Gauntlt Rugged By Example

Talk given at AppSec USA 2012. See the video here > https://vimeo.com/54250714

Presentation Transcript

    • GAUNTLT: RUGGED BY EXAMPLE. JAMES WICKETT, MANI TADAYON, JEREMIAH SHIRK. SG: JASON CHAN
    • WE WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
    • James Wickett, CISSP, GWAPT, CCSK, GSEC, GCFW. @wickett @RuggedDevOps @gauntlt
    • A BRIEF HISTORY OF INFORMATION SECURITY
    • WE USED TO BE COOL
    • WE HAD CINEMA
    • WE HAD HEROES
    • WE MADE FREE PHONE CALLS
    • WE WERE COOL
    • WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
    • WE COULDN’T STOP THE VIRUSES AND WORMS
    • INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
    • WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
    • “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
    • SOMETHING ELSE HAPPENED GLOBALLY
    • DEVS BECAME COOL
    • ENTER DEVOPS
    • CODE BECAME SOCIAL
    • “I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”
    • WE SELL TIME NOW
    • WE SELL SOCIAL AND FRIENDSHIPS
    • “IS THIS SECURE?” - YOUR CUSTOMER
    • “IT’S CERTIFIED” - YOU
    • WHY CAN’T YOU GIVE A BETTER ANSWER?
    • THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
    • 2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY - BSIMM 2012 data, http://bsimm.com/
    • - LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES - DEVELOPING TOOLS TO CORRECT PROBLEMS - PLANNING TO HAVE EVERYTHING COMPROMISED
    • ENTER RUGGED
    • Current Software
    • Rugged Software
    • ADVERSITY REQUIRES RUGGED SOLUTIONS
    • ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
    • RUGGEDIZATION THEORY: Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
    • NO PAIN, NO GAIN
    • "Secondly, our network got a lot stronger as a result of the LulzSec attacks." - Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012 by CloudFlare team
    • RUGGED BY DESIGN, DEVOPS BY CULTURE
    • RUGGED DEVOPS
    • REPEATABLE – NO MANUAL STEPS, CI
      RELIABLE – NO DOS HERE
      REVIEWABLE – AKA AUDIT, INFRA AS CODE
      RAPID – FAST TO BUILD, DEPLOY, RESTORE
      RESILIENT – AUTOMATED RECONFIGURATION
      REDUCED – LIMITED ATTACK SURFACE
    • ENTER GAUNTLT
    • Put your code through the GAUNTLT
    • GAUNTLET, N. AN ATTACK FROM ALL SIDES
    • (diagram) custom attacks, dirbuster, metasploit, sqlmap, fuzzers, nessus, w3af, nmap; Your web app; You
    • gauntlt is built for doing security testing in a DevOps world
    • GAUNTLT IS
    • AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
    • WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
    • ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
    • WHY GAUNTLT? SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
    • GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
    • GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
    • HTTPS://GITHUB.COM/THEGAUNTLET/GAUNTLT
    • $ gem install gauntlt
      # download attacks
      $ gauntlt
    • install gauntlt
      $ gem install gauntlt
      # download example attacks from github
      # customize the example attacks
      # now you can run gauntlt
      $ gauntlt
      Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
    • LET’S LOOK INSIDE A COUPLE OF THESE FILES
    • GAUNTLT ATTACKS
    • nmap.attack
      @slow
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the target hostname is "www.example.com"
          And the target tcp_ping_ports are "22,25,80,443"
        Scenario: Verify server is open on expected set of ports using the nmap fast flag
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open https
            """
        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
    • running gauntlt with failing tests
      wickett$ gauntlt
      @slow
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the target hostname is "www.example.com"
          And the target tcp_ping_ports are "22,25,80,443"
        Scenario: Verify server is open on expected set of ports using the nmap fast flag
          When I launch an "nmap" attack with:
            """
            nmap -F www-stage.cloudsourcery.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """
      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s
    • running gauntlt with passing tests
      wickett$ gauntlt
      @slow
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the target hostname is "www.example.com"
          And the target tcp_ping_ports are "22,25,80,443"
        Scenario: Verify server is open on expected set of ports using the nmap fast flag
          When I launch an "nmap" attack with:
            """
            nmap -F www-stage.cloudsourcery.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """
      1 scenario (1 passed)
      5 steps (5 passed)
      0m18.341s
    • gauntlt: Netflix Use Case
    • Problem Statement
      • Netflix is a heavy AWS user, and we provide self-service deployment for dev teams
      • AWS’ Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)
      • Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters
    • How do we ensure the 100s of clusters associated with ELBs are configured and protected as intended?
    • Solution: Use gauntlt to organize and perform ELB testing
    • gauntlt test: What response will an ELB provide to an arbitrary Internet node, and is it expected?
    • Process
      1. Launch gauntlt test runner instance, loaded with “master list” of ELBs and expected state
      2. Determine “target list” of current ELBs to evaluate
      3. Generate per-ELB listener gauntlt attack files
      4. Execute attacks
      5. Alert on failures and new ELBs
      6. Triage findings and update ELB master list
    • gauntlt Attack Template
      • Uses gauntlt curl feature
      • Sub in protocol, port, hostname, and response code from ELB master and target list
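The following Ruby is an added example, not Netflix’s or gauntlt’s own code. It carries steps 2, 3 and 5 of the process above through in working code: it compares a current ELB “target list” against the “master list” of expected exposure, renders one attack file per known ELB listener from a curl-based template, and reports ELBs that are not in the master list yet. The master and target lists are constructed sample data, and the attack-file wording is modelled on the nmap attack file earlier in this talk plus gauntlt’s curl feature; the exact step text is an assumption.

```ruby
# Added example (not Netflix's or gauntlt's code): per-ELB attack file
# generation from a master list, plus alerting on ELBs the list does not know.
require "tmpdir"

# Constructed master list: one entry per ELB listener, with the HTTP status an
# arbitrary Internet node is expected to receive from it.
MASTER_LIST = [
  { name: "www-prod",  protocol: "https", port: 443,
    hostname: "www-prod-123.us-east-1.elb.example.com", expected_code: 200 },
  { name: "api-prod",  protocol: "https", port: 443,
    hostname: "api-prod-456.us-east-1.elb.example.com", expected_code: 401 },
  { name: "admin-int", protocol: "http",  port: 80,
    hostname: "admin-int-789.us-east-1.elb.example.com", expected_code: 403 },
].freeze

# Constructed target list: ELB names that exist in the account right now.
TARGET_LIST = ["www-prod", "api-prod", "scratch-test"].freeze

# Attack template (step wording assumed, modelled on the nmap attack above).
# %%{http_code} is curl's own write-out token, escaped so format() leaves it;
# the other %{...} fields are filled from the master-list entry.
ATTACK_TEMPLATE = <<~'GHERKIN'
  Feature: ELB listener check for %{name} (%{protocol}/%{port})
    Background:
      Given "curl" is installed

    Scenario: an arbitrary Internet node gets the expected response
      When I launch a "curl" attack with:
        """
        curl -sS -o /dev/null -w "%%{http_code}" --max-time 10 %{protocol}://%{hostname}:%{port}/
        """
      Then the output should contain:
        """
        %{expected_code}
        """
GHERKIN

# Renders the attack file for one master-list entry (one listener).
def attack_file_for(elb)
  format(ATTACK_TEMPLATE, elb)
end

# Step 3: one attack file per listener of every target ELB that the master
# list knows about, keyed "<name>-<port>" so the files can be written as-is.
def generate_attacks(master, targets)
  master.select { |elb| targets.include?(elb[:name]) }
        .each_with_object({}) { |elb, files| files["#{elb[:name]}-#{elb[:port]}"] = attack_file_for(elb) }
end

# Step 5: ELBs present in the account but absent from the master list have no
# recorded expected state, so they are raised for triage rather than tested.
def new_elbs(master, targets)
  targets - master.map { |e| e[:name] }
end

# Steps 3 and 5 end to end: write the files and print the alerts.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir("elb-attacks") do |dir|
    generate_attacks(MASTER_LIST, TARGET_LIST).each do |key, text|
      File.write(File.join(dir, "#{key}.attack"), text)
      puts "wrote #{dir}/#{key}.attack"
    end
  end
  new_elbs(MASTER_LIST, TARGET_LIST).each { |n| puts "ALERT: ELB #{n} is not in the master list" }
end
```

The expected code is asserted with `should contain` on curl’s bare write-out, so a listener that was meant to answer 401 but starts answering 200 fails the attack just as loudly as one that stops responding; both outcomes are what step 6 triages.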
    • GAUNTLT: A VERY SHORT INTRODUCTION
    • ABOUT MANI
      • Mani Tadayon
      • Senior Software Engineer, ZestFinance
      • Lots of experience in web development, ruby and test automation
      • Learning Clojure
    • CONWAY’S LAW: “Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization’s communication structure.” Melvin E. Conway, 1968
    • BEHAVIOR-DRIVEN DEVELOPMENT: “BDD is a second-generation, outside–in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.” Dan North, 2009
    • CUCUMBER
    • ATTACK FILE
      • Plain text file
      • Gherkin syntax: Given, When, Then
    • sqlmap attack file (shown four times on the slides, each time with the annotations listed in the next bullet)
      Feature: Run sqlmap against a target
        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the target URL is "http://localhost?id=1"
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url>
            """
          Then the output should contain:
            """
            sqlmap identified the following injection points
            """
    • Slide annotations on that file: the Given step verifies the tool is installed and the And step is a setup step that sets config; the When step is the attack, with <sqlmap_path> taken from the environment and <target_url> from the configured parameter; the Then step is the assertion, with the tool output as the haystack and the quoted text as the needle.
    • ATTACK ADAPTER
      • Step definition for attack file
      • Support code in ruby or java
      • Support shell script
    • Step definition (ruby); the placeholder names are strings, and the last line executes the substituted command:
      Given /^"sqlmap" is installed$/ do
        ensure_python_script_installed("sqlmap")
      end
      When /^I launch an? "sqlmap" attack with:$/ do |command|
        sqlmap_path = path_to_python_script("sqlmap")
        command.gsub!("<target_url>", target_url)
        command.gsub!("<sqlmap_path>", sqlmap_path)
        run command   # execute
      end
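The Ruby below is an added example, not gauntlt’s own code, covering two passages at once: the nmap attack file with its failing and passing runs earlier in the talk, and the sqlmap step definition just above. It parses the Given/When/Then shape of an attack file, substitutes `<hostname>` the way the adapter’s `gsub!` does, and checks each `should contain` / `should not contain` needle against the tool output. Real gauntlt drives Cucumber and Aruba and actually executes the tool; here the launcher is a stand-in that returns a constructed `nmap -F` sample, so the example runs offline and shows one scenario passing and one failing. The attack text and sample output are constructed.

```ruby
# Added example (not gauntlt's code): a miniature attack-file evaluator.

# Constructed attack file in the shape used throughout this talk.
ATTACK = <<~'GHERKIN'
  Feature: nmap attacks for example.com
    Background:
      Given "nmap" is installed
      And the target hostname is "www.example.com"

    Scenario: Verify server is open on expected set of ports
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should contain:
        """
        443/tcp open https
        """

    Scenario: Verify that there are no unexpected ports open
      When I launch an "nmap" attack with:
        """
        nmap -F <hostname>
        """
      Then the output should not contain:
        """
        25/tcp
        """
GHERKIN

# Constructed `nmap -F` output for a host that exposes 443 but also 25, so the
# first scenario passes and the second fails, like the failing run on the slides.
SAMPLE_OUTPUT = <<~OUT
  Nmap scan report for www.example.com (203.0.113.10)
  PORT    STATE SERVICE
  25/tcp  open  smtp
  443/tcp open https
OUT

Scenario = Struct.new(:name, :command, :checks)

# Reads a """ ... """ docstring starting at index i; returns [text, next index].
def read_docstring(lines, i)
  raise "expected docstring at line #{i + 1}" unless lines[i].strip == '"""'
  body = []
  i += 1
  until lines[i].strip == '"""'
    body << lines[i].strip
    i += 1
  end
  [body.join("\n"), i + 1]
end

# Returns [hostname, scenarios]; each scenario carries its command and a list
# of [must_contain, needle] checks taken from the Then steps.
def parse_attack(text)
  hostname = nil
  scenarios = []
  lines = text.lines.map(&:rstrip)
  i = 0
  while i < lines.length
    line = lines[i].strip
    if (m = line.match(/^And the target hostname is "([^"]+)"$/))
      hostname = m[1]
    elsif (m = line.match(/^Scenario: (.+)$/))
      scenarios << Scenario.new(m[1], nil, [])
    elsif line.match?(/^When I launch an? "[^"]+" attack with:$/)
      scenarios.last.command, i = read_docstring(lines, i + 1)
      next
    elsif (m = line.match(/^Then the output should (not )?contain:$/))
      needle, i = read_docstring(lines, i + 1)
      scenarios.last.checks << [m[1].nil?, needle]
      next
    end
    i += 1
  end
  [hostname, scenarios]
end

# launcher is any callable taking the substituted command and returning the
# tool's stdout; gauntlt would run the command, the example passes a stand-in.
def run_attack(text, launcher)
  hostname, scenarios = parse_attack(text)
  scenarios.map do |sc|
    command = sc.command.gsub("<hostname>", hostname.to_s)   # adapter-style substitution
    output = launcher.call(command)
    failed = sc.checks.reject { |must_contain, needle| output.include?(needle) == must_contain }
    { name: sc.name, command: command, passed: failed.empty?, failed_needles: failed.map(&:last) }
  end
end

# Same shape as the "1 scenario (1 failed)" line gauntlt prints.
def summary(results)
  failed = results.count { |r| !r[:passed] }
  "#{results.length} scenarios (#{failed} failed, #{results.length - failed} passed)"
end

if __FILE__ == $PROGRAM_NAME
  results = run_attack(ATTACK, ->(_command) { SAMPLE_OUTPUT })
  results.each { |r| puts "#{r[:passed] ? 'PASS' : 'FAIL'}  #{r[:name]}  (#{r[:command]})" }
  puts summary(results)
end
```

The needle check is a plain substring match, exactly as strict as the `should contain` step on the slides: the needle must match the tool’s output byte for byte, including spacing, which is why the attack files quote the `80/tcp open http` line in the tool’s own format.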
    • GAUNTLT DESIGN
      • Simple
      • Extensible
      • UNIX™: stdin, stdout, exit status
      • Minimum features yield maximum utility
    • UPCOMING FEATURES
      • More output parsers
      • More attack adapters
      • More goats
      • Better support for JRuby & Java
      • Anything you want: https://github.com/thegauntlet/gauntlt/issues
    • Gauntlt: Using the Gauntlt Starter Kit
    • About me
      • Jeremiah Shirk
      • Application & Infrastructure Manager, Kansas State University
      • 18 years doing unix admin, security, and some open source contributions
      • Keeper of tiny flocks
    • KSU 55 - WVU 14
    • Gauntlt Starter Kit
    • Dependencies: VirtualBox, Vagrant
    • Download
      • https://www.virtualbox.org/
      • http://vagrantup.com/
    • Starter Kit on GitHub
      • The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit
      • Or, download a copy from: www.gauntlt.org/...
    • Base box
      $ vagrant box add precise32 http://files.vagrantup.com/precise32.box
      [vagrant] Downloading with Vagrant::Downloaders::HTTP...
      [vagrant] Downloading box: http://files.vagrantup.com/precise32.box
      [vagrant] Extracting box...
      [vagrant] Verifying box...
      [vagrant] Cleaning up downloaded box...
      $
    • Start the VM
      $ cd gauntlt-starter-kit/vagrant/gauntlt
      $ vagrant up
      [default] Importing base box precise32...
      [default] Matching MAC address for NAT networking...
      [default] Clearing any previously set forwarded ports...
      [default] Forwarding ports...
      [default] -- 22 => 2222 (adapter 1)
      [default] Creating shared folders metadata...
      [default] Clearing any previously set network interfaces...
      [default] Booting VM...
      [default] Waiting for VM to boot. This can take a few minutes.
      ...
    • Vagrantfile
      Vagrant::Config.run do |config|
        config.ssh.private_key_path = "~/.ssh/id_rsa"
        config.vm.box = "precise32"
        config.vm.box_url = "http://files.vagrantup.com/precise32.box"
        # config.vm.network :hostonly, "33.33.33.10"
        # config.vm.network :bridged
        # config.vm.forward_port 80, 8080
        # config.vm.share_folder "v-data", "/vagrant_data", "../data"
        config.vm.provision :chef_solo do |chef|
          chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
          chef.add_recipe "vagrant_main"
        end
      end
    • SSH to the VM
      $ vagrant ssh
    • Secure SSH Keys (replace the shared insecure Vagrant key with your own public key)
      $ vagrant ssh-config | grep Port
        Port 2222
      $ scp -i ~/.vagrant.d/insecure_private_key -P 2222 ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys
    • vagrant@precise32:~$ gauntlt attacks/nmap
      Feature: simple nmap attack (sanity check)
        Background:
          Given "nmap" is installed
          And the target hostname is "google.com"
        Scenario: Verify server is available on standard web ports
          When I launch an "nmap" attack with:
            """
            nmap -p 80,443 google.com
            """
          Then the output should contain:
            """
            80/tcp open http
            443/tcp open https
            """
      1 scenario (1 passed)
      4 steps (4 passed)
      0m0.112s
      vagrant@precise32:~$
    • vagrant@precise32:~$ gauntlt attacks/sslyze
      Feature: Run sslyze against a target
        Background:                                  # attacks/sslyze:3
          Given "sslyze" is installed                # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
          And the target hostname is "google.com"    # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7
        Scenario: Ensure no anonymous certificates   # attacks/sslyze:7
          When I launch an "sslyze" attack with:     # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
            """
            python /home/vagrant/sslyze/sslyze.py google.com:443
            """
          Then the output should not contain:        # aruba-0.5.0/lib/aruba/cucumber.rb:111
            """
            Anon
            """
      1 scenario (1 passed)
      4 steps (4 passed)
      0m0.736s
      vagrant@precise32:~$
    • Try it yourself: http://gauntlt.org/
    • Office hours Hotel bar Tonight, 10 p.m.
    • Questions?