Rugged Driven Development with Gauntlt

@wickett // @gauntlt // gauntlt.org
Talk from LASCON 2013.

1. Rugged Driven Development with Gauntlt
2. @wickett
   • Austin, TX
   • LASCON Founder
   • DevOps Days Organizer
   • DevOps, AppSec, Ruby, Chef, Cucumber
3. Work like a Captain
   Play like a Pirate
4. So far, infosec is good at the pirate part...
5. (no text on this slide)
6. Gauntlt is Rugged Theology Applied
7. rugged
8. (no text on this slide)
9. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
10. Rugged & DevOps
11. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
12. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
13. Gauntlt is Rugged Theology Applied
14. security tools today
15. Core Tenets of Gauntlt
    • Facilitate communication between Infosec and Dev and Ops
    • Cultural shift from compliance driven, auditor-led security
    • Build a new language and currency in organizations
16. gauntlt connects people
17. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
18. https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
19. github.com/gauntlt
20. Our Philosophy
    • Run security tools in a repeatable, easy to read way
    • Handle stdin, stdout, exit status
    • Favor speed and utility over complexity and slowness
    • Be part of the pipeline (CI/CD)
    • We aren't package managers... install your own tools
21. Let's be Captains
22. Install your own tools (you are in fact a captain, right?)
23. $ rvm --ruby-version use 1.9.3
    (optional, but recommended)
24. $ mkdir lascon
    $ cd ./lascon
    $ vim Gemfile
    (optional, but recommended)
25. # Gemfile
    source 'https://rubygems.org'
    gem 'gauntlt'
    (optional, but recommended)
26. $ bundle
    (optional, but recommended)
27. $ bundle
    Fetching gem metadata from https://rubygems.org/..........
    Fetching gem metadata from https://rubygems.org/..
    Resolving dependencies...
    Using ffi (1.9.0)
    Using childprocess (0.3.9)
    Using builder (3.2.2)
    Using diff-lcs (1.2.4)
    Using multi_json (1.8.2)
    Using gherkin (2.12.2)
    Using multi_test (0.0.2)
    Using cucumber (1.3.8)
    Using rspec-expectations (2.14.3)
    Using aruba (0.5.3)
    Using nokogiri (1.5.10)
    Using trollop (2.0)
    Using gauntlt (1.0.6)
    Using bundler (1.3.5)
    Your bundle is complete!
    Use `bundle show [gemname]` to see where a bundled gem is installed.
    (optional, but recommended)
28. $ gem install gauntlt
29. Future slides will use:
    $ gauntlt
    but, really it is:
    $ bundle exec gauntlt
30. $ touch example.attack
31. Keywords highlighted on the slide: Given, When, Then, When, Then
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |

      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should contain:
          """
          80/tcp open http
          """

      Scenario: Verify that there are no unexpected ports open
        When I launch an "nmap" attack with:
          """
          nmap -F <hostname>
          """
        Then the output should not contain:
          """
          25/tcp
          """
32. running gauntlt with failing tests
    $ gauntlt
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |

      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F www.example.com
          """
        Then the output should contain:
          """
          443/tcp open https
          """
    1 scenario (1 failed)
    5 steps (1 failed, 4 passed)
    0m18.341s
33. running gauntlt with passing tests
    $ gauntlt
    Feature: nmap attacks for example.com
      Background:
        Given "nmap" is installed
        And the following profile:
          | name     | value       |
          | hostname | example.com |

      Scenario: Verify server is open on expected ports
        When I launch an "nmap" attack with:
          """
          nmap -F www.example.com
          """
        Then the output should contain:
          """
          443/tcp open https
          """
    1 scenario (1 passed)
    4 steps (4 passed)
    0m18.341s
34. $ gauntlt --list
    Defined attacks:
    arachni
    curl
    dirb
    garmr
    generic
    nmap
    sqlmap
    sslyze
35. $ gauntlt --steps
    /^"(\w+)" is installed in my path$/
    /^"arachni" is installed$/
    /^"curl" is installed$/
    /^"dirb" is installed$/
    /^"garmr" is installed$/
    /^"nmap" is installed$/
    /^"sqlmap" is installed$/
    /^"sslyze" is installed$/
    /^I launch (?:a|an) "arachni" attack with:$/
    /^I launch (?:a|an) "arachni-(.*?)" attack$/
    /^I launch (?:a|an) "curl" attack with:$/
    /^I launch (?:a|an) "dirb" attack with:$/
    /^I launch (?:a|an) "garmr" attack with:$/
    /^I launch (?:a|an) "generic" attack with:$/
    /^I launch (?:a|an) "nmap" attack with:$/
    /^I launch (?:a|an) "nmap-(.*?)" attack$/
    /^I launch (?:a|an) "sqlmap" attack with:$/
    /^I launch (?:a|an) "sslyze" attack with:$/
    /^the "(.*?)" command line binary is installed$/
    /^the DIRB_WORDLISTS environment variable is set$/
    /^the file "(.*?)" should contain XML:$/
    /^the file "(.*?)" should not contain XML:$/
    /^the following cookies should be received:$/
    /^the following environment variables:$/
    /^the following profile:$/
36. $ gauntlt --help
    $ gauntlt --allsteps
37. https://github.com/gauntlt/gauntlt/wiki/Output-parsing-with-Gauntlt
38. https://github.com/gauntlt/gauntlt/wiki/Output-parsing-with-Gauntlt
39. RegEx in Gauntlt
    Then the output should match /80.tcp\s+open/

    Then the output should match:
      """
      80/tcp\s+open
      """
40. Create network.attack
    @slow
    Feature: check to make sure the right ports are open on our server
      Background:
        Given "nmap" is installed
        And the following profile:
          | name | value      |
          | host | lascon.org |

      Scenario: Verify server is open on expected ports
        When I launch an "nmap-fast" attack
        Then the output should match /80.tcp\s+open/
    https://gist.github.com/7121100
41. $ gauntlt
    @slow
    Feature: check to make sure the right ports are open on our server
      Background:                                   # network.attack:4
        Given "nmap" is installed                   # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
        And the following profile:                  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
          | name | value      |
          | host | lascon.org |

      Scenario: Verify server is open on expected ports   # network.attack:10
        Running a nmap-fast attack.
        This attack has this description:
        This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services.
        When I launch an "nmap-fast" attack         # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:12
        Then the output should match /80.tcp\s+open/   # aruba-0.5.3/lib/aruba/cucumber.rb:137
    1 scenario (1 passed)
    4 steps (4 passed)
    0m4.799s
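The three pieces these slides rely on are profile substitution (`<hostname>` filled from the profile table), the plain-substring "should contain" step, and the regular-expression "should match" step from the RegEx slide. The following Ruby is an added example written for this page, not gauntlt's own code: it re-implements those three ideas in a few lines and runs them against a constructed sample of `nmap -F` output so the difference between the substring check and the whitespace-tolerant regex is visible offline. The sample output, the IP address in it and the helper names (`substitute_profile`, `output_contains?`, `output_matches?`, `nmap_scenario_results`) are all assumptions made here; gauntlt itself does this work through its Cucumber step definitions and Aruba.

```ruby
# Added example, not gauntlt's own code: a small Ruby model of what the
# nmap and dirb .attack files above express. Profile substitution and the
# "contain"/"match" steps are re-implemented here for illustration only.

# Fill <name> placeholders in an attack command from the profile table,
# e.g. "nmap -F <hostname>" with { "hostname" => "example.com" }.
# Placeholders with no profile entry are left as-is so the gap stays
# visible (gauntlt fills <dirb_wordlists_path> from the DIRB_WORDLISTS
# environment variable rather than the profile, as the --steps list shows).
def substitute_profile(command, profile)
  command.gsub(/<([A-Za-z0-9_]+)>/) do |placeholder|
    profile.fetch(Regexp.last_match(1), placeholder)
  end
end

# "Then the output should contain:" is a plain substring test.
def output_contains?(output, text)
  output.include?(text)
end

# "Then the output should match /regex/" is a regular-expression test.
def output_matches?(output, regex)
  !(output =~ regex).nil?
end

# Constructed sample of `nmap -F` output (not a real scan; 192.0.2.10 is a
# documentation address) for a host with ssh, http and https open. nmap pads
# its PORT/STATE/SERVICE columns, so "open" is followed by two spaces here.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Starting Nmap ( http://nmap.org )
  Nmap scan report for example.com (192.0.2.10)
  Host is up (0.012s latency).
  Not shown: 97 filtered ports
  PORT    STATE SERVICE
  22/tcp  open  ssh
  80/tcp  open  http
  443/tcp open  https
OUT

# The two scenarios from the nmap attack file plus the regex form from the
# "RegEx in Gauntlt" slide, evaluated against the sample output. Each value
# is what the corresponding "Then" step would report (true = step passes).
def nmap_scenario_results(output = SAMPLE_NMAP_OUTPUT)
  {
    # Exact substring with single spaces: fails on this padded sample.
    contains_80_open_http: output_contains?(output, "80/tcp open http"),
    # Whitespace-tolerant regex from the RegEx slide: tolerant of padding.
    matches_80_open_regex: output_matches?(output, /80.tcp\s+open/),
    # Same regex with the backslash lost (as some renderings of the slide
    # show it): "s+" then means a literal "s", so it never matches.
    matches_without_backslash: output_matches?(output, /80.tcps+open/),
    # "should not contain" scenario: no SMTP port reported.
    no_unexpected_smtp: !output_contains?(output, "25/tcp"),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts substitute_profile("nmap -F <hostname>", { "hostname" => "example.com" })
  nmap_scenario_results.each do |check, passed|
    puts "#{check}: #{passed ? 'PASS' : 'FAIL'}"
  end
end
```

The practical point for writing attack files: tool output that aligns columns (nmap's port table is one case) makes an exact substring such as `80/tcp open http` fragile, while `/80.tcp\s+open/` expresses the same expectation without depending on spacing. The `substitute_profile` helper also shows why the dirb attack keeps `<dirb_wordlists_path>` outside the profile: only the names present in the table are replaced, and anything left in angle brackets is a reminder that another source (here, the environment) has to supply it.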
42. Create directory.attack
    @slow
    Feature: make sure our website doesn't expose sensitive directories
      Scenario: Start with using dirb and check for default apache directories
        Given "dirb" is installed
        And the following profile:
          | name     | value                           |
          | hostname | http://lascon.org               |
          | wordlist | /opt/wordlists/vulns/apache.txt |
        When I launch a "dirb" attack with:
          """
          dirb <hostname> <dirb_wordlists_path>/<wordlist>
          """
        Then the output should contain:
          """
          FOUND: 0
          """
    http://gist.github.com/7124575
43. @slow
    Feature: make sure our website doesn't expose sensitive directories
      Scenario: Start with using dirb and check for default apache directories   # directory.attack:4
        Given "dirb" is installed                   # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:1
        And the following profile:                  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
          | name     | value             |
          | hostname | http://lascon.org |
          | wordlist | vulns/apache.txt  |
        When I launch a "dirb" attack with:         # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:9
          """
          dirb <hostname> <dirb_wordlists_path>/<wordlist>
          """
        Then the output should contain:             # aruba-0.5.3/lib/aruba/cucumber.rb:113
          """
          FOUND: 0
          """
    1 scenario (1 passed)
    4 steps (4 passed)
    0m23.878s
44. captains need dashboards
45. bundle exec gauntlt --format html > out.html
46. XSS
    ...looks cool in this font
47. $ vim Gemfile
    gem 'arachni'
    $ bundle
48. Create xss.attack
    @slow
    Feature: Look for cross site scripting (xss) using arachni against a URL
      Scenario: Using the arachni, look for cross site scripting and verify no issues are found
        Given "arachni" is installed
        And the following profile:
          | name | value             |
          | url  | http://lascon.org |
        When I launch an "arachni-simple_xss" attack
        Then the output should contain "0 issues were detected."
    https://gist.github.com/7121728
49. @slow
    Feature: Look for cross site scripting (xss) using arachni against a URL
      Scenario: Using the arachni, look for cross site scripting and verify no issues are found   # xss.attack:4
        Given "arachni" is installed                # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
        And the following profile:                  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
          | name | value             |
          | url  | http://lascon.org |
        Running a arachni-simple_xss attack.
        This attack has this description:
        This is a scan for cross site scripting (xss) that only runs the base xss module in arachni. The scan only crawls one level deep which makes it faster. For more depth, run the gauntlt attack alias 'arachnisimple_xss_with_depth' and specifiy depth. The arachni-simple_xss attack requires the following to be set in the profile: ["<url>"]
        When I launch an "arachni-simple_xss" attack   # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
        Then the output should contain "0 issues were detected."   # aruba-0.5.3/lib/aruba/cucumber.rb:97
    1 scenario (1 passed)
    4 steps (4 passed)
    0m7.991s
50. Other attacks
    • Garmr
    • HTTP Methods (CURL)
    • REST Testing (jerry curl / CURL)
    • SQL Injection (sqlmap and arachni)
51. Resources
    • Google Group > https://groups.google.com/d/forum/gauntlt
    • Wiki > https://github.com/gauntlt/gauntlt/wiki
    • IRC > #gauntlt on freenode
    • Weekly hangout > http://bit.ly/gauntlt-hangout
    • Issue tracking > http://github.com/gauntlt/gauntlt
52. Future dev work
    • Moar Attack Aliases!
    • Bring your own Attack Aliases
    • Bring your own Attacks
    • Gauntlt Server
53. @gauntlt
    gauntlt.org
