Penetration Testing [closed]

Solution 1:

the whitehat consultants i've seen come in & use this tool then send you a massive bill.

Take a look at OWASP (Open Web Application Security Project) they're very informative & free! they have a very detailed pen-testing guide that you must look at.

Solution 2:

Tools that I would use

Nmap Sister Tool SQLMap

and Nessus

also quick scanning for XSS and HTML Injection http://www.seoegghead.com/tools/scan-for-html-injection.seo also http://www.cirt.net/nikto2

Make sure you have looked at this during your development OWASP

You need to also check the Security Guidence from MS Windows Server 2008 Security Guide

Solution 3:

McAfee Secure offers a pretty decent scanning service that will look at the web server, network, and the web site itself in an automated, on-demand way. Their scanner is certified for PCI scans, so it's pretty comprehensive.

Solution 4:

Another option is Qualys. Keep in mind that Qualys and the mcAfee Secure solution are vulnerability scanners. Pen-testing can be automated with respect to scans, and some of it can be automated for XSS and SQL injection attacks, but ultimately, you'd want a reputable pentester checking the system.

Solution 5:

The first thing would be a network scan. Since you're on the windows stack, use zenmap and scan the webserver and both sql servers. This will tell you about open ports and services running. Run zenmap on the comprehensive test. I would use this info to tweak your firewall to block ports that are exposed.

Another thing you would want to do is look for SQL Injection vulnerabilities.

Scrawlr is a free software for scanning SQL injection vulnerabilities on your web applications.

It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.

Check out this ScreenToaster video that I created. It demonstrates a simple network scan for sql server, port 1433, and a basic SQL Injection.