
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits

OWASP OWTF THE OFFENSIVE (WEB) TESTING
FRAMEWORK + PTES PENETRATION TESTING EXECUTION
STANDARD = KALI POWER AUTO WEB PENTESTS
Mauro Risonho de Paula Assumpção


  1. OWASP OWTF THE OFFENSIVE (WEB) TESTING FRAMEWORK + PTES PENETRATION TESTING EXECUTION STANDARD = KALI POWER AUTO WEB PENTESTS. Mauro Risonho de Paula Assumpção
  2. THOUGHT: Our present is the past of some civilization in the future. Mauro Risonho de Paula Assumpção
  3. AGENDA ● OWTF intro – Installing OWTF on Kali (web tools only) ● Running OWTF – Part 1: OWTF passive + semi-passive web analysis – Part 2: OWTF active web analysis – Part 3: OWTF aux plugins – SE, IDS testing ● Conclusion ● Q&A
  4. WHO AM I? ● Mauro Risonho de Paula Assumpção aka firebits ● Nerd / self-taught / enthusiast / pentester / vulnerability analyst / security researcher / instructor / speaker and eternal learner ● Security analyst (R&D) at Agility Networks, focused on the SIS system (malware RE, Deep Web and pentest)
  5. OWASP OWTF
  6. OWASP OWTF https://www.owasp.org/index.php/OWASP_OWTF – Contact e-mail (2014) from Abraham Aranguren, OWASP OWTF Project Leader
  7. OWTF - Offensive (Web) Testing Framework ● Test separation ● Start without permission ● Automation ● Unite tools, knowledge and standards (OWASP and PTES)
  8. OWTF chess-like approach ● Run tools: theHarvester, Nikto, Arachni, w3af, etc. ● Run tests directly: header searches, HTML body searches, crafted requests, etc. ● Knowledge repository: PoC links, resource links, OWASP mapping ● Help human analysis / flag importance: tool output manager, screenshot manager, notes manager, report assistant. Pentester + OWTF
  9. OWTF - Install. Kali 1.1.0 or Kali 2 - tests (as applicable)
     http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso
     http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
     https://www.owasp.org/index.php/OWASP_OWTF
     kali-linux-web = Kali Linux web app assessment tools (group install):
     apt-get install kali-linux-web -y
     GitHub:
     git clone git://github.com/owtf/owtf.git
     OWTF 1.0.1 Lionheart (release tarball; tar extracts the downloaded file, not the URL):
     wget https://github.com/owtf/owtf/archive/v1.0.1.tar.gz
     tar -xvf v1.0.1.tar.gz
  10. OWTF - Install (run as root)
     # git clone https://github.com/owtf/owtf.git
     # cd /root/owtf/install
     # python install.py
     (answer YES, YES, YES... forever! :)
     or:
     # pip install --upgrade -r install/owtf.pip
  11. PTES
  12. PTES Penetration Testing Execution Standard – PTES MindMap (FreeMind) http://www.pentest-standard.org/index.php/FAQ http://iamit.org/docs/Penetration_Testing_Execution_Standard.mm 1) Pre-engagement Interactions 2) Intelligence Gathering 3) Threat Modeling 4) Vulnerability Analysis 5) Exploitation 6) Post Exploitation 7) Reporting
  13. KALI
  14. KALI: OWTF + KALI 2 = FAIL!!!
  15. KALI: choose option 1
  16. KALI: choose "Y" (YES)
  17. KALI: installed successfully! :)
  18. OWASP OWTF + PTES = KALI – OWTF CLI commands: python owtf.py -h | more
  19. List OWTF plugins - Web Attacks: python owtf.py -l web
  20. Simulation mode "-s": 1) SIMULATES what OWTF will do (so it does not do it!) 2) Is useful to check the effect of a command before running it: # python owtf.py -s https://accounts.google.com | more
  21. python owtf.py www.google.com
  22. Report: file:///root/owtf/owtf_review/index.html
  23. DEMOS – Part 1: OWTF passive + semi-passive web analysis – Part 2: OWTF active web analysis – Part 3: OWTF aux plugins – SE, IDS testing
  24. QUESTIONS?
  25. CONCLUSION: OWASP OWTF is not a "silver bullet" and does not replace the manual, intelligent, human process of pentesters, but it helps automate things a bit.
  26. THANK YOU! Mauro Risonho de Paula Assumpção – Email mauro.risonho@gmail.com – Twitter @firebitsbr – Site https://firebitsbr.wordpress.com
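The deck runs OWTF first in simulation mode (-s) and then for real against a target. As an added example, not part of the slides or of the OWTF project, the wrapper below turns that habit into a check: it builds the command lines shown on slides 20 and 21, defaults to simulation, and refuses any target not listed in a scope file. The /root/owtf path is taken from the slides; the scope-file format and the OWTF_DIR variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example: scope-gated wrapper around the owtf.py invocations from the
# slides. Assumes owtf.py lives in /root/owtf (as on the deck); the scope-file
# layout (one target per line, '#' comments) is a convention of this example.

OWTF_DIR="${OWTF_DIR:-/root/owtf}"

# in_scope TARGET SCOPEFILE -> status 0 if TARGET is an exact line in SCOPEFILE
# (blank lines and '#' comments are ignored; a missing file means not in scope).
in_scope() {
    target="$1"; scope="$2"
    grep -v '^[[:space:]]*#' "$scope" 2>/dev/null \
        | grep -v '^[[:space:]]*$' \
        | grep -Fxq -- "$target"
}

# build_owtf_cmd TARGET [MODE] [SCOPEFILE] -> prints the command line to run.
#   MODE "simulate" (default) adds -s, exactly as slide 20; "run" omits it.
# Returns 2 without printing anything when TARGET is outside the scope file.
build_owtf_cmd() {
    target="$1"; mode="${2:-simulate}"; scope="${3:-$OWTF_DIR/scope.txt}"
    if ! in_scope "$target" "$scope"; then
        echo "refusing: $target is not listed in $scope" >&2
        return 2
    fi
    case "$mode" in
        simulate) printf 'python %s/owtf.py -s %s\n' "$OWTF_DIR" "$target" ;;
        run)      printf 'python %s/owtf.py %s\n' "$OWTF_DIR" "$target" ;;
        *)        echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Usage (prints the command instead of executing it; pipe to sh to run):
#   build_owtf_cmd www.example.com            -> simulation command
#   build_owtf_cmd www.example.com run        -> real run, only if in scope
```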
