Archive for Code

bruteoptions.py — Get allowed HTTP Methods for a list of directories

A recent email by Dave Aitel to the Dailydave mailing list on Pen testing web servers was an inspiration for publishing a short but simple script. I like to keep things simple when I write scripts, taking the Unix philosophy of doing one thing and doing it well.
bruteoptions.py takes two arguments: 1) a FQDN [...]

Writing a web services fuzzer in 5 minutes to SQL injection

This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple of advantages, like having network access to the service, the WSDL and also [...]

nmaparse.py — Parsing grepable Nmap output to insert into MySQL

Last week, Richard Bejtlich reviewed “Nmap in the Enterprise,” and for the most part, was largely disappointed with its lack of enterprise context. My last script, tissynbe.py, parsed Nessus results in nbe format and inserted them into a MySQL database. Today, I’m making available nmaparse.py, a script that will parse grepable Nmap output [...]

Software Security: a retrospective

Today I am going to cover a topic that is the most important to me: software security. When I talk about “software security”, I refer to the process of building applications — the artifacts, components, and capital that go into making a polished product. Applications are something that development teams worldwide strive to [...]

tissynbe.py — Insert Nessus results into MySQL, output as a CSV

I mentioned in previous posts that I had been working with Nessus — I used it a lot. At the end of the engagement, we had almost a gigabyte of Nessus data saved in nbe format. So to quickly go through and analyze all the results, inserting it into a database was essential. I [...]