Rugged by example with Gauntlt (Hacker Headshot)

Hacker Hotshot podcast.

http://www.concise-courses.com/infosec/gauntlt-rugged-by-example/

    Presentation Transcript

    • Rugged by Example with Gauntlt
    • @wickett: College Startup Web Systems Engineer; Media Startup Web Ops Lead; DevOps; CISSP (CISSP, sounds cool)
    • a brief history of infosec
    • 1337 tools
    • the worms and viruses didn’t stop
    • we faced skilled adversaries
    • we couldn’t win
    • Instead of Engineering InfoSec became Actuaries
    • “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
    • there were other movements
    • devs became cool
    • devs became cool agile
    • the biz sells time now
    • dev and ops now play nice
    • http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
    • culture automation measurement sharing credit to John Willis and Damon Edwards
    • infosec hasn’t kept pace
    • Your punch is soft, just like your heart
    • “Is this Secure?” -Your Customer
    • “It’s Certified” -You
    • there’s a better way
    • 6 R’s of Rugged DevOps
    • http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
    • how does one join rugged devops?
    • enter gauntlt
    • gauntlt is like this
    • (diagram) sqlmap, sslyze, dirb, curl, generic, nmap → gauntlt → your app; gauntlt reports exit status: 0
    • gauntlt credits. Project leads: James Wickett, Jeremiah Shirk. Friends: Jason Chan (Netflix), Neil Matatall (Twitter), Mani Tadayon
    • security tools are confusing
    • mapping, discovery, exploitation
    • fuzz, find, inject
    • security tests on every change
    • wisdom from a video game
    • always listen to Doc
    • Find the weakness of your enemy
    • Codify your knowledge (cheat sheets)
    • sometimes, you face the same enemies again
    • gauntlt is collaboration
    • Gauntlt helps dev and ops and security to communicate
    • gauntlt harmonizes our languages
    • Behavior Driven Development: “BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.” Dan North, 2009
    • we have to start somewhere
    • install gauntlt: $ gem install gauntlt
    • gauntlt design: simple; extensible; UNIX™ (stdin, stdout, exit status); minimum features yield maximum utility
    • $ gauntlt --list
      Defined attacks:
        curl
        dirb
        garmr
        generic
        nmap
        sqlmap
        sslyze
    • Attack file: a plain text file in Gherkin syntax (Given / When / Then)
    • Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """
        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
      (slide annotations: Given, When, Then)
    • running gauntlt with failing tests
      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """
      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s
    • running gauntlt with passing tests
      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """
      1 scenario (1 passed)
      4 steps (4 passed)
      0m18.341s
    • $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"curl" is installed$/
      /^"dirb" is installed$/
      /^"garmr" is installed$/
      /^"nmap" is installed$/
      /^"sqlmap" is installed$/
      /^"sslyze" is installed$/
      /^I launch a "curl" attack with:$/
      /^I launch a "dirb" attack with:$/
      /^I launch a "garmr" attack with:$/
      /^I launch a "generic" attack with:$/
      /^I launch an "nmap" attack with:$/
      /^I launch an "sslyze" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      /^the "(.*?)" command line binary is installed$/
      /^the file "(.*?)" should contain XML:$/
      /^the file "(.*?)" should not contain XML:$/
      /^the following cookies should be received:$/
      /^the following profile:$/
    • $ gauntlt --steps (subset shown on the slide)
      /^"(\w+)" is installed in my path$/
      /^"sqlmap" is installed$/
      /^I launch a "generic" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
    • The same attack file, annotated across three slides: the setup steps verify the tool and set config, the attack gets config, and the assertion matches a needle against the haystack
      Feature: nmap attacks for example.com
        Background:
          # setup steps: verify tool
          Given "nmap" is installed
          # setup steps: set config
          And the following profile:
            | name     | value       |
            | hostname | example.com |
        Scenario: Verify server is open on expected ports
          # attack: get config
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          # assert: needle (the docstring) in haystack (the attack output)
          Then the output should contain:
            """
            80/tcp open http
            """
        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
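To make the setup / attack / assert flow concrete, here is an added Ruby sketch (my own illustration, not gauntlt's code) that evaluates the subset of the attack file shown above: the profile table fills the <hostname> placeholder, the tool output is the haystack, and each Then/And step is a needle check that decides the exit status. The names parse_attack, run_attack and FAKE_NMAP are hypothetical, and the nmap output is a constructed sample, so nothing is scanned.

```ruby
# Added illustration, not gauntlt's own code: profile rows fill <placeholders>
# in the command, tool output is the haystack, each Then/And step is a needle
# check; exit status is 0 only if all pass. nmap output is a constructed sample.
ATTACK = <<~'GHERKIN'
  Given "nmap" is installed
  And the following profile:
    | name     | value       |
    | hostname | example.com |
  Scenario: Verify expected ports are open and nothing unexpected is
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """
    And the output should not contain:
      """
      25/tcp
      """
GHERKIN
FAKE_NMAP = ->(cmd) { "Nmap scan of #{cmd.split.last}\n80/tcp open http\n443/tcp open https\n" }
def parse_attack(text)
  profile, scenarios, doc, on_doc = {}, [], nil, nil
  text.each_line do |raw|
    line = raw.strip
    if doc then line == '"""' ? (on_doc.call(doc.join("\n")); doc = nil) : doc << line
    elsif line == '"""' then doc = []                        # docstring opens
    elsif line =~ /^\|\s*(\w+)\s*\|\s*(.+?)\s*\|$/ && $1 != "name" then profile[$1] = $2  # set config
    elsif line =~ /^Scenario: (.+)/ then scenarios << { name: $1, cmd: nil, checks: [] }
    elsif line =~ /^When I launch an? "\w+" attack with:/
      on_doc = ->(s) { scenarios.last[:cmd] = s }            # attack command
    elsif line =~ /^(Then|And) the output should (not )?contain:/
      want = $2.nil?; on_doc = ->(s) { scenarios.last[:checks] << [want, s] }
    end
  end
  [profile, scenarios]
end
# Exit status gauntlt would report: 0 when every check passes, else 1.
def run_attack(text, runner = FAKE_NMAP)
  profile, scenarios = parse_attack(text)
  failed = scenarios.count do |sc|
    out = runner.call(sc[:cmd].gsub(/<(\w+)>/) { profile.fetch($1) }) # get config
    bad = sc[:checks].reject { |want, needle| out.include?(needle) == want }
    puts "#{bad.empty? ? 'PASS' : 'FAIL'}: #{sc[:name]}"
    !bad.empty?
  end
  failed.zero? ? 0 : 1
end
```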
    • Supported tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
    • Netflix use case: Real World Cloud Application Security, Jason Chan, https://vimeo.com/54157394
    • Check your ssl certs
    • cookie tampering
    • curl hacking
    • Look for common apache misconfigurations
    • @slow
      Feature: Run dirb scan on a URL
        Scenario: Run a dirb scan looking for common vulnerabilities in apache
          Given "dirb" is installed
          And the following profile:
            | name     | value              |
            | hostname | http://example.com |
            | wordlist | vulns/apache.txt   |
          When I launch a "dirb" attack with:
            """
            dirb <hostname> <dirb_wordlists_path>/<wordlist>
            """
          Then the output should contain:
            """
            FOUND: 0
            """
      (the apache wordlist shown on the slide): .htaccess .htpasswd .meta .web access_log cgi cgi-bin cgi-pub cgi-script dummy error error_log htdocs httpd httpd.pid icons server-info server-status logs manual printenv test-cgi tmp ~bin ~ftp ~nobody ~root
    • I have my weakness. But I won't tell you! Ha Ha Ha!
    • Test for SQL Injection
    • @slow @announce
      Feature: Run sqlmap against a target
        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the following profile:
            | name       | value                  |
            | target_url | http://example.com?x=1 |
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
            """
    • my_first.attack: see ‘GET STARTED’ on the project repo. Start here: https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks, add your config (hostname, login url, user), repeat.
    • Starter Kit on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or download a copy from www.gauntlt.org/
    • @gauntlt future plans
    • Next features: more output parsers; more attack adapters; JRuby & Java support; front end UI / web reports
    • Add feature requests here: https://github.com/gauntlt/gauntlt/issues
    • Contribute to gauntlt: see ‘FOR DEVELOPERS’ in the README; get started in 7 steps
    • If you get stuck: check the README; IRC channel #gauntlt on freenode; @gauntlt on twitter; mailing list (https://groups.google.com/forum/#!forum/gauntlt); office hours with weekly google hangout
    • get started with gauntlt: github/gauntlt (start here), gauntlt.org (videos, tutorials: cool vids!), google group, @gauntlt, IRC #gauntlt (we help!)
    • @wickett james@gauntlt.org Be Mean to Your Code!