OWASP OWTF the Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests

Published in: Software

  1. OWASP OWTF the Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests!
      Mauro Risonho de Paula Assumpção aka firebitsbr
      Sao Paulo, Brazil - 2014
  2. $WHOIS
      Mauro Risonho de Paula Assumpção
      SGTI Specialist at ICTS Protiviti
      mauro.assumpcao@icts.com.br
      Self-taught / Enthusiast / Pentester / Vulnerability Analyst / Security Researcher / Instructor / Speaker and Eternal Learner
      • https://github.com/firebitsbr
      • https://www.linkedin.com
      • http://www.backtrack-linux.org
      • www.slideshare.net/firebits/ (migrating Google)
      • @firebitsbr
      • mauro.risonho@gmail.com mrpa.security@gmail.com
      • Google+ mauro.risonho / mrpa.security
  3. Agenda
      ● OWTF Intro
        – Installing OWTF on Kali (web tools only)
      ● Running OWTF
        – Part 1: OWTF Passive + Semi-passive Web analysis
        – Part 2: OWTF Active Web analysis
        – Part 3: OWTF aux plugins – SE, IDs testing
      ● Conclusion
      ● Q&A
  4. Author's email
  5. Offensive (Web) Testing Framework = Multi-level “cheating” tactics
  6. OWTF Chess-like approach
      Kasparov against Deep Blue - http://www.robotikka.com
  7. Steps
      - http://cdimage.kali.org/kali-1.0.8/kali-linux-1.0.8-amd64.iso
      - http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
      - https://www.owasp.org/index.php/OWASP_OWTF
      - github
          git clone git://github.com/owtf/owtf.git
      - OWTF 0.45.0 Winter Blizzard
          wget https://github.com/owtf/owtf/archive/v0.45.0_Winter_Blizzard.tar.gz
          tar -xvvf v0.45.0_Winter_Blizzard.tar.gz
      - kali-linux-web = Kali Linux web app assessment tools (group install)
          apt-get install kali-linux-web -y
  8. Install – via git
      # git clone https://github.com/owtf/owtf.git
      # cd /root/owtf/install
      # python install.py
      # YES, YES, YES...FOREVER!
  9. Choose option 1
  10. Choose “Y” YES
  11. Installation finished successfully! :)
  12. Choose which tools to use
      # vim /root/owtf/profiles/general/default.cfg
      Framework path: @@@FRAMEWORK_DIR@@@/tools/...
      #TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb-0.4.7/whatweb
      TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatweb-0.4.7/whatweb
  13. OWTF CLI
      python owtf.py -h|more
  14. List OWTF plugins - Web Attacks
      # python owtf.py -l web
  15. Simulation mode
      Simulation mode “-s”:
      1) SIMULATES what OWTF will do (so it does not do it!)
      2) Is useful to check the effect of a command before running it
      # python owtf.py -s https://accounts.google.com | more
  16. DEMO
      python owtf.py www.google.com
  17. Reports?
      ● file:///root/owtf/owtf_review/index.html
  18. DEMOS
      – Part 1: OWTF Passive + Semi-passive Web analysis
      – Part 2: OWTF Active Web analysis
      – Part 3: OWTF aux plugins – SE, IDs testing
  19. Conclusion
      ● OWASP OWTF is a framework that automates routine tasks and saves a lot of time in pentests focused on web application and web infrastructure targets; in customized pentests it only adds a little more value, and it does not replace the manual, intelligent, human process.
  20. Questions?
  21. $WHOIS
      Mauro Risonho de Paula Assumpção
      SGTI Specialist at ICTS Protiviti
      mauro.assumpcao@icts.com.br
      Self-taught / Enthusiast / Pentester / Vulnerability Analyst / Security Researcher / Instructor / Speaker and Eternal Learner
      • https://github.com/firebitsbr
      • https://www.linkedin.com
      • http://www.backtrack-linux.org
      • www.slideshare.net/firebits/ (migrating Google)
      • @firebitsbr
      • mauro.risonho@gmail.com mrpa.security@gmail.com
      • Google+ mauro.risonho / mrpa.security
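
Added example, not part of the original slides or of the OWTF code base: a pre-run check for the profile edit shown on slide 12, which resolves each active TOOL_* line against the framework directory and reports entries whose path is not an executable file. It assumes every tool setting has the "NAME: path" form shown on the slide, with "#" marking a disabled line; TOOL_EXAMPLE and the temporary directory are constructed for the demonstration.

```python
import os
import tempfile

PLACEHOLDER = "@@@FRAMEWORK_DIR@@@"  # token used in the profile on slide 12


def parse_tool_paths(cfg_text, framework_dir):
    """Return {setting: resolved path} for every active TOOL_* line."""
    tools = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out (disabled) setting
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key.startswith("TOOL_"):
            continue  # not a tool path setting
        tools[key] = value.strip().replace(PLACEHOLDER, framework_dir)
    return tools


def missing_tools(tools):
    """Names of settings whose path is not an existing executable file."""
    return sorted(name for name, path in tools.items()
                  if not (os.path.isfile(path) and os.access(path, os.X_OK)))


def demo():
    # Constructed sample: the two whatweb lines from slide 12 plus one
    # hypothetical entry (TOOL_EXAMPLE) that points at a file that is absent.
    cfg = (
        "#TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb-0.4.7/whatweb\n"
        "TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatweb-0.4.7/whatweb\n"
        "TOOL_EXAMPLE: @@@FRAMEWORK_DIR@@@/tools/example/example.py\n"
    )
    with tempfile.TemporaryDirectory() as framework_dir:
        exe = os.path.join(framework_dir,
                           "tools/restricted/whatweb/whatweb-0.4.7/whatweb")
        os.makedirs(os.path.dirname(exe))
        with open(exe, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(exe, 0o755)
        tools = parse_tool_paths(cfg, framework_dir)
        return sorted(tools), missing_tools(tools)


if __name__ == "__main__":
    print(demo())
```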