Rugged by example with Gauntlt (Hacker Headshot)

Published on the Hacker Hotshot podcast:
http://www.concise-courses.com/infosec/gauntlt-rugged-by-example/
Published in: Technology
Transcript of "Rugged by example with Gauntlt (Hacker Headshot)"

  1. Rugged by Example with Gauntlt
  2. @wickett: College Startup, Web Systems Engineer; Media Startup, Web Ops Lead; DevOps; CISSP. CISSP, sounds cool.
  3. a brief history of infosec
  4. 1337 tools
  5. the worms and viruses didn’t stop
  6. we faced skilled adversaries
  7. we couldn’t win
  8. Instead of Engineering, InfoSec became Actuaries
  9. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
  10. there were other movements
  11. devs became cool
  12. devs became cool: agile
  13. the biz sells time now
  14. dev and ops now play nice
  15. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  16. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  17. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  18. infosec hasn’t kept pace
  19. Your punch is soft, just like your heart
  20. “Is this Secure?” - Your Customer
  21. “It’s Certified” - You
  22. there’s a better way
  23. 6 R’s of Rugged DevOps
  24. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  25. how does one join rugged devops?
  26. enter gauntlt
  27. gauntlt is like this
  28. (diagram) sqlmap, sslyze, dirb, curl, generic, nmap -> your app; gauntlt -> exit status: 0
  29. gauntlt credits. Project Leads: James Wickett, Jeremiah Shirk. Friends: Jason Chan (Netflix), Neil Matatall (Twitter), Mani Tadayon
  30. security tools are confusing
  31. mapping, discovery, exploitation
  32. fuzz, find, inject
  33. security tests on every change
  34. wisdom from a video game
  35. always listen to Doc
  36. Find the weakness of your enemy
  37. Codify your knowledge (cheat sheets)
  38. sometimes, you face the same enemies again
  39. gauntlt is collaboration
  40. Gauntlt helps dev and ops and security to communicate
  41. gauntlt harmonizes our languages
  42. Behavior Driven Development. “BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.” Dan North, 2009
  43. we have to start somewhere
  44. install gauntlt:

      $ gem install gauntlt

  45. gauntlt design: Simple. Extensible. UNIX™: stdin, stdout, exit status. Minimum features yield maximum utility.
  46. list the defined attacks:

      $ gauntlt --list
      Defined attacks:
      curl
      dirb
      garmr
      generic
      nmap
      sqlmap
      sslyze

  47. Attack File: a plain text file in Gherkin syntax: Given, When, Then
  48. An attack file (slide callouts mark the Given, When, Then, When, Then steps):

      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """

  49. running gauntlt with failing tests:

      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s

  50. running gauntlt with passing tests:

      $ gauntlt
      Feature: nmap attacks for example.com
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m18.341s

  51. list the available step definitions:

      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"curl" is installed$/
      /^"dirb" is installed$/
      /^"garmr" is installed$/
      /^"nmap" is installed$/
      /^"sqlmap" is installed$/
      /^"sslyze" is installed$/
      /^I launch a "curl" attack with:$/
      /^I launch a "dirb" attack with:$/
      /^I launch a "garmr" attack with:$/
      /^I launch a "generic" attack with:$/
      /^I launch an "nmap" attack with:$/
      /^I launch an "sslyze" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      /^the "(.*?)" command line binary is installed$/
      /^the file "(.*?)" should contain XML:$/
      /^the file "(.*?)" should not contain XML:$/
      /^the following cookies should be received:$/
      /^the following profile:$/

  52. the same listing, highlighting the steps used for a generic or sqlmap attack:

      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"sqlmap" is installed$/
      /^I launch a "generic" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
  53. (slides 53 to 55) The same nmap attack file, annotated with the role of each part: the setup steps verify the tool and set the config, the attack step gets the config, and the assertion looks for a needle in the haystack of tool output:

      Feature: nmap attacks for example.com
        # setup steps: verify tool, set config
        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          # attack: get config
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          # assert: needle, haystack
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """
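The setup / attack / assert structure of that attack file, as an added example that is not gauntlt's own code (a miniature in Ruby, the language gauntlt is written in): a profile table fills the `<hostname>` placeholder, the tool's stdout is the haystack, each Then step supplies a needle, and every scenario's result collapses to the UNIX exit status the slides describe. The nmap output is constructed inline so nothing is scanned, and the whitespace normalisation in the assertion is an assumption of this example, not documented gauntlt behaviour.

```ruby
# Added example, not gauntlt's own code: a miniature of the attack-file contract
# on the slides. A profile table fills <name> placeholders in the command, the
# tool's stdout is the haystack, each Then step supplies a needle, and the
# result collapses to a UNIX exit status (0 = pass) so CI can gate on it.
# Constructed stand-in for the stdout of `nmap -F example.com`; nothing is scanned.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com
  PORT    STATE SERVICE
  80/tcp  open  http
  443/tcp open  https
  Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
OUT
# Fill <key> placeholders from the profile table; an unknown key raises KeyError.
def expand_profile(command, profile)
  command.gsub(/<(\w+)>/) { profile.fetch(Regexp.last_match(1)) }
end

# One "Then the output should (not) contain" step. Runs of spaces are collapsed
# so column-aligned tool output matches a single-spaced needle (an assumption of
# this example, not documented gauntlt behaviour).
def assert_output(haystack, needle, negate: false)
  found = haystack.squeeze(" ").include?(needle.squeeze(" "))
  negate ? !found : found
end

# Evaluate each scenario's steps against the same haystack: [[name, passed?], ...]
def run_scenarios(haystack, scenarios)
  scenarios.map do |name, steps|
    [name, steps.all? { |s| assert_output(haystack, s[:needle], negate: s[:negate]) }]
  end
end

# The contract CI relies on: exit 0 only when every scenario passed.
def exit_status(results)
  results.all? { |_, passed| passed } ? 0 : 1
end

PROFILE = { "hostname" => "example.com" }.freeze
SCENARIOS = {
  "Verify server is open on expected ports" => [{ needle: "80/tcp open http", negate: false }],
  "Verify that there are no unexpected ports open" => [{ needle: "25/tcp", negate: true }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "would run: #{expand_profile('nmap -F <hostname>', PROFILE)}"
  results = run_scenarios(SAMPLE_NMAP_OUTPUT, SCENARIOS)
  results.each { |name, ok| puts "#{ok ? 'PASS' : 'FAIL'}: #{name}" }
  puts "exit status: #{exit_status(results)}"
end
```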
  56. Supported Tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
  57. Netflix Use Case: Real World Cloud Application Security, Jason Chan, https://vimeo.com/54157394
  58. Check your ssl certs
  59. cookie tampering
  60. curl hacking
  61. Look for common apache misconfigurations
  62. A dirb attack file, with the wordlist entries shown on the slide:

      @slow
      Feature: Run dirb scan on a URL
        Scenario: Run a dirb scan looking for common vulnerabilities in apache
          Given "dirb" is installed
          And the following profile:
            | name     | value              |
            | hostname | http://example.com |
            | wordlist | vulns/apache.txt   |
          When I launch a "dirb" attack with:
            """
            dirb <hostname> <dirb_wordlists_path>/<wordlist>
            """
          Then the output should contain:
            """
            FOUND: 0
            """

      Wordlist entries: .htaccess, .htpasswd, .meta, .web, access_log, cgi, cgi-bin, cgi-pub, cgi-script, dummy, error, error_log, htdocs, httpd, httpd.pid, icons, server-info, server-status, logs, manual, printenv, test-cgi, tmp, ~bin, ~ftp, ~nobody, ~root

  63. I have my weakness. But I won't tell you! Ha Ha Ha!
  64. Test for SQL Injection
  65. A sqlmap attack file:

      @slow @announce
      Feature: Run sqlmap against a target
        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the following profile:
            | name       | value                |
            | target_url | http://example.com?x=1 |
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
            """

  66. my_first.attack: See ‘GET STARTED’ on the project repo. Start here > https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks. Add your config (hostname, login url, user). Repeat.
  67. Starter Kit on GitHub. The starter kit is on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or, download a copy from: www.gauntlt.org/
  68. @gauntlt future plans
  69. Next Features: More output parsers; More attack adapters; JRuby & Java Support; Front end UI / web reports
  70. Add feature requests here: https://github.com/gauntlt/gauntlt/issues
  71. Contribute to gauntlt: See ‘FOR DEVELOPERS’ in the README. Get started in 7 steps.
  72. If you get stuck: Check the README; IRC Channel: #gauntlt on freenode; @gauntlt on twitter; Mailing List (https://groups.google.com/forum/#!forum/gauntlt); Office hours with weekly google hangout
  73. get started with gauntlt: github/gauntlt; gauntlt.org (videos, tutorials); google group; @gauntlt; IRC #gauntlt. we help! start here. cool vids!
  74. @wickett, james@gauntlt.org. Be Mean to Your Code!