Security testing with gauntlt
Posted 19-Oct-2014 in category Technology.
Transcript of the slide deck "Security testing with gauntlt".
Put your code through the Gauntlet

gauntlet, n. an attack from all sides

Put your code through the Gauntlet: gauntlt

gauntlt - doing security testing using cucumber

Between your web app and you sit the tools: w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks

gauntlt is
an always-attacking environment for developers
with attacks written in easy-to-read language
accessible to everyone involved in dev, ops, testing, security, ...

gauntlt includes

Why gauntlt?
Security domain knowledge is generally a mystery to dev teams
gauntlt allows dev and ops and security to communicate and collaborate

gauntlt joins:
The Philosophy of Rugged Software
& Principles of Behavior Driven Development

gauntlt has a new home:
https://github.com/thegauntlet/gauntlt

gauntlt has a reserved spot at rubygems

what does the gauntlt code include right now?

```
├── Gemfile
├── Gemfile.lock
├── LICENSE
├── README.md
├── Rakefile
├── bin
│   └── gauntlt
├── features
│   ├── nmap
│   │   └── nmap.feature
│   ├── step_definitions
│   │   ├── nmap.rb
│   │   └── profile.rb
│   └── support
│       └── aruba.rb
├── gauntlt
│   ├── Gemfile
│   ├── Rakefile
│   ├── gauntlt.gemspec
│   └── lib
│       ├── gauntlt
│       │   └── version.rb
│       └── gauntlt.rb
├── gauntlt.gemspec
├── profile
│   └── profile.xml
└── tmp
    └── aruba
```

features: the cucumber way of describing tests

nmap feature: verifies that nmap is installed and scans the target from the profile on ports 80 and 443

nmap step definitions: actually define the steps that are called in the feature; these steps can be reused in other features

the profile: where user-defined data lives, like hostname, URLs, usernames, passwords

profile step definition: provides a way to extract everything in the profile and hand it off to features (i.e. target hostname, URL, ...)
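The deck does not show profile.rb itself. The following is an added example, not gauntlt's own code, of how a step could read a gauntlt-style profile.xml and hand the hostname to the nmap step. It adds one check the deck's steps do not make: the hostname ends up interpolated into a shell command that aruba runs, so the value is validated as a plain hostname before it is used. The element names in the sample profile.xml are an assumption; the deck never shows the real schema.

```ruby
require "rexml/document"

# Added example: reads a gauntlt-style profile.xml (the deck describes it as
# holding hostname, URLs, usernames, passwords) and hands values to steps.
# The element names are assumed; gauntlt's real schema is not in the deck.
module GauntltProfile
  # Constructed sample profile; stands in for profile/profile.xml.
  SAMPLE_XML = <<~XML
    <profile>
      <hostname>www.example.com</hostname>
      <url>https://www.example.com/login</url>
      <username>qa-user</username>
      <password>not-a-real-secret</password>
    </profile>
  XML

  # Keys a feature cannot run without.
  REQUIRED = %w[hostname].freeze

  # A plain DNS hostname: labels of letters, digits and hyphens joined by dots.
  HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

  # Parse the XML text into a flat Hash of element name => text.
  # Raises if a required key is missing, so a feature fails loudly
  # instead of running nmap against an empty hostname.
  def self.parse(xml_text)
    root = REXML::Document.new(xml_text).root
    raise ArgumentError, "profile.xml has no root element" unless root

    profile = {}
    root.elements.each { |el| profile[el.name] = el.text.to_s.strip }

    missing = REQUIRED.reject { |k| profile[k] && !profile[k].empty? }
    raise ArgumentError, "profile.xml missing: #{missing.join(', ')}" unless missing.empty?
    profile
  end

  # The hostname is spliced into `nmap "<host>" ...` by the nmap step and run
  # through a shell, so anything that is not a bare hostname is rejected here.
  def self.safe_hostname(profile)
    host = profile.fetch("hostname")
    raise ArgumentError, "unsafe hostname in profile: #{host.inspect}" unless host.match?(HOSTNAME_RE)
    host
  end
end

# The cucumber step from profile.rb would look like this. It is registered
# only when cucumber's DSL is loaded, so the file also runs on its own.
if defined?(Given)
  Given(/^the hostname in the profile\.xml$/) do
    profile = GauntltProfile.parse(File.read("profile/profile.xml"))
    @hostname = GauntltProfile.safe_hostname(profile)
  end
end
```

`@hostname` is the instance variable the nmap step in nmap.rb already reads, so the two steps compose as the feature file expects.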

all the stuff to package this as a gem for distribution

Did I mention aruba? gauntlt uses cucumber and aruba to execute against the command line, making it possible to execute any test, script or language.

let's look inside a couple of these files

```gherkin
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:
    Given nmap is installed

  Scenario: Verify server is available on standard web ports
    Given the hostname in the profile.xml
    When I run nmap against the hostname in the profile on ports 80,443
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """
```

feature for nmap: nmap.feature

```ruby
Given /^nmap is installed$/ do
  steps %{
    When I run `which nmap`
    Then the output should contain:
      """
      nmap
      """
  }
end

When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
  # @hostname is set by the profile step. The ports come from the captured
  # groups rather than being hardcoded as -p80,443, so feature text and
  # command agree.
  steps %{
    When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
  }
end
```

step definition for nmap: nmap.rb
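The feature above only asserts that the expected lines appear in nmap's output; it would still pass if the scan also found a port open that nobody intended to expose. As an added example, not part of gauntlt, the helper below parses nmap's port table into data and reports both missing and unexpected open ports, so a feature can check "exactly these ports and nothing else". The sample output is constructed, not captured from a real scan, and the `Then` step at the end is a hypothetical step name that uses aruba's `all_output` helper.

```ruby
# Added example: turns nmap's port table into data so a feature can assert
# more than "the output should contain 80/tcp open http".
module NmapPorts
  # Constructed sample of what `nmap <host> -p80,443,8080` prints; the
  # address is from the documentation range, not a real scan result.
  SAMPLE_OUTPUT = <<~OUT
    Starting Nmap ( http://nmap.org ) at 2014-10-19 12:00 CDT
    Nmap scan report for www.example.com (192.0.2.10)
    Host is up (0.012s latency).
    PORT     STATE    SERVICE
    80/tcp   open     http
    443/tcp  open     https
    8080/tcp filtered http-proxy

    Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
  OUT

  # One row of the port table: "<port>/<proto>  <state>  <service>".
  PORT_LINE = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}

  # Returns { "80/tcp" => { state: "open", service: "http" }, ... };
  # header, banner and summary lines do not match and are skipped.
  def self.parse(output)
    output.each_line.with_object({}) do |line, ports|
      m = PORT_LINE.match(line.strip)
      next unless m
      ports["#{m[1]}/#{m[2]}"] = { state: m[3], service: m[4] }
    end
  end

  # Ports nmap reports as open, in the order they appear in the table.
  def self.open_ports(output)
    parse(output).select { |_, v| v[:state] == "open" }.keys
  end

  # The check a stricter feature wants: every expected port is open AND
  # nothing else is. Returns a list of problems; an empty list means pass.
  def self.verify(output, expected_open:)
    open = open_ports(output)
    problems = []
    (expected_open - open).each { |p| problems << "expected #{p} open but it is not" }
    (open - expected_open).each { |p| problems << "unexpected open port #{p}" }
    problems
  end
end

# Hypothetical step for a feature such as:
#   Then only ports 80,443 should be open
# Registered only when cucumber's DSL is loaded; all_output is aruba's
# helper returning what the last command printed.
if defined?(Then)
  Then(/^only ports (.+) should be open$/) do |list|
    expected = list.split(",").map { |p| "#{p.strip}/tcp" }
    problems = NmapPorts.verify(all_output, expected_open: expected)
    raise problems.join("\n") unless problems.empty?
  end
end
```

Keeping the parsed result as a Hash also lets a feature check state values other than open, for example that a management port is `filtered` rather than `closed`.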

let's run gauntlt with the nmap.feature against google.com

```
wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                             # features/nmap/nmap.feature:5
    Given nmap is installed                                               # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports              # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                                 # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443 # features/step_definitions/nmap.rb:12
    Then the output should contain:                                       # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      8080/tcp open http
      443/tcp open https
      """
      ...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s
```

running gauntlt with failing tests

```
wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                           # features/nmap/nmap.feature:5
    Given nmap is installed                                             # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports            # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                               # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 80,443 # features/step_definitions/nmap.rb:12
    Then the output should contain:                                     # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s
```

running gauntlt with passing tests

walk vs. run
• gauntlt has two modes: walk and run
• meaning fast and slow, or smoke and full
• This is done with cucumber tags (labels) on each feature
• For each feature you get to decide whether it is a @walk or a @run test, or both
some realizations
• The core of gauntlt needs to provide a set of functionality that encourages contributors to ‘package’ pen testing tools similar to ubuntu juju, chef or puppet
• A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host...
• gauntlt needs to bootstrap itself and tools into a vagrant ubuntu box

gauntlt as a kickstarter project
• A small bit of the funds will be used for core code bounties: profile, DSL creation, architecture, vagrant bootstrap via chef, packaging architecture...
• The bulk of the funds will be used for feature bounties, where we define features we want packaged for gauntlt, such as w3af or dirbuster, and pay developers for the best code.

gauntlt features that could be built in the future...
• nmap scanning for verifying ports
• crawl site and search for passwords in text (assume fuzzing)
• badness with LOIC, slowloris, wget, curl
• include recon, scanning, fuzzing, injecting, load
• multi-vector attacks: timing + load, fail open, ...
• all the tools mentioned on the tool slide (your web app, you, and w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks)

we need your help