Rugged Driven Development with Gauntlt

Talk from LASCON 2013.

Presentation Transcript

  • Rugged Driven Development with Gauntlt @wickett // @gauntlt // gauntlt.org
  • @wickett
      • Austin, TX
      • LASCON Founder
      • DevOps Days Organizer
      • DevOps, AppSec, Ruby, Chef, Cucumber
  • Work like a Captain, Play like a Pirate
  • So far, infosec is good at the pirate part...
  • Gauntlt is Rugged Theology Applied
  • rugged
  • http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  • Rugged & DevOps
  • http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  • Gauntlt is Rugged Theology Applied
  • security tools today
  • Core Tenets of Gauntlt
      • Facilitate communication between Infosec and Dev and Ops
      • Cultural shift from compliance driven, auditor-led security
      • Build a new language and currency in organizations
  • gauntlt connects people
  • https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
  • github.com/gauntlt
  • Our Philosophy
      • Run security tools in a repeatable, easy to read way
      • Handle stdin, stdout, exit status
      • Favor speed and utility over complexity and slowness
      • Be part of the pipeline (CI/CD)
      • We aren't package managers... install your own tools
  • Let's be Captains
  • Install your own tools (you are in fact a captain, right?)
  • Optional, but recommended: pin a Ruby version, create a project directory and manage gauntlt through a Gemfile

        $ rvm --ruby-version use 1.9.3

        $ mkdir lascon
        $ cd ./lascon
        $ vim Gemfile

        # Gemfile
        source 'https://rubygems.org'
        gem 'gauntlt'

        $ bundle
        Fetching gem metadata from https://rubygems.org/..........
        Fetching gem metadata from https://rubygems.org/..
        Resolving dependencies...
        Using ffi (1.9.0)
        Using childprocess (0.3.9)
        Using builder (3.2.2)
        Using diff-lcs (1.2.4)
        Using multi_json (1.8.2)
        Using gherkin (2.12.2)
        Using multi_test (0.0.2)
        Using cucumber (1.3.8)
        Using rspec-expectations (2.14.3)
        Using aruba (0.5.3)
        Using nokogiri (1.5.10)
        Using trollop (2.0)
        Using gauntlt (1.0.6)
        Using bundler (1.3.5)
        Your bundle is complete!
        Use `bundle show [gemname]` to see where a bundled gem is installed.

  • Or install the gem directly:

        $ gem install gauntlt

  • Future slides will use "$ gauntlt" but, really, it is "$ bundle exec gauntlt"
  • $ touch example.attack
  • Create example.attack (the Given / When / Then structure is Cucumber's):

        Feature: nmap attacks for example.com

          Background:
            Given "nmap" is installed
            And the following profile:
              | name     | value       |
              | hostname | example.com |

          Scenario: Verify server is open on expected ports
            When I launch an "nmap" attack with:
              """
              nmap -F <hostname>
              """
            Then the output should contain:
              """
              80/tcp open http
              """

          Scenario: Verify that there are no unexpected ports open
            When I launch an "nmap" attack with:
              """
              nmap -F <hostname>
              """
            Then the output should not contain:
              """
              25/tcp
              """
  • Running gauntlt with failing tests:

        $ gauntlt
        Feature: nmap attacks for example.com

          Background:
            Given "nmap" is installed
            And the following profile:
              | name     | value       |
              | hostname | example.com |

          Scenario: Verify server is open on expected ports
            When I launch an "nmap" attack with:
              """
              nmap -F www.example.com
              """
            Then the output should contain:
              """
              443/tcp open https
              """

        1 scenario (1 failed)
        5 steps (1 failed, 4 passed)
        0m18.341s

  • Running gauntlt with passing tests:

        $ gauntlt
        Feature: nmap attacks for example.com

          Background:
            Given "nmap" is installed
            And the following profile:
              | name     | value       |
              | hostname | example.com |

          Scenario: Verify server is open on expected ports
            When I launch an "nmap" attack with:
              """
              nmap -F www.example.com
              """
            Then the output should contain:
              """
              443/tcp open https
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m18.341s
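The failing and passing runs above are what the philosophy slide means by "handle stdin, stdout, exit status" and "be part of the pipeline": the tool's output is captured, the scenario's expectations are applied to it, and the overall result becomes an exit code a CI job can act on. The Ruby below is an added example that is not gauntlt's own code; it is a minimal runner of that shape. The nmap report it checks is constructed inline, not a real scan, and the two scenarios mirror the ones in example.attack.

```ruby
# Added example, not gauntlt's own code: a minimal attack runner that runs a
# command line, keeps stdout, stderr and the exit status, applies
# "should contain" / "should not contain" checks like example.attack, and
# reports a CI-style exit code. The nmap output below is constructed.
require 'open3'

# Run a tool and capture everything a later check might need.
def run_attack(cmd)
  stdout, stderr, status = Open3.capture3(cmd)
  { output: stdout + stderr, exit_status: status.exitstatus }
end

# expectations is a list of [kind, text] pairs, kind being :contain or
# :not_contain. Returns failure messages; an empty array means all passed.
def check_output(output, expectations)
  expectations.each_with_object([]) do |(kind, text), failures|
    case kind
    when :contain
      failures << "expected output to contain #{text.inspect}" unless output.include?(text)
    when :not_contain
      failures << "expected output not to contain #{text.inspect}" if output.include?(text)
    else
      raise ArgumentError, "unknown expectation kind #{kind.inspect}"
    end
  end
end

# The two scenarios from example.attack as expectations. Real nmap pads its
# columns, so the check looks for the port token rather than the
# single-spaced "80/tcp open http" string.
NMAP_SCENARIOS = {
  "Verify server is open on expected ports"        => [[:contain, "80/tcp"]],
  "Verify that there are no unexpected ports open" => [[:not_contain, "25/tcp"]],
}.freeze

# Evaluate every scenario against one captured output. Returns the per-scenario
# failures, pass/fail counts, and the exit code CI should see (0 or 1).
def run_scenarios(output, scenarios = NMAP_SCENARIOS)
  results = scenarios.transform_values { |exp| check_output(output, exp) }
  failed = results.count { |_, failures| !failures.empty? }
  { results: results, passed: scenarios.size - failed, failed: failed,
    exit_code: failed.zero? ? 0 : 1 }
end

# Constructed sample in nmap's report format (not from a real host).
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com
  PORT    STATE SERVICE
  80/tcp  open  http
  443/tcp open  https
OUT

summary = run_scenarios(SAMPLE_NMAP_OUTPUT)
puts "#{summary[:passed] + summary[:failed]} scenarios (#{summary[:failed]} failed, #{summary[:passed]} passed)"
summary[:results].each { |name, failures| failures.each { |f| puts "  #{name}: #{f}" } }
# A CI wrapper would finish with: exit summary[:exit_code]
```

In a pipeline the only line that matters is the last one: a non-zero exit code from the runner fails the build, which is what turns a security tool's prose output into a gate.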
  • $ gauntlt --list

        Defined attacks:
        arachni
        curl
        dirb
        garmr
        generic
        nmap
        sqlmap
        sslyze

  • $ gauntlt --steps

        /^"(\w+)" is installed in my path$/
        /^"arachni" is installed$/
        /^"curl" is installed$/
        /^"dirb" is installed$/
        /^"garmr" is installed$/
        /^"nmap" is installed$/
        /^"sqlmap" is installed$/
        /^"sslyze" is installed$/
        /^I launch (?:a|an) "arachni" attack with:$/
        /^I launch (?:a|an) "arachni-(.*?)" attack$/
        /^I launch (?:a|an) "curl" attack with:$/
        /^I launch (?:a|an) "dirb" attack with:$/
        /^I launch (?:a|an) "garmr" attack with:$/
        /^I launch (?:a|an) "generic" attack with:$/
        /^I launch (?:a|an) "nmap" attack with:$/
        /^I launch (?:a|an) "nmap-(.*?)" attack$/
        /^I launch (?:a|an) "sqlmap" attack with:$/
        /^I launch (?:a|an) "sslyze" attack with:$/
        /^the "(.*?)" command line binary is installed$/
        /^the DIRB_WORDLISTS environment variable is set$/
        /^the file "(.*?)" should contain XML:$/
        /^the file "(.*?)" should not contain XML:$/
        /^the following cookies should be received:$/
        /^the following environment variables:$/
        /^the following profile:$/

  • $ gauntlt --help
    $ gauntlt --allsteps
  • https://github.com/gauntlt/gauntlt/wiki/Output-parsing-with-Gauntlt
  • RegEx in Gauntlt (the \s+ absorbs nmap's column padding, which a literal "should contain" string would not):

        Then the output should match /80.tcp\s+open/

        Then the output should match:
          """
          80/tcp\s+open
          """
  • Create network.attack (https://gist.github.com/7121100):

        @slow
        Feature: check to make sure the right ports are open on our server

          Background:
            Given "nmap" is installed
            And the following profile:
              | name | value      |
              | host | lascon.org |

          Scenario: Verify server is open on expected ports
            When I launch an "nmap-fast" attack
            Then the output should match /80.tcp\s+open/

  • Run it:

        $ gauntlt
        @slow
        Feature: check to make sure the right ports are open on our server

          Background:                    # network.attack:4
            Given "nmap" is installed     # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
            And the following profile:    # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
              | name | value      |
              | host | lascon.org |

          Scenario: Verify server is open on expected ports   # network.attack:10
            Running a nmap-fast attack. This attack has this description:
            This is a fast nmap scan that should run in 10 seconds or less on most networks.
            It looks for the most common ports and services.
            When I launch an "nmap-fast" attack             # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:12
            Then the output should match /80.tcp\s+open/     # aruba-0.5.3/lib/aruba/cucumber.rb:137

        1 scenario (1 passed)
        4 steps (4 passed)
        0m4.799s
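The move from "should contain" to "should match" in network.attack is worth seeing on real-shaped output, because the pattern on the slide also has a weakness: unanchored, "80.tcp" is satisfied by "8080/tcp" as well. The Ruby below is an added example, not code from the talk or from gauntlt. Its nmap lines are constructed, and it compares four checks: the single-spaced contain string, the slide's pattern with its backslash lost (as extraction often renders it), the slide's intended pattern, and an anchored form.

```ruby
# Added example, not from the talk or from gauntlt: what the regex step buys
# over "should contain" for nmap output, and why the pattern needs anchoring.
# All nmap lines below are constructed, not real scan results.

# Constructed outputs in nmap's column layout.
WEB_SERVER   = "PORT    STATE SERVICE\n80/tcp  open  http\n443/tcp open  https\n"
PROXY_ONLY   = "PORT     STATE SERVICE\n8080/tcp open  http-proxy\n"
FILTERED_WEB = "PORT    STATE    SERVICE\n80/tcp  filtered http\n"

# "should contain" with a single-spaced string misses nmap's padded columns.
def contains_single_spaced?(output)
  output.include?("80/tcp open http")
end

# The slide's pattern with the backslash lost: it now demands the literal
# letter s one or more times between "tcp" and "open", so it never matches.
LOST_BACKSLASH = /80.tcps+open/
# The pattern the slide means: any character for "/", then whitespace, then "open".
SLIDE_PATTERN  = /80.tcp\s+open/
# Anchored to the start of a line with an escaped slash: 8080/tcp no longer counts.
ANCHORED       = %r{^80/tcp\s+open\b}

# Ruby's ^ matches at every line start, so this works on the whole report.
def port_80_open?(output, pattern = ANCHORED)
  output.match?(pattern)
end

# How each check decides for one output; useful when tuning a Then step.
def compare_checks(output)
  { contain:        contains_single_spaced?(output),
    lost_backslash: port_80_open?(output, LOST_BACKSLASH),
    slide_pattern:  port_80_open?(output, SLIDE_PATTERN),
    anchored:       port_80_open?(output, ANCHORED) }
end

puts compare_checks(WEB_SERVER)    # slide and anchored patterns match; contain does not
puts compare_checks(PROXY_ONLY)    # only the anchored pattern correctly reports no port 80
puts compare_checks(FILTERED_WEB)  # none match: filtered is not open
```

The PROXY_ONLY case is the one to remember: with the slide's pattern a host that exposes only 8080 still passes "verify server is open on expected ports", so an attack file meant to catch a misconfigured listener would stay green.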
  • Create directory.attack (http://gist.github.com/7124575). The wordlist value is appended to <dirb_wordlists_path>, so it is given relative to the wordlist directory, as in the run that follows:

        @slow
        Feature: make sure our website doesn't expose sensitive directories

          Scenario: Start with using dirb and check for default apache directories
            Given "dirb" is installed
            And the following profile:
              | name     | value             |
              | hostname | http://lascon.org |
              | wordlist | vulns/apache.txt  |
            When I launch a "dirb" attack with:
              """
              dirb <hostname> <dirb_wordlists_path>/<wordlist>
              """
            Then the output should contain:
              """
              FOUND: 0
              """

  • Run it:

        @slow
        Feature: make sure our website doesn't expose sensitive directories

          Scenario: Start with using dirb and check for default apache directories   # directory.attack:4
            Given "dirb" is installed       # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:1
            And the following profile:      # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
              | name     | value             |
              | hostname | http://lascon.org |
              | wordlist | vulns/apache.txt  |
            When I launch a "dirb" attack with:   # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:9
              """
              dirb <hostname> <dirb_wordlists_path>/<wordlist>
              """
            Then the output should contain:       # aruba-0.5.3/lib/aruba/cucumber.rb:113
              """
              FOUND: 0
              """

        1 scenario (1 passed)
        4 steps (4 passed)
        0m23.878s
  • captains need dashboards
  • bundle exec gauntlt --format html > out.html
  • XSS ...looks cool in this font
  • Add arachni to the Gemfile and bundle again:

        $ vim Gemfile
        gem 'arachni'
        $ bundle
  • Create xss.attack (https://gist.github.com/7121728):

        @slow
        Feature: Look for cross site scripting (xss) using arachni against a URL

          Scenario: Using the arachni, look for cross site scripting and verify no issues are found
            Given "arachni" is installed
            And the following profile:
              | name | value             |
              | url  | http://lascon.org |
            When I launch an "arachni-simple_xss" attack
            Then the output should contain "0 issues were detected."

  • Run it:

        @slow
        Feature: Look for cross site scripting (xss) using arachni against a URL

          Scenario: Using the arachni, look for cross site scripting and verify no issues are found   # xss.attack:4
            Given "arachni" is installed    # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
            And the following profile:      # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
              | name | value             |
              | url  | http://lascon.org |
            Running a arachni-simple_xss attack. This attack has this description:
            This is a scan for cross site scripting (xss) that only runs the base xss module in arachni.
            The scan only crawls one level deep which makes it faster. For more depth, run the gauntlt
            attack alias 'arachni-simple_xss_with_depth' and specifiy depth.
            The arachni-simple_xss attack requires the following to be set in the profile: ["<url>"]
            When I launch an "arachni-simple_xss" attack                  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
            Then the output should contain "0 issues were detected."      # aruba-0.5.3/lib/aruba/cucumber.rb:97

        1 scenario (1 passed)
        4 steps (4 passed)
        0m7.991s
  • Other attacks
      • Garmr
      • HTTP Methods (CURL)
      • REST Testing (jerry curl / CURL)
      • SQL Injection (sqlmap and arachni)
  • Resources
      • Google Group > https://groups.google.com/d/forum/gauntlt
      • Wiki > https://github.com/gauntlt/gauntlt/wiki
      • IRC > #gauntlt on freenode
      • Weekly hangout > http://bit.ly/gauntlt-hangout
      • Issue tracking > http://github.com/gauntlt/gauntlt
  • Future dev work
      • Moar Attack Aliases!
      • Bring your own Attack Aliases
      • Bring your own Attacks
      • Gauntlt Server
  • @gauntlt // gauntlt.org