Pen Testing with Iron
description
Transcript of Pen Testing with Iron
![Page 1: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/1.jpg)
Pen Testing with Iron
Andrew WilsonTrustwave SpiderLabs
![Page 2: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/2.jpg)
Ubiquitous Hello
•Application Security Consultant
•Ex-Software Developer– Microsoft MVP
•Long walks on the beach
•Dancing in the rain
![Page 3: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/3.jpg)
Goals•Why Bother?
•Introduction to the DLR & CLR
•Getting Running
•Examples:
•Reflection and Disassembly
•Leveraging Existing Tools
•Driving Applications with Scripts
![Page 4: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/4.jpg)
Why Bother?•Best of Both Worlds
•Deeper Reach
•Simplification
![Page 5: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/5.jpg)
Python & Ruby:
![Page 6: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/6.jpg)
.NET Framework Is:•Awesome in library, connectivity, and
tooling
•Commonly used by companies you test
•Sucky at scripting and interactive programming
![Page 7: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/7.jpg)
CLR <3•Focuses concerns against business
problems
•Handles:
• Memory Management
• Metadata
• JIT
• Common Type System
![Page 8: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/8.jpg)
DLR <3
![Page 9: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/9.jpg)
Expression Trees
•Translate code from one language to MSIL
•Introduced in .Net 3.5 via Linq
![Page 10: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/10.jpg)
DLR+CLR
•Peace Love & Harmony
•Bi-Directional support:
•DLR – CLR (Ex. Python – CLR)
•CLR – DLR (Ex. CLR – Embedded Python)
![Page 11: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/11.jpg)
IronPython•Significantly more mature (circa 2006)
•Better support for existing Python applications
•Loads apps by being manually added to lib
![Page 12: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/12.jpg)
IronRuby•Needs your support
•Just obtained Visual Studio Support
•Loads assemblies via igem (instead of gem) install <gem>
![Page 13: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/13.jpg)
Getting Started
•You will need:
•IronRuby OR IronPython
•Language tools are optional
•Visual Studio Express OR MonoDevelop
•Reflector
![Page 14: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/14.jpg)
Use Cases:
•Disassembly / Reflection
•Existing Tooling
•Driving Applications via Scripts
![Page 15: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/15.jpg)
No Disassemble!
![Page 16: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/16.jpg)
Reflection::noitcelfeR
•.NET has reflection– but it sucks
•Ruby has reflection– and it rules
•Always Cheat, Always win.
![Page 17: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/17.jpg)
Use Existing Tools
![Page 18: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/18.jpg)
Use Existing Tools•Some things aren‘t 100% supported
•Workarounds are in progress & inevitable
•Gains are still decent & getting better
![Page 19: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/19.jpg)
THE POWER OF GRAYSKULL!!
![Page 20: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/20.jpg)
When Not To Use:
•When You Can’t
•Testing Web Applications You Can Debug Natively
•When Native Tools Are Better
![Page 21: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/21.jpg)
Closing Thoughts
•No Free Lunches
•Offers Unique Opportunities
•Projects In Transition
![Page 22: Pen Testing with Iron](https://reader035.fdocuments.in/reader035/viewer/2022062500/56815809550346895dc57976/html5/thumbnails/22.jpg)
QA