[WEB SECURITY] Tools or software for hacking windows/iis.

Jarmon, Don R Don.Jarmon at Intergraph.com
Thu Dec 21 17:34:52 EST 2006


I have been working with vulnerability assessment tools since 1995 and
am still seeking one that I like (Free or Commercial).

First scan tool: http://www.ciac.org/ciac/bulletins/f-20.shtml
 
Exploiting a known vulnerability is more like a carnival act.  It can be
pretty cool to watch but not much real value.  We all know gas is
flammable.  Does using a match to test add any value?  Web application
security goes much beyond just patching.  The challenge for any
organization is to establish a secure baseline and sustain it throughout
the entire lifecycle.  This requires effective administrative, physical,
and technical controls.

Most vulnerability assessment tools can only identify surface blemishes
that most often can be linked to ineffective security management
programs.  You have already identified an ineffective vulnerability
management process.  Further exploiting using another tool would not
address the overall security settings and controls of the Web server.
 
http://nvd.nist.gov  (Search for IIS or Windows 2000 or SQL)
http://iase.disa.mil/stigs/compilation/index.html

Don Jarmon - CISSP
Sr. Technical Consultant
Security, Government & Infrastructure (SG&I) Division
Intergraph Corporation
P.O. Box 6695, Huntsville, AL 35824 USA 
P 1.256.730.2366 F 1.256.730.4501
Don.Jarmon(at)Intergraph.com, solutions.intergraph.com


-----Original Message-----
From: Schmidt, Albert E [mailto:AES at ola.state.md.us] 
Sent: Thursday, December 21, 2006 11:30 AM
To: Web Security
Subject: [WEB SECURITY] Tools or software for hacking windows/iis.

Hello group, I am auditing a Windows 2000 web server that has not been
patched for 2 years.  I am looking for tools that could be used to
exploit known vulnerabilities - I do not want to damage the server, but
would like to demonstrate the security weakness for my work papers.  I
have heard that there are tools such as iishack.exe that may be able to
help.  I would like an easy tool, as I am not that technical.  I have a
basic understanding of web application security.
 
Thank you,
 
Albert E. Schmidt, CPA
Senior Information System Auditor
Office of Legislative Audits
Department of General Services
Maryland General Assembly

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

