Gauntlt: Go Ahead, Be Mean to your Code

Post on 10-May-2015


5 Minute Talk at Austin Cloud User Group on gauntlt. See http://gauntlt.org

Transcript of Gauntlt: Go Ahead, Be Mean to your Code

Gauntlt: Go Ahead, Be Mean to Your Code

Tuesday, December 18, 12

Would you vote for this talk as the best if...?

A. If it's funny

B. If it's useful to my job

C. Dude, I know you want to win the iPad, you are down to 4 min and 37 seconds, stop surveying and start talking!

@wickett, Sr. DevOps Engineer

Mentor Graphics, Embedded Software Division

CISSP, GWAPT, CCSK, GSEC, GCFW

james@gauntlt.org

gauntlt.org

A BRIEF HISTORY OF INFOSEC


WE HAD CINEMA

WE MADE FREE PHONE CALLS

WE WERE COOL


WE COULDN’T STOP THE VIRUSES AND WORMS

INSTEAD OF ENGINEERING INFOSEC BECAME ACTUARIES


“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI


“IS THIS SECURE?” - YOUR CUSTOMER

“IT'S CERTIFIED” - YOU

NO PAIN, NO GAIN


Put your code through the Gauntlet

Your web app ... You

Put your code through the Gauntlet

Your web app -- sslyze, fuzzers, nmap, curl, sqlmap, garmr, w3af, generic -- You

GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE

$ gem install gauntlt

# download example attacks from github
# customize the example attacks
# now you can run gauntlt
$ gauntlt

# gauntlt looks for *.attack in its directory

install gauntlt

Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples

@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value        |
      | hostname       | example.com  |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      443/tcp open https
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """

nmap.attack

wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name           | value        |
      | hostname       | example.com  |
      | tcp_ping_ports | 22,25,80,443 |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s

running gauntlt with failing tests

wickett$ gauntlt
[same feature output as the run above]

1 scenario (1 passed)
5 steps (5 passed)
0m18.341s

running gauntlt with passing tests
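The two nmap scenarios above assert on the tool's raw text. The Ruby below is an added example, not gauntlt's code or anything from the talk: it performs the same two checks by parsing nmap's port table instead, and shows why a one-space needle such as "443/tcp open https" is fragile: nmap pads its STATE column, so real output reads "443/tcp open  https" with two spaces, and a literal substring match misses it. The nmap output is a constructed sample (documentation IP, no real host), and the function names and port lists are this example's own.

```ruby
# Added example, not code from gauntlt or the talk: the two nmap scenarios
# from nmap.attack re-done in plain Ruby by parsing nmap's port table
# instead of substring-matching the raw output.
#
# Constructed sample of `nmap -F example.com` output (192.0.2.10 is a
# documentation address; nothing here was captured from a real host).
SAMPLE_NMAP_OUTPUT = <<~NMAP
  Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-18 10:00 CST
  Nmap scan report for example.com (192.0.2.10)
  Host is up (0.012s latency).
  Not shown: 97 filtered ports
  PORT    STATE SERVICE
  22/tcp  open  ssh
  80/tcp  open  http
  443/tcp open  https

  Nmap done: 1 IP address (1 host up) scanned in 18.34 seconds
NMAP

# One line of nmap's port table: "<port>/<proto>  <state>  <service>".
# The column padding is variable, hence \s+ rather than a literal space.
PORT_LINE = /\A(\d+)\/(tcp|udp)\s+(\S+)\s+(\S+)/

# Parse the table into { port_number => { proto:, state:, service: } }.
def parse_nmap_ports(output)
  output.each_line.with_object({}) do |line, ports|
    m = PORT_LINE.match(line) or next
    ports[m[1].to_i] = { proto: m[2], state: m[3], service: m[4] }
  end
end

# Scenario "server is open on expected ports": return the expected ports
# that are NOT reported open. An empty array means the scenario passes.
def missing_expected_ports(output, expected)
  ports = parse_nmap_ports(output)
  expected.reject { |p| ports[p] && ports[p][:state] == "open" }
end

# Scenario "no unexpected ports open": return the forbidden ports that
# appear in the table at all (mirrors `should not contain "25/tcp"`).
def unexpected_ports(output, forbidden)
  parse_nmap_ports(output).keys & forbidden
end

# The slide's check, verbatim: a plain substring match on the raw output.
def substring_check(output, needle)
  output.include?(needle)
end

# Run both scenarios the way the gauntlt feature does, as one pass/fail.
def run_nmap_checks(output, expected:, forbidden:)
  missing = missing_expected_ports(output, expected)
  extra   = unexpected_ports(output, forbidden)
  { passed: missing.empty? && extra.empty?, missing: missing, unexpected: extra }
end

if __FILE__ == $PROGRAM_NAME
  p run_nmap_checks(SAMPLE_NMAP_OUTPUT, expected: [80, 443], forbidden: [25])
  # The one-space needle from the slide misses nmap's padded STATE column:
  p substring_check(SAMPLE_NMAP_OUTPUT, "443/tcp open https")   # false
  p substring_check(SAMPLE_NMAP_OUTPUT, "443/tcp open  https")  # true
end
```

In a real .attack file the same robustness comes from asserting with a regular expression that tolerates whitespace, or from checking the port/state pair rather than the whole line; either way, decide what the needle is before trusting a green run.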

Feature: Run sqlmap against a target

  Scenario: Identify SQL injection vulnerabilities
    Given "sqlmap" is installed
    And the target URL is "http://localhost?id=1"
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url>
      """
    Then the output should contain:
      """
      sqlmap identified the following injection points
      """

Anatomy of the attack file (the slide build annotations):

setup steps: the Given/And lines
  verify tool: Given "sqlmap" is installed
  set config: And the target URL is "http://localhost?id=1"

attack!: the When step
  env param: <sqlmap_path>
  getconfig: <target_url>

assert: the Then step
  needle: sqlmap identified the following injection points
  haystack: the output of the attack

Given /^"sqlmap" is installed$/ do
  ensure_python_script_installed('sqlmap')
end

When /^I launch an? "sqlmap" attack with:$/ do |command|
  sqlmap_path = path_to_python_script("sqlmap")
  command.gsub!('<target_url>', target_url)
  command.gsub!('<sqlmap_path>', sqlmap_path)
  run command
end

step definition (ruby): the Given step verifies the tool is present; the When step substitutes the placeholders and then executes the attack.

Try it yourself at http://gauntlt.org/

with the new gauntlt video tutorial!