"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code.

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co Creator of Samba


For Penetration Testers

DEFENSICS™ for penetration testing

The purpose of penetration testing is to see whether it is possible to gain access to a system by trying out various attack scenarios. Penetration testing is still largely done manually: one or more security experts are called in to conduct ad-hoc tests. This is a relatively slow and resource-consuming method of testing. Nevertheless, it has its purpose. Frequently, penetration testing is used to justify the need for more extensive testing.

Codenomicon DEFENSICS™ enables you to achieve better audit efficiency by providing easy-to-use test automation tools. The Codenomicon Network Analyzer helps you focus on the correct attack vectors and the DEFENSICS™ fuzzers test the systems faster and more thoroughly.

 

Why use DEFENSICS™ in Penetration testing?

DEFENSICS™ is designed especially for penetration testers. It contains general-purpose XML and Traffic Capture fuzzers, enabling you to test both protocol and application level implementations, and model-based fuzzers for other frequently used protocols like HTTP, SSL/TLS and FTP. Together they provide all the tools you need to perform more thorough penetration testing quickly and easily.

 

AUTOMATED PENETRATION TESTING:

Codenomicon DEFENSICS™ tools are fully automated, software-based solutions that are easy to integrate into your own security auditing processes. The resulting tests are faster and more comprehensive.

BUILT-IN INTELLIGENCE:

Penetration testing requires substantial knowledge of protocols and systems from the testers, whereas in fuzzing the expertise can be built into the tools. Relatively inexperienced testers can perform the fuzz tests, making it easier to build up the penetration test team. Codenomicon's model-based fuzzers:

  • COVER the entire protocol, and document every tested feature and resulting test case
  • TARGET protocol areas most susceptible to vulnerabilities to shorten test run times
  • IDENTIFY vulnerabilities in deeper protocol layers
  • GENUINELY INTEROPERATE with systems under test (SUT)
  • DO NOT REQUIRE TEST TOOL CREATION OR MAINTENANCE EFFORT

TEST ANY PROTOCOL:

The Codenomicon Traffic Capture Fuzzer can be used to test all IP-based traffic. The tests are generated from captured messages, so no protocol specifications are needed to create the tests. It is the only tool available for testing proprietary protocols and protocol extensions. It can also be used to test systems in the very early stages of development.

TEST ANY LAYER:

Tests should cover all layers of protocols in all infrastructure components, including browsers, load balancers, firewalls and application servers. DEFENSICS™ has ready-made off-the-shelf test suites for testing all communication layers, from IPv4 and IPv6 to application protocols like HTTP and SIP. Both client and server implementations can be tested.

TEST XML APPLICATIONS THOROUGHLY:

XML is widely used, but its complexity makes it not only prone to vulnerabilities but also hard to test. Codenomicon's intelligent stateful fuzzers can genuinely interact with the tested system and test each layer individually, and thus achieve unparalleled efficiency in finding vulnerabilities.

FAST TEST RUNS:

The Codenomicon Penetration Test Suite package enables you to test faster and more effectively by:

  • EXECUTING MULTIPLE TESTS simultaneously
  • TARGETING TESTS using MODEL-BASED FUZZERS and the NETWORK ANALYZER

 

Benefits of proactive fuzz testing:

 

FIND ZERO-DAY VULNERABILITIES:

DEFENSICS™ has an unparalleled ability to find unique, previously unknown vulnerabilities.

REPRESENTS REAL THREATS:

Fuzzing does exactly what attackers do when finding zero-day vulnerabilities: it sends unexpected messages to vulnerable systems in order to find flaws.

BUILDS SECURITY INTO YOUR SYSTEM:

Fuzzing improves the quality of your code, ensuring the security of your application.