Roman Rott – Ruby for Pentesters


OWASP Kyiv 27-05-2017 chapter meeting talk.

  1. RUBY FOR PENTESTERS by Roman Rott
  3. RUBY HAS ABILITIES AND TRICKS FOR DEALING WITH ALL STRING SCENARIOS
     ➤ Convert String/Binary to Hex;
     ➤ Convert Hex to String/Binary;
     ➤ Encode/Decode String;
     ➤ Regular Expressions;
     ➤ String extraction;
     ➤ Parsing HTML, XML, JSON, etc.;
     ➤ Cryptography libs: MD5, SHA-1, SHA-2 hashes; generating MySQL/PostgreSQL and Windows password hashes, etc.
  4. TOOLS: Ronin. Ronin is a Ruby platform for vulnerability research and exploit development. Ronin allows for the rapid development and distribution of code, exploits, payloads, scanners, etc., via repositories.
  5. TOOLS: WPScan, a WordPress vulnerability scanner.
  6. TOOLS: WhatWeb. Recognizes web technologies including CMS, blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, etc.
  7. TOOLS: bundle-audit. Patch-level verification for Bundler.
  8. TOOLS: brakeman. Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
  9. FRAMEWORKS: Arachni. Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.
  10. FRAMEWORKS: BeEF, the Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
  11. FRAMEWORKS: Metasploit.
  12. HELPERS: DuckRails. Allows you to quickly mock API endpoints, set response headers, set advanced configuration (delays, dynamic headers, content type and status), etc.
  13. HELPERS
     ➤ Oga - XML/HTML parser.
     ➤ html-pipeline - GitHub HTML processing filters and utilities. This module includes a small framework for defining DOM-based content filters and applying them to user-provided content.
     ➤ HappyMapper - allows you to parse XML data and convert it quickly and easily into Ruby data structures.
     ➤ nokogiri - a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.
  14. BROWSER MANIPULATION: Selenium, Watir, webdrivers.
  15. AUTOMATIZATION: ruby-nmap.
  16. AUTOMATIZATION
     ➤ net-ping gem
     ➤ ruby-nmap gem
     ➤ etc.
  17. AUTOMATIZATION: Puppet, Chef, Vagrant, Docker, and more.
  18. COMMAND EXECUTION
     ➤ Kernel#` (back-ticks)
     ➤ Kernel#exec
     ➤ Kernel#system
     ➤ IO#popen
     ➤ Process#spawn
     ➤ %x"", %x[], %x{}, %x$''$
     ➤ Rake#sh
  19. PACKAGING
     ➤ One-Click Ruby Application (OCRA) Builder
     ➤ Traveling-ruby
     ➤ RubyEncoder
  20. EXTEND BURP SUITE USING JRUBY: JRuby is a fully threaded Java implementation of the Ruby
  21. The end.
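Slide 18 lists Ruby's command execution primitives without showing how they differ. The following is an added example (not from the talk) contrasting the array form of IO.popen, Kernel#system and Process.spawn, which execs the program directly, with the single-string form of back-ticks, which goes through /bin/sh. It assumes a POSIX-like system and uses the running Ruby interpreter itself as the child program so it runs anywhere Ruby does; the array form is the one to use whenever an argument comes from outside the tool, since the shell never gets a chance to reinterpret it.

```ruby
require "rbconfig"

# Path to the running interpreter; used as a portable child process so the
# example runs anywhere Ruby does (assumption: a POSIX-like system).
RUBY_BIN = RbConfig.ruby

# IO.popen with an ARRAY argv: Ruby exec()s the program directly, no shell,
# so each element reaches the child as exactly one argument, metacharacters
# included. Returns [captured stdout+stderr, exit status].
def run_argv(*argv)
  out = IO.popen(argv, err: [:child, :out]) { |io| io.read }
  [out, $?.exitstatus]
end

# Back-ticks take a single STRING and hand it to /bin/sh, which performs
# word splitting, globbing and quote handling before the program starts.
def run_shell(cmd)
  out = `#{cmd}`
  [out, $?.exitstatus]
end

# Ask a child Ruby to print the argv it actually received, one per line.
def child_argv(*args)
  out, status = run_argv(RUBY_BIN, "-e", "ARGV.each { |a| puts a }", "--", *args)
  raise "child exited #{status}" unless status.zero?
  out.lines(chomp: true)
end

# Kernel#system: true on exit 0, false on non-zero, nil if it could not start.
def succeeded?(*argv)
  system(*argv, out: File::NULL, err: File::NULL)
end

# Process.spawn returns the pid at once; Process.wait2 collects the status.
def spawn_and_wait(*argv)
  pid = Process.spawn(*argv, out: File::NULL, err: File::NULL)
  _pid, status = Process.wait2(pid)
  status.exitstatus
end

if __FILE__ == $PROGRAM_NAME
  p child_argv("a b", "c;d")   # ["a b", "c;d"]: array form keeps both intact
  p run_shell("#{RUBY_BIN} -e 'puts ARGV.size' -- a b").first  # "2\n": sh split "a b"
  p succeeded?(RUBY_BIN, "-e", "exit 0")   # true
  p spawn_and_wait(RUBY_BIN, "-e", "exit 3")   # 3
end
```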