BANGLADESH UNIVERSITY OF ENGINEERING & TECHNOLOGY (BUET) DHAKA
TECHNICAL SPECIFICATION FOR SUPPLY AND INSTALLATION OF SOFTWARE.
NO: HEQEP/CP-3137/Procurement/PacakageG8/27-09-2016/007
| Sl. No. | Item Name | Description | Qty | |
|---|---|---|---|---|
| 1 | Penetration Testing Solution | Brand/Developer Name | To be mentioned by the bidder | 1 |
| Model/Version | To be mentioned by the bidder | |||
| Country of Origin | To be mentioned by the bidder | |||
| Software Specifications | ||||
| Installation, Deployment, and Integration | Software shall be installed on Linux (32bit/64bit) and Windows (32bit/64bit). For 64bit OS, the software must be truly 64bit architecture built. | |||
| Shall have weekly update (e.g. exploit module). | ||||
| Shall support offline activation and update. | ||||
| Administration | Shall have encrypted web GUI. | |||
| Shall have command line console. | ||||
| Shall apply API to integrate with other system or to automate the workflow. | ||||
| Tasks (e.g. scan, exploit) shall be run on schedule. | ||||
| Host Scan and Web Scan | Shall discover the hostâ??s OS and running service | |||
| Shall support customized nmap command for scan | ||||
| Shall support dry run to show the scan information in task log only | ||||
| Shall integrate with NeXpose to discover hostâ??s OS, running service and vulnerability | ||||
| Shall support automatic tag by OS | ||||
| Shall import the scan result from solutions including but not limited to NeXpose, Metasploit, Acunetix, Amap, Appscan, Foundstone, Libpcap, Microsoft MBSA, Nessus, NetSparker, Nmap, Qualys and Retina. | ||||
| System Exploitation | Shall apply exploit on individual IP or multiple IP. | |||
| Exploit modules shall be applied automatically based on OS, service and vulnerability reference. | ||||
| Shall have at least 6 reliability levels of exploit codes for automated exploitation. | ||||
| Shall support running individual exploit module. | ||||
| Shall have option to skip exploit on known fragile device. | ||||
| Shall support dry run to show exploit information in task log only. | ||||
| Shall replay the exploit code and the code can be customized. | ||||
| Bruteforcing | Shall apply bruteforce on the services including but not limited to SMB, Postgres, DB2, MySQL, MSSQL, Oracle, HTTP, HTTPS, SSH, Telnet, FTP, POP3, BSD EXEC, BSD LOGIN, BSD SHELL, VMAuthd, VNC, SNMP, AFP. | |||
| Shall support customized credential and dictionary. | ||||
| Shall support credential mutation. | ||||
| Shall support dry run to show the generated credential in task log only. | ||||
| Shall have built-in dictionary for well-known credential and default login. | ||||
| Post Exploitation Action and Evidence Collection | Shall support payload types "Meterpreter" and "Command Shell." | |||
| Shall support customized macro to run the selected operations automatically after exploit. | ||||
| Shall support post exploitation actions including but not limited to collect system data (screen capture, password, system information), build a virtual desktop connection, access file system, search the file system, run a command shell, create proxy pivot, create VPN pivot. | ||||
| Shall deploy persistent listener to allow exploited host connecting back automatically like building a botnet. | ||||
| Social Engineering Campaign | Shall support Web campaign, Email campaign and USB campaign. | |||
| Web campaign shall be customized with http/https, IP address, port and path (e.g. https://www.abc.com:1234/abcd). | ||||
| Web content shall be cloned from another web site (e.g. www.google.com). | ||||
| Web campaign shall supports browser autopwn (apply all the appropriate exploit modules based on the browser version), specific browser exploit (e.g. MS11-050) and not do anything (just checking the connection from the users). | ||||
| Email campaign shall support email content customization to include a specific URL or an agent attachment. | ||||
| USB campaign shall support generating an agent deployment exe file. | ||||
| Web Application Exploitation | Shall support web crawling on IPv4 and IPv6 web sites. | |||
| Web crawling shall be applied on a web site (e.g. http://www.abc.com) or started from a specific point (e.g. http://www.abc.com/path/starthere/). | ||||
| Shall detect the vulnerable URL and parameter such as SQL Injection and Cross Site Scripting. | ||||
| Report and Data Export | Shall have built-in standard report and customized report functionality | |||
| Shall have at least 9 built-in standard reports. | ||||
| Report format shall include but not limited to PDF, Word, RTF and HTML. | ||||
| Report shall be stored locally and sent to recipient by email after created. | ||||
| Training | 2 days 10hrs training at least for 10 persons | |||
| Warranty | Should have 02 years OEM Warranty including subscription & Support and bidder Should quote the manufacturer support part code. | |||
Dr. A.K.M. Ashikur Rahman
Professor, Dept. of Computer Science & Engineering, BUET
&
Sub Project Manager, CP- 3137