration too, so in case you have left some subdomains/testing servers and beta version servers public, there will be info about them in the end report too. In my experience it is a common problem, especially for ICOs.

The reason I created this post is to provide website administrators, who are most likely to be hanging out here, with a useful service for automated web application security assessment. The solution could be useful in case you are not a pentester/whitehat yourself, but need to get some sense of how secure your website is without paying for human work, which is much more expensive. Also, the scan is performed using all the tools an attacker could use to attack your web application. Also, METASCAN is probably the best solution in case you need to scan multiple hosts or a huge network. The network scanner is capable of scanning huge subnets, like /80.

Hope you like it, and any feedback is always appreciated. It took a lot of coding and time to roll out this project. English version for a scan submit: https://metascan.ru/en.html