Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/garethr/pentesting-playground

Code for installing various security minded tools onto Vagrant powered virtual machines
https://github.com/garethr/pentesting-playground

Last synced: 12 days ago
JSON representation

Code for installing various security minded tools onto Vagrant powered virtual machines

Host: GitHub
URL: https://github.com/garethr/pentesting-playground
Owner: garethr
Created: 2013-04-20T21:14:20.000Z (over 11 years ago)
Default Branch: master
Last Pushed: 2014-07-21T21:15:12.000Z (over 10 years ago)
Last Synced: 2024-10-04T10:44:13.290Z (about 1 month ago)
Language: Puppet
Size: 197 KB
Stars: 172
Watchers: 21
Forks: 31
Open Issues: 5
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Penetration Testing Playground

There are lots of interesting tools for testing the security of web

applications. Unfortunately many of them are unknown to most developers

and poorly packaged (I don't want a separate distro thanks). This project aims to bring together some familiar developer tools (like Vagrant and Puppet) with as many interesting security tools as I can find.

Once you have have tools you want somewhere safe to test them out. This

project also contains a vulnerable web application running in a separate

virtual machine which can be used as a test bed.

## Usage

I'm assuming you already have Ruby and Vagrant installed. The we need to

install the dependencies.

    bundle install

    bundle exec librarian-puppet install

This should fill your modules folder with puppet modules from the Puppet

Forge. Next up we can start our virtual machines.

    vagrant up

This should launch two machines, one called attacker and the other

victim. Attacker gets lots of tools installed and victim gets a

vulnerable web application setup.

If you want to test some of the tools out then you'll want to ssh into

the attacker virtual machine:

    vagrant ssh attacker

Many of the tools are not packages and these are simply installed into

/opt. Just cd to the relevant directory and run the tools from there.

If you want to change anything on the victim virtual machine you can

access that with:

    vagrant ssh victim

If you only wanted the attacker (or victim) virtual machine then you can

use either:

   vagrant up attacker

   vagrant up victim

## Tools installed

* [skipfish](http://code.google.com/p/skipfish/)

* [nmap](http://nmap.org/)

* [nikto](http://www.cirt.net/nikto2)

* [w3af](http://w3af.org/)

* [garmr](https://github.com/mozilla/Garmr)

* [sslyze](https://github.com/iSECPartners/sslyze)

* [wpscanner](https://github.com/metachris/wpscanner)

* [owasp zap](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)

* [arachni](http://arachni-scanner.com/)

* [gauntlt](https://github.com/gauntlt/gauntlt)

* [sqlmap](http://sqlmap.org/)

* [wpscan](http://wpscan.org/)

* [sslscan](http://sourceforge.net/projects/sslscan/)

* [TLSSLed](http://blog.taddong.com/2013/02/tlssled-v13.html)

* [slowhttptest](https://code.google.com/p/slowhttptest/)

* [DIRB](http://dirb.sourceforge.net/)

* [SQLiBF](http://sourceforge.net/projects/sqlibf/)

If you would like to add something else then please send a pull request

or open an issue.

## Disclaimer

These tools are designed to attack or find vulnerabilities in other

applications. Testing for vulnerabilities is an important part of

building a secure web application, but please don't use this set of tools to

attack other peoples site. It's probably illegal and definitely not very

polite.